It3 4 4 1 1


1. Security-aware development and operation

NHIT IT3 Friends' Society meeting, 2009.02.06. - Rátai Balázs, Krauth Péter -

2. Definitions

  • Information security is the means of establishing security in the organizational sense.
  • One defining pillar of information security is IT security, understood as protection against risks (acts, external effects, or states arising as their consequence) that impede or endanger the expected operation (secure operation) of IT systems and devices (software, hardware, or a combination of these).
  • IT security (secure operation) is by definition a quality that can only be determined individually, based on the specific purpose of use; this does not, however, rule out the possibility of classification into types.
  • The term IT system and product is used in a broad sense that also covers operation and use; in view of the growing role of Internet applications and services, IT systems are understood to include data transmission and telecommunications networks as well.

Network and Information Security "NIS": means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.

Network: means transmission systems, switching or routing equipment and other resources which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems (for the purpose of transmitting signals), networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed.

Information system: means computers and electronic communication networks, and also electronic data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.

3. Growing security risks

  • in most cases security considerations are not enforced during the development phase
      • producing secure IT products and systems takes longer and incurs additional costs
      • product and system development methodologies capable of guaranteeing an adequate level of security did not exist (and still do not)

4. KNOWLEDGE, OPERATIONAL PROBLEMS, DESIGN FLAWS

The Boulton and Watt machines used low-pressure steam (from 5 to 15 psi), which limited both their efficiency and economy. Higher pressure (i.e., above atmospheric pressure) would have permitted more powerful and economical engines, but Watt opposed it on the grounds that it increased the danger of explosion and thus constituted an unacceptable risk. The first wide-spread application of the high-pressure engine, on steamboats, resulted in frequent and disastrous explosions: passengers and crew were blown up, scalded to death, hit by flying fragments of iron, and blown off steamers to drown. Accidents were also common in industrial uses of high-pressure steam. The early steam engines used inferior materials; they had low standards of workmanship; the mechanics lacked proper training and skills; and there were serious problems with quality control. The risk from this type of machine came from the boiler and not from the engine itself: It was the boiler that was exploding and causing most of the casualties. The technological development of boilers lagged behind the rapid improvement of the engines. Engineers quickly amassed scientific information about thermodynamics, the action of steam in the cylinder, the strength of materials in the engine, and many other aspects of steam engine operation. But there was little scientific understanding about the buildup of steam pressure in the boiler, the effect of corrosion and decay, and the causes of boiler explosions.

Although computer hardware technology has advanced at an astounding rate, the development of software engineering has been slower. It has also been slower than required for the complex systems we want to build, like a space station or automatically controlled nuclear power plants.

Watt and others were correct in their belief that new standards of precision and safety were essential in the design, manufacture, and operation of the engines. These high standards were finally enforced in Britain in the latter part of the nineteenth century, and boiler explosions in Britain fell dramatically.

High-Pressure Steam Engines and Computer Software, Nancy G. Leveson, Computer Science and Eng. Dept., FR-35, University of Washington, Seattle, WA 98195

5. KNOWLEDGE AND TECHNOLOGIES, OPERATION, DESIGN, IMPLEMENTATION

6. Prevention, detection, response

7. Reactive, proactive defense

8. Secure software development

  • US CERT Survivable Systems Engineering
      • Flow-Service-Quality (FSQ) Engineering: Foundations for Developing Network-Centric Systems
      • System Component Composition: Engineering Automation for Understanding System Behavior
      • Software Correctness Verification: Engineering Automation for Software Assurance
      • Computational Security Attributes: Engineering Automation for Software Security Analysis
      • Function Extraction for Software Assurance: Engineering Automation for Computing Software Behavior
      • SQUARE: Requirements Engineering for Improved System Security
      • LEVANT: Protocols for Anonymity and Traceability Tradeoffs
      • SAF: Survivability Analysis Framework

"Ninety-five percent of software bugs are caused by the same 19 programming flaws." Amit Yoran, Former Director of The Department of Homeland Security's National Cyber Security Division

  • Buffer overruns
  • Format string problems
  • Integer overflows
  • SQL injection
  • Command injection
  • Failure to handle errors
  • Cross-site scripting
  • Failure to protect network traffic
  • Use of magic URLs and hidden forms
  • Improper use of SSL
  • Use of weak password-based systems
  • Failure to store and protect data securely
  • Information leakage
  • Trusting network address resolution
  • Improper file access
  • Race conditions
  • Unauthenticated key exchange
  • Failure to use cryptographically strong random numbers
  • Poor usability

9. Secure hardware

  • Trusted Computing Group
      • Trusted Platform Module (TPM)
      • Trusted Network Connect ("TNC") protocol

10. Security evaluation and certification

  • State regulation, industry practices (Basel II, Sarbanes-Oxley, NATO)
  • Consolidation among the currently competing security standards and certification schemes (ISO/IEC 27001, COBIT, and ISO/IEC 15408 Common Criteria)
  • IT applications that examine and verify compliance with security requirements and support the enforcement of security rules

11.

  • Security-aware software development becoming general practice
  • Emergence of secure hardware platforms
  • Security-aware development and operation becoming general practice
  • Spread of the use of IT security standards
  • IT security regulation becoming general practice

2005 2010 2020