An Overview of Information Security
-
Upload
burmansoft -
Category
Documents
-
view
215 -
download
0
Transcript of An Overview of Information Security
-
8/10/2019 An Overview of Information Security
1/30
An Overview of Information Security
Week 1
-
8/10/2019 An Overview of Information Security
2/30
2
Computer Security
Computational data can be in one of 3 statesat a time:
Stored
!rocessed
In transmission
"ence# computer security involves $ata security
!ro%ram security
&etwork security
-
8/10/2019 An Overview of Information Security
3/30
3
Security !rinciples
Con'dentiality Secrecy of data
Inte%rity
$ata (ave not been c(an%ed incorrectly )by accident ordeliberately* Availability
$ata s(ould be available to aut(ori+ed entities at alltimes,
CIAprinciples
-
8/10/2019 An Overview of Information Security
4/30
Con'dentiality
Concealment of data# its resources and-or t(ee.istence of data,
$ata concealment can be ac(ieved via
crypto%rap(y,
/esources are protected by limitin% data# fore.ample by usin% 'rewalls or address translationmec(anisms,
We can conceal t(e e.istence of data by accesscontrol mec(anisms,
/elies on t(e 0need to know principle ofmilitary,
4
-
8/10/2019 An Overview of Information Security
5/30
Inte%rity
2rustwort(iness of data or resources bypreventin% improper or unaut(ori+ed c(an%e,
Inte%rity includes
$ata inte%rity )t(e content of information*
Ori%in inte%rity )also called aut(entication*
A newspaper prints information leaked from
W(ite "ouse# but it turns out to be from awron% source, 2(is information preserves datainte%rity )printed as received*# but violatesori%in inte%rity )as t(e source is incorrect*,
5
-
8/10/2019 An Overview of Information Security
6/30
Inte%rity
Inte%rity mec(anisms are cate%ori+ed into classes
!revention mec(anisms# suc( as access controlst(at prevent unaut(ori+ed modi'cation of data
Occurs w(en an unaut(ori+ed user attempts toc(an%e data
$etection mec(anisms# w(ic( are intended to
detect unaut(ori+ed modi'cations w(enpreventive mec(anisms (ave failed,
Occurs w(en an aut(ori+ed user attempts to c(an%edata in ille%itimate ways,
6
-
8/10/2019 An Overview of Information Security
7/30
Inte%rity
4.ample:
An interrupted database transaction# leavin% t(edatabase in an inconsistent state violates inte%rity ofdata,
Controls t(at protect inte%rity include principles ofleast privile%e# separation# and rotation of duties,
Clark5Wilson model brin%s to%et(er t(ese controls toprovide inte%rity,
Crypto%rap(ic tools can be used to detect violation of
inte%rity# but t(ey cannot prevent t(em, $i%ital si%nature can be used to determine if data (as
c(an%ed,
7
-
8/10/2019 An Overview of Information Security
8/30
Availability
2(e ability to use t(e information or resourcedesired,
$e'ned in terms of 06uality of service# in w(ic(
aut(ori+ed users are e.pected to receive a speci'clevel of service )stated in terms of a metric*,
System desi%ns assume a statistical model toanaly+e e.pected patterns of use# and
mec(anisms ensure availability w(en t(atstatistical model (olds,
$enial of service )$oS* attacks are attempts toblock availability,
8
-
8/10/2019 An Overview of Information Security
9/30
Availability
4.ample:
Ann compromises a bank7s secondary system server#w(ic( supplies bank account balances, W(en anin6uiry is submitted to t(is secondary server# Ann cansupply any information s(e wants, 8erc(ants validatec(ecks by contactin% t(e bank7s primary balanceserver, 9ut w(en t(e primary server connection ispro(ibited# all merc(ant 6ueries will to t(e secondserver# w(ere Ann will never (ave a c(eck turneddown# re%ardless of (er actual balance,
If t(e bank (ad only t(e primary server# t(is sc(emewouldn7t work as t(e merc(ant wouldn7t be able tovalidate c(ecks,
9
-
8/10/2019 An Overview of Information Security
10/30
2(reats
A t(reat is a potential violation of security,
2(e violation need not actually occur for t(ereto be a t(reat,
2(e possibility t(at a violation mi%(t occurmeans t(at we s(ould %uard a%ainst t(oseactions t(at could cause it, 2(ese actions arecalled attacks,
10
-
8/10/2019 An Overview of Information Security
11/30
-
8/10/2019 An Overview of Information Security
12/30
Classes of 2(reats
$isclosure Snoopin%: unaut(ori+ed interception of
data, 4.: passive wiretappin%# w(ere t(e attacker
monitors communications,
12
-
8/10/2019 An Overview of Information Security
13/30
Classes of 2(reats
$eception 8odi'cation )alteration*: 4.: active wiretappin%#
w(ere t(e attacker in;ects somet(in% into acommunication or modi'es parts of t(ecommunication,
Spoo'n% )mas6ueradin%*: an impersonation ofone entity by anot(er,
$ele%ation is a le%itimate form of spoo'n%,
/epudiation of ori%in: A false denial t(at anentity sent or created somet(in%,
$enial of receipt: A false denial t(at an entityreceived data,
13
-
8/10/2019 An Overview of Information Security
14/30
Classes of 2(reats
$isruption 8odi'cation
surpation 8odi'cation
Spoo'n%
$elay: A temporary in(ibition of service, $enial of service: A lon%5term in(ibition of
service,
14
-
8/10/2019 An Overview of Information Security
15/30
15
Security Attacks
!assive attacks
-
8/10/2019 An Overview of Information Security
16/30
16
Con'dentiality Attacks
2ra>c analysis
Intercept communication to observe on%oin%tra>c
Still works even if messa%e is encrypted ?ields fre6uency# len%t( of messa%es
!revention: tra>c paddin%
Snoopin%
Intercept communication to e.ploit t(e content !revention: 4ncrypt data
9ot( are passive attacks
-
8/10/2019 An Overview of Information Security
17/30
17
Inte%rity Attacks
8odi'cation
8odify# delete# or delay messa%e
Active attacks
!revention: (as( )'n%erprint*
/eplay
Intercept t(e messa%e and send a%ain at a latertime
Active attack
!revention: se timestamps
-
8/10/2019 An Overview of Information Security
18/30
18
Availability Attacks
$enial of Service
Slow down or completely prevent acommunication# an entity# or a w(ole network
from servicin%
Active attack
!revention: se upper limit for @ of messa%es inbuer
-
8/10/2019 An Overview of Information Security
19/30
19
Aut(enticity Attacks
8as6ueradin% )Spoo'n%*
Attacker impersonates eit(er sender or receiver)man5in5t(e5middle attack*
Active attack
!revention: se 8AC )keyed5(as(*
-
8/10/2019 An Overview of Information Security
20/30
20
&on5/epudiation Attacks
/epudiation
/e;ectin% t(e occurrence of transmission
4it(er sender or receiver may performrepudiation attack
!revention: se di%ital si%nature
-
8/10/2019 An Overview of Information Security
21/30
!olicies and 8ec(anisms
!olicy says w(at is# and is not# allowed
2(is de'nes 0security for t(e site# system# etc,
!olicy maybe e.pressed in:
natural lan%ua%e# imprecise but easy tounderstand
mat(ematics# precise but (ard to understand
policy lan%ua%es# look like some form of
pro%rammin% lan%ua%e and try to balanceprecision wit( ease of understandin%
21
-
8/10/2019 An Overview of Information Security
22/30
!olicies and 8ec(anisms
8ec(anism A met(od# tool# or procedure to enforce a security
policy,
8ec(anisms maybe:
tec(nical# in w(ic( controls in t(e computer enforcet(e policyB for e.ample# t(e re6uirement t(at a usersupply a password to aut(enticate (erself beforeusin% t(e computer
procedural# in w(ic( controls outside t(e system
enforce t(e policyB for e.ample# 'rin% someone forbrin%in% in a disk containin% a %ame pro%ramobtained from an untrusted source
Composition of policies
If policies conict# discrepancies may createsecurity vulnerabilities
22
-
8/10/2019 An Overview of Information Security
23/30
Doals of Security
!revention !revent attackers from violatin% security policy
$etection $etect attackers7 violation of security policy
/ecovery Stop attack# assess and repair dama%e
Continue to function correctly even if attack
succeeds
23
-
8/10/2019 An Overview of Information Security
24/30
Assurance
Assurance is (ow muc( you can trust t(e system to dow(at it is supposed to do, It does not say w(at t(esystem is to doB rat(er# it only covers (ow well t(esystem does it,
Speci'cation /e6uirements analysis
Statement of desired functionality
$esi%n
"ow system will meet speci'cation
Implementation
!ro%rams-systems t(at carry out desi%n
24
-
8/10/2019 An Overview of Information Security
25/30
-
8/10/2019 An Overview of Information Security
26/30
Cost 9ene't Analysis 4.ample
A $9 provides salary information to anot(er systemt(at prints c(ecks, If t(e data in t(e $9 is altered# t(ecompany would suer si%ni'cant 'nancial lossB (ence#t(e cost5bene't analysis s(ould su%%est t(at t(estron%est inte%rity mec(anisms s(ould protect t(e data
in t(e $9,
Anot(er company (as several branc( o>ces# and eac(day a copy of t(e data is copied to eac( branc( o>ce,
2(e branc( o>ces use t(e data to recommend salaries
for new employees, "owever# t(e 'nal decision is madeby t(e main o>ce usin% t(e ori%inal $9, In t(is case#%uardin% t(e inte%rity of t(e copies is not particularlyimportant,
26
-
8/10/2019 An Overview of Information Security
27/30
/isk Analysis
/isk is a function of environment,
2(e risks c(an%e wit( time,
8any risks are remote# but still e.ist,
27
-
8/10/2019 An Overview of Information Security
28/30
-
8/10/2019 An Overview of Information Security
29/30
"uman Issues
Or%ani+ational !roblems
!ower and responsibility
Ginancial bene'ts
!eople problems
Outsiders and insiders
Social en%ineerin%
29
-
8/10/2019 An Overview of Information Security
30/30
9rin%in% it all to%et(er ,,
2(e security lifecycle
30
Threats
PolicySpecification
Design
Implementation
peration "
maintenance