SlideShare a Scribd company logo

Jb ia

Download as PPTX, PDF
D
Deepal Samaraweera

Information security has evolved from securing physical access to mainframes during World War II to modern concerns over networked and digital assets. It began with physical controls but now addresses software, data, networks and more. Effective security requires balancing protection with reasonable access and is best achieved through a structured methodology like SecSDLC that considers security in all phases from analysis to maintenance. Information security seeks to preserve the confidentiality, integrity and availability of information through technical, operational and personnel countermeasures.

1 of 135
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
Information Assurance and Security Dr. Jayalath Ekanayake
3 Introduction  Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)  Necessary to review the origins of this field and its impact on our understanding of information security today
4 The History of Information Security  The first mainframes, which used to aid code- breaking computations during World War II  How the security was provided?  Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition by security guards  Primary threats to information security: physical theft of equipment, spying against the products of the systems, and sabotage
5 Figure 1-1 – The Enigma Principles of Information Security, 2nd Edition
6 The History of Information Security  1st documented problem that is not in physical nature (Early 1960s)  One administrator editing a file and another administrator was editing the password file  A software called glitch mixed the two files and printed on every output file
7 History of Internet  Objective: Link mainframes to share information  Advanced Research Procurement Agency (ARPA) began to examine feasibility of redundant networked communications  Larry Roberts developed ARPANET from its inception  ARPANET is the first Internet
 70s- 80s, ARPANET became popular and more widely used  At the same time potential for its misuse grew  Robert M.“Bob”Metcalfe (1973), identified fundamental problems of ARPANET with the development of the Ethernet (networking protocol) Principles of Information Security, 2nd Edition 9
10 Drawbacks of ARPANET  Fundamental problems with ARPANET:  No safety procedures for dial-up connections to ARPANET  Non-existent user identification and authorization to system
11 R-609- Formal Report of IS  Information security began with Rand Report R- 609 (paper that started the study of computer security)  Defines mechanisms for protecting systems  Scope of computer security grew from physical security to include:  Safety of data  Limiting unauthorized and random access to data  Involvement of personnel from multiple levels of an organization in matters pertaining to information security
12 The History of Information Security  Multics  Operating System  Security is the primary goal  Unix was developed  Late 1970s: Microprocessor invented and expanded computing capabilities and security threats  From mainframe to PC  Decentralized computing  Need for sharing resources increased  Major changed computing
13 The 1990s  Internet was born (global network of networks)  Virtually all computers connected to the Internet  In early Internet deployments, security was treated as a low priority  Only the physical protection was considered  Now, data and information protection are the highest priority.
14 The Present  The Internet brings millions of computer networks into communication with each other—many of them unsecured  Ability to secure a computer’s data influenced by the security of every computer to which it is connected
15 What is Security?  “The quality or state of being secure—to be free from danger”  In other words, protection against adversaries  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
16 What is Information Security (InfoSec)?  “The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information” by NSTISSC  Necessary tools: policy, awareness, training, education, technology  NSTISSC defined the model of IS:  C.I.A. triangle (key objectives confidentiality, integrity, and availability)
17Principles of Information Security, 2nd Edition
C.I.A. Triangle Principles of Information Security, 2nd Edition 18
Drawbacks of CIA Model  Does not adequately address the present issues.  CIA model expanded 19
20 Critical Characteristics of Information  The value of information comes from the characteristics it possesses:  Availability  No interference or obstruction for authorized users  No delaying and in required format  Accuracy  No errors  Authenticity  Data origin: i.e., sender of an email  Confidentiality  Prevent discoursing information to unauthorized users
21 Critical Characteristics of Information  Integrity  Prevent unauthorized modifications or damages  Virus or worm can change the integrity  Transmission errors  Integrity checking mechanism: Size of the file, hash values, error-correcting codes, retransmission  Utility  Meaning of information (format of information)  Applicability of information for some purposes
Critical Characteristics of Information contd..  Possession  Ownership  Breach of confidentiality results in the breach of possession, not the reverse 22
NSTISSC Security Model  National Training Standard for Information Systems Security Professionals (NSTISSC)  Documentation prepared by John McCumber : http://www.cnss.gov/Assets/pdf/nstissi_40 11.pdf  Graphical representation of this model : McCumber Cube  27 cells representing areas that must be 23
24 Figure 1-4 – NSTISSC Security Model NSTISSC Security Model Principles of Information Security, 2nd Edition
25 Components of an Information System  Software  Perhaps most difficult to secure  Bugs, weaknesses, or other fundamental problems create security wholes  Hardware  Physical security policies  Securing physical location important  Laptops  Flash memory
26 Components of an Information System  Data  Often most valuable asset and main target of intentional attacks  Use of DBMS to protect data  People  Always been threats to IS  Must be well trained, educated and informed  Procedures  Written instructions for accomplishing a specific task  Unauthorized use of procedures  Educating employees about safeguarding the
Components of an Information System  Networks  Locks and keys won’t work  Implementation of alarm and intrusion systems to make system owners aware of ongoing compromises 27
28 Securing Components  Computer can be subject of an attack and/or the object of an attack  When the subject of an attack, computer is used as an active tool to conduct attack  When the object of an attack, computer is the entity being attacked  2 types of attack  Direct  Hacker uses their computer to break into a system  Indirect  System is compromised and used to attack other systems
Principles of Information Security, 2nd Edition 29 Figure 1-5 – Subject and Object of Attack
30 Information Security Vs. Access  Impossible to obtain perfect security—it is a process, not an goal  Security should be considered balance between protection and availability  To achieve the balance, level of security must allow reasonable access, yet protect against threats
31 Figure 1-6 – Balancing Security and Access Principles of Information Security, 2nd Edition
32 Security implementation mechanisms: Bottom-Up Approach  Incremental process that begins from grassroots level : initiated by system admin  Needs coordination, time and patience  Advantages:  System administrator can gain technical expertise  Disadvantages:  Sometimes bottom-up approach is not working  Lack of participant support and organizational
33 Security Implementation Mechanisms: Top-down Approach  Initiated by upper management  Issue policy, procedures and processes  Dictate goals and expected outcomes of project  Determine accountability for each required action  Formal Top-Down approach: Systems Development Life Cycle (SDLC)
Principles of Information Security, 2nd Edition 34
35 Systems Development Life Cycle (SDLC)  Systems Development Life Cycle (SDLC) is methodology for designing and implementation of information system  SDLC can be used for developing security systems also: (SecSDLC)  Methodology contains structured sequence of procedures  Traditional SDLC consists of six general phases
Principles of Information Security, 2nd Edition 36
How to secure SDLC?  Each of the phases of the SDLC should include security measurements  Investigation/Analysis Phases:  Security Categorization — defines three levels (i.e., low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security.  Preliminary risk Assessment:  basic security needs of the system  define the threat environment in which the system 37
How to secure SDLC?  Logical/Physical Design Phases:  Risk Assessment: identifies the protection requirements for the system through a formal risk assessment process  Cost Considerations and Reporting: the development cost of ISec system  Security Planning: provides complete description of IS and reference materials of ISec system.  Security Test and Evaluation: Design and develop a complete security test plan 38
How to secure SDLC?  Implementation Phase:  Inspection and Acceptance: verifies that the functionality described in the specification is included in the deliverables  System Integration: System is integrated at the operational site and all the security controls are available  Security Certification: verify the security controls are working properly 39
How to secure SDLC?  Maintenance & Change Phase:  Configuration Management and Control: consideration of the potential security impacts due to specific changes to an information system or its surrounding environment.  Continuous Monitoring: Periodical tests for assuring the security controls are working 40
41 The Security Systems Development Life Cycle  The same phases as traditional SDLC  Identification of specific threats and creating controls to counter them  SecSDLC is a logical program rather than a series of random, seemingly unconnected actions
42 The Security Systems Development Life Cycle  Investigation  Identifies process, outcomes, goals, and constraints of the project (initiated by the upper management)  Begins with enterprise information security policy  Analysis  Existing security policies, legal issues  Perform risk analysis: the threats to the organization’s security
43 The Security Systems Development Life Cycle  Logical Design  Creates and develops blueprints for information security (IS)  Implements key policies that influence the IS  Design Incident response actions: Continuity planning, Incident response, Disaster recovery  Feasibility analysis to determine whether project should continue or be outsourced  Physical Design
44 The Security Systems Development Life Cycle  Implementation  Security solutions are acquired, tested, implemented, and tested again  Personnel issues evaluated; specific training and education programs conducted  Entire tested package is presented to management for final approval  Maintenance and Change  Constant changing threats  Constant monitoring, testing updating and implementing change
45 Security Professionals and the Organization  Wide range of professionals required to support a diverse information security program  Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program
46 Senior Management  Chief Information Officer (CIO)  Senior technology officer  Primarily responsible for advising senior executives on strategic planning  Chief Information Security Officer (CISO)  Primarily responsible for assessment, management, and implementation of IS in the organization  Usually reports directly to the CIO
47 Information Security Project Team  A number of individuals who are experienced in one or more facets of technical and non- technical areas:  Champion: Senior executive who promotes the project  Team leader: project manager, departmental level manager  Security policy developers  Risk assessment specialists  Security professionals  Systems administrators  End users
48 Data Ownership  Data Owner: responsible for the security and use of a particular set of information  Data Custodian: responsible for storage, maintenance, and protection of information  Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
49 Communities Of Interest  Group of individuals united by similar interest/values in an organization  Information Security Management and Professionals  Information Technology Management and Professionals  Organizational Management and Professionals
50 Key Terms  Access  Asset  Attack  Control, Safeguard or Countermeasure  Exploit  Exposure  Hacking  Object  Risk  Security Blueprint  Security Model  Security Posture or Security Profile  Subject  Threats  Threat Agent  Vulnerability
51 Critical infrastructure  From Wikipedia.  Critical infrastructure is a term used by governments to describe systems or material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:  electricity generation and distribution;  telecommunication;  water supply;  agriculture, food production and distribution;  heating (natural gas, fuel oil);  public health;  transportation systems (fuel supply, railway network, airports);  financial services;  security services (police, military).  Critical-infrastructure protection is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.
52 Summary  Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”  Computer security began immediately after first mainframes were developed  Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
53 Summary  Security should be considered a balance between protection and availability  Information security must be managed similar to any major system implemented in an organization using a methodology like SecSDLC  Implementation of information security often described as a combination of art and science
Model for Information Assurance  Model for information security: McCumber Cube by John McCumber  Information Systems Security (INFOSEC) has evolved into Information Assurance (IA)  Information Assurance not only expands the coverage, but also responsibilities and accountability of security professionals.  InfoSec Model needs changes 54
MSR Model  Has four dimensions:  Information States  Security Services  Security Countermeasures  Time
MSR Model: Information States  Three states  stored  processed  Transmitted  Information can be in two states at a time:  Eg: sending an email ( transmission and storage states)
MSR Model: Security Services  Five security services  Availability  Integrity  Authentication  Confidentiality  Non-Repudiation
MSR Model: Security Countermeasures  technology  operations  people
MSR Model: Time  Time has an impact of all the dimensions of the model  Eg: introduction of new technology, over time, requires modifications to other dimensions of the integrated model in order to restore a system to a secure state of operation.  human side of the time line leads to career progression
Computer Forensics and Techniques  What is Computer Forensics?  scientific study or research for the purpose of gathering digital evidence in cases of cyber crimes or for other scientific research purposes.  Who can conduct Computer Forensics?  a government authorized computer forensic agent  in SL - Digital Forensic Lab operated by SL police 60
Computer Forensics and Techniques  What are the offences under the Computer Crime Act No. 24 of SL constitute?  Hacking  Unauthorized access to the system and manipulated Data  Collecting, Changing, Corruption and destroying of data without approval.  Offences against National Security, National Economy and Public Order.  Offences resulting in cheating amounting to 61
Computer Forensics and Techniques  Digital evidence is just as any evidence but the difference is it is digital evidence exists in digital form like computer data, disks, printed documents, etc.  Digital evidence could be encrypted or hidden (not easy to access)  Need forensics techniques to analyze digital evidences 62
Basic Computer Forensic Techniques  Can be categorized into two:  For Computer Networks  For Computer Systems 63
Forensic Techniques: for computer networks  Packet Sniffing: pulling out critical data packets from these networks  Packets can contain useful information such as username, password, incoming/out going emails etc.  IP Address Tracing: to identify the data/message origin  Email Address Tracing: this can be achieved by analyzing email headers 64
Forensic Techniques: for Computer Systems  File Structure  Look for suspicious files: which are encrypted, hidden, hashed with some algorithms.  Storage Media  Erase or formatted data  Advance techniques to recover data  Sometimes, data fragment is sufficient for digital evidences 65
Forensic Techniques: for Computer Systems  Steganography  Hiding information in images, sounds or any other file format  Extremely difficult to recover the original format  Steg-Analysis and decryption techniques are useful for data recovery  Prints are print outs which are taken from a computer printer device 66
Tools used in computer forensic  Hex Editors  Disassemblers  Disk Analyzers  Decryptors  Packet Sniffers  DNS Tools 67
Computer Forensics Jobs  A computer forensics investigator combats against crimes which range from damaged file system recovery on computers to crimes against children.  The need for computer forensic specialists is rising due to rising number of cyber crimes  Duties of a computer forensic specialist: recovering, assessing, and presenting the computer data in such a way that they can 68
OSI Security Architecture defined by ITU-T for OSI Security Attacks Security Services Security Mechanisms
Security Attacks Passive Attacks Active Attacks
Passive Attacks Reading Content Monitoring Traffic
Active Attacks  Masquerade: One entity pretends to be a different entity  Replay: Passive capture of data units and subsequent retransmission  Modification of Messages: Some potion of original message is altered. Eg: “ Allow Floria Serban to read the file accounts” is modified to mean “ Allow Dorothie Rinhard to read the file accounts”
Jb ia
Jb ia
Jb ia
Jb ia
Active Attacks Contd..  Denial of Services: Prevents the normal use of communication facilities. Eg: direct all the messages to another destination, disruption of all the network by overloading to degrade performances or disabling the network
Active attacks Vs. Passive attacks  Passive attacks: difficult to detect, but measures are available to prevent  Active attacks: Quite difficult to prevent absolutely The goal is to detect active attacks and recover from any distruption
Security Services  X.800 defines a security service as a service that provided by the protocol layer
Security Services  Availability  Authentication  Confidentiality  Integrity  Non-repudiation
Security Mechanisms  Encipherment  Digital signature  Access control  Data integrity  Authentication exchange  Traffic padding  Routing control
Cryptography  Symmetric encryption and Message confidentiality
Cryptographic System classification  Type of operations used for transforming plain text into ciphertext  Number of keys used  Single key : Symmetric encryption  Multiple keys: Asymmetric encryption (public- key)  The way in which the plain text is processed (block or characters)
Cryptanalysis  The process of attempting to identify the plain text or key  Cryptanalyst: Who analyses the encrypted message
Feistal Cipher Structure  Described by Horst Feistel of IBM in 1973  Feistal structure is a model for most of symmetric block cipher
Feistal Cipher Structure contd. 86
Symmetric Block Encryption Algorithms  Data Encryption Standards (DES)  Triple DES (3DES)  Advanced Encryption Standards (AES)
Weakness of DES  In July 1998 Electronic Frontier Foundation (EFF) had broken DES
Public-key Cryptography and Message Authentication  Encryption protects against passive attacks  Message authentication protects against active attacks
Message Authentication without Message Encryption  No encrypted message, but authentication tag is merged to the message  The message can be read independent of authentication tag Applications: if the recipient heavily overloaded usually then decrypting each message would cost more time. In such a case only authentication is sufficient
Message Authentication Code (MAC)  Use common secret key Kab  MACM =F(Kab ,M): Number of methods available for generating MAC  MAC is calculated by both parties to check the authenticity  Assumption: secret key is shared through secure channel
Jb ia
Function F:  F can be of encrypting the message with DES and the MAC is the last 16 or 32 bits.
One-Way Hash Function  Fixed–size message digest: H(M), where M is variable size message  No secret key  H(M) attached with the message and the recipient compares the message digest with the computed one  H(M) can be encrypted using symmetric (single key) or asymmetric (public key) method
 No encryption but uses a hash function that concatenates a secret value(Sab) with message. Secret value is sheared through a secure channel.  MDM =H(Sab|| M) and send [M || MDM ] This method is known as HMAC and adapted for IP security.
Public-Key Cryptography  Alternate to the symmetric encryption  First proposed by Diffe and Hellman (1976)  Based on mathematical function rather than bit wise operations  Use two keys: public and private  No key shring
Ingredients  Plain text  Encryption algorithm  Public, private key  Cipher text  Decryption algorithm
Essential Steps  User creates a pair of keys  Place one key in public register (public key), other key in private place (private key)  Eg: Bob sending message to Alice, Bob encrypts the message using Alice’e public key and when the message receives to Allice, she decrypts it using her private key
Properties of PKC  No key distribution  User can replace the private and public key at any time
Application for Public-key Cryptosystems  Encryption/Decryption: encryption using recipients public-key  Digital signature: sender signs a message with its private key.  Key exchange: exchange a session key
Requirements for Public Key Encryption  Easy to generate key pair public and private  Easy to encrypt a message using public key  Easy to decrypt using private key  Not easy to decide private key using public key  Not easy to recover private key for given cipher and the public key
 Not easy to recover the original message from the cipher and the public key
Public-Key Cryptographic Algorithms  RSA  Diff-Hellman
Authentication of Public Keys 104  Digital certificates prevent impersonation/man- in-the middle attack  Certification agency: which is a trusted third party that creates digital certificate (encrypted using it’s private key)  Verifies site identity by external means first!  Site sends certificate to customer  Customer uses public key of certification agency to decrypt certificate and finds the site’s public key  Man-in-the-middle cannot send fake public key  Site’s public key is used for setting up secure communication
Intrusion Detection Systems (IDS)  What is the Intrusion Detection?  Indentifies possible attacks  How is it done?  collecting information from a variety of systems and network sources  analyzing the information for possible security problems 105
Tasks of IDS  Monitoring and analysis of user and system activity  Auditing of system configurations and vulnerabilities  Assessing the integrity of critical system and data files  Statistical analysis of activity patterns based on the matching to known attacks  Abnormal activity analysis  Operating system audit 106
IDS Operations  It uses three kinds of information:  long-term information related to the technique used to detect intrusions (a knowledge base of attacks)  Configuration information about the current state of the system  Audit information describing the events that are happening on the system (log information) 107
 Symptoms of an intrusion or vulnerabilities can be detected by comparing current state and security-related actions taken during normal usage of the system 108
Efficiency of intrusion- detection systems  Accuracy: absence of false alarms  Performance: the rate at which audit events are processed  Completeness: detect all attacks  Fault tolerance: should itself be resistant to attacks  Timeliness: how much quick in responding for an attack 109
Intrusion-detection systems classification  Detection method  Audit source location  Detection paradigm 110
Knowledge-based intrusion detection  Accumulate Knowledge about specific attacks and system vulnerabilities  Looks behaviors similar to attacks and raises alarms  Accuracy: good  Completeness: not good (regular update of knowledge about attacks)  Easy to take preventive actions (the type of attack is known) 111
knowledge-based intrusion detection: Experts Systems  Characterized attacks as set of rules  Audit events are then translated into facts  Inference engine draws conclusions using these rules and facts 112
Behavior-based intrusion detection  Intrusion is detected by observing a deviation from the normal or expected behavior of the system or the users  Advantages:  Complete  Observe new attacks or vulnerabilities (new knowledge)  Disadvantages:  Not accurate (high false alarm rate) 113
How to build behavior-based IDS  Statistics  System behavior is measured by a number of variables sampled over time Eg: login and logout time of each session, the resource duration, and the amount of processor- memory disk, resources consumed during the session  Compare the deviation from the current state and the normal state  Too simple method but still effective 114
How to build behavior-based IDS contd..  Expert systems:  A set of rules that describe proper usage policy  Prevent any action that does not fit the acceptable patterns  Neural networks:  Learn the relationship between the two sets of information (Independent and target variable)  Disadvantage: Computationally expensive 115
Operational Issues  A useful policy and mechanism must balance the benefits of the protection against the cost of designing, implementing, and using the mechanism.  This balance can be determined by analyzing the risks of a security attacks and the likelihood of it occurring.  Analysis is subjective 116
Cost-Benefit Analysis  Computer security are weighed against their total cost  Eg: If the data or resources are of less value, than their protection then no protections (reconstruction of data is more cheaper than protection).  This case is very rare  Eg: Database that provides salary information for a second system which prints the checks.  Integrity of the data has to protected 117
When analysis is not clear  Eg: The need for confidentiality of the salaries in the database  Financial lost should be determined if the salaries are disclosed  Financial lost: including potential loss from lawsuits, changes in policies, procedures and personals and the effect on future business. 118
Overlapping Benefits  Integrity mechanism can be used to provide confidentiality.  Cost can be reduced  Cost depends on the selected mechanism  Implement security mechanism in design phase is much more cheaper than adding them into existing systems 119
Risk Analysis  To determine whether an asset should be protected  What level  Likelihood of attacks  If an attack is unlikely, protecting against it has a lower priority than protecting against a likely one.  But, unlikely attacks could cause more damage than likely attacks  Then, priority should be given to unlikely 120
Risk Analysis contd..  Eg: Salary printing system  The risk of unauthorized changed could happen in three places  Database level  Network level  Printing level  In LAN: untrustworthy internal personnel  IN WAN: untrustworthy worldwide personnel 121
Risk Analysis contd..  This example illustrates some finer points of risk analysis: First point  is a function of environment  Threats to LAN: Internal people  Threats to WAN: Internal + external people  If the company’s payroll system is paralyzed:  Employees lost their faith  Company could not hire anyone  Investors would not fund the company  The risk arises from the environments in 122
Risk Analysis contd..  Second point  Risks change with time.  Eg: LAN becomes WAN (if the LAN is connected to the Internet) 123
Risk Analysis contd..  Third point:  Many risks are quite remote but still exist  Eg: risk of connecting to the Internet  This risk is "acceptable" but not nonexistent  Usually, people do not worry about acceptable risk, but the people worry when it becomes unacceptable risk. 124
Laws and Customs  Laws restrict the availability and use of technology and affect procedural controls  Policy and any selection of mechanisms must take into account legal considerations  Laws are not the only constraints on policies and selection of mechanisms but customs  Eg: (1) provide DNA samples for authentication purposes is legal but not socially acceptable 125
Laws and Customs contd..  These practices provide security but at an unacceptable cost  Drawback: encourage users to avoid or overcome the security mechanisms 126
Security Policies  What is a Security Policy?  Why is a Security Policy necessary?  What are the problems in designing policies?  What a policy should cover?  Types of policies  Policy content  Policy implementation  Policy review 127
What is a Security Policy?  It is a strategy for how company implements Information Security principles and technologies  It provides high level guidelines related to IT security  But, it does not provide any procedures or mechanisms  It specifically accomplishes three objectives:  Confidentiality 128
Why is a Security Policy Necessary?  Security policy is a plan and it is essential to accomplish a complex task of providing IT security  Security policy aware management and the staff about their commitment of protecting data and information  Security policy provides legal protection to company  Security policy often required by clients of organization  Security policy maintains standards 129
What are the problems in designing policies?  Not a trivial task  Time consuming  Expensive (hiring security professionals)  Different opinions from different experts (more subjective) 130
What a Policy Should Cover  Policy should be clear for target audients.  Minimum section of policy  Overview: Provides background information on the issue that the policy will address.  Purpose: Specifies why the policy is needed.  Scope: Lays out exactly who and what the policy covers.  Target Audience: Advises for whom the policy is intended. 131
What a Policy Should Cover contd.  Policies: This is the main section of the document, and provides statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.  Definitions: For clarity, any technical terms should be defined.  Version: To ensure consistent use and application of the policy, include a version number that is changed to reflect any 132
Types of Policies  Essential for most organizations:  Acceptable Use Policy  Authentication Policy  Backup Policy  Confidential Data Policy  Incident Response Policy  Mobile Device Policy  Network Access Policy  Network Security policy  Password Policy 133
Policy Content  A security policy should be no longer than is absolutely necessary  A security policy should be written in “plain English”  A security policy must be consistent with applicable laws and regulations  A security policy should be reasonable  A security policy must be clear : permitted and not permitted actions 134
Policy Implementation  Hardest part  Must be backed by company’s senior management  Officially adapted as company policy  Create a position Information Security Officer or IT Security Manager  Check whether the required technology is available at the company  User education is critical to a successful security policy implementation 135
Policy Implementation contd..  Uses must acknowledge user-policies in writing  Exception will need to be granted in some cases 136
Policy Review  Should be periodically reviewed  To check whether the policies have been strictly followed by the uses.  To check whether the policies meet the current requirements 137

More Related Content

PPTX
OSI Security Architecture
university of education,Lahore
 
PPT
Steganography
university of education,Lahore
 
PPTX
Network Security Terminologies
university of education,Lahore
 
PPT
Ch01
Joe Christensen
 
PDF
Network security chapter 1
osama elfar
 
PPTX
Ppt.1
veeresh35
 
PPTX
Introduction to Network Security
Computing Cage
 
PPT
Nw sec
shivz3
 
OSI Security Architecture
university of education,Lahore
 
Steganography
university of education,Lahore
 
Network Security Terminologies
university of education,Lahore
 
Ch01
Joe Christensen
 
Network security chapter 1
osama elfar
 
Ppt.1
veeresh35
 
Introduction to Network Security
Computing Cage
 
Nw sec
shivz3
 

What's hot (19)

PPT
Lecture1 Introduction
rajakhurram
 
PPTX
Network security
quest university nawabshah
 
PPTX
Network Security: Attacks, Tools and Techniques
waqasahmad1995
 
PPTX
02 introduction to network security
Joe McCarthy
 
PPTX
OSI Layer Security
Nurkholish Halim
 
PPT
Chapter 01
nathanurag
 
PDF
Is ch1 (2)
abdallahmezher
 
PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
 
PPTX
Smart city project's Information Security challenges
Behak Kangarloo
 
PPTX
Security Mechanisms
priya_trehan
 
PPTX
Network security
Harsh Kishore Mishra
 
PPTX
Information and network security 3 security challenges
Vaibhav Khanna
 
PPTX
Information and network security 2 nist security definition
Vaibhav Khanna
 
PPTX
Computer Security Chapter 1
Temesgen Berhanu
 
PPTX
Information and network security 9 model for network security
Vaibhav Khanna
 
PDF
Network Security Fundamentals
Fat-Thing Gabriel-Culley
 
PDF
Network security
nageshkanna13
 
PDF
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
IJNSA Journal
 
Lecture1 Introduction
rajakhurram
 
Network security
quest university nawabshah
 
Network Security: Attacks, Tools and Techniques
waqasahmad1995
 
02 introduction to network security
Joe McCarthy
 
OSI Layer Security
Nurkholish Halim
 
Chapter 01
nathanurag
 
Is ch1 (2)
abdallahmezher
 
Network security - OSI Security Architecture
BharathiKrishna6
 
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
 
Smart city project's Information Security challenges
Behak Kangarloo
 
Security Mechanisms
priya_trehan
 
Network security
Harsh Kishore Mishra
 
Information and network security 3 security challenges
Vaibhav Khanna
 
Information and network security 2 nist security definition
Vaibhav Khanna
 
Computer Security Chapter 1
Temesgen Berhanu
 
Information and network security 9 model for network security
Vaibhav Khanna
 
Network Security Fundamentals
Fat-Thing Gabriel-Culley
 
Network security
nageshkanna13
 
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS
IJNSA Journal
 
Ad

Similar to Jb ia (20)

PPT
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
PPT
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
PPT
Ch01_Introduction_to_Information_Securit.ppt
KawukiDerrick
 
PPT
Ch01_Introduction_to_Information_Securit
KawukiDerrick
 
PPT
Introduction to information security
Elumalai Vasan
 
PPT
information-security-3rd-edition2-define-information-security.ppt
MuhammadAbdullah311866
 
PPT
60304756 whitman-ch01-1
UDCNTT
 
PPT
Chap01
KASSAWMAR AYALEW
 
PPT
is_1_Introduction to Information Security
SARJERAO Sarju
 
PPT
168581476-Critical-Characteristics-of-Information-In-Information-Security.ppt
SenzotaSemakuwa
 
PPT
Introduction to information security
Kumawat Dharmpal
 
PPT
01Introduction to Information Security.ppt
it160320737038
 
PPT
Information security.pptx
Veer Rengu korku Govt. College Khaknar
 
PPT
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
PPT
Information security
razendar79
 
PDF
Ch2 Introduction to Information Security (3).pdf
mominabotayea1997
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 1
MLG College of Learning, Inc
 
PPTX
Princinples of information security Lecture_1_Information_Security.pptx
MuhammadUsmanNasir5
 
PDF
IT8073 _Information Security _UNIT I Full notes
Guru Nanak Technical Institutions
 
PDF
IT8073_Information Security_UNIT I _.pdf
Guru Nanak Technical Institutions
 
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
Tayyab AlEe
 
Ch01_Introduction_to_Information_Securit.ppt
KawukiDerrick
 
Ch01_Introduction_to_Information_Securit
KawukiDerrick
 
Introduction to information security
Elumalai Vasan
 
information-security-3rd-edition2-define-information-security.ppt
MuhammadAbdullah311866
 
60304756 whitman-ch01-1
UDCNTT
 
Chap01
KASSAWMAR AYALEW
 
is_1_Introduction to Information Security
SARJERAO Sarju
 
168581476-Critical-Characteristics-of-Information-In-Information-Security.ppt
SenzotaSemakuwa
 
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
it160320737038
 
Information security.pptx
Veer Rengu korku Govt. College Khaknar
 
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Information security
razendar79
 
Ch2 Introduction to Information Security (3).pdf
mominabotayea1997
 
Information Assurance And Security - Chapter 1 - Lesson 1
MLG College of Learning, Inc
 
Princinples of information security Lecture_1_Information_Security.pptx
MuhammadUsmanNasir5
 
IT8073 _Information Security _UNIT I Full notes
Guru Nanak Technical Institutions
 
IT8073_Information Security_UNIT I _.pdf
Guru Nanak Technical Institutions
 
Ad

Jb ia

  • 2. 3 Introduction  Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)  Necessary to review the origins of this field and its impact on our understanding of information security today
  • 3. 4 The History of Information Security  The first mainframes, which used to aid code- breaking computations during World War II  How the security was provided?  Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys, and facial recognition by security guards  Primary threats to information security: physical theft of equipment, spying against the products of the systems, and sabotage
  • 4. 5 Figure 1-1 – The Enigma Principles of Information Security, 2nd Edition
  • 5. 6 The History of Information Security  1st documented problem that is not in physical nature (Early 1960s)  One administrator editing a file and another administrator was editing the password file  A software called glitch mixed the two files and printed on every output file
  • 6. 7 History of Internet  Objective: Link mainframes to share information  Advanced Research Procurement Agency (ARPA) began to examine feasibility of redundant networked communications  Larry Roberts developed ARPANET from its inception  ARPANET is the first Internet
  • 7.  70s- 80s, ARPANET became popular and more widely used  At the same time potential for its misuse grew  Robert M.“Bob”Metcalfe (1973), identified fundamental problems of ARPANET with the development of the Ethernet (networking protocol) Principles of Information Security, 2nd Edition 9
  • 8. 10 Drawbacks of ARPANET  Fundamental problems with ARPANET:  No safety procedures for dial-up connections to ARPANET  Non-existent user identification and authorization to system
  • 9. 11 R-609- Formal Report of IS  Information security began with Rand Report R- 609 (paper that started the study of computer security)  Defines mechanisms for protecting systems  Scope of computer security grew from physical security to include:  Safety of data  Limiting unauthorized and random access to data  Involvement of personnel from multiple levels of an organization in matters pertaining to information security
  • 10. 12 The History of Information Security  Multics  Operating System  Security is the primary goal  Unix was developed  Late 1970s: Microprocessor invented and expanded computing capabilities and security threats  From mainframe to PC  Decentralized computing  Need for sharing resources increased  Major changed computing
  • 11. 13 The 1990s  Internet was born (global network of networks)  Virtually all computers connected to the Internet  In early Internet deployments, security was treated as a low priority  Only the physical protection was considered  Now, data and information protection are the highest priority.
  • 12. 14 The Present  The Internet brings millions of computer networks into communication with each other—many of them unsecured  Ability to secure a computer’s data influenced by the security of every computer to which it is connected
  • 13. 15 What is Security?  “The quality or state of being secure—to be free from danger”  In other words, protection against adversaries  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
  • 14. 16 What is Information Security (InfoSec)?  “The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information” by NSTISSC  Necessary tools: policy, awareness, training, education, technology  NSTISSC defined the model of IS:  C.I.A. triangle (key objectives confidentiality, integrity, and availability)
  • 15. 17Principles of Information Security, 2nd Edition
  • 16. C.I.A. Triangle Principles of Information Security, 2nd Edition 18
  • 17. Drawbacks of CIA Model  Does not adequately address the present issues.  CIA model expanded 19
  • 18. 20 Critical Characteristics of Information  The value of information comes from the characteristics it possesses:  Availability  No interference or obstruction for authorized users  No delaying and in required format  Accuracy  No errors  Authenticity  Data origin: i.e., sender of an email  Confidentiality  Prevent discoursing information to unauthorized users
  • 19. 21 Critical Characteristics of Information  Integrity  Prevent unauthorized modifications or damages  Virus or worm can change the integrity  Transmission errors  Integrity checking mechanism: Size of the file, hash values, error-correcting codes, retransmission  Utility  Meaning of information (format of information)  Applicability of information for some purposes
  • 20. Critical Characteristics of Information contd..  Possession  Ownership  Breach of confidentiality results in the breach of possession, not the reverse 22
  • 21. NSTISSC Security Model  National Training Standard for Information Systems Security Professionals (NSTISSC)  Documentation prepared by John McCumber : http://www.cnss.gov/Assets/pdf/nstissi_40 11.pdf  Graphical representation of this model : McCumber Cube  27 cells representing areas that must be 23
  • 22. 24 Figure 1-4 – NSTISSC Security Model NSTISSC Security Model Principles of Information Security, 2nd Edition
  • 23. 25 Components of an Information System  Software  Perhaps most difficult to secure  Bugs, weaknesses, or other fundamental problems create security wholes  Hardware  Physical security policies  Securing physical location important  Laptops  Flash memory
  • 24. 26 Components of an Information System  Data  Often most valuable asset and main target of intentional attacks  Use of DBMS to protect data  People  Always been threats to IS  Must be well trained, educated and informed  Procedures  Written instructions for accomplishing a specific task  Unauthorized use of procedures  Educating employees about safeguarding the
  • 25. Components of an Information System  Networks  Locks and keys won’t work  Implementation of alarm and intrusion systems to make system owners aware of ongoing compromises 27
  • 26. 28 Securing Components  Computer can be subject of an attack and/or the object of an attack  When the subject of an attack, computer is used as an active tool to conduct attack  When the object of an attack, computer is the entity being attacked  2 types of attack  Direct  Hacker uses their computer to break into a system  Indirect  System is compromised and used to attack other systems
  • 27. Principles of Information Security, 2nd Edition 29 Figure 1-5 – Subject and Object of Attack
  • 28. 30 Information Security Vs. Access  Impossible to obtain perfect security—it is a process, not an goal  Security should be considered balance between protection and availability  To achieve the balance, level of security must allow reasonable access, yet protect against threats
  • 29. 31 Figure 1-6 – Balancing Security and Access Principles of Information Security, 2nd Edition
  • 30. 32 Security implementation mechanisms: Bottom-Up Approach  Incremental process that begins from grassroots level : initiated by system admin  Needs coordination, time and patience  Advantages:  System administrator can gain technical expertise  Disadvantages:  Sometimes bottom-up approach is not working  Lack of participant support and organizational
  • 31. 33 Security Implementation Mechanisms: Top-down Approach  Initiated by upper management  Issue policy, procedures and processes  Dictate goals and expected outcomes of project  Determine accountability for each required action  Formal Top-Down approach: Systems Development Life Cycle (SDLC)
  • 32. Principles of Information Security, 2nd Edition 34
  • 33. 35 Systems Development Life Cycle (SDLC)  Systems Development Life Cycle (SDLC) is methodology for designing and implementation of information system  SDLC can be used for developing security systems also: (SecSDLC)  Methodology contains structured sequence of procedures  Traditional SDLC consists of six general phases
  • 34. Principles of Information Security, 2nd Edition 36
  • 35. How to secure SDLC?  Each of the phases of the SDLC should include security measurements  Investigation/Analysis Phases:  Security Categorization — defines three levels (i.e., low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security.  Preliminary risk Assessment:  basic security needs of the system  define the threat environment in which the system 37
  • 36. How to secure SDLC?  Logical/Physical Design Phases:  Risk Assessment: identifies the protection requirements for the system through a formal risk assessment process  Cost Considerations and Reporting: the development cost of ISec system  Security Planning: provides complete description of IS and reference materials of ISec system.  Security Test and Evaluation: Design and develop a complete security test plan 38
  • 37. How to secure SDLC?  Implementation Phase:  Inspection and Acceptance: verifies that the functionality described in the specification is included in the deliverables  System Integration: System is integrated at the operational site and all the security controls are available  Security Certification: verify the security controls are working properly 39
  • 38. How to secure SDLC?  Maintenance & Change Phase:  Configuration Management and Control: consideration of the potential security impacts due to specific changes to an information system or its surrounding environment.  Continuous Monitoring: Periodical tests for assuring the security controls are working 40
  • 39. 41 The Security Systems Development Life Cycle  The same phases as traditional SDLC  Identification of specific threats and creating controls to counter them  SecSDLC is a logical program rather than a series of random, seemingly unconnected actions
  • 40. 42 The Security Systems Development Life Cycle  Investigation  Identifies process, outcomes, goals, and constraints of the project (initiated by the upper management)  Begins with enterprise information security policy  Analysis  Existing security policies, legal issues  Perform risk analysis: the threats to the organization’s security
  • 41. 43 The Security Systems Development Life Cycle  Logical Design  Creates and develops blueprints for information security (IS)  Implements key policies that influence the IS  Design Incident response actions: Continuity planning, Incident response, Disaster recovery  Feasibility analysis to determine whether project should continue or be outsourced  Physical Design
  • 42. 44 The Security Systems Development Life Cycle  Implementation  Security solutions are acquired, tested, implemented, and tested again  Personnel issues evaluated; specific training and education programs conducted  Entire tested package is presented to management for final approval  Maintenance and Change  Constant changing threats  Constant monitoring, testing updating and implementing change
  • 43. 45 Security Professionals and the Organization  Wide range of professionals required to support a diverse information security program  Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program
  • 44. 46 Senior Management  Chief Information Officer (CIO)  Senior technology officer  Primarily responsible for advising senior executives on strategic planning  Chief Information Security Officer (CISO)  Primarily responsible for assessment, management, and implementation of IS in the organization  Usually reports directly to the CIO
  • 45. 47 Information Security Project Team  A number of individuals who are experienced in one or more facets of technical and non- technical areas:  Champion: Senior executive who promotes the project  Team leader: project manager, departmental level manager  Security policy developers  Risk assessment specialists  Security professionals  Systems administrators  End users
  • 46. 48 Data Ownership  Data Owner: responsible for the security and use of a particular set of information  Data Custodian: responsible for storage, maintenance, and protection of information  Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
  • 47. 49 Communities Of Interest  Group of individuals united by similar interest/values in an organization  Information Security Management and Professionals  Information Technology Management and Professionals  Organizational Management and Professionals
  • 48. 50 Key Terms  Access  Asset  Attack  Control, Safeguard or Countermeasure  Exploit  Exposure  Hacking  Object  Risk  Security Blueprint  Security Model  Security Posture or Security Profile  Subject  Threats  Threat Agent  Vulnerability
  • 49. 51 Critical infrastructure  From Wikipedia.  Critical infrastructure is a term used by governments to describe systems or material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:  electricity generation and distribution;  telecommunication;  water supply;  agriculture, food production and distribution;  heating (natural gas, fuel oil);  public health;  transportation systems (fuel supply, railway network, airports);  financial services;  security services (police, military).  Critical-infrastructure protection is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.
  • 50. 52 Summary  Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”  Computer security began immediately after first mainframes were developed  Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
  • 51. 53 Summary  Security should be considered a balance between protection and availability  Information security must be managed similar to any major system implemented in an organization using a methodology like SecSDLC  Implementation of information security often described as a combination of art and science
  • 52. Model for Information Assurance  Model for information security: McCumber Cube by John McCumber  Information Systems Security (INFOSEC) has evolved into Information Assurance (IA)  Information Assurance not only expands the coverage, but also responsibilities and accountability of security professionals.  InfoSec Model needs changes 54
  • 53. MSR Model  Has four dimensions:  Information States  Security Services  Security Countermeasures  Time
  • 54. MSR Model: Information States  Three states  stored  processed  Transmitted  Information can be in two states at a time:  Eg: sending an email ( transmission and storage states)
  • 55. MSR Model: Security Services  Five security services  Availability  Integrity  Authentication  Confidentiality  Non-Repudiation
  • 56. MSR Model: Security Countermeasures  technology  operations  people
  • 57. MSR Model: Time  Time has an impact of all the dimensions of the model  Eg: introduction of new technology, over time, requires modifications to other dimensions of the integrated model in order to restore a system to a secure state of operation.  human side of the time line leads to career progression
  • 58. Computer Forensics and Techniques  What is Computer Forensics?  scientific study or research for the purpose of gathering digital evidence in cases of cyber crimes or for other scientific research purposes.  Who can conduct Computer Forensics?  a government authorized computer forensic agent  in SL - Digital Forensic Lab operated by SL police 60
  • 59. Computer Forensics and Techniques  What are the offences under the Computer Crime Act No. 24 of SL constitute?  Hacking  Unauthorized access to the system and manipulated Data  Collecting, Changing, Corruption and destroying of data without approval.  Offences against National Security, National Economy and Public Order.  Offences resulting in cheating amounting to 61
  • 60. Computer Forensics and Techniques  Digital evidence is just as any evidence but the difference is it is digital evidence exists in digital form like computer data, disks, printed documents, etc.  Digital evidence could be encrypted or hidden (not easy to access)  Need forensics techniques to analyze digital evidences 62
  • 61. Basic Computer Forensic Techniques  Can be categorized into two:  For Computer Networks  For Computer Systems 63
  • 62. Forensic Techniques: for computer networks  Packet Sniffing: pulling out critical data packets from these networks  Packets can contain useful information such as username, password, incoming/out going emails etc.  IP Address Tracing: to identify the data/message origin  Email Address Tracing: this can be achieved by analyzing email headers 64
  • 63. Forensic Techniques: for Computer Systems  File Structure  Look for suspicious files: which are encrypted, hidden, hashed with some algorithms.  Storage Media  Erase or formatted data  Advance techniques to recover data  Sometimes, data fragment is sufficient for digital evidences 65
  • 64. Forensic Techniques: for Computer Systems  Steganography  Hiding information in images, sounds or any other file format  Extremely difficult to recover the original format  Steg-Analysis and decryption techniques are useful for data recovery  Prints are print outs which are taken from a computer printer device 66
  • 65. Tools used in computer forensic  Hex Editors  Disassemblers  Disk Analyzers  Decryptors  Packet Sniffers  DNS Tools 67
  • 66. Computer Forensics Jobs  A computer forensics investigator combats against crimes which range from damaged file system recovery on computers to crimes against children.  The need for computer forensic specialists is rising due to rising number of cyber crimes  Duties of a computer forensic specialist: recovering, assessing, and presenting the computer data in such a way that they can 68
  • 67. OSI Security Architecture defined by ITU-T for OSI Security Attacks Security Services Security Mechanisms
  • 70. Active Attacks  Masquerade: One entity pretends to be a different entity  Replay: Passive capture of data units and subsequent retransmission  Modification of Messages: Some potion of original message is altered. Eg: “ Allow Floria Serban to read the file accounts” is modified to mean “ Allow Dorothie Rinhard to read the file accounts”
  • 75. Active Attacks Contd..  Denial of Services: Prevents the normal use of communication facilities. Eg: direct all the messages to another destination, disruption of all the network by overloading to degrade performances or disabling the network
  • 76. Active attacks Vs. Passive attacks  Passive attacks: difficult to detect, but measures are available to prevent  Active attacks: Quite difficult to prevent absolutely The goal is to detect active attacks and recover from any distruption
  • 77. Security Services  X.800 defines a security service as a service that provided by the protocol layer
  • 78. Security Services  Availability  Authentication  Confidentiality  Integrity  Non-repudiation
  • 79. Security Mechanisms  Encipherment  Digital signature  Access control  Data integrity  Authentication exchange  Traffic padding  Routing control
  • 80. Cryptography  Symmetric encryption and Message confidentiality
  • 81. Cryptographic System classification  Type of operations used for transforming plain text into ciphertext  Number of keys used  Single key : Symmetric encryption  Multiple keys: Asymmetric encryption (public- key)  The way in which the plain text is processed (block or characters)
  • 82. Cryptanalysis  The process of attempting to identify the plain text or key  Cryptanalyst: Who analyses the encrypted message
  • 83. Feistal Cipher Structure  Described by Horst Feistel of IBM in 1973  Feistal structure is a model for most of symmetric block cipher
  • 85. Symmetric Block Encryption Algorithms  Data Encryption Standards (DES)  Triple DES (3DES)  Advanced Encryption Standards (AES)
  • 86. Weakness of DES  In July 1998 Electronic Frontier Foundation (EFF) had broken DES
  • 87. Public-key Cryptography and Message Authentication  Encryption protects against passive attacks  Message authentication protects against active attacks
  • 88. Message Authentication without Message Encryption  No encrypted message, but authentication tag is merged to the message  The message can be read independent of authentication tag Applications: if the recipient heavily overloaded usually then decrypting each message would cost more time. In such a case only authentication is sufficient
  • 89. Message Authentication Code (MAC)  Use common secret key Kab  MACM =F(Kab ,M): Number of methods available for generating MAC  MAC is calculated by both parties to check the authenticity  Assumption: secret key is shared through secure channel
  • 91. Function F:  F can be of encrypting the message with DES and the MAC is the last 16 or 32 bits.
  • 92. One-Way Hash Function  Fixed–size message digest: H(M), where M is variable size message  No secret key  H(M) attached with the message and the recipient compares the message digest with the computed one  H(M) can be encrypted using symmetric (single key) or asymmetric (public key) method
  • 93.  No encryption but uses a hash function that concatenates a secret value(Sab) with message. Secret value is sheared through a secure channel.  MDM =H(Sab|| M) and send [M || MDM ] This method is known as HMAC and adapted for IP security.
  • 94. Public-Key Cryptography  Alternate to the symmetric encryption  First proposed by Diffe and Hellman (1976)  Based on mathematical function rather than bit wise operations  Use two keys: public and private  No key shring
  • 95. Ingredients  Plain text  Encryption algorithm  Public, private key  Cipher text  Decryption algorithm
  • 96. Essential Steps  User creates a pair of keys  Place one key in public register (public key), other key in private place (private key)  Eg: Bob sending message to Alice, Bob encrypts the message using Alice’e public key and when the message receives to Allice, she decrypts it using her private key
  • 97. Properties of PKC  No key distribution  User can replace the private and public key at any time
  • 98. Application for Public-key Cryptosystems  Encryption/Decryption: encryption using recipients public-key  Digital signature: sender signs a message with its private key.  Key exchange: exchange a session key
  • 99. Requirements for Public Key Encryption  Easy to generate key pair public and private  Easy to encrypt a message using public key  Easy to decrypt using private key  Not easy to decide private key using public key  Not easy to recover private key for given cipher and the public key
  • 100.  Not easy to recover the original message from the cipher and the public key
  • 102. Authentication of Public Keys 104  Digital certificates prevent impersonation/man- in-the middle attack  Certification agency: which is a trusted third party that creates digital certificate (encrypted using it’s private key)  Verifies site identity by external means first!  Site sends certificate to customer  Customer uses public key of certification agency to decrypt certificate and finds the site’s public key  Man-in-the-middle cannot send fake public key  Site’s public key is used for setting up secure communication
  • 103. Intrusion Detection Systems (IDS)  What is the Intrusion Detection?  Indentifies possible attacks  How is it done?  collecting information from a variety of systems and network sources  analyzing the information for possible security problems 105
  • 104. Tasks of IDS  Monitoring and analysis of user and system activity  Auditing of system configurations and vulnerabilities  Assessing the integrity of critical system and data files  Statistical analysis of activity patterns based on the matching to known attacks  Abnormal activity analysis  Operating system audit 106
  • 105. IDS Operations  It uses three kinds of information:  long-term information related to the technique used to detect intrusions (a knowledge base of attacks)  Configuration information about the current state of the system  Audit information describing the events that are happening on the system (log information) 107
  • 106.  Symptoms of an intrusion or vulnerabilities can be detected by comparing current state and security-related actions taken during normal usage of the system 108
  • 107. Efficiency of intrusion- detection systems  Accuracy: absence of false alarms  Performance: the rate at which audit events are processed  Completeness: detect all attacks  Fault tolerance: should itself be resistant to attacks  Timeliness: how much quick in responding for an attack 109
  • 108. Intrusion-detection systems classification  Detection method  Audit source location  Detection paradigm 110
  • 109. Knowledge-based intrusion detection  Accumulate Knowledge about specific attacks and system vulnerabilities  Looks behaviors similar to attacks and raises alarms  Accuracy: good  Completeness: not good (regular update of knowledge about attacks)  Easy to take preventive actions (the type of attack is known) 111
  • 110. knowledge-based intrusion detection: Experts Systems  Characterized attacks as set of rules  Audit events are then translated into facts  Inference engine draws conclusions using these rules and facts 112
  • 111. Behavior-based intrusion detection  Intrusion is detected by observing a deviation from the normal or expected behavior of the system or the users  Advantages:  Complete  Observe new attacks or vulnerabilities (new knowledge)  Disadvantages:  Not accurate (high false alarm rate) 113
  • 112. How to build behavior-based IDS  Statistics  System behavior is measured by a number of variables sampled over time Eg: login and logout time of each session, the resource duration, and the amount of processor- memory disk, resources consumed during the session  Compare the deviation from the current state and the normal state  Too simple method but still effective 114
  • 113. How to build behavior-based IDS contd..  Expert systems:  A set of rules that describe proper usage policy  Prevent any action that does not fit the acceptable patterns  Neural networks:  Learn the relationship between the two sets of information (Independent and target variable)  Disadvantage: Computationally expensive 115
  • 114. Operational Issues  A useful policy and mechanism must balance the benefits of the protection against the cost of designing, implementing, and using the mechanism.  This balance can be determined by analyzing the risks of a security attacks and the likelihood of it occurring.  Analysis is subjective 116
  • 115. Cost-Benefit Analysis  Computer security are weighed against their total cost  Eg: If the data or resources are of less value, than their protection then no protections (reconstruction of data is more cheaper than protection).  This case is very rare  Eg: Database that provides salary information for a second system which prints the checks.  Integrity of the data has to protected 117
  • 116. When analysis is not clear  Eg: The need for confidentiality of the salaries in the database  Financial lost should be determined if the salaries are disclosed  Financial lost: including potential loss from lawsuits, changes in policies, procedures and personals and the effect on future business. 118
  • 117. Overlapping Benefits  Integrity mechanism can be used to provide confidentiality.  Cost can be reduced  Cost depends on the selected mechanism  Implement security mechanism in design phase is much more cheaper than adding them into existing systems 119
  • 118. Risk Analysis  To determine whether an asset should be protected  What level  Likelihood of attacks  If an attack is unlikely, protecting against it has a lower priority than protecting against a likely one.  But, unlikely attacks could cause more damage than likely attacks  Then, priority should be given to unlikely 120
  • 119. Risk Analysis contd..  Eg: Salary printing system  The risk of unauthorized changed could happen in three places  Database level  Network level  Printing level  In LAN: untrustworthy internal personnel  IN WAN: untrustworthy worldwide personnel 121
  • 120. Risk Analysis contd..  This example illustrates some finer points of risk analysis: First point  is a function of environment  Threats to LAN: Internal people  Threats to WAN: Internal + external people  If the company’s payroll system is paralyzed:  Employees lost their faith  Company could not hire anyone  Investors would not fund the company  The risk arises from the environments in 122
  • 121. Risk Analysis contd..  Second point  Risks change with time.  Eg: LAN becomes WAN (if the LAN is connected to the Internet) 123
  • 122. Risk Analysis contd..  Third point:  Many risks are quite remote but still exist  Eg: risk of connecting to the Internet  This risk is "acceptable" but not nonexistent  Usually, people do not worry about acceptable risk, but the people worry when it becomes unacceptable risk. 124
  • 123. Laws and Customs  Laws restrict the availability and use of technology and affect procedural controls  Policy and any selection of mechanisms must take into account legal considerations  Laws are not the only constraints on policies and selection of mechanisms but customs  Eg: (1) provide DNA samples for authentication purposes is legal but not socially acceptable 125
  • 124. Laws and Customs contd..  These practices provide security but at an unacceptable cost  Drawback: encourage users to avoid or overcome the security mechanisms 126
  • 125. Security Policies  What is a Security Policy?  Why is a Security Policy necessary?  What are the problems in designing policies?  What a policy should cover?  Types of policies  Policy content  Policy implementation  Policy review 127
  • 126. What is a Security Policy?  It is a strategy for how company implements Information Security principles and technologies  It provides high level guidelines related to IT security  But, it does not provide any procedures or mechanisms  It specifically accomplishes three objectives:  Confidentiality 128
  • 127. Why is a Security Policy Necessary?  Security policy is a plan and it is essential to accomplish a complex task of providing IT security  Security policy aware management and the staff about their commitment of protecting data and information  Security policy provides legal protection to company  Security policy often required by clients of organization  Security policy maintains standards 129
  • 128. What are the problems in designing policies?  Not a trivial task  Time consuming  Expensive (hiring security professionals)  Different opinions from different experts (more subjective) 130
  • 129. What a Policy Should Cover  Policy should be clear for target audients.  Minimum section of policy  Overview: Provides background information on the issue that the policy will address.  Purpose: Specifies why the policy is needed.  Scope: Lays out exactly who and what the policy covers.  Target Audience: Advises for whom the policy is intended. 131
  • 130. What a Policy Should Cover contd.  Policies: This is the main section of the document, and provides statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.  Definitions: For clarity, any technical terms should be defined.  Version: To ensure consistent use and application of the policy, include a version number that is changed to reflect any 132
  • 131. Types of Policies  Essential for most organizations:  Acceptable Use Policy  Authentication Policy  Backup Policy  Confidential Data Policy  Incident Response Policy  Mobile Device Policy  Network Access Policy  Network Security policy  Password Policy 133
  • 132. Policy Content  A security policy should be no longer than is absolutely necessary  A security policy should be written in “plain English”  A security policy must be consistent with applicable laws and regulations  A security policy should be reasonable  A security policy must be clear : permitted and not permitted actions 134
  • 133. Policy Implementation  Hardest part  Must be backed by company’s senior management  Officially adapted as company policy  Create a position Information Security Officer or IT Security Manager  Check whether the required technology is available at the company  User education is critical to a successful security policy implementation 135
  • 134. Policy Implementation contd..  Uses must acknowledge user-policies in writing  Exception will need to be granted in some cases 136
  • 135. Policy Review  Should be periodically reviewed  To check whether the policies have been strictly followed by the uses.  To check whether the policies meet the current requirements 137