Welcome to Information Systems Security (503009)




Welcome to (503009)
Nguyen Thi Ai Thao
Faculty of Computer Science & Engineering, HCMC University of Technology
thaonguyen@cse.hcmut.edu.vn

Course Outline

Week 1: Information systems security: basic concepts
Weeks 2, 3: Basic cryptography & key exchange protocols
Week 4: Identification & Authentication
Weeks 5, 6: Discretionary Access Controls
Weeks 7, 8: Mandatory Access Controls
Week 9: Auditing & Accountability
Weeks 10, 11, 12, 13: Presentations
Week 14: Tbc.

Chapter 1: Introduction to 2

References
[1] M. Gertz, S. Jajodia (2008). Handbook of Database Security: Applications and Trends, Springer Verlag, ISBN 978-0-387-48532-4.
[2] S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison-Wesley, ISBN 0-201-59375-0.
[3] D.C. Knox (2004). Effective Oracle Database 10g Security by Design, Oracle Press, ISBN 0-07-223130-0.
[4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information Security Fundamentals, Auerbach Publications, ISBN 0-8493-1957-9.
[5] W. Mao (2003). Modern Cryptography: Theory and Practice, 3rd Ed., Prentice Hall, ISBN 0-13-066943-1.

Course Outline - Details

Week 1 (references [1,2,3,4,5])
  1. Introduction
     1.1 Basic concepts
     1.2 Picture of DB security
     1.3 Framework for DB & Applications security

Week 2 (references [4,5])
  2. Basic cryptography & key exchange protocols
     2.1 Cryptography-related concepts
     2.2 Key channel
     2.3 Perfect encryption

Week 3 (references [4,5])
  2. Basic cryptography & key exchange protocols (continued)
     2.4 Dolev-Yao threat model
     2.5 Protocols

Week 4 (references [2,3,4])
  3. Identification & Authentication
     3.1 Introduction
     3.2 Identification techniques
     3.3 Authentication techniques
     3.4 Authentication protocols

Week 5 (references [2,3,4])
  3. Discretionary Access Controls
     3.1 Introduction to DAC
     3.2 Models for DAC

Week 6 (references [2,3,4])
  3. Discretionary Access Controls (continued)
     3.3 SQL for Data Control
     3.4 DAC & Information Flow Controls

Week 7 (references [2,3,4])
  4. Mandatory Access Control
     4.1 Introduction to MAC
     4.2 Models for MAC

Week 8 (references [2,3,4])
  4. Mandatory Access Control (continued)
     4.3 Case study: Oracle Label Security

Week 9 (references [2,3])
  5. Auditing & Accountability
     5.1 Introduction to Auditing & Accountability
     5.2 Techniques to Auditing
     5.3 Case study: Auditing in Oracle

Weeks 10, 11, 12, 13
  Presentation

Week 14
  Tbc.

Assessments
Credits: 3
No mid-term test
Open-book exams

Assessment pattern (% of the final mark):
  Presentation 1: 15
  Presentation 2: 15
  Assignment: 20
  Final Examination: 50

Presentation
Groups of 2-3 students
Presentation topics: http://cse.hcmut.edu.vn/~thaonguyen >> Teaching
Register for the presentations: send an e-mail to thaonguyen@cse.hcmut.edu.vn
Deadline: February 3rd, 2015

Chapter 1: Introduction to
Nguyen Thi Ai Thao
Faculty of Computer Science & Engineering, HCMC University of Technology
thaonguyen@cse.hcmut.edu.vn

Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security

Basic Concepts
- Data and Information
- Information System
- Information Security
- Information System Security Requirements
- Countermeasures
- Basic Steps in the Information Security Process

Basic Concepts - Data and Information
Data are plain facts. When data are processed, organized, structured or presented in a given context so as to make them useful, they are called Information.

Basic Concepts - Information System
An Information System refers to a system of people, data records and activities that process the data and information in an organization. Its three components are People, Data and Process.

Basic Concepts - Information Security
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Basic Concepts - Security Requirements
Information System Security Requirements:
- Confidentiality
- Integrity
- Non-repudiation
- Availability

Basic Concepts - Security Requirements
- Confidentiality: protection of data from unauthorized disclosure.
  Example: in a bank system, preventing a client from finding out the information of another client, such as the balance.
- Integrity: only authorized users should be allowed to modify data.
  Example: in a bank system, preventing a client from changing his or her balance.

Basic Concepts - Security Requirements
- Availability: making data available to the authorized users and application programs.
  Example: in a bank system, ensuring that the invoices are printed on time as required by law.
- Non-repudiation: the ability to prevent the effective denial of an act.
  Example: in a bank system, providing proof of the origin and delivery of transactions from a client.

Basic Concepts - Countermeasures
Countermeasures enforce these security requirements for information systems. Some countermeasures are:
- Access control
- Inference control
- Flow control
- Encryption

Basic Concepts - Access Control
Access Control: the security mechanism for restricting access to the database as a whole. It is handled by creating user accounts and passwords, with the login process controlled by the Database Management System (DBMS).
Two types of access control system:
- Closed system
- Open system

Basic Concepts - Closed System
The rules list the authorized accesses. For each access request, the closed system asks: is there a rule authorizing the access? If yes, access is permitted; if no, access is denied.

Basic Concepts - Open System
The rules list the denied accesses. For each access request, the open system asks: is there a rule denying the access? If yes, access is denied; if no, access is permitted.

Basic Concepts - Inference control
Inference control: the security problem associated with statistical databases is that of controlling access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria. The countermeasures to the statistical database security problem are called inference control measures.

Figure: Inference attack. Labels: non-sensitive database, sensitive database, meta data, access control (access permitted / access denied), infer.

Figure: Inference control. Labels: non-sensitive database, sensitive database, meta data, access control (access permitted / access denied), INFERENCE CONTROL.
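The inference-control idea above, as an added example that is not part of the lecture slides: a toy statistical query interface over a constructed employee table that releases only sums and applies two classic measures, a query-set size bound and a minimum-difference rule between released query sets. The table, the threshold k and the rule names are assumptions for the illustration.

```python
# Constructed toy table (not from the lecture): name -> (department, salary)
EMPLOYEES = {
    "alice": ("research", 9000), "bob": ("research", 5000),
    "carol": ("research", 6000), "dan": ("research", 7000),
    "erin": ("sales", 4000), "frank": ("sales", 4500),
    "grace": ("sales", 5500), "heidi": ("sales", 5000),
}


class StatisticalDB:
    """Answers only aggregate queries over the table and refuses those
    whose result could be combined with earlier answers to single out
    one individual's value."""

    def __init__(self, table, k=3):
        self.table = table
        self.k = k              # minimum query-set size (assumed threshold)
        self.released = []      # query sets whose statistics were released

    def sum_salary(self, predicate):
        """predicate(name, department) -> bool selects the query set C.
        Returns (sum, "ok") or (None, reason)."""
        qset = frozenset(
            n for n, (dept, _) in self.table.items() if predicate(n, dept)
        )
        n_total = len(self.table)
        # Rule 1: query-set size control, k <= |C| <= N - k. A tiny set
        # reveals its members; a set close to the whole table reveals the
        # few left out via total - released sum.
        if len(qset) < self.k or n_total - len(qset) < self.k:
            return None, "refused: query set too small or too close to the whole table"
        # Rule 2: minimum-difference control. Two released sets that differ
        # in fewer than k records let the difference of the sums isolate
        # those records, so such a query is refused.
        for prev in self.released:
            if prev != qset and len(prev ^ qset) < self.k:
                return None, "refused: differs from a released query set in fewer than k records"
        self.released.append(qset)
        return sum(self.table[n][1] for n in qset), "ok"
```

Asking for the research department succeeds, but the follow-up "research except alice" is refused even though its own size is above k, because its difference from the released set is a single record.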

Basic Concepts - Flow control
Flow control prevents information from flowing in such a way that it reaches unauthorized users. Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called Covert Channels:
- Storage channel
- Timing channel

Covert channel: Timing channel
In Python (the function returns as soon as it finds the first mismatching character, so its running time reveals how many leading characters of the guess are correct):

    def validate_password(actual_pw, typed_pw):
        if len(actual_pw) != len(typed_pw):
            return 0
        for i in range(len(actual_pw)):
            if actual_pw[i] != typed_pw[i]:
                return 0      # early exit: the timing channel
        return 1
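The timing channel on the slide, as an added example that is not part of the lecture material: the early-exit comparison beside a version that always examines every character, and the standard-library primitive a practitioner should use. Each function returns the number of character comparisons it performed, an assumed stand-in for measured running time.

```python
import hmac


def validate_password_leaky(actual_pw, typed_pw):
    """Early-exit comparison as on the slide. Returns (match, comparisons).
    The comparison count, and hence the running time, grows with the
    length of the correct prefix of typed_pw: that is the timing channel."""
    if len(actual_pw) != len(typed_pw):
        return False, 0
    comparisons = 0
    for a, b in zip(actual_pw, typed_pw):
        comparisons += 1
        if a != b:
            return False, comparisons   # stops at the first mismatch
    return True, comparisons


def validate_password_constant(actual_pw, typed_pw):
    """Same check without a data-dependent early exit: every character is
    always examined and mismatches are accumulated with OR, so the work
    done does not depend on where the first mismatch is."""
    if len(actual_pw) != len(typed_pw):
        return False, 0
    diff = 0
    comparisons = 0
    for a, b in zip(actual_pw, typed_pw):
        comparisons += 1
        diff |= ord(a) ^ ord(b)
    return diff == 0, comparisons


def validate_password_stdlib(actual_pw, typed_pw):
    """In real code use the library primitive built for this purpose."""
    return hmac.compare_digest(actual_pw.encode(), typed_pw.encode())
```

In practice the stored value is a password hash, not the password itself, and the constant-time comparison is applied to the hash digests.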

Basic Concepts - Encryption
Data encryption refers to mathematical calculations and algorithmic schemes that transform plaintext into ciphertext, a form that is not readable by unauthorized parties. Only a user holding the correct key can decrypt the ciphertext, transforming it back into the original plaintext. Data encryption is used to protect sensitive data (such as credit card numbers).

Basic Concepts - Basic Steps in the Access Control Process
- Identification: a user presents an identity to the database.
- Authentication: the user proves that the identity is valid.
- Authorization: what privileges and authorizations the user has.

Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security


Components to be protected in an information system
Figure (four slides of diagram labels): Encryption; Identify & Authenticate; Access control; Auditing & Accountability; Design Security in OBDS; Key exchange protocols; Physical security; Training.

Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security

Framework for DB & Applications Security
- Privacy, Dependable Information Management, Secure Information Management Technologies, Data Mining and Security, Digital Forensics, Secure Knowledge Management Technologies, Secure Semantic Web, Biometrics
- Relational DB Security, Distributed/Federated DB Security, Web DB Security, Object/Multimedia DB Security, Data Warehouse Security, Inference Problem, Sensor DB and Stream Data Processing Security
- Database Systems, Information Retrieval, Knowledge Management, Information Management, Information & Computer Security
