5a - Database Securi..

26
Page 1: 5a - Database Securi..

Security Architecture (1 of 2)

Page 2: 5a - Database Securi..

2

Security Concerns

Internet
Viruses
Denial of Service
Information Theft
Unauthorized Access
Industrial Espionage
Hacktivism
Public Confidence
Privacy
Pornography

Page 3: 5a - Database Securi..

3

Security Expectations

Users can perform only authorized tasks

Users can obtain only authorized information

Users cannot cause damage to the data, applications, or operating environment of a system

Page 4: 5a - Database Securi..

4

Motivations for Security

Page 5: 5a - Database Securi..

5

Network Security Weaknesses

Technology weaknesses
Configuration weaknesses
Security policy weaknesses

Page 6: 5a - Database Securi..

6

Technology Weaknesses

All computer and network technologies have inherent security weaknesses or vulnerabilities.

Don’t overlook:
Hardware issues
OS issues
Network protocol issues (even TCP/IP)
Application vulnerabilities

Page 7: 5a - Database Securi..

7

Configuration Weaknesses

Insecure default settings: if you left the defaults, you are dead.
Misconfigured network equipment: a little knowledge is a dangerous thing.
Insecure user accounts/passwords: end-users can’t be trusted to use strong passwords.
Misconfigured Internet services: HTTP, Java, CGI, unneeded services.
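The configuration weaknesses listed on this slide are the kind of thing a small automated audit can catch before a server goes live. The following Python script is an added example (not part of the original slides); it reads a constructed INI-style configuration for a hypothetical database server, flags vendor-default credentials, an all-interfaces listen address, unneeded services left enabled, and a weak password-length policy, and shows a hardened version of the same file that passes clean. The credential list, service names and 12-character minimum are assumptions chosen for the example.

```python
import configparser

# Constructed sample configuration for a hypothetical database server (INI form).
WEAK_CONFIG = """
[server]
listen_address = 0.0.0.0
admin_user = admin
admin_password = admin

[services]
http_console = enabled
remote_cgi = enabled
replication = disabled

[password_policy]
min_length = 6
"""

# The same file after the findings below have been fixed (also constructed).
HARDENED_CONFIG = """
[server]
listen_address = 10.0.5.12
admin_user = dba_ops
admin_password = REPLACE_WITH_SECRET_FROM_VAULT

[services]
http_console = disabled
remote_cgi = disabled
replication = enabled

[password_policy]
min_length = 14
"""

# Assumed list of credential pairs that commonly ship as vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("sa", "")}
# Assumed set of services this deployment does not need.
UNNEEDED_SERVICES = {"http_console", "remote_cgi"}
# Assumed organisational policy for the minimum password length.
MIN_PASSWORD_LENGTH = 12


def audit_config(text):
    """Return a list of (severity, finding) tuples for one configuration text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []

    server = cfg["server"]
    creds = (server.get("admin_user"), server.get("admin_password"))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(("high", "admin account still uses vendor default credentials"))
    if server.get("listen_address") == "0.0.0.0":
        findings.append(("medium", "server listens on all interfaces; bind it to the management network"))

    for name, state in cfg["services"].items():
        if name in UNNEEDED_SERVICES and state.lower() == "enabled":
            findings.append(("medium", f"unneeded service enabled: {name}"))

    min_len = cfg["password_policy"].getint("min_length", fallback=0)
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(("medium", f"password min_length {min_len} is below the required {MIN_PASSWORD_LENGTH}"))

    return findings


if __name__ == "__main__":
    for severity, text in audit_config(WEAK_CONFIG):
        print(f"[{severity}] {text}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Running the script prints five findings for the weak file and an empty list for the hardened one; the point is that "end-users can’t be trusted to use strong passwords" is addressed by a server-side policy the audit can verify, not by hoping.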

Page 8: 5a - Database Securi..

8

Security Policy Weaknesses

Lack of a written security policy
Internal politics
Lack of business continuity
Turnover in staff/management can be devastating
Logical access controls to network equipment are not applied
Security administration is lax, including monitoring and auditing
Lack of awareness of having been attacked
Software and hardware installation and changes do not follow the policy
Security incident and disaster recovery procedures are not in place

Page 9: 5a - Database Securi..

9

Categories of Network Threats

Unstructured
Structured
Internal
External

Page 10: 5a - Database Securi..

10

Threats and Consequences

Page 11: 5a - Database Securi..

11

Database Security

Degree to which data is fully protected from tampering or unauthorized acts

Comprises:
Information system
Information security concepts

Page 12: 5a - Database Securi..

12

Information Systems

Comprised of components working together to produce and generate accurate information

Wise decisions require:
Accurate and timely information
Information integrity

Categorized based on usage

Page 13: 5a - Database Securi..

13

Information Systems Components

Page 14: 5a - Database Securi..

14

Database Management

Essential to success of information system

DBMS functions:
Organize data
Store and retrieve data efficiently
Manipulate data (update and delete)
Enforce referential integrity and consistency
Enforce and implement data security policies and procedures
Back up, recover, and restore data
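"Enforce referential integrity and consistency" is worth seeing in action, because a DBMS only protects data it has been told the rules for. The following Python/SQLite script is an added example, not from the slides: it defines a constructed customers/orders schema with a foreign key and a CHECK constraint, then shows which statements the DBMS accepts and which it rejects. The table names and values are made up for the example; note the SQLite-specific detail that foreign keys are enforced only after PRAGMA foreign_keys = ON.

```python
import sqlite3


def build_schema(conn):
    """Create a parent/child pair of tables whose consistency rules the DBMS enforces."""
    # SQLite ships with foreign-key enforcement off; a classic insecure default.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders(
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE RESTRICT,
            amount      INTEGER NOT NULL CHECK (amount > 0)
        );
    """)


def try_statement(conn, sql, params):
    """Run one statement in its own transaction and report the DBMS verdict."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def demo():
    """Return a dict of statement label -> verdict for a constructed set of writes."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    results = {
        "parent":        try_statement(conn, "INSERT INTO customers VALUES (?, ?)", (1, "Alice")),
        "valid_child":   try_statement(conn, "INSERT INTO orders VALUES (?, ?, ?)", (10, 1, 250)),
        # customer 99 does not exist: an orphan row that would break referential integrity
        "orphan_child":  try_statement(conn, "INSERT INTO orders VALUES (?, ?, ?)", (11, 99, 75)),
        # negative amount violates the CHECK constraint (data validity)
        "bad_amount":    try_statement(conn, "INSERT INTO orders VALUES (?, ?, ?)", (12, 1, -5)),
        # deleting a customer who still has orders is blocked by ON DELETE RESTRICT
        "delete_parent": try_statement(conn, "DELETE FROM customers WHERE id = ?", (1,)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} {verdict}")
```

Two writes are accepted and three are rejected. The rejected ones are exactly the operations that would leave the database inconsistent, which is the integrity guarantee the slide refers to; an application that relied on its own code paths alone to prevent them would lose that guarantee the moment a second client or an ad hoc query touched the data.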

Page 15: 5a - Database Securi..

15

Client Server Database systems

Page 16: 5a - Database Securi..

16

Database Management

Data
Hardware
Software
Networks
Procedures
Database servers

Page 17: 5a - Database Securi..

17

Information Security Architecture

Protects data and information produced from the data

Model for protecting logical and physical assets

Is the overall design of a company’s implementation of the C.I.A. triangle

Page 18: 5a - Database Securi..

18

Information Security Architecture

Page 19: 5a - Database Securi..

19

Confidentiality

Addresses two aspects of security:
Prevention of unauthorized access
Information disclosure based on classification

Classify information into levels:
Each level has its own security measures
Usually based on degree of confidentiality necessary to protect information
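One concrete way to turn "classify information into levels" into an enforceable rule is a clearance-versus-label comparison: a subject may read a record only if its clearance is at or above the record's classification (the "no read up" rule of classic mandatory access control). The Python below is an added example, not from the slides; the four levels, the record names and the labels are constructed for illustration, and unknown labels are deliberately denied so that a mislabelled record fails closed rather than open. Denied attempts are written to an audit list, since knowing that access was attempted is part of the defence.

```python
# Ordered classification levels; higher number = more sensitive (assumed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed records, each tagged with the level it is classified at.
RECORDS = {
    "price_list":      "public",
    "staff_directory": "internal",
    "salary_table":    "confidential",
    "merger_plan":     "secret",
}


def can_read(clearance, classification):
    """No read up: allowed only if the subject's clearance dominates the object's label.

    Any label that is not in the scheme is denied (fail closed), so a typo in a
    classification tag can never silently widen access.
    """
    if clearance not in LEVELS or classification not in LEVELS:
        return False
    return LEVELS[clearance] >= LEVELS[classification]


def visible_records(clearance, audit_log):
    """Return the record names a subject with this clearance may read.

    Every refusal is appended to audit_log so that monitoring can see attempts
    to reach data above a user's level.
    """
    allowed = []
    for name, label in RECORDS.items():
        if can_read(clearance, label):
            allowed.append(name)
        else:
            audit_log.append(f"DENIED clearance={clearance} record={name} label={label}")
    return allowed


if __name__ == "__main__":
    log = []
    print("internal user sees:", visible_records("internal", log))
    print("audit entries:", *log, sep="\n  ")
```

For an "internal" clearance the function returns the public and internal records and logs two denials; a "secret" clearance sees everything, and a clearance string that is not part of the scheme sees nothing at all.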

Page 20: 5a - Database Securi..

20

Eavesdropping – Packet Sniffing

Page 21: 5a - Database Securi..

21

Confidentiality Classification

Page 22: 5a - Database Securi..

22

Integrity

Consistent and valid data, processed correctly, yields accurate information

Information has integrity if:
It is accurate
It has not been tampered with

Read consistency: each user sees only his changes and those committed by other users
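The read-consistency rule on this slide can be observed directly with two database connections. The Python/SQLite script below is an added example, not from the slides: a constructed "accounts" table is shared by two users, Alice and Bob; Alice updates a balance inside an open transaction, and the script records what each of them sees before and after she commits. Alice sees her own uncommitted change, Bob sees only the last committed value until the commit lands. The table and names are made up; the database is a temporary file because two connections cannot share a plain in-memory SQLite database.

```python
import os
import sqlite3
import tempfile


def _balance(conn):
    """Read the single account row.

    fetchall() runs the statement to completion, so the connection holds no
    read lock afterwards and the other user's commit is never blocked by it.
    """
    return conn.execute("SELECT balance FROM accounts WHERE id = 1").fetchall()[0][0]


def read_consistency_demo():
    """Return (alice_sees, bob_sees_before_commit, bob_sees_after_commit)."""
    fd, path = tempfile.mkstemp(suffix=".db")     # constructed shared database file
    os.close(fd)
    # isolation_level=None: the sqlite3 module opens no implicit transactions,
    # so the BEGIN and COMMIT below are the only transaction boundaries.
    alice = sqlite3.connect(path, isolation_level=None)
    bob = sqlite3.connect(path, isolation_level=None)
    try:
        alice.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
        alice.execute("INSERT INTO accounts VALUES (1, 100)")   # committed starting state

        alice.execute("BEGIN")
        alice.execute("UPDATE accounts SET balance = 50 WHERE id = 1")   # not yet committed
        alice_sees = _balance(alice)      # a user sees his own changes
        bob_before = _balance(bob)        # other users see only committed data
        alice.execute("COMMIT")
        bob_after = _balance(bob)         # now the change is visible to everyone
        return alice_sees, bob_before, bob_after
    finally:
        alice.close()
        bob.close()
        os.remove(path)


if __name__ == "__main__":
    print("alice, bob before commit, bob after commit:", read_consistency_demo())
```

The result is (50, 100, 50). If Bob's read returned 50 before Alice committed, a later rollback by Alice would leave Bob having acted on a balance that never existed; the DBMS's transaction isolation is what prevents that form of integrity loss.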

Page 23: 5a - Database Securi..

23

Degradation of Data Integrity

Page 24: 5a - Database Securi..

24

Degradation of Data Integrity

Page 25: 5a - Database Securi..

25

Availability

Systems must always be available to authorized users

The system determines what a user can do with the information

Reasons for a system to become unavailable:
External attacks and lack of system protection
System failure with no disaster recovery strategy
Overly stringent and obscure security policies
Bad implementation of authentication processes
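"System failure with no disaster recovery strategy" is the availability risk that a tested backup addresses, and it is the same capability the earlier DBMS functions slide lists as "back up, recover, and restore data". The Python/SQLite script below is an added example, not from the slides: it takes an online, consistent copy of a constructed production database with the SQLite backup API, simulates a destructive failure, restores from the copy and then checks the restored database's integrity. The table and rows are made up for the example; both databases are in memory so the script runs anywhere.

```python
import sqlite3


def create_production_db():
    """Constructed production database with a small customers table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO customers VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol');
    """)
    return db


def row_count(db):
    return db.execute("SELECT count(*) FROM customers").fetchall()[0][0]


def backup_and_restore():
    """Return (rows_before, rows_after_loss, rows_after_restore, integrity_check)."""
    prod = create_production_db()
    before = row_count(prod)

    # Take a consistent online copy while the production database stays available.
    backup = sqlite3.connect(":memory:")
    prod.backup(backup)

    # Simulated failure: the production data is destroyed and the damage committed.
    prod.execute("DELETE FROM customers")
    prod.commit()
    after_loss = row_count(prod)

    # Recovery: copy the backup back over the damaged database, then verify it.
    backup.backup(prod)
    after_restore = row_count(prod)
    integrity = prod.execute("PRAGMA integrity_check").fetchall()[0][0]

    backup.close()
    prod.close()
    return before, after_loss, after_restore, integrity


if __name__ == "__main__":
    print("before, after loss, after restore, integrity:", backup_and_restore())
```

The script returns (3, 0, 3, 'ok'). The restore step is the part most organisations never rehearse; a backup that has not been restored and integrity-checked is a hope, not a disaster recovery strategy.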

Page 26: 5a - Database Securi..

Fin…