1 / 40

Ch. 11: IS Security

Ch. 11: IS Security. Gerhard Steinke BUS 3620. According to Internetworldstats.com , there are 2,095,006,005 internet users worldwide. It is now unsafe to turn on your computer. Slammed on All Sides. Viruses. Employee Error. Rogue Insiders. Software Bugs. Corporate Spies.

cassia
Download Presentation

Ch. 11: IS Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ch. 11: IS Security Gerhard Steinke BUS 3620 According to Internetworldstats.com, there are 2,095,006,005 internet users worldwide Steinke

  2. It is now unsafe to turn on your computer... Steinke

  3. Slammed on All Sides Viruses Employee Error Rogue Insiders Software Bugs Corporate Spies Script Kiddies Web Defacements Password Crackers Network vulnerabilities Denial of Service War Drivers “SneakerNet” Backdoors Worms Trojans Buffer Overflows “Blended Threats” Steinke

  4. Definition: Information Security • Confidentiality • Protecting information from unauthorized disclosure • Integrity • Protecting information from unauthorized alternation/destruction • Availability • Ensuring the availability and access to the information Availability Integrity Confidentiality

  5. The Threat: Who Are They? • Internal (authorized users (intentional & unintentional), contract worker, etc.) • Hackers (‘script kiddies’ to experts) • Industrial Espionage (legal? acceptable in some countries and sometimes government funded) • Foreign Espionage • Criminal (financial or criminal motivation) • Other (terrorists, political activists) Steinke

  6. The Cyber Security Threat • The threat is global • The attack sophistication is increasing • The skill level required to become a threat is decreasing • We live in a “Target Rich” environment • Exposure time and response time are critical Steinke

  7. What Are They Doing? • Corrupting Information • Viruses, worms • File deletion • Data tampering (medical & financial), Web page hacks • Disclosing Information • Public release of private data • Selling of private or financial data (e.g., stolen charge card numbers) • Stealing Service • Using site as intermediary for attacks • Denial of Service (preventing the use of IT resources) • Network flooding • Crashing systems or services Steinke

  8. Security Awareness - Posters Steinke

  9. Technical Security Measures: Firewalls • A system which examines network packets entering/leaving an organization and determines whether the packets are allowed to travel ‘through’ the firewall Organization Steinke

  10. Firewalls - DMZ Steinke

  11. Match Alarm Intrusion Detection System (IDS)Intrusion Prevention System (IPS) • attempts to detect/prevent someone breaking into your system • running in background and notifies you when… Steinke

  12. Decryption Exercise Can you decrypt these? • mfuttubsu • cepninotry Steinke

  13. Why Encryption? • Disguising message in order to hide its substance • Based in logic and mathematics • Confidentiality • Message wasn’t changed • Authentication • who really sent message? • Integrity • was message altered? • Non-repudiation • so sender cannot deny they sent message Steinke

  14. Encryption • Substitution Cipher (13) ABCDEFGHIJKLMNOPQRSTUVWXYZ                        NOPQRSTUVWXYZABCDEFGHIJKLM • Transposition Cipher • Rearranging all characters in the plaintext • Attack: frequency of letters • Concealment – hide in text • Break Encryption by brute force - try all possible keys • key length • Steal, bribe, replace encryption software, flaws in system Steinke

  15. Steganography • Hiding information • http://www.jjtc.com/Steganography/ • http://www-users.aston.ac.uk/~papania1/stegano.html • S-tools demo Steinke

  16. Symmetric / Secret Key • same key for encryption and decryption • confidentiality • secure key distribution required • otherwise could impersonate sender as well • scalability - n users require n*(n-1)/2 keys Steinke

  17. Asymmetric or Public/Private Key Encryption • Two keys – one encrypts, the other decrypts • Public and Private keys generated as a pair • Private key for user • Public key for distribution • Each key decrypts what the other encrypts • Confidentiality, integrity, authentication and non-repudiation • Intensive computations, slow

  18. Picture of Asymmetric

  19. Hash / Message Digest Function • Create hash value / digital fingerprint • Provides integrity checking • Shorter than original message • Variable length message to fixed length hash value • One way function, can’t go back • Appended to message • Examples: • MD5 - 128 bit hash • SHA - 160 bit, by NIST, NSA in DSS (Digital Signature Standard)

  20. Digital Signatures • Create a hash value • Encrypt hash value with your private key • Attach to message to be sent • Encrypt with recipients public key • Send

  21. What does Digital Signature do? • Integrity – Message not changed • Authentication - Verify sender identity and message origin • Creates non-repudiation • Applications: • Used to authenticate software, data, images • Used with electronic contracts, purchase orders • Protect software against viruses

  22. Security Basics • Security policy • document security principles • Educate users - what and why of security • Physical Security • Monitor network • Passwords Steinke

  23. PC Security • gateway to network • access to information on PC • power on password, screen saver password • encryption • password protect files, disk drive • erase information when deleting a file Steinke

  24. Software Control • control program change requests • require multiple authorizations • require full documentation • independent testing of changes • check with operations before acceptance • procedure to handle emergency situations Steinke

  25. Operational Controls • investigate error messages, reports, alarms • monitor communication lines for failures, problems • monitor network status for operational, out-of-service stations • monitor traffic queues for congestion • control tapes, disks and other system materials to ensure proper labeling and retention Steinke

  26. maintain backup for programs, tapes and other material • examine system printouts, program dumps, recovery printouts • monitor vendor and maintenance personnel • control testing during operational hours • ensure that changes to hardware and software are necessary Steinke

  27. Biometrics • Identify people by measuring some aspect of individual anatomy or physiology, some deeply ingrained skill, or other behavioral characteristic or something that is a combination of the two • Handwritten signatures • Face Recognition • Fingerprints • Iris Codes • Voice • Retina Prints • DNA Identification • Palm Prints • Handwriting Analysis

  28. Errors • All recognition systems are subject to error • ‘Fraud’ / ‘false positive’ • A client is accepted as authenticated when they should have been rejected • ‘Insult’ / ‘false negative’ • A client is rejected as NOT authenticated when in fact they should have been accepted.

  29. Face Recognition • The oldest way • There is widespread acceptance (and requirement!) for photo ID • The issuing of other authentication devices (like passwords, key cards, digital signatures) usually depends on facial recognition by the agents of the issuing authority • Photo-ID is not particularly reliable, but has a very significant deterrent effect

  30. Facial Scan • Strengths: • Database can be built from driver’s license records, visas, etc. • Can be applied covertly (surveillance photos). (Super Bowl 2001) • Few people object to having their photo taken • Weaknesses: • No real scientific validation • Attacks: • Surgery • Facial Hair • Hats • Turning away from the camera • Defenses: • Scanning stations with mandated poses

  31. Fingerprints • Accounts for the majority of sales of biometric equipment • The ridges that cover the fingertips make patterns, that were classified in the 1800’s • These patterns have loops of several distinct types, branches, and endpoints. • Because of the association with criminals, commercial users are very reluctant to impose fingerprinting systems upon their clients • Fingerprint sensors on laptops

  32. Iris Codes • Iris patterns believed to be unique • The patterns are easy enough to detect • They do not wear out • They are protected by the eyelids and cornea • Easier to capture and process than fingerprints • A processing technique is used to generate a 256 byte iris code • Low false acceptance rates

  33. Iris Codes • Practical difficulties: • Capturing the iris image is intrusive • The subject has to be co-operative

  34. Voice Recognition • Strengths: • Most systems have audio hardware • Works over the telephone • Can be done covertly • Lack of negative perception • Weaknesses: • Background noise • No large database of voice samples • Attacks: • Tape recordings • Identical twins / soundalikes

  35. Hand Scan • Typical systems measure 90 different features: • Overall hand and finger width • Distance between joints • Bone structure • Primarily for access control: • Machine rooms • Olympics • Strengths: • No negative connotations – non-intrusive • Reasonably robust systems • Weaknesses: • Accuracy is limited

  36. Other Biometrics • Retina Scan • Very popular in the 1980s military; not used much anymore. • Facial Thermograms • Vein identification • Scent Detection • Gait recognition • Handwriting

  37. Space Required for each Biometric

  38. A Comprehensive Security Program Policies & Management Sponsorship Procedures Reporting Practices and Procedures Assessment Service Provider Compliance Awareness and Training

  39. Security Principles • impossible to provide complete security • match to value of assets • provide good security but keep system easy to use easy to use, little security <-----> difficult to use, high security Steinke

More Related