Mis jaiswal-chapter-11

CHAPTER 11 INFORMATION SECURITY MANAGEMENT

Transcript of Mis jaiswal-chapter-11

Page 1:

CHAPTER 11: INFORMATION SECURITY MANAGEMENT

Page 2:

Information Security: the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including the measures necessary to detect, document and counter such threats.

A second definition: the result of any system of administrative policies and procedures for identifying, controlling and protecting from unauthorized disclosure information whose protection is authorized by executive order.

Page 3:

Information Security Management

Information Security Management provides:

- a systematic approach to achieving effective information security within an organization;

- a realistic understanding of the information security risks and issues facing organizations; and

- effective techniques for matching information security requirements with business requirements.

It consists of several facets: security policy, risk analysis, risk management, contingency planning and disaster recovery.

Page 4:

Information Security Threats

Software agents and malicious code

Virus: a program that attaches itself to another program and is executed whenever the infected host program is run; it spreads by copying itself into further programs.

Trojan Horse: a program which does its supposed job but also includes unsuspected and undesirable functions, e.g. deletion of files the user wants to keep.

Worm: a self-replicating program; it creates its own copies and executes them, spreading across networks without needing a host program.

Page 5:

Information Security Threats contd

Threats to Servers on Networks

Hackers can use electronic eavesdropping to capture user names and unencrypted passwords.

Hackers can spoof, i.e. configure a system to mimic some other system.

Hackers use popular UNIX programs to discover account names and then guess passwords.

Hackers have potential access to large systems with many prospective security holes.

Page 6:

Security Architecture

Diagram: layers of protection between the Business and the External World: Network Security, Procedural Security, Physical Security, Authentication and Authorization, Data and application security.

Page 7:

Information Security Architecture

Information Security: properties of a message sent from A to B

Authentication: the message received by B has actually come from A.

Confidentiality: the message is secured and cannot be read by any snooper.

Integrity: the message has not been altered, by accident or by design.

Non-repudiation: A cannot later deny having sent the message, so B can hold A legally responsible for it.

Page 8:

Information Security

Diagram: A sends a message to B (A → B).

Page 9:

Information Security contd

Encryption and Decryption Technology

Diagram: plaintext "Transfer Rs. 10,000 to the account of X" → Encrypt → ciphertext "bjqhiudiiodo" → Send → Receive → Decrypt → plaintext "Transfer Rs. 10,000 to the account of X"

Page 10:

Information Security contd

Symmetric Encryption: the sender encrypts a message using a secret key and the receiver uses the same key for decryption. Useful where the two parties are well known to each other. Sharing the keys is difficult, especially in large networks, because every pair of communicating parties needs its own secret key.

DATA ENCRYPTION STANDARD (DES)

• Secret key, symmetric encryption

• 56-bit secret key, which means 2^56 possible keys. 56-bit DES was publicly brute-forced in 1998-99 in under a day (56 hours, then 22 hours) with purpose-built hardware; 128-bit keys, as in AES-128, remain far beyond brute force.

• Triple DES applies DES three times; with two independent keys the key is 112 bits (three keys give 168 bits, but the effective strength is still about 112 bits).

• The larger the key, the longer a brute-force attack takes: each additional bit doubles the number of keys to try.

Page 11:

Information Security contd

Public and Private Key encryption

Both parties have one public key and one private key each. The public keys are known to each other; the private keys are not. A message to B is encrypted using B's public key, and it can be opened only when B uses its private key.

CONFIDENTIALITY IS ENSURED

RSA (Rivest, Shamir, Adleman) algorithm for public key encryption. 768-bit RSA was considered safe at the time of writing; a 768-bit RSA modulus was factored in 2009, and 2048 bits is now the accepted minimum.

Diagram: A --[message encrypted with B's public key]--> B --[decrypted with B's private key]--> message

Page 12:

Information Security contd

Public and Private Key encryption

The message is encrypted using B's public key. The packet so encrypted is further encrypted by A using A's private key. It can be opened only when B first applies A's public key and then its own private key. Applying A's private key is a signing operation; in practice it is applied to a fingerprint of the message, as on the next slide.

CONFIDENTIALITY AND AUTHENTICITY ARE ENSURED: only B can read the message, and only A could have applied A's private key.

Diagram: message --[encrypted with B's public key]--> --[encrypted with A's private key]--> A sends to B --[decrypted with A's public key and B's private key]--> message

Page 13:

Information Security contd

Digital signature and public key encryption

Diagram: message → digital signature using A's private key (the fingerprint of the message encrypted with A's private key) → message and signature encrypted with B's public key.

CONFIDENTIALITY, INTEGRITY AND AUTHENTICITY ENSURED, AND NON-REPUDIATION: the signature could only have been produced with A's private key, so A cannot later deny having sent the message (provided A's private key has not been compromised).

Digital Signature: a checksum-like number called a fingerprint (a message digest, or hash, of the message) is computed, encrypted with the sender's private key and included with the message to ensure INTEGRITY. It plays the role of the Message Authentication Code (MAC) used in the banking industry, with one difference: a MAC is computed with a secret key shared by both parties, so either of them could have produced it, whereas a signature uses a key that only the sender holds.

Page 14:

Information Security contd

Digital Certificate

X.509 certificate fields (diagram):

- Version
- Certificate Serial No.
- Signature Algorithm ID
- Issuer
- Validity Period
- Subject
- Subject Public Key Info
- Issuer Unique Identifier
- Subject Unique Identifier
- Extensions
- C.A. Digital Signature (the C.A. generates it over all of the fields above using the C.A. private key)

Issued by a Certifying Authority, a certificate binds a person (the subject) to his public key; the matching private key stays with the subject and never appears in the certificate. Standard: X.509.
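The flow on the three public-key slides (encrypt with B's public key, sign with A's private key, B checks with A's public key) and the certificate slide above, worked through as an added example; this is not code from the chapter. It uses textbook RSA with no padding and with Mersenne primes (2^521-1, 2^127-1, 2^607-1, 2^107-1, 2^1279-1, 2^89-1) as stand-in keys: these primes are public knowledge, so the keys give no real security and are assumed here purely so the example runs without a key generator. SHA-256 stands in for the fingerprint, a JSON dictionary for the X.509 encoding, and the names "A", "B" and "Example CA" and the dates are hypothetical.

```python
import hashlib
import json

E = 65537  # standard RSA public exponent


def make_keypair(p, q):
    """Textbook RSA from two primes: public (e, n), private (d, n). Toy only: no padding."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of e, Python 3.8+
    return (E, n), (d, n)


def encrypt(msg: bytes, pub) -> int:
    """Confidentiality: anyone may encrypt with the receiver's public key."""
    e, n = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(c: int, priv) -> bytes:
    """Only the holder of the matching private key recovers the plaintext."""
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def fingerprint(msg: bytes) -> int:
    """The slide's 'finger print': a hash of the message, as an integer (below every modulus used here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes, priv) -> int:
    """Digital signature: the fingerprint 'encrypted' with the sender's private key."""
    d, n = priv
    return pow(fingerprint(msg), d, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    """Anyone holding the sender's public key can check it; a changed message fails."""
    e, n = pub
    return pow(sig, e, n) == fingerprint(msg)


def canonical(tbs: dict) -> bytes:
    """Deterministic encoding of the to-be-signed fields (X.509 uses DER; JSON is a stand-in)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_certificate(serial, subject, subject_pub, not_before, not_after, issuer, ca_priv):
    """The CA binds the subject name to the subject's public key by signing the slide's fields."""
    tbs = {"version": 3, "serial": serial, "sig_alg": "toy-rsa-sha256", "issuer": issuer,
           "not_before": not_before, "not_after": not_after, "subject": subject,
           "public_key": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(canonical(tbs), ca_priv)}


def verify_certificate(cert, expected_subject, ca_pub, now) -> bool:
    """Check the name, the validity period (dates as YYYYMMDD integers) and the CA's signature."""
    tbs = cert["tbs"]
    return (tbs["subject"] == expected_subject
            and tbs["not_before"] <= now <= tbs["not_after"]
            and verify(canonical(tbs), cert["signature"], ca_pub))


# Assumed stand-in primes: Mersenne primes 2**k - 1 are public knowledge, so these
# keys give no security. Real keys use secret random primes of 1024+ bits each.
A_PUB, A_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
B_PUB, B_PRIV = make_keypair(2**607 - 1, 2**107 - 1)
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**89 - 1)
A_CERT = issue_certificate(1001, "A", A_PUB, 20240101, 20261231, "Example CA", CA_PRIV)  # hypothetical


def send(msg: bytes):
    """A -> B: the message under B's public key, plus A's signature over the plaintext."""
    return encrypt(msg, B_PUB), sign(msg, A_PRIV)


def receive(c: int, sig: int, sender_cert, now=20250601):
    """B: validate A's certificate, decrypt, then verify using the public key taken from the certificate."""
    if not verify_certificate(sender_cert, "A", CA_PUB, now):
        return None, "certificate rejected"
    msg = decrypt(c, B_PRIV)
    if not verify(msg, sig, tuple(sender_cert["tbs"]["public_key"])):
        return msg, "signature invalid"
    return msg, "ok"


if __name__ == "__main__":
    c, s = send(b"Transfer Rs. 10,000 to the account of X")
    print(receive(c, s, A_CERT))                    # (b'Transfer Rs. 10,000 to the account of X', 'ok')
    print(receive(c ^ 1, s, A_CERT)[1])             # ciphertext altered in transit -> 'signature invalid'
    print(receive(c, s, A_CERT, now=20270101)[1])   # expired certificate -> 'certificate rejected'
```

Three failure modes are worth running: flipping one bit of the ciphertext changes the decrypted fingerprint and the signature no longer verifies (integrity); a certificate presented outside its validity period is refused before any decryption; and a certificate in which an attacker has substituted his own public key fails the CA signature check, which is what stops the "mimic some other system" spoofing from the threats slide. Real deployments add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), DER-encoded certificates and revocation checks, none of which this toy includes.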

Page 15: Mis jaiswal-chapter-11

Set of agreed upon standards, certification authorities, structure between multiple authorities, methods to discover and validate certification paths,operational protocols, management protocols, inter operable tools and supporting legislature

Public Key Infrastructure

PKI Issues : Regulation

• Governments are producing legislation to govern e-commerce

• Who regulates Certification Authorities• C A Liability• Revocation of certificates

Information Security contd

Page 16:

Internet Security

• The Internet provides global reach at very low cost and high speed, but it is not secure because of inherent weaknesses in TCP/IP (source addresses are not authenticated and traffic is not encrypted)

• The exponential growth of the Internet results in a rise in security incidents

• Most ISPs and user organisations run the Internet on public domain software such as Linux and Apache; being so widely deployed, these are frequent targets, and unpatched installations are exposed to well-known vulnerabilities

• Default network OS settings and open FTP and Telnet services are vulnerable (both send passwords in cleartext)

Page 17:

Security Threats to Internet

Types of Attack

• Password-Based Attack
  - password cracking; cleartext FTP and Telnet logins; copies of the /etc/passwd file

• IP Spoofing
  - TCP/IP allows anyone to generate a packet claiming to come from another machine, because source addresses are not authenticated

• Session Hijacking
  - a special type of IP spoofing in which an intruder is able to determine (predict) the TCP sequence numbers used between two parties and inject packets into their session

• Network Snooping / Packet Sniffing
  - packets can easily be intercepted at any point in the network, and anything sent unencrypted is readable
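Two of the attacks above seen from the defender's side, as an added example that is not part of the chapter: what a sniffer learns from cleartext FTP and Telnet logins, and the sequence-number predictability check that session hijacking depends on. The packet records and ISN lists are constructed sample data, and the record layout (src, dst, server port, payload) is an assumption of this example, not a real capture format.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): (src, dst, server_port, payload).
# FTP (21) and Telnet (23) carry logins in cleartext; the TLS record on 443 does not.
CAPTURE = [
    ("10.0.0.5", "10.0.0.1", 21, b"USER alice\r\n"),
    ("10.0.0.1", "10.0.0.5", 21, b"331 Password required for alice\r\n"),
    ("10.0.0.5", "10.0.0.1", 21, b"PASS s3cret\r\n"),
    ("10.0.0.1", "10.0.0.5", 21, b"230 User alice logged in\r\n"),
    ("10.0.0.2", "10.0.0.7", 23, b"\r\nlogin: "),
    ("10.0.0.7", "10.0.0.2", 23, b"root\r\n"),
    ("10.0.0.2", "10.0.0.7", 23, b"Password: "),
    ("10.0.0.7", "10.0.0.2", 23, b"toor\r\n"),
    ("10.0.0.9", "10.0.0.1", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]


def extract_cleartext_logins(capture):
    """Packet sniffing: what a passive listener learns from FTP and Telnet sessions.
    Returns {(client, server, port): {"user": ..., "password": ...}}."""
    found = defaultdict(dict)
    pending = {}  # (client, server) -> field the client's next line answers (Telnet is prompt-driven)
    for src, dst, port, payload in capture:
        text = payload.decode("ascii", "replace").strip()
        if port == 21:  # FTP commands name themselves
            if text.upper().startswith("USER "):
                found[(src, dst, 21)]["user"] = text[5:]
            elif text.upper().startswith("PASS "):
                found[(src, dst, 21)]["password"] = text[5:]
        elif port == 23:  # Telnet: the server prompts, the client's next line is the answer
            if text.lower().endswith("login:"):
                pending[(dst, src)] = "user"
            elif text.lower().endswith("password:"):
                pending[(dst, src)] = "password"
            elif (src, dst) in pending:
                found[(src, dst, 23)][pending.pop((src, dst))] = text
    return dict(found)


def predict_next_isn(isns):
    """Session hijacking / blind spoofing precondition: if a host's TCP initial
    sequence numbers grow by a fixed step, an attacker who samples a few of them
    can predict the next one and complete a forged handshake. Returns the
    predicted ISN, or None when the increments vary (randomised ISNs)."""
    if len(isns) < 3:
        return None
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    if len(steps) != 1:
        return None
    return (isns[-1] + steps.pop()) & 0xFFFFFFFF


if __name__ == "__main__":
    for session, creds in extract_cleartext_logins(CAPTURE).items():
        print(session, creds)
    print(predict_next_isn([128000, 192000, 256000, 320000]))  # 384000: predictable
    print(predict_next_isn([0x1A2B3C4D, 0x93F0A1B2, 0x0E5D7C88, 0x55AA55AA]))  # None
```

The sniffer needs no exploit: the FTP commands and the Telnet prompt/answer pairs are the protocol itself, which is why the remedy is encryption (SSH, TLS) or one-time passwords rather than a server patch. The ISN check is the detection side of the classic sequence-number attack; a host whose next ISN is predictable is one an attacker can impersonate without ever seeing the reply packets.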

Page 18:

Internet Security: Network level - Firewall

Diagram: External Users on the Internet reach the firewall; behind it sit the public services (Web server, FTP server, Gopher server) and the Inside network. Three flows are shown:

- inbound traffic from the Internet to public services;
- inbound traffic from the Internet to the internal network;
- outbound traffic from the internal network.
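The diagram as a first-match packet filter with a default deny and a state table for replies, as an added example that is not part of the chapter. The address plan (10.0.0.0/8 inside, 192.0.2.0/24 for the public servers, documentation ranges for the Internet side) and the policy (the Internet may reach only the Web and FTP servers on their service ports, the inside may go out, nothing else comes in) are assumptions of this example; the Gopher server is left out of the rules.

```python
import ipaddress

# Assumed address plan: inside network, public-services segment (Web/FTP servers),
# and documentation ranges standing in for the Internet side.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")
FTP_SERVER = ipaddress.ip_network("192.0.2.20/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Policy from the diagram; first match wins, so rule order matters.
# (action, src network, dst network, allowed destination ports or None for any)
RULES = [
    ("allow", ANY, WEB_SERVER, {80, 443}),  # inbound from the Internet to public services
    ("allow", ANY, FTP_SERVER, {21}),
    ("allow", INTERNAL, ANY, None),         # outbound from the internal network
    ("deny", ANY, INTERNAL, None),          # inbound from the Internet to the internal network
]


def matches(rule, src, dst, dport):
    _, src_net, dst_net, ports = rule
    return src in src_net and dst in dst_net and (ports is None or dport in ports)


class Firewall:
    """Stateful first-match packet filter; anything no rule allows is dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # (src, sport, dst, dport) of connections already allowed

    def filter(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A reply to a connection allowed earlier passes without another rule lookup;
        # this is what lets the Web server answer an external client even though no
        # rule permits traffic from the server segment outwards.
        if (dst, dport, src, sport) in self.established:
            return "allow"
        for rule in self.rules:
            if matches(rule, src, dst, dport):
                if rule[0] == "allow":
                    self.established.add((src, sport, dst, dport))
                return rule[0]
        return "deny"  # default deny: the policy must name every permitted flow


if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.filter("203.0.113.7", 50000, "192.0.2.10", 443))  # allow: Internet -> Web server
    print(fw.filter("192.0.2.10", 443, "203.0.113.7", 50000))  # allow: reply on that connection
    print(fw.filter("203.0.113.7", 50001, "10.0.0.5", 22))     # deny: Internet -> inside
    print(fw.filter("10.0.0.5", 40000, "198.51.100.9", 80))    # allow: outbound
    print(fw.filter("203.0.113.7", 50002, "192.0.2.10", 22))   # deny: SSH to the Web server is not published
```

The last case is the one the diagram is about: the Web server is reachable only on the ports its service is published on, so a management port left listening on it is still shielded from the Internet. The state table is what makes the third flow (outbound) usable in practice, since without it every reply from the Internet would fall through to the default deny.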

Page 19:

Internet Security Technology

Operational Technology

• One-Time passwords
• Network Monitoring Tools
• Network Security Analysis Tools
• Firewalls

Cryptography / Policy-based Technology

• Digital Signature
• PKI Policy
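What "One-Time passwords" buys against the password sniffing and password-based attacks on the earlier slides, as an added example that is not part of the chapter: HOTP as specified in RFC 4226, with a server that consumes each counter value so that a captured code cannot be replayed. The shared secret below is the RFC 4226 test key, and the look-ahead window size is an assumption of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Server-side state: the next unused counter plus a look-ahead window for
    codes the user generated but never submitted. Every accepted code moves the
    counter past itself, so a sniffed or replayed code is refused."""

    def __init__(self, secret: bytes, window: int = 5):  # window size is an assumption
        self.secret, self.window, self.counter = secret, window, 0

    def check(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # consume this value and any skipped ones
                return True
        return False


SECRET = b"12345678901234567890"  # the RFC 4226 test key; a real secret is random per user

if __name__ == "__main__":
    server = OtpServer(SECRET)
    print(hotp(SECRET, 0), hotp(SECRET, 1), hotp(SECRET, 2))  # 755224 287082 359152 (RFC 4226 vectors)
    print(server.check("755224"))  # True: counter 0
    print(server.check("755224"))  # False: replay of a sniffed code
    print(server.check("359152"))  # True: counter 2, the user skipped 1 (within the window)
    print(server.check("287082"))  # False: counter 1 is now behind the server
```

The property that matters here is in `check`: the eavesdropper of page 17 sees "755224" on the wire, but by the time it could be replayed the server's counter has moved on, and a value behind the counter is never accepted. The secret itself never crosses the network, so sniffing yields nothing reusable; the remaining exposure is the secret stored at each end.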

Page 20:

Network Security - Firewall

Security Architecture