Information Security Basic Concepts

Similar documents
INF3510 Information Security. Lecture 01: - Course info - Basic concepts in information security

Course information. INF3510 Information Security. Lecture 01: - Course info - Basic concepts in information security. Course organisation

Chap. 1: Introduction

CPSC 467: Cryptography and Computer Security

IY2760/CS3760: Part 6. IY2760: Part 6

Information Security

Information Technology Branch Access Control Technical Standard

CHIS, Inc. Privacy General Guidelines

Chapter 10. Cloud Security Mechanisms

Content Teaching Academy at James Madison University

Introduction to IT Security

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Danske Bank Group Certificate Policy

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Security Goals Services

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Introduction to Security

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Security + Certification (ITSY 1076) Syllabus

Brainloop Cloud Security

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Central Agency for Information Technology

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Network Security. Network Security Hierarchy. CISCO Security Curriculum

ISO Controls and Objectives

Security Policy JUNE 1, SalesNOW. Security Policy v v

COSC 472 Network Security

ICT USER ACCOUNT MANAGEMENT POLICY

CS 356 Lecture 28 Internet Authentication. Spring 2013

CTS2134 Introduction to Networking. Module Network Security

LogMeIn HIPAA Considerations

CONTENTS. PCI DSS Compliance Guide

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Skoot Secure File Transfer

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

CSC 474 Information Systems Security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Newcastle University Information Security Procedures Version 3

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

SonicWALL PCI 1.1 Implementation Guide

Autodesk PLM 360 Security Whitepaper

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

LogRhythm and PCI Compliance

Application Intrusion Detection

Overview of computer and communications security

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

HIPAA Security Alert

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

GE Measurement & Control. Cyber Security for NEI 08-09


Security Awareness. Wireless Network Security

ISO27001 Controls and Objectives

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

E Security Assurance Framework:

Tenzing Security Services and Best Practices

Evaluate the Usability of Security Audits in Electronic Commerce

Information Security It s Everyone s Responsibility

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Client Server Registration Protocol

Govt. of Karnataka, Department of Technical Education Diploma in Computer Science & Engineering. Sixth Semester

Human Factors in Information Security

HIPAA Privacy & Security White Paper

SUPPLIER SECURITY STANDARD

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

The Information Security Problem

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Projectplace: A Secure Project Collaboration Solution

Computer and Network Security Policy

Using Entrust certificates with VPN

Did you know your security solution can help with PCI compliance too?

HIPAA Information Security Overview

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Transcription:

Information Security Basic Concepts 1

What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment, the nation Security and related concepts National security (political stability) Safety (health) Environmental security (clean environment) Information security etc.

What is Information Security Information Security focuses on protecting information assets from damage or harm What are the assets to be protected? Example: data files, software, IT equipment and infrastructure Covers both intentional and accidental events Threat agents can be people or acts of nature People can cause harm by accident or by intent Information Security defined: The preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. (ISO27001)

Scope of information security IS management has as goal to avoid damage and to control risk of damage to information assets IS management focuses on: Understanding threats and vulnerabilities Managing threats by reducing vulnerabilities or threat exposures Detection of attacks and recovery from attacks Investigate and collect evidence about incidents (forensics)

The Need for Information Security Why not simply solve all security problems once for all? Reasons why that s impossible: Rapid innovation constantly generates new technology with new vulnerabilities More activities go online Crime follows the money Information security is a second thought when developing IT New and changing threats More effective and efficient attack technique and tools are being developed Conclusion: Information security doesn t have a final goal, it s a continuing process

Internet Storm Survival Time Measure The survival time is calculated as the average time between attacks against average target IP address. http://isc.sans.org/survivaltime.html

Malware Trend

Security control categories Information Security Physical controls Facility protection Security guards Locks Monitoring Environmental controls Intrusion detection Technical controls Logical access control Cryptographic controls Security devices User authentication Intrusion detection Forensics Administrative controls Policies Standards Procedures & practice Personnel screening Awareness training

Security control functional types Preventive controls: prevent attempts to exploit vulnerabilities Example: encryption of files Detective controls: warn of attempts to exploit vulnerabilities Example: Intrusion detection systems (IDS) Corrective controls: correct errors or irregularities that have been detected. Example: Restoring all applications from the last known good image to bring a corrupted system back online Use a combination of controls to help ensure that the organisational processes, people, and technology operate within prescribed bounds.

Controls by Information States Information security involves protecting information assets from harm or damage. Information is considered in one of three possible states: During storage Information storage containers Electronic, physical, human During transmission Physical or electronic During processing (use) Physical or electronic Security controls for all information states are needed

Security Services and Properties A security service is a high level security property The traditional definition of information security is to preserve the three CIA properties for data and services: Confidentiality: Integrity Availability: Data and Services Availability The CIA properties are the three main security services

Security services and controls Security services (aka. goals or properties) implementation independent supported by specific controls Security controls (aka. mechanisms) Practical mechanisms, actions, tools or procedures that are used to provide security services Security services: e.g. Confidentiality Integrity Availability support Security controls: e.g. Encryption Firewalls Awareness

Confidentiality The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. (ISO 27001) Can be divided into: Secrecy: Protecting business data Privacy: Protecting personal data Anonymity: Hide who is engaging in what actions Main threat: Information theft, unintentional disclosure Controls: Encryption, Access Control, Perimeter defence

Integrity Data Integrity: The property that data has not been altered or destroyed in an unauthorized manner. (X.800) System Integrity: The property of safeguarding the accuracy and completeness of assets (ISO 27001) Main threat: Data and system corruption Controls: Cryptographic integrity check, Encryption, Access Control Perimeter defence Audit Verification of systems and applications

Availability The property of being accessible and usable upon demand by an authorized entity. (ISO 27001) Main threat: Denial of Service (DoS) The prevention of authorized access to resources or the delaying of time critical operations Controls: Redundancy of resources, traffic filtering, incident recovery, international collaboration and policing

Authenticity (Security Service) The CIA properties are quite general security services. Other security services are often mentioned. Authentication is very important, with various types: User authentication: The process of verifying a claimed identity of a (legal) user when accessing a system or an application. Organisation authentication: The process of verifying a claimed identity of a (legal) organisation in an online interaction/session System authentication (peer entity authentication): The corroboration (verification) that a peer entity (system) in an association (connection, session) is the one claimed (X.800). Data origin authentication (message authentication): The corroboration (verification) that the source of data received is as claimed (X.800).

Taxonomy of Authentication Authentication Entity Authentication Data Authentication MAC, DigSig&PKI User Authentication passwords, tokens, OTP, biometrics, PKI Organisation Authentication crypto protocols, e.g. TLS, PKI System Authentication crypto protocols, e.g. IPSec, PKI

User Identification and Authentication Identification Who you claim to be Method: (user)name, biometrics User authentication Prove that you are the one you claim to be Main threat: Unauthorized access Controls: Passwords, Personal cryptographic tokens, OTP generators, etc. Biometrics Id cards Cryptographic security/authentication protocols

System Authentication Host A Host B Goal Establish the correct identity of remote hosts Main threat: Network intrusion Masquerading attacks, Replay attacks (D)DOS attacks Controls: Cryptographic authentication protocols based on hashing and encryption algorithms Examples: TLS, VPN, IPSEC

Data Origin Authentication (Message authentication) Goal: Recipient of a message (i.e. data) can verify the correctness of claimed sender identity But 3 rd party may not be able to verify it Main threats: False transactions False messages and data Controls: Encryption with shared secret key MAC (Message Authentication Code) Security protocols Digital signature with private key Electronic signature, i.e. any digital evidence

Non-Repudiation (Security Service) Goal: Making sending and receiving messages undeniable through unforgible evidence. Non-repudiation of origin: proof that data was sent. Non-repudiation of delivery: proof that data was received. NB: imprecise interpretation: Has a message been received and read just because it has been delivered to your mailbox? Main threats: Sender falsely denying having sent message Recipient falsely denying having received message Control: digital signature Cryptographic evidence that can be confirmed by a third party Data origin authentication and non-repudiation are similar Data origin authentication only provides proof to recipient party Non-repudiation also provides proof to third parties

Accountability (Security Service) Goal: Trace action to a specific user and hold them responsible Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party (TCSEC/Orange Book) Main threats: Inability to identify source of incident Inability to make attacker responsible Controls: Identify and authenticate users Log all system events (audit) Electronic signature Non-repudiation based on digital signature Forensics

Authorization Authorization is to specify access and usage permissions for entities, roles or processes Authorization policy normally defined by humans Issued by an authority within the domain/organisation Authority can be delegated Management Sys.Admin Implemented in IT systems as configuration/policy Beware of confusion (also in Harris text book): Correct: Harris 6 th ed. p.161: "A user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach." Wrong: Harris 6 th ed. p.161: "If the system determines that the subject may access the resource, it authorizes the subject".

Identity and Access Management (IAM) Phases Configuration phase Operation phase Termination phase Registration Identification Claim identity Revoke authorization Provisioning Authentication Prove claimed identity Deactivate credentials Authorization Access control Are you authorized? De-registration

Confusion about Authorization The term authorization is often wrongly used in the sense of access control e.g. If the system determines that the subject may access the resource, it authorizes the subject (e.g. Harris 6 th ed. p.161) Common in text books and technical specifications (RFC 2196 ) Cisco AAA Server (Authentication, Authorization andaccounting) Wrong usage of authorization leads to absurd situations: 1. You get somebody s password, and uses it to access account 2. Login screen gives warning: Only authorized users may access this system 3. You are caught and taken to court 4. You say: The text book at university said I was authorized ifthe system granted access, which it did, so I was authorized

Identity and Access Management Concepts System Owner Domain User registration 1 2 provisioning 3 authorization PAP log-on Identity Provider System Owner policy request 7 PDP 6 decision request User authentication function 4 + Id Cr request resource & access type access 8 PEP 5 System resource Access control function PAP: Policy Administration Point PEP: Policy Enforcement Point Registration PDP: Policy DecisionPoint IdP: IdentityProvider Operations

Questions? 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information