Welcome to Information Systems Security (503009)

Transcription

1 Welcome to (503009) Nguyen Thi Ai Thao Faculty of Computer Science & Engineering HCMC University of Technology

2 Course Outline Week Lectures 1 Information systems security: basic concepts 2,3 Basic cryptography & key exchange protocols 4 Identification & Authentication 5,6 Discretionary Access Controls 7,8 Mandatory Access Controls 9 Auditing & Accountability 10, 11, 12, 13, Presentations 14 Chapter 1: Introduction to 2 2

3 References [1] M. Gertz, S. Jajodia (2008). Handbook of Database Security: Applications and Trends, Springer Verlag, ISBN [2] S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison- Wesley, ISBN [3] D.C. Knox (2004). Effective Oracle Database 10g Security by Design, Oracle Press, ISBN [4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information Security Fundamentals, Auerbach Publications, ISBN [5] W. Mao (2003). Modern Cryptography: Theory and Practice, 3 rd Ed., Prentice Hall, ISBN Chapter 1: Introduction to 3

4 Course Outline - Details Week Lectures References Introduction 1.1 Basic concepts 1.2 Picture of DB security 1.3 Framework for DB & Applications security 2. Basic cryptography & key exchange protocols 2.1 Cryptography-related concepts 2.2 Key channel 2.3 Perfect encryption 2. Basic cryptography & key exchange protocols 2.4 Dolev-Yao threat model 2.5 Protocols [1,2,3,4,5] [4,5] [4,5] Chapter 1: Introduction to 4

5 Course Outline - Details Week Lectures References 4 3. Identification & Authentication 3.1 Introduction 3.2 Identification techniques 3.3 Authentication techniques 3.2 Authentication protocols [2,3,4] Discretionary Access Controls 3.1 Introduction to DAC 3.2 Models for DAC 3. Discretionary Access Controls 3.3 SQL for Data Control 3.4 DAC & Information Flow Controls [2,3,4] [2,3,4] Chapter 1: Introduction to 5

6 Course Outline - Details Week Lectures References 7 4. Mandatory Access Control 4.1 Introduction to MAC 4.2 Models for MAC [2,3,4] 8 4. Mandatory Access Control 4.3 Case study: Oracle Label Security [2,3,4] 9 10, 11, 12, 13, 5. Auditing & Accountability 5.1 Introduction to Auditing & Accountability 5.2 Techniques to Auditing 5.3 Case study: Auditing in Oracle Presentation 14 [2,3] Tbc. Chapter 1: Introduction to 6

7 Assessments Credits: 3 No mid-term test Open-book exams Assessment Pattern % Presentation 1 15 Presentation 2 15 Assignment 20 Final Examination 50 7 Chapter 1: Introduction to 7

8 Presentation Group of 2-3 students Presentation topics: >> Teaching Register for the presentations: Send to Deadline: February 3 rd, Chapter 1: Introduction to 8

9 Chapter 1: Introduction to Nguyen Thi Ai Thao Faculty of Computer Science & Engineering HCMC University of Technology

10 Outline 1 Basic concepts 2 Picture of DB Security 3 Framework for DB & Applications Security Chapter 1: Introduction to 10

11 Basic Concepts Data and Information Information System Information Security Information System Security Requirements Countermeasures Basic Steps in Information Security Process Chapter 1: Introduction to 11

12 Basic Concepts - Data are plain facts. When data are processed, organized, structured or presented in a given context so as to make them useful, they are called Information. Chapter 1: Introduction to 12

13 Basic Concepts - Information System refers to a system of people, data records and activities that process the data and information in an organization. People Data Process Chapter 1: Introduction to 13

14 Basic Concepts - Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Chapter 1: Introduction to 14

15 Basic Concepts - Security Requirements Information System Security Requirements : Confidentiality Integrity Non-repudiation Availability Chapter 1: Introduction to 15

16 Basic Concepts - Security Requirements Information System Security Requirements: Confidentiality: Protection of data from unauthorized disclosure Example: In a bank system, preventing a client from finding out the information of another client, such as balance. Integrity: Only authorized users should be allowed to modify data. Example: In a bank system, preventing a client from changing his or her balance. Chapter 1: Introduction to 16

17 Basic Concepts - Security Requirements Information System Security Requirements: Availability: Making data available to the authorized users and application programs Example: In a bank system, ensuring that the invoices are printed on time as required by law. Non-repudiation: The ability to prevent the effective denial of an act. Example: In a bank system, providing proof of the origin and delivery of transactions from a client. Chapter 1: Introduction to 17

18 Basic Concepts - Countermeasures Countermeasures ensures these security requirements for information systems. There are some countermeasures: Access control Inference control Flow control Encryption Chapter 1: Introduction to 18

19 Basic Concepts - Access Control Access Control: The security mechanism for restricting access to the database as a whole Handled by creating user accounts and passwords to control login process by the Database Management System (DBMS). Two types of access control system Closed system Open system Chapter 1: Introduction to 19

20 Basic Concepts Closed System Access request Closed system Is there a rule authorizing the access? Rules: authorized accesses Access permitted Access denied Chapter 1: Introduction to 20

21 Basic Concepts Opened System Access request Opened system Is there a rule denying the access? Rules: denied accesses Access permitted Access denied Chapter 1: Introduction to 21

22 Basic Concepts - Inference control Inference control: The security problem associated with databases is that of controlling the access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria. The countermeasures to statistical database security problem is called inference control measures. Chapter 1: Introduction to 22

23 Inference attack Non-sensitive database Sensitive database Infer Access control Access permitted Access denied Meta data Chapter 1: Introduction to 23

24 Inference control Non-sensitive database INFERENCE CONTROL Sensitive database Access control Access permitted Access denied Meta data Chapter 1: Introduction to 24

25 Basic Concepts - Flow control Flow control prevents information from flowing in such a way that it reaches unauthorized users. Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called Covert Channels. Storage channel Timing channel Chapter 1: Introduction to 25

26 Convert chanel Timing Chanel In Python: def validate_password(actual_pw, typed_pw): if len(actual_pw) <> len(typed_pw): return 0 for i in len(actual_pw): if actual_pw[i] <> typed_pw[i]: return 0 return 1 Chapter 1: Introduction to 26

27 Basic Concepts - Encryption Data encryption refers to mathematical calculations and algorithmic schemes that transform plaintext into cyphertext, a form that is non-readable to unauthorized parties. Only the user having a correct key can decrypt the cyphertext, transforming it to the original plaintext version. Data encryption is used to protect sensitive data (such as credit card numbers). Chapter 1: Introduction to 27

28 Basic Concepts Basic Steps in Access control Process: Identification A user presents an identity to the database Authentication: The user proves that the identity is valid Authorization: What privileges and authorizations the user has Chapter 1: Introduction to 28

29 Outline 1 Basic concepts 2 Picture of DB Security 3 Framework for DB & Applications Security Chapter 1: Introduction to 29

30 Chapter 1: Introduction to 30

31 Các thành phần cần bảo vệ trong một HTTT Encryption Identify &Authenticate Access control Auditing & Accountability Design Security in OBDS Chapter 1: Introduction to 31

32 Các thành phần cần bảo vệ trong một HTTT Encryption Key exchange protocols Physical security Chapter 1: Introduction to 32

33 Các thành phần cần bảo vệ trong một HTTT Physical security Chapter 1: Introduction to 33

34 Các thành phần cần bảo vệ trong một HTTT Training Auditing & Accountability Chapter 1: Introduction to 34

35 Outline 1 Basic concepts 2 Picture of DB Security 3 Framework for DB & Applications Security Chapter 1: Introduction to 38

36 Framework for DB & Applications Security Privacy, Dependable Information Management, Secure Information Management Technologies, Data Mining and Security, Digital Forensics, Secure Knowledge Management Technologies, Secure Semantic Web, Biometrics Relational DB Security, Distributed/Federated DB Security, Web DB Security, Object/Multimedia DB Security, Data Warehouse Security, Inference Problem, Sensor DB and Stream Data Processing Security Database Systems, Information Retrieval, Knowledge Management, Information Management, Information & Computer Security Chapter 1: Introduction to 39

37 Chapter 1: Introduction to 40