Session 1 – Introduction to Information Security

Presentation Transcript


  1. Session 1 – Introduction to Information Security
  ITEC 4100, Fall 2007, D Chan

  2. Security Objectives
  • Confidentiality (includes privacy)
  • Integrity
  • Availability

  3. Security Processes
  • Identification
  • Authentication
  • Authorization
  • Logging
  • Monitoring

  4. Common Security Measures
  • Password
  • Two-factor authentication
  • Biometrics
  • Access control lists for granting authorization to information
  • Locks
  • Encryption
  • Anti-virus
  • Usage and rejection reports

  5. Passwords
  • Should not be shared
  • Should be changed by the user
  • Should be changed frequently and upon compromise (suspected unauthorized disclosure)

  6. Passwords
  • Long, at least 8 characters
  • Alphanumeric
  • Hashed (one-way scrambling)
  • The system should allow only a few attempts before locking out the account

  7. Passwords
  • An 8-letter password is 676 times stronger than a 6-letter password.
  • A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
  • Required strength should depend on the user's privilege level and on where the system is located.
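The password rules on slides 5–7 (hashed storage, lockout after a few failed attempts, strength growing with length and alphabet size) as a worked example in Go. This is an added example, not code from D Chan's slides. The policy numbers (3 attempts, 100,000 PBKDF2 iterations, a 16-byte salt), the `Account` type and all function names are this example's own choices; the slides give no such values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Assumed policy values; the slides state only "at least 8" and "a few attempts".
const (
	MinLength   = 8
	MaxAttempts = 3
	Iterations  = 100_000 // PBKDF2 work factor: slows offline guessing of a stolen hash
)

// Keyspace is the number of possible passwords of a given length over an alphabet
// of a given size; the slide's "676 times stronger" is Keyspace(26, 8)/Keyspace(26, 6).
func Keyspace(alphabet, length int) uint64 {
	n := uint64(1)
	for i := 0; i < length; i++ {
		n *= uint64(alphabet)
	}
	return n
}

// MeetsPolicy enforces the two measurable rules: minimum length and alphanumeric
// (at least one letter and one digit).
func MeetsPolicy(pw string) bool {
	letter, digit := false, false
	for _, c := range pw {
		switch {
		case c >= '0' && c <= '9':
			digit = true
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
			letter = true
		}
	}
	return len(pw) >= MinLength && letter && digit
}

// pbkdf2Sha256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block,
// spelled out here so the example needs only the standard library.
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first output block
	u := mac.Sum(nil)             // U1 = PRF(P, S || INT(1))
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u) // U_i = PRF(P, U_{i-1})
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

// Account keeps a salted one-way hash, never the password itself.
type Account struct {
	salt, hash []byte
	failures   int
	Locked     bool
}

// NewAccount rejects policy violations and hashes with a fresh random salt, so two
// users with the same password do not share a hash.
func NewAccount(pw string) (*Account, error) {
	if !MeetsPolicy(pw) {
		return nil, fmt.Errorf("password does not meet policy")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{salt: salt, hash: pbkdf2Sha256([]byte(pw), salt, Iterations)}, nil
}

// Verify re-derives the hash and compares in constant time; after MaxAttempts
// consecutive failures the account locks and every later attempt is refused.
func (a *Account) Verify(pw string) bool {
	if a.Locked {
		return false
	}
	if subtle.ConstantTimeCompare(pbkdf2Sha256([]byte(pw), a.salt, Iterations), a.hash) == 1 {
		a.failures = 0
		return true
	}
	a.failures++
	a.Locked = a.failures >= MaxAttempts
	return false
}

func main() {
	fmt.Println("8 vs 6 letters:", Keyspace(26, 8)/Keyspace(26, 6)) // 676
	acct, _ := NewAccount("correct1horse")
	for _, guess := range []string{"wrong1", "wrong2", "wrong3", "correct1horse"} {
		fmt.Printf("%-14s accepted=%v locked=%v\n", guess, acct.Verify(guess), acct.Locked)
	}
}
```

`Keyspace` generalises the slide's arithmetic to any alphabet size and length, and the lockout means the correct password is refused once the limit has been hit, which is the point of the rule on slide 6: an online guesser gets a handful of tries, not the whole keyspace.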

  8. Two-factor Authentication
  • Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
  • Uses something the user has and something the user knows.
  • Examples: a token that displays a dynamic password, or an ATM card used with a PIN.

  9. Biometrics
  • Can include fingerprint, hand geometry, voice, etc.
  • Held back by privacy concerns.
  • Not recognised legally in place of a signature.

  10. Operating System Security
  • Use a standard checklist for configuration.
  • Implement vendor updates.
  • Use scanning software to detect vulnerabilities before implementation and periodically thereafter.

  11. Firewall
  • Can be hardware-based only, e.g., a router.
  • Can be a server with sophisticated software: more granular and reliable than a router, and provides better logs.
  • Can use artificial intelligence to check for patterns.

  12. Firewall
  • Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
  • The firewall blocks traffic that is definitely unacceptable.

  13. Firewall
  • A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
  • A data packet's header typically includes a source Internet Protocol (IP) address, a port number, and a destination IP address.

  14. Firewall
  • A port is a logical connection point on a network device, including a computer.
  • It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.

  15. Virus Protection
  • Companies around the world spend about US $20 billion a year to clean up viruses.
  • All critical servers are protected.
  • All Internet email is scanned.
  • Automated identification of workstations that do not have up-to-date signature files.
  • Organizations should block common virus file types to be proactive.

  16. Virtual Private Network
  • Secures remote access to company systems by staff or contractors.
  • Should require two-factor authentication.
  • Because the traffic is encrypted, it bypasses firewall inspection; the secure tunnel should therefore end at another firewall, where the decrypted traffic can be inspected.

  17. Intrusion Detection System
  • Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
  • Alerts systems administrators to take pre-emptive or corrective actions.
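Slides 13–14 and 17 in code, as an added example that is not part of the slides: a first-match rule table evaluated over packets made of a source address, a destination address and a destination port, with everything not explicitly allowed denied, plus the kind of anomaly check an IDS runs over the same traffic, here flagging a source that touches many distinct ports. The topology (a 10.0.0.0/8 LAN, a web server at 203.0.113.10, outside hosts 198.51.100.7 and 192.0.2.99), the rule names and the scan threshold of 5 are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Packet carries the three header fields slide 13 lists.
type Packet struct {
	Src     net.IP
	Dst     net.IP
	DstPort int
}

// Rule matches on optional source/destination networks and port; a nil network
// or port 0 means "any". Rules are checked in order and the first match wins.
type Rule struct {
	Name    string
	SrcNet  *net.IPNet
	DstNet  *net.IPNet
	DstPort int
	Allow   bool
}

func (r Rule) matches(p Packet) bool {
	if r.SrcNet != nil && !r.SrcNet.Contains(p.Src) {
		return false
	}
	if r.DstNet != nil && !r.DstNet.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed topology: a private LAN behind the firewall and one public web server.
var (
	internal  = cidr("10.0.0.0/8")
	webServer = cidr("203.0.113.10/32")
	Rules     = []Rule{
		{Name: "web-http", DstNet: webServer, DstPort: 80, Allow: true},
		{Name: "web-https", DstNet: webServer, DstPort: 443, Allow: true},
		{Name: "block-inbound-to-lan", DstNet: internal, Allow: false},
		{Name: "lan-outbound", SrcNet: internal, Allow: true},
	}
)

// Evaluate returns the decision and the name of the rule that produced it, which
// is what goes into the log. Traffic no rule speaks for is denied.
func Evaluate(p Packet) (allow bool, rule string) {
	for _, r := range Rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

// ScanSuspects is the IDS-style anomaly check: a source that contacts more than
// threshold distinct destination ports is reported as a probable port scan.
// The threshold is an assumed tuning value.
func ScanSuspects(packets []Packet, threshold int) []string {
	ports := map[string]map[int]bool{}
	for _, p := range packets {
		src := p.Src.String()
		if ports[src] == nil {
			ports[src] = map[int]bool{}
		}
		ports[src][p.DstPort] = true
	}
	var suspects []string
	for src, seen := range ports {
		if len(seen) > threshold {
			suspects = append(suspects, src)
		}
	}
	sort.Strings(suspects)
	return suspects
}

func main() {
	traffic := []Packet{
		{net.ParseIP("198.51.100.7"), net.ParseIP("203.0.113.10"), 443},
		{net.ParseIP("198.51.100.7"), net.ParseIP("10.0.0.5"), 445},
		{net.ParseIP("10.0.0.5"), net.ParseIP("198.51.100.7"), 443},
	}
	for port := 20; port < 30; port++ { // constructed: one source probing ten ports
		traffic = append(traffic, Packet{net.ParseIP("192.0.2.99"), net.ParseIP("203.0.113.10"), port})
	}
	for _, p := range traffic {
		allow, rule := Evaluate(p)
		fmt.Printf("%s -> %s:%d allow=%v (%s)\n", p.Src, p.Dst, p.DstPort, allow, rule)
	}
	fmt.Println("scan suspects:", ScanSuspects(traffic, 5))
}
```

The rule table models a perimeter firewall, so it only ever sees traffic crossing the boundary; the probe packets are individually denied by `default-deny`, but only the count of distinct ports per source reveals them as a scan, which is why slide 17 places the IDS beside the firewall rather than inside it.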

  18. Intrusion Prevention System
  • Combines firewall and intrusion detection technologies.
  • Rejects highly questionable or unacceptable traffic.
  • More effective than firewalls, but may produce false positives.

  19. Encryption
  • Uses mathematics to scramble data.
  • Uses a key and an algorithm. Commercial algorithms are public knowledge.
  • Symmetric key.
  • Asymmetric keys (private/public key pair).

  20. Symmetric Key Encryption
  • The same key is used to encrypt and decrypt.
  • Simple to encrypt and decrypt.
  • A large number of keys is required for one-on-one secret communication.
  • Number of keys for N people is N(N-1)/2.
  • Need to secure the key.

  21. Asymmetric Encryption
  • A pair of keys is generated by a user: a private key and a corresponding public key.
  • The public key can be disclosed. The private key is kept secure.
  • People can use the public key to encrypt material.

  22. Asymmetric Encryption
  • The corresponding private key is needed to decrypt.
  • The two keys cannot be reverse-engineered from each other, i.e., you cannot use the public key to derive the private key.
  • Keys are longer than symmetric keys, so encryption and decryption take longer.

  23. Asymmetric Encryption
  • Needed for email encryption.
  • Used for e-commerce, digital certificates and digital signatures.
  • Number of keys for N users is 2N.

  24. Digital Signature
  • A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

  25. Digital Signature
  • The sender uses an algorithm to compute a hash (a one-way digest) of the document.
  • The sender uses its private key to encrypt the hash.
  • The recipient uses the same algorithm to hash the plain-text document when received.
  • The recipient uses the public key to decrypt the digital signature and compares the result with the hash it computed, to confirm integrity.

  26. Digital Certificate
  • An electronic business card that establishes your credentials when doing business or other transactions on the Web.
  • It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority's name and public key, and your public key.
  • People can use the certificate authority's public key to verify the signature.

  27. Certificate Authority
  • An organization that issues digital certificates to companies and individuals.
  • An organization can issue digital certificates to its own customers or employees to authenticate local transactions.
  • The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.
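Slides 26–27 worked through with Go's standard X.509 library, as an added example (not code from the slides): a certificate authority makes its own self-signed root, issues a certificate carrying the fields the slide lists (subject name, serial number, validity dates, issuer name, the subject's public key), and a relying party verifies that certificate using nothing but the CA's public key. The names "Example CA" and "alice@example.com", the serial numbers and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with signer and returns the parsed certificate. With a nil
// parent the certificate is self-signed, which is how a CA makes its own root.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain plays the certificate authority: it creates its own root and then,
// having (by assumption) done its due diligence on the subject, issues a user
// certificate. The user's public key goes into the certificate; the CA's private
// key signs it and never leaves the CA.
func BuildChain() (ca, user *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().Add(-time.Hour) // small backdate tolerates clock skew
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if ca, err = issue(caTmpl, nil, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "alice@example.com"}, // constructed subject
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user, err = issue(userTmpl, ca, &userKey.PublicKey, caKey)
	return ca, user, err
}

// Verify is the relying party's check: the certificate's signature must verify
// under the CA's public key and the certificate must be inside its validity
// period. Nothing secret is needed, only the CA's certificate.
func Verify(ca, user *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, user, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s issuer=%s serial=%s expires=%s\n",
		user.Subject.CommonName, user.Issuer.CommonName, user.SerialNumber, user.NotAfter.Format("2006-01-02"))
	fmt.Println("verified against issuing CA:", Verify(ca, user) == nil)
	otherCA, _, _ := BuildChain() // a different authority that happens to use the same name
	fmt.Println("verified against a different CA:", Verify(otherCA, user) == nil)
}
```

The second check in `main` is the important one: a certificate presented with the right issuer name but signed by some other key fails, because the relying party trusts the CA's public key, not the name printed on the certificate.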

  28. E-commerce Encryption
  • Uses both symmetric keys and asymmetric keys.
  • Enforced by the merchant.
  • The merchant sends its certificate and public key to the browser.

  29. E-commerce Encryption
  • The browser generates a symmetric key.
  • The browser encrypts the symmetric key with the merchant's public key.
  • The browser authenticates the digital certificate.
  • The encrypted symmetric key is sent to the merchant.

  30. E-commerce Encryption
  • The merchant decrypts the symmetric key with its private key.
  • The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.
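The hybrid exchange of slides 28–30 with both sides' steps in code, as an added example that is not from the slides: the browser generates a fresh symmetric key, wraps it with the merchant's public key (RSA-OAEP), the merchant unwraps it with its private key, and every later message is protected with that symmetric key (AES-GCM). Validation of the merchant's certificate is assumed to have happened before the handshake. The `Merchant` type, the function names, the OAEP label and the sample order text are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// label ties the wrapped key to its purpose; both sides must use the same one.
var label = []byte("session-key")

// Merchant holds the asymmetric key pair; only the public half leaves the server.
type Merchant struct{ key *rsa.PrivateKey }

func NewMerchant() (*Merchant, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Merchant{key: key}, nil
}

// PublicKey is what the merchant sends to the browser (normally inside its certificate).
func (m *Merchant) PublicKey() *rsa.PublicKey { return &m.key.PublicKey }

// BrowserHandshake: the browser generates a fresh 256-bit AES session key and
// encrypts it with the merchant's public key. It keeps sessionKey locally and
// sends only wrapped over the network.
func BrowserHandshake(merchantPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, sessionKey, label)
	return sessionKey, wrapped, err
}

// Unwrap: only the holder of the matching private key can recover the session key.
func (m *Merchant) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.key, wrapped, label)
}

// Seal and Open protect every later message with the symmetric key using AES-GCM,
// which also authenticates the ciphertext so tampering in transit is detected.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must be unique per message under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	merchant, err := NewMerchant()
	if err != nil {
		panic(err)
	}
	sessionKey, wrapped, err := BrowserHandshake(merchant.PublicKey()) // browser side
	if err != nil {
		panic(err)
	}
	serverKey, err := merchant.Unwrap(wrapped) // merchant side
	if err != nil {
		panic(err)
	}
	order, _ := Seal(sessionKey, []byte("order: 1 widget, constructed address")) // browser side
	plain, err := Open(serverKey, order)                                          // merchant side
	fmt.Printf("merchant read: %q (err=%v)\n", plain, err)
	order[len(order)-1] ^= 1 // one bit flipped in transit
	_, err = Open(serverKey, order)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Only the small session key pays the cost of the slow asymmetric operation (slide 22); the bulk traffic uses the fast symmetric cipher, and the key wrap is useless to anyone without the merchant's private key.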

  31. Email Encryption
  • The sender uses the recipient's public key to encrypt the message.
  • The sender signs the message with its own private key.
  • The recipient uses its own private key to decrypt the message.
  • The recipient uses the sender's public key to authenticate the digital signature.
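The signature procedure of slide 25 and the signed, encrypted mail of slide 31 in one added example (not code from the slides), using Go's standard RSA and SHA-256: the sender hashes the document and signs the digest with its private key, the recipient re-hashes and checks the signature with the sender's public key, and for mail the message is additionally encrypted to the recipient's public key. The `Party` type, the names alice/bob/mallory, the OAEP label and the sample text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one user with a key pair; Public() is the only part ever shared.
type Party struct {
	Name string
	key  *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, key: key}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.key.PublicKey }

// Sign follows slide 25: hash the document with SHA-256, then sign the digest
// with the private key (RSA PKCS#1 v1.5).
func (p *Party) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
}

// VerifySignature re-hashes the received document and checks the signature under
// the sender's public key. It fails if the document or the signature was altered,
// or if a different private key produced the signature.
func VerifySignature(senderPub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// SealedMail is what travels over the network.
type SealedMail struct {
	Ciphertext []byte // message encrypted to the recipient's public key
	Signature  []byte // sender's signature over the plaintext
}

var mailLabel = []byte("mail")

// SendMail follows slide 31: sign with the sender's private key, encrypt with the
// recipient's public key. RSA-OAEP carries at most 190 bytes for a 2048-bit key
// with SHA-256, so a real mail client wraps a symmetric key as in the e-commerce
// slides; a short message can be encrypted directly, as here.
func SendMail(sender *Party, recipientPub *rsa.PublicKey, msg []byte) (*SealedMail, error) {
	sig, err := sender.Sign(msg)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, mailLabel)
	if err != nil {
		return nil, err
	}
	return &SealedMail{Ciphertext: ct, Signature: sig}, nil
}

// ReadMail: the recipient decrypts with its own private key, then authenticates
// the sender with the sender's public key. Both steps must succeed.
func (p *Party) ReadMail(m *SealedMail, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, m.Ciphertext, mailLabel)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: %w", p.Name, err)
	}
	if !VerifySignature(senderPub, msg, m.Signature) {
		return nil, fmt.Errorf("signature does not verify: altered, or not from the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	doc := []byte("Transfer 100 to account 42") // constructed message
	sig, _ := alice.Sign(doc)
	fmt.Println("original verifies:", VerifySignature(alice.Public(), doc, sig))
	fmt.Println("altered verifies: ", VerifySignature(alice.Public(), []byte("Transfer 900 to account 42"), sig))
	mail, _ := SendMail(alice, bob.Public(), doc)
	got, err := bob.ReadMail(mail, alice.Public())
	fmt.Printf("bob read %q (err=%v)\n", got, err)
}
```

The two properties of slide 24 map onto the two checks: decryption with the recipient's private key gives confidentiality, and the signature check under the sender's public key gives both sender authentication and integrity, since changing a single character of the document changes its hash.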

  32. Conclusion
  • Security is increasingly important because of e-commerce.
  • Security is the responsibility of every employee.
  • Organizations should designate a chief information security officer to coordinate.