DOCSLIB.ORG

An Introduction to Computer Security: the NIST Handbook U.S

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

HATl INST. OF STAND & TECH R.I.C. NIST PUBLICATIONS AlllOB SEDS3fl NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards Barbara Guttman and Edward A. Roback and Technology COMPUTER SECURITY Contingency Assurance User 1) Issues Planniii^ I&A Personnel Trairang f Access Risk Audit Planning ) Crypto \ Controls O Managen»nt U ^ J Support/-"^ Program Kiysfcal ~^Tiireats Policy & v_ Management Security Operations i QC 100 Nisr .U57 NO. 800-12 1995 The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . and to facilitate rapid commercialization ... of products based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058. Office of the Director Manufacturing Engineering Laboratory • Advanced Technology Program • Precision Engineering • Quality Programs • Automated Production Technology • International and Academic Affairs • Intelligent Systems • Manufacturing Systems Integration Technology Services • Fabrication Technology • Manufacturing Extension Partnership • Standards Services Electronics and Electrical Engineering • Technology Commercialization Laboratory • Measurement Services • Microelectronics • Technology Evaluation and Assessment • Law Enforcement Standards • Information Services • Electricity • Semiconductor Electronics Materials Science and Engineering • Electromagnetic Fields' Laboratory • Electromagnetic Technology' • Intelligent Processing of Materials • Optoelectronics' • Ceramics • Materials Reliability' Building and Fire Research Laboratory • Polymers • Structures • Metallurgy • Building Materials • Reactor Radiation • Building Environment • Fire Safety Chemical Science and Technology • Fire Science Laboratory • Biotechnology Computer Systems Laboratory • Chemical Kinetics and Thermodynamics • Office of Enterprise Integration • Analytical Chemical Research • Information Systems Engineering • Process Measurements • Systems and Software Technology • Surface and Microanalysis Science • Computer Security • Thermophysics^ • Systems and Network Architecture • Advanced Systems Physics Laboratory • Electron and Optical Physics Computing and Applied Mathematics • Atomic Physics Laboratory • Molecular Physics • Applied and Computational Mathematics^ • Radiometric Physics • Statistical Engineering^ • Quantum Metrology • Scientific Computing Environments^ • Ionizing Radiation • Computer Services • Time and Frequency' • Computer Systems and Communications^ • Quantum Physics' • Information Systems 'At Boulder. CO 80303. ^Some elements at Boulder, CO 80303. NIST Special Publication 800-12 An IlltrOdUCtion tO CompUtCr Security: The NIST Handbook Barbara Guttman and Edward Roback COMPUTER SECURITY Computer Systems Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-0001 October 1995 U.S. Department of Commerce Ronald H. Brown, Secretary Technology Administration Mary L. Good, Under Secretary for Technology National Institute of Standards and Technology Arati Prabhakar, Director Reports on Computer Systems Technology The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) devel- ops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technol- ogy resources. CSL's responsibilities Include development of technical, management, physical, and ad- ministrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified Information processed In Federal computers. CSL assists agencies in developing security plans and in Improving computer security awareness training. This Special Publication 800 series reports CSL re- search and guidelines to Federal agencies as well as to organizations In industry, government, and academia. National Institute of Standards and Technology Special Publication 800-12 Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995) CODEN: NSPUE2 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1995 For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 Table of Contents I. INTRODUCTION AND OVERVIEW Chapter 1 INTRODUCTION 1.1 Purpose 3 1.2 Intended Audience 3 1.3 Organization 4 1.4 Important Terminology 5 1.5 Legal Foundation for Federal Computer Security Programs 7 Chapter 2 ELEMENTS OF COMPUTER SECURITY 2.1 Computer Security Supports the Mission of the Organization 9 2.2 Computer Security is an Integral Element of Sound Management 10 2.3 Computer Security Should Be Cost-Effective 11 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit 12 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations 12 2.6 Computer Security Requires a Comprehensive and Integrated Approach 13 2.7 Computer Security Should Be Periodically Reassessed. 13 2.8 Computer Security is Constrained by Societal Factors. 14 iii Chapter 3 ROLES AND RESPONSIBILITIES 3.1 Senior Management 16 3.2 Computer Security Management 16 3.3 Program and Functional Managers/Application Owners 16 3.4 Technology Providers 16 3.5 Supporting Functions 18 3.6 Users 19 Chapter 4 COMMON THREATS: A BRIEF OVERVIEW 4.1 Errors and Omissions 22 4.2 Fraud and Theft 23 4.3 Employee Sabotage 24 4.4 Loss of Physical and Infrastructure Support 24 4.5 Malicious Hackers 24 4.6 Industrial Espionage 26 4.7 Malicious Code 27 4.8 Foreign Government Espionage 27 4.9 Threats to Personal Privacy 28 II. MANAGEMENT CONTROLS Chapter 5 COMPUTER SECURITY POLICY 5.1 Program Policy 35 5.2 Issue-Specific Policy 37 5.3 System-Specific Policy 40 iv 5.4 Interdependencies 42 5.5 Cost Considerations 43 Chapter 6 COMPUTER SECURITY PROGRAM MANAGEMENT 6.1 Structure of a Computer Security Program 45 6.2 Central Computer Security Programs 47 6.3 Elements of an Effective Central Computer Security Program 51 6.4 System-Level Computer Security Programs 53 6.5 Elements of Effective System-Level Programs 53 6.6 Central and System-Level Program Interactions 56 6.7 Interdependencies 56 6.8 Cost Considerations 56 Chapter 7 COMPUTER SECURITY RISK MANAGEMENT 7.1 Risk Assessment 59 7.2 Risk Mitigation 63 7.3 Uncertainty Analysis 67 7.4 Interdependencies 68 7.5 Cost Considerations 68 Chapter 8 SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE 8.1 Computer Security Act Issues for Federal Systems 71 8.2 Benefits of Integrating Security in the Computer System Life Cycle 72 8.3 Overview of the Computer System Life Cycle 73 V 8.4 Security Activities in the Computer System Life Cycle 74 8.5 Interdependencies 86 8.6 Cost Considerations 86 Chapter 9 i ASSURANCE 9.1 Accreditation and Assurance 90 9.2 Planning and Assurance 92 9.3 Design and Implementation Assurance 92 9.4 Operational Assurance 96 9.5 Interdependencies 101 9.6 Cost Considerations 101 III. OPERATIONAL CONTROLS Chapter 10 PERSONNEL/USER ISSUES 10.1 Staffing 107 10.2 User Administration 110 10.3 Contractor Access Considerations 116 10.4 Public Access Considerations 116 10.5 Interdependencies 117 10.6 Cost Considerations 117 Chapter 11 PREPARING FOR CONTINGENCIES AND DISASTERS 11.1 Step 1: Identifying the Mission- or Business-Critical Functions 120 vi 11.2 Step 2: Identifying the Resources That Support Critical Functions 120 11.3 Step 3: Anticipating Potential Contingencies or Disasters 122 11.4 Step 4: Selecting Contingency Planning Strategies 123 11.5 Step 5: Implementing the Contingency Strategies 126 11.6 Step 6: Testing and Revising 128 11.7 Interdependencies 129 11.8 Cost Considerations 130 Chapter 12 COMPUTER SECURITY INCIDENT HANDLING 12.1 Benefits of an Incident Handling Capability 134 12.2 Characteristics of a Successful Incident Handling Capability 137 12.3 Technical Support for Incident Handling 139 12.4 Interdependencies 140 12.5 Cost Considerations 141 Chapter 13 AWARENESS, TRAINING, AND EDUCATION 13.1 Behavior 143 13.2 Accountability 144 13.3 Awareness 144 13.4 Training 146 13.5 Education 147 13.6 Implementation 148 13.7 Interdependencies 152 13.8 Cost Considerations 152 vii Chapter 14 SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
Recommended publications
  • The 5 Things You Need to Do to Protect Yourself from Ransomware

    The 5 Things You Need to Do to Protect Yourself from Ransomware

    THE 5 THINGS YOU NEED TO DO TO PROTECT YOURSELF FROM RANSOMWARE ARE YOU RANSOMWARE-AWARE? In our recent survey* of more than RANSOMWARE is malware sent The 5 things you need to do to protect 3,000 people in the U.S. and Canada by criminals that encrypts your we learned that many are unaware of files and threatens to delete yourself from ransomware ransomware or how to defend against it. them if you don’t pay a ransom. By Stephen Cobb, ESET Senior Security Researcher ...said85% they would not pay the ransom fee and just risk losing their files, and Family photos and videos. Tax returns and other financial records. Business 15% said they would pay and take the chance that they may not even get documents. Think about everything that you keep on your computer. What their files back. would happen if it all was stolen from you? ...of42% people did not know if the internet That’s what a ransomware attack does. Criminals use this nasty breed security/antivirus they were using helped protect them from ransomware. of software to reach out over your internet connection and kidnap the contents of your computer, literally holding them for ransom. Ransomware silently encrypts all of your personal files, making them unreadable, and then demands that you send money to the criminal in order to restore them. ...of31% respondents NEVER backup their files. Those in the youngest age bracket (18-24) were the most likely age group to never back up files (35%). We surveyed over 3,000 people across the U.S.
  • Analyzing Cyber Trends in Online Financial Frauds Using Digital Forensics Techniques Simran Koul, Yash Raj, Simriti Koul

    Analyzing Cyber Trends in Online Financial Frauds Using Digital Forensics Techniques Simran Koul, Yash Raj, Simriti Koul

    International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-9 Issue-9, July 2020 Analyzing Cyber Trends in Online Financial Frauds using digital Forensics Techniques Simran Koul, Yash Raj, Simriti Koul Online frauds refer to the usage of Internet services or other Abstract: Online financial frauds are one of the leading issues open-source software requiring Internet access to frame users in the fields of digital forensics and cyber-security today. Various or to otherwise take advantage of them. Finance-related flaws online firms have been employing several methodologies for the are becoming quite commonplace today. The most common prevention of finance-related malpractices. This domain of criminal activity is becoming increasingly common in the present types of online financial frauds include: cyberspace. In this paper, we will try to implement an online Phishing: Here, the fraudsters acquire users’ sensitive data financial fraud investigation using the digital forensics tool: such as passwords and credit card credentials through email Autopsy. A few existing cyber-security techniques for the messages, fraud websites, and phone calls. investigation of such crimes, namely the Formal Concept Analysis Card Skimming: This crime involves the illegal extraction and Confirmatory Factor Analysis; have been analyzed and of the user’s sensitive financial details on the magnetic stripe reviewed. These techniques are primarily based on mathematical cyber-security concepts. Henceforth, it has been tried to find out from ATMs, debit, and credit cards. This is usually done by whether the investigation of similar crimes can be done the installation of malware on the card reader used by the satisfactorily using the readily-accessible digital forensics tool: victim.
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
  • BEST PRACTICES in Anti-Terrorism Security for Sporting and Entertainment Venues RESOURCE GUIDE

    BEST PRACTICES in Anti-Terrorism Security for Sporting and Entertainment Venues RESOURCE GUIDE

    Command, Control and Interoperability Center for Advanced Data Analysis A Department of Homeland Security University Center of Excellence BEST PRACTICES in Anti-Terrorism Security for Sporting and Entertainment Venues RESOURCE GUIDE July 2013 Table of Contents Introduction to the Project ............................................................................................................7 Background...................................................................................................................................8 Identifying Best Practices in Anti-Terrorism Security in Sports Venues ......................................8 Identifying the Key Best Practices and Developing Metrics for Each .........................................11 Developing a Best Practices Resource Guide .............................................................................13 Testing the Guid e ........................................................................................................................13 Executive Summary....................................................................................................................13 Chapter 1 – Overview.................................................................................................................15 1.1 Introduction...........................................................................................................................15 1.2 Risk Assessment ...................................................................................................................15
  • 193 194 Chapter 17

    193 194 Chapter 17

    National Institute of Standards and Technology Technology Administration U.S. Department of Commerce An Introduction to Computer Security: The NIST Handbook Special Publication 800-12 User Contingency Assurance I & A Issues Planning Personnel Training Access Risk Crypto Controls Audit Planning Management Support Physical Program Threats Policy & Management Security Operations Table of Contents I. INTRODUCTION AND OVERVIEW Chapter 1 INTRODUCTION 1.1 Purpose .................................................... 3 1.2 Intended Audience .......................................... 3 1.3 Organization ............................................... 4 1.4 Important Terminology ..................................... 5 1.5 Legal Foundation for Federal Computer Security Programs . 7 Chapter 2 ELEMENTS OF COMPUTER SECURITY 2.1 Computer Security Supports the Mission of the Organization. 9 2.2 Computer Security is an Integral Element of Sound Management. .............................................. 10 2.3 Computer Security Should Be Cost-Effective. ............... 11 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit. .......................................... 12 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations. ........................................ 12 2.6 Computer Security Requires a Comprehensive and Integrated Approach. ................................................. 13 2.7 Computer Security Should Be Periodically Reassessed. ...... 13 2.8 Computer Security is Constrained by Societal
  • Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

    NIST Special Publication 800-160 VOLUME 1 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems RON ROSS MICHAEL McEVILLEY JANET CARRIER OREN This publication contains systems security engineering considerations for ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes. It provides security-related implementation guidance for the standard and should be used in conjunction with and as a complement to the standard. This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-160v1 NIST Special Publication 800-160 VOLUME 1 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems RON ROSS Computer Security Division National Institute of Standards and Technology MICHAEL McEVILLEY The MITRE Corporation JANET CARRIER OREN Legg Mason This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-160v1 November 2016 INCLUDES UPDATES AS OF 03-21-2018: PAGE XIII U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Under Secretary of Commerce for Standards and Technology and Director SPECIAL PUBLICATION 800-160, VOLUME 1 SYSTEMS SECURITY ENGINEERING A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems ________________________________________________________________________________________________ Authority This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
  • Internet Security

    Internet Security

    Internet Security Thompson Davis & Co. (TD & Co.) is committed to protecting the security and confidentiality of customer information. We use a combination of state-of-the-art technology and methods to help to protect the security of your online information. • Internet Communication Security Measures - Any sensitive personal information that you send through TD & Co. is held in a secured environment, protected by tools such as firewalls and/or database field encryption. Please do not send any sensitive or personal information over email. TD & Co. will not electronically send any personal financial information to you unless you request us to do so. • Protect Yourself from Fraudulent Web Sites - Personal information shared over the Internet can be used to commit fraud. One common method is for thieves to create a web site using a name that is similar to that of a reputable business, for instance by using a common misspelling of the company's name. The intent is to lure you into clicking onto the copycat web site and giving your personal information, including your account number and password. We caution you to make sure of whom you are dealing with over the Internet and to understand what will be done with your information. Always check that you have typed the correct web site address before entering personal information onto a site. • Personal Computer Security – Regardless of the security measures TD & Co. takes to protect your online financial information, if the computer or network you are using to access this data is not secure, you run the risk of your financial information being compromised.
  • Malware Information

    Malware Information

    Malware Information Source: www.onguardonline.gov Malware Quick Facts Malware, short for "malicious software," includes viruses and spyware to steal personal information, send spam, and commit fraud. Criminals create appealing websites, desirable downloads, and compelling stories to lure you to links that will download malware – especially on computers that don't use adequate security software. But you can minimize the havoc that malware can wreak and reclaim your computer and electronic information. If you suspect malware is on your computer: • Stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. • Confirm that your security software is active and current. At a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. • Once your security software is up-to-date, run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem. • If you suspect your computer is still infected, you may want to run a second anti-virus or anti-spyware program – or call in professional help. • Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do to avoid it in the future. Malware is short for "malicious software;" it includes viruses – programs that copy themselves without your permission – and spyware, programs installed without your consent to monitor or control your computer activity. Criminals are hard at work thinking up creative ways to get malware on your computer. They create appealing web sites, desirable downloads, and compelling stories to lure you to links that will download malware, especially on computers that don't use adequate security software.
  • Practicing a Science of Security a Philosophy of Science Perspective

    Practicing a Science of Security a Philosophy of Science Perspective

    Practicing a Science of Security A Philosophy of Science Perspective Jonathan M. Spring Tyler Moore David Pym University College London The University of Tulsa University College London Gower Street 800 South Tucker Drive London WC1E 6BT London WC1E 6BT Tulsa, OK 74104-9700 Alan Turing Institute [email protected] [email protected] [email protected] ABSTRACT Experiments Structured observations of the empirical are untenable world Our goal is to refocus the question about cybersecurity re- Reproducibility Evaluate by repetition, replication, varia- search from ‘is this process scientific’ to ‘why is this scientific is impossible tion, reproduction, and/or corroboration process producing unsatisfactory results’. We focus on five No laws of common complaints that claim cybersecurity is not or can- Mechanistic explanation of phenomena nature not be scientific. Many of these complaints presume views to make nature intelligible No single associated with the philosophical school known as Logical Em- Specialization necessitates translation ontology piricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathe- ‘Just’ Both science and engineering are neces- matical modeling methods, provides constructive resources engineering sary to mitigate all purported challenges to a science of security. Table 1: Five common complaints raised by the science of cy- Therefore, we argue the community currently practices a bersecurity community and positive reframing from the phi- science of cybersecurity. A philosophy of science perspective losophy of science literature. suggests the following form of practice: structured observa- tion to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within Its proponents claim a science of security is needed for ongo- their own expertise, inter-translating where necessary.
  • Internet Security Threat Report Volume 24 | February 2019

    Internet Security Threat Report Volume 24 | February 2019

    ISTRInternet Security Threat Report Volume 24 | February 2019 THE DOCUMENT IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. INFORMATION OBTAINED FROM THIRD PARTY SOURCES IS BELIEVED TO BE RELIABLE, BUT IS IN NO WAY GUARANTEED. SECURITY PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT (“CONTROLLED ITEMS”) ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER FOR YOU TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT SUCH CONTROLLED ITEMS. TABLE OF CONTENTS 1 2 3 BIG NUMBERS YEAR-IN-REVIEW FACTS AND FIGURES METHODOLOGY Formjacking Messaging Cryptojacking Malware Ransomware Mobile Living off the land Web attacks and supply chain attacks Targeted attacks Targeted attacks IoT Cloud Underground economy IoT Election interference MALICIOUS
  • Cybersecurity & Computing Innovations

    Cybersecurity & Computing Innovations

    Cybersecurity & Computing Innovations: Notes In this lesson: - Online Security - Legal & Ethical Concerns - Computing Innovations Online Security: ● Personal identifiable information (PII) is information about an individual that identifies links, relates, or describes them. ● Examples of PII include: ○ Social Security Number ○ Age ○ Race ○ Phone numbers ○ Medical information ○ Financial information ○ Biometric data (fingerprint and retinal scans) ● Search engines can record and maintain a history of search made by users. ○ Search engines can use search history to suggest websites or for targeted marketing. ● Websites can record and maintain a history of individuals who have viewed their pages. ○ Devices, websites, and networks can collect information about a user’s location. ● Technology enables the collection, use, and exploitation of information about by and for individuals, groups and institutions. ● Personal data such as geolocation, cookies, and browsing history, can be aggregated to create knowledge about an individual. ● Personal identifiable information and other information placed online can be used to enhance a user’s experiences. ● Personal identifiable information stored online can be used to simplify making online purchases. ● Commercial and government curation (collection) of information may be exploited if privacy and other protections are ignored. ● Information placed online can be used in ways that were not intended and that may have a harmful effect. ○ For example, an email message may be forwarded, tweets can be retweeted, and social media posts can be viewed by potential employers. ● Personal identifiable information can be used to stalk or steal the identity of a person or to aid in the planning of other criminal acts. ● Once information is placed online, it is difficult to delete.
  • DDS Security Specification Will Have Limited Interoperability with Implementations That Do Implement the Mechanisms Introduced by This Specification

    DDS Security Specification Will Have Limited Interoperability with Implementations That Do Implement the Mechanisms Introduced by This Specification

    An OMG® DDS Security™ Publication DDS Security Version 1.1 OMG Document Number: formal/2018-04-01 Release Date: July 2018 Standard Document URL: https://www.omg.org/spec/DDS-SECURITY/1.1 Machine Consumable Files: Normative: https://www.omg.org/spec/DDS-SECURITY/20170901/dds_security_plugins_spis.idl https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd https://www.omg.org/spec/DDS-SECURITY/20170901/dds_security_plugins_model.xmi Non-normative: https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance_example.xml https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions_example.xml Copyright © 2018, Object Management Group, Inc. Copyright © 2014-2017, PrismTech Group Ltd. Copyright © 2014-2017, Real-Time Innovations, Inc. Copyright © 2017, Twin Oaks Computing, Inc. Copyright © 2017, THALES USE OF SPECIFICATION – TERMS, CONDITIONS & NOTICES The material in this document details an Object Management Group specification in accordance with the terms, conditions and notices set forth below. This document does not represent a commitment to implement any portion of this specification in any company's products. The information contained in this document is subject to change without notice. LICENSES The companies listed above have granted to the Object Management Group, Inc. (OMG) a nonexclusive, royalty-free, paid up, worldwide license to copy and distribute this document and to modify this document and distribute copies of the modified version. Each of the copyright holders listed above has agreed that no person shall be deemed to have infringed the copyright in the included material of any such copyright holder by reason of having used the specification set forth herein or having conformed any computer software to the specification.