Implementando segurança e controle em redes de computadores / Implementing security and control in computer networks

Bertholdo, Leandro Márcio

January 1997

O crescimento e proliferação da Internet nos últimos anos tem trazido à tona vários problemas relativos à segurança e operacionabilidade das máquinas de universidades e empresas. Inúmeras invasões são realizadas anualmente. Entretanto, a grande maioria delas não possui registro algum, sendo muitas vezes de total desconhecimento do administrador local. Para prover soluções para estes problemas foi realizado um estudo, aqui apresentado, que tem como principal objetivo propor uma filosofia de gerência de segurança. São utilizados para isso conceitos de gerenciamento de redes como SNMPv2, aliado à implementação de um conjunto de ferramentas que garantam a integridade dos vários sistemas envolvidos. O resultado foi um sistema denominado CUCO1, que alerta sobre tentativas de ataque e situações de risco. CUCO foi projetado para permitir a um administrador, protegido ou não por uma firewall, dispor de um controle maior e melhor sobre acessos e tentativas de acessos indevidos à sua rede. O sistema usa uma estratégia de monitoração de eventos em diferentes níveis e aplicações, tentando com isto detectar e alertar a ocorrência de ataques tradicionais. Também está incorporado um bloco de funções que visam identificar um agressor situado em algum lugar da Internet, e obter maiores informações sobre ele e o domínio onde esta localizado. / The Internet increase and proliferation in the last years has brought a lot of problems related to the security and handling of hosts in universities and corporations. Many break-ins are done each year, without any record or knowledge by the site’s administrator. To give solutions to this problems was made up a study, here presented, has as the main goal the proposal of a security management philosophy. Are used network management concepts, joined with a toolkit to ensure the integrity of many systems envolved. The result was a system named CUCO2, that alerts about attacks and risks situations. CUCO was designed to allow an administrator, protected or not by firewall, to have a bigger and better access control in his network. The system uses an event monitor strategy in different levels and applications, trying to detect and alert the occurrence of common attacks. Moreover, it is also incorporated by a set of functions that attempt to identify aggressor’s location in any place in the Internet, and get information about him and the domain where he is located.

Redes : Computadores

Seguranca : Redes : Computadores

Gerencia : Redes : Computadores

Firewall

Computer networks

Network management

Data security

System security

Security management

Tools

The development of a technique to establish the security requirements of an organization

Gerber, Mariana

January 2001

To perform their business activities effectively, organizations rely heavily on the use of information (ISO/IEC TR 13335-2, 1996, p 1). Owens (1998) reiterates this by claiming that all organizations depend on information for their everyday operation and without it business will fail to operate (Owens, 1998, p 1-2). For an organization it means that if the right information is not available at the right time, it can make the difference between profit and loss or success and failure (Royds, 2000, p 2). Information is an asset and just like other important business assets within the organization, it has extreme value to an organization (BS 7799-1, 1999, p 1; Humphreys, Moses & Plate, 1998, p 8). For this reason it has become very important that business information is sufficiently protected. There are many different ways in which information can exist. Information can be printed or written on paper, stored electronically, transmitted electronically or by post, even spoken in conversation or any other way in which knowledge and ideas can be conveyed (URN 99/703, 1999, p. 2; Humphreys, Moses & Plate, 1998, p 8; URN 96/702, 1996, p 3).It is, therefore, critical to protect information, and to ensure that the security of IT (Information Technology) systems within organizations is properly managed. This requirement to protect information is even more important today, since many organizations are internally and externally connected by networks of IT systems (ISO/IEC TR 13335-2, 1996, p 1). Information security is therefore required to assist in the process of controlling and securing of information from accidental or malicious changes, deletions or unauthorized disclosure (Royds, 2000, p 2; URN 96/702, 1996, p 3). By preventing and minimizing the impact of security incidents, information security can ensure business continuity and reduce business damage (Owens, 1998, p 7). Information security in an organization can be regarded as a management opportunity and should become an integral part of the whole management activity of the organization. Obtaining commitment from management is therefore extremely important for effective information security. One way in which management can show their commitment to ensuring information security, is to adopt and enforce a security policy. A security policy ensures that people understand exactly what important role they play in securing information assets.

Computer security -- Management

Computers -- Access control

Information Classification in Swedish Governmental Agencies : Analysis of Classification Guidelines

Anteryd, Fredrik

January 2015

Information classification deals with the handling of sensitive information, such as patient records and social security information. It is of utmost importance that this information is treated with caution in order to ensure its integrity and security. In Sweden, the Civil Contingencies Agency has established a set of guidelines for how governmental agencies should handle such information. However, there is a lack of research regarding how well these guidelines are followed as well as if the agencies have made accommodations of these guidelines of their own. This work presents the results from a survey sent to 245 governmental agencies in Sweden, investigating how information classification actually is performed today. The questionnaire was answered by 144 agencies and 54 agencies provided detailed documents of their classification process. The overall results show that the classification process is difficult, while those who provided documents proved to have good guidelines, but not always consistent with the existing recommendations.

Information Security Management Systems

Information Classification

Classification Guidelines

ISO/IEC 27000

Governmental agencies

Computer and Information Sciences

Data- och informationsvetenskap

A data protection methodology to preserve critical information from the possible threat of information loss

Schwartzel, Taryn

03 October 2011

M.Tech. / Information is a company’s greatest asset that is continually under threat from human error, technological failure, natural disasters and other external factors. These threats need to be identified and quantified and their relevant protection techniques need to be deployed. This research will allow businesses to ascertain which of these data protection strategies to embrace and deploy, thereby highlighting the balance between cost and value for their business needs. Every commercial enterprise should understand the business value of their data and realise that protecting this data is of utmost importance. However, company data often resides on different mediums, in different locations and implementing a data protection strategy is not always cost effective in terms of the cost of storage mediums and protection methods. The challenges that businesses face is trying to distinguish between mission-critical data from other business data, excluding any non-business or invaluable data that resides on their systems. Thus a cost-effective data protection strategy can be implemented according to the different values of business data. This research provides a model to enable an organisation to: · Utilise the model as a framework or guideline in determining a strategy for protection, storage, retrieval and preservation of business critical data. · Define the data protection strategy to meet the organisation’s business requirements. · Define a cost effective data protection solution that encompasses protection, storage, retrieval and preservation of business critical data. · Make strategic decisions based on an array of best practices to ensure mission-critical data is protected accordingly. iii · Draw a conclusion between the costs of implementing these solutions against the real business value of the data that it protects.

Data protection

Computer security management

Electronic commerce - Security measures

Strategie pro rozvoj vzdělávání v oblasti bezpečnosti ICT na vysokých školách / Strategy for the development of education in the field of ICT security at universities

Sulanová, Monika

January 2017

The thesis deals with the problems of education in ICT security experts at universities in order to design a strategy for the development of education in present degree courses that dealing with this issue. The theoretical part focuses on the definition of ICT security and to familiarize the reader with the basic concepts of information security management and management of cyber security and gives an overview of the overall development of ICT security and the current trends in this area. It also describes the current situation on the labor market in relation to ICT security and the education of professionals in this field and characterizes the existing recommendations for education in ICT security. Practical part focuses on analyzing the current education ic ICT security and on analyzing the knowledge and skills requirements of the labor market to professionals in this area. Defines the basic professional role and knowledge domains that should be covered by this role. In the analytical part they are evaluated current profiles of graduates Master's degree programs focused on this area in order to find gaps in the knowledge base of graduates based on the requirements of the labor market and the existing recommendations. The results of the analysis are input to define a strategy on education in ICT security, which gives basic recommendations on how to eliminate the shortcomings.

Možnosti zajištění informační bezpečnosti pomocí definice standardního chování zaměstnanců / Options to ensure information security by defining a standard behavior of employees

Dvořák, Martin

January 2009

Continually the number of transactions carried out electronically via the internet has grown, as well as the number of users of IT (information technology). In the same way are accruing transactions that may be at risk in terms of information security as well as an increasing number of security incidents threatening financial gain or thefts of sensitive information. Attackers carried out attacks in order to make financial gains using more sophisticated methods, sophisticated not only using information technology but also using social engineering techniques. This growing trend is known about by governments and measures are being taken to help increase the information security of the state. This is evidenced by the fact that the European Parliament recently approved the following Directive Directive of the European parliament and of the council concerning measures to ensure a high common level of network and information security across the Union and the ensuing law on cyber security (Act No. 181/2014 Coll.) adopted by the Parliament of the Czech Republic in the summer of 2014. This act orders organizations which are maintaining critical infrastructure to implement a system to evaluate cybersecurity events (user behavior). So far no unified approach to implement such systems has been defined. Author defines standardized methodology for implementation of systems which evaluate user behavior with focus on optimization of data which these systems have to process to ensure their efficient functionality.

Návrh průmyslového řešení ISMS / Design of Industrial Solutions ISMS

Havlík, Michal

January 2017

Thesis deals with industrial solutions of ISMS mainly network infrastructure. First introduction into theoretical background of the thesis. Further analysis of the current situation in the company and its evaluation. Consequently, the design of solution done to meet the standards of ISO / IEC 27000.

Návrh zavedení řízení bezpečnosti informací s důrazem na budování bezpečnostního povědomí v příspěvkové organizaci / Proposal to introduce information security management with emphasis on building security awareness in a contributory organisation

Chudoba, David

January 2019

The thesis deals with the information security management system in the organization together with building of security awareness among employees. The theme is focused on the custom made proposal for a contributory organization in which personal and sensitive data are being processed. In the process of controlled change, the individual steps of the design will be gradually implemented in order to increase the security and bring the ongoing processes in the organization into line with the requirements of the GDPR.

Návrh systémového řízení inteligentního domu a jeho zabezpečení / Design of smart home control systém and security management

Valentová, Kateřina

January 2019

This master's thesis is focused on design of smart home control system with focus onsecurity of system in terms of information, network and physical security. Design is based on the requirements of the house owner and his needs. In thesis is assembled risk analysis with security measures to the individual threats. Complete design of cable system is not a part of this work, thesis is particularly focused on questions about security of the entire intelligent system.

Návrh metodiky pro zavedení ISMS / Design of Methodology for Implementation of ISMS

Dokoupil, Ondřej

January 2016

This master’s thesis deals with the design of methodology for implementation of ISMS (Information Security Management System). The theoretical part describes the basic principles and procedures for processing of this domain, including normative and legal - legislative aspects. The next section is an analysis of the current state of the organization. On its basis the practical part is drafted, including an economic evaluation of the project and possible benefits of implementation.