Data security and cryptology i introduction essence of data security
1 / 41

Andmeturve ja kr ptoloogia, I Sissejuhatus, infoturbe olemus - PowerPoint PPT Presentation

  • Uploaded on

Data Security and Cryptology , I Introduction . Essence of Data Security. September 4th, 2013 Valdo Praust mois @ mois .ee Lecture Course in Estonian IT College Autumn 2013. Name and Goal. Name : Data Security and Cryptology ( Andmeturve ja krüptoloogia)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Andmeturve ja kr ptoloogia, I Sissejuhatus, infoturbe olemus' - kirsten

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Data security and cryptology i introduction essence of data security
DataSecurity and Cryptology, IIntroduction. Essence of Data Security

September 4th, 2013

Valdo Praust

[email protected]

Lecture Course in Estonian IT College

Autumn 2013

Name and goal
Name and Goal

Name: DataSecurity and Cryptology

(Andmeturve ja krüptoloogia)

Place: Estonian IT College

Goal of lecture course: To provide a systematic overview of contemporary datasecurity and cryptology, bothfrom theoreticaland practical side. Datasecurityas a practicaldisciplinewillconsidered a littlebitmoretheoretically and cyrpotographyas a deeptheoreticaldiscipline (and alsoanimportant tool fordatasecurity) morepractically

Processual data i
Processual Data, I

  • Code: I378

  • Invovles: 16 academic pairs of lectures, 12 pairs of practices, 74 hours independent work

  • Points: 5 ECTS

  • Schedule (lectures): once a week, on Wednesdays between 12pm and 2pm

    • Grading: final test (determines the final mark) – 70 multiple choice questions

Processual data ii
Processual Data, II

  • Distibution of materials: via webpage - English slideshows (PPTs); Estonian slideshows from year 2011 also available

  • Communication between lecturer and students: via email and the above-mentioned webpage

  • Practical exercises will start in 5th week (2 pm)


  • Valdo Praust

  • Master of Science (MSc)

  • have 21 years different experience if the field of data security (different roles)

  • currently freelancer IT Securiy expert

  • ph +372 514 3262

  • email [email protected]

Plan of lectures i
Plan of Lectures, I

  • Introduction. Essense of Data Security. Data security, it’s essence and importance in contemporary information systems and in whole world.Availability, integrity and confidentiality, its importance in different information systems and in protection of IT assets. Standard model of security harming. Economical side of data security. Practical solving of security problem

  • Security Threats, Classification. Classification of threats: spontaneous (accidental) threats and attacks. Methods used for finding and evaluating threats. Threats frequency

Plan of lectures ii
Plan of Lectures, II

  • Vulnerabilities of Information Assets. Appliable Security Measues. Classification of vulnerabilities. Interaction between vulnerabilities and theats, examples

  • Risk Management and its Methodics.Risk management as a tool of solving practical security problem. Four alternatives of risk management – detailed risk analysis, baseline security method, mixed method, non-formal method; their comparison. Quantitative and qualitative risk analysis, examples. Examples of baseline security methods, BSI and ISKE

Plan of lectures iii
Plan of Lectures, III

  • Essence of Cryptogrtaphy. Pre-Computer Cryptography. Essence and basic concepts of encryption. History of cryptography, traditional cryptography. Pre-computer cryptography, best-known traditional techniques and machines. Theoretical and practical security

  • Basics of Contemporary Cryptography. Main concepts, essence and goals. Main types of algorithms and their’ usage.Cryptanalysis, its’ goal and properties. Practical security of cryptoalgoritms, ways of achieving this

Plan of lectures iv
Plan of Lectures, IV

  • Symmetric Cryptoalgorithms. AES.Essence of symmetric cryptoalgorithms. Modes of operation, their usability and security. AES – history, main properties, technical description. Security and modes operation of AES

  • Other Symmetric Cryptoalgorithms. IDEA, Skipjack, Blowfish, AES, RC4. Their properties, security, usability. DES as a retrospective view of a classic symmetric algorithm

Plan of lectures v
Plan of Lectures, V

  • Asymmetric Cryptoalgorithms. RSA.Essence, properties, mathemathical background and main concepts. Example. Practical usability, realisations

  • Hash Functions. Cryptoprotocols, TLSEssence of hash functions, properties, demands. Mostly used algorithms, thoretical and practical secrity. Collisions. Security protocols. TLS as an example - its desciption and usability

Plan of lectures vi
Plan of Lectures, VI

  • Digital Signature, its Usage. Urgency of digital signature in digital record management. Digital signature as an application of public-key cryptography. Practices of handling both the private and public key. Certification, certificates. Timestamp, validity of approval, service providers. Certification infrastructure, PKI. Digital signature in Estonia

Plan of lectures vii
Plan of Lectures, VII

  • Digital Signature and Digital Record Management in Practice. Digital Archieving, Estonian ID card.Peculiarities of digital signature in practice. Comparison with handwritten signature for end users and business. Overview of Estonian ID-card and mobile-ID card. Digital record management and digital archieving from the point of view of security

Plan of lectures viii
Plan of Lectures, VIII

  • Database Security. Network Security. Database security, theory and practice. Importance and usability of cryptographical chaining, integrity and accountability. Confidentiality as a difficultly solvable problem. Importance of network security. Firewall, virtual private network, cryptowall. Secure remote client

Plan of lectures ix
Plan of Lectures, IX

  • Security Management (Organisational Security).Principles and goals of data security management. Functions and activities. Essence of data security policy. Roles of Data Security Forum. Choosing of appropriate risk managementtechnique. Data security plan, implementation of security measures and follow-up activities. Related national and international standards

Plan of lectures x
Plan of Lectures, X

  • Legal Control of Data Security. Protecting of Personal Data.Essence of personal data. Common practices of protecting personal data both in Europe and in all around the world. Estonian DataProtectionAct. Sensitive personal data, obligation of registration. Peculiarities of data security in public sector – data security classes, etc

  • Social Elements of Data Security. Influence of data security to information systems and society. Cyberattacks, cyberwar, information war. Cyberdefence, therole and shareofdifferentinstitutions. Cyber-security and datasecurity, theirmainproblems and comparison

Practical exercises i
Practicalexercises, I

  • Classification of threats, vulnerabilities and safeguards, their inter-dependendence

  • Different baseline security standards

  • Different risk analysis methodics

  • Different cryptographic tools, usage of cryptoalgorithms

Practical exercises ii
Practicalexercises, II

  • Introduction of PKI environment and software

  • Practical solving of security task (different aspects and poit of view)

  • Different secure authentication means

  • Will start in 5th week

Independent work

  • Referative work, related to data security or cryptography (deadline - 14th week). Minimal amount – 20 pages

  • Final test (determines the final mark) – 70 multiple choice questions

  • In order to access to the final test both the referative work and practical exercises must be passed (and marked)

What we protect information
What We Protect: Information

Information(informatsioon, teave)– a knowledge concerning any objects, such as facts, events, things, processes or ideas, which have a special meaning in certain contexts

The concept “information” isheavily related tothemoregeneralconcept – knowledge. Itassumesthatthereis a factwhisisknown (an object), andthepersonwhoknowsthefact (the subject)

Informationitselfdoesnothavethe practicalshape. The practicalshapeof information will occure whenwe also consider the practical representation of information (and then it is called - data)

What we protect data
What We Protect: Data

Data(andmed)– reinterpretable formalized representation of aninformation in sucha form whichissuitable for transfer, processing and/or interpretation

Data are always the presentation of information,usually in a pre-agreed form (which allows to transfer the information beared by the data from one subject to another)

The same data can be interpreted differently by the different subjects having a different background (for example, “hallitus” inEstonian and inFinnish)

Digital data
Digital Data

  • Any information can be represented (carried) by the data in many different ways. The more essential ways are two following:

  • paper-based data (paberkandjal andmed) – text, schemes, pictures etc are beared on the surface of the carrier (paper sheet(s))

  • digital data (digikujul andmed) – all the data are coded into the queues of 0’s and 1’s using certain standards and certain technical equipment

When we talk about the computer-based (computer processable) data we always thought the digital data, which are always coded by using the queues of 0’s and 1’s.

Data format
Data Format

Data format(andmevorming, vorming) — a desciption how different type of information – text, picture, voice, video etc – is coded into the queue of 0’s and 1’s

A pre-agreed (standardised) data format gives to data (to data file) a concrete and unique meaning. If we have data but do not have the data format desciption, then we do not have the information, carried by the data

From data format to meaning
From Data Format to Meaning

Different data formats are supported by a different application software which usually allow to write the file in certain format, or to made the content of data (information) human-perceptable etc.

A typical end-user usually don’t know anything about different data formats and interpretation. He/she usually associates the certain format only to the certain software which is able to interpretate these format(s).

End user usually receives only an human-perceptable form, prepared by the software, so-calles WYSIWYG (What You See Is What You Get, in Estonian adekvaatkuva)

Necessity of data security
Necessity of Data Security

If we possess (or process) the data then the information carried by the data has always a certain value for us (for our business process). It does not depend either the infomation is represented by the digital nor by the paper-based data

Information security (infoturve) or data security (andmeturve) is a discipline concerning the maintaining these values/properties of information (performed in practice by the maintaining the properties of data)

Components of information security
Components of Information Security

  • Infortmation security (infoturve) or data security (andmeturve) is a complex concept consisting of following three properties:

  • information availability (käideldavus)

  • information integrity (terviklus)

  • information confidentiality (konfidentsiaalsus)

These three properties (branches of secrity) must be maintained for all information/data items we possess.

In pre-computer world (paper-based information) we talked only about the confidentiality, not for other branches

About different concepts
About Different Concepts

  • The following four concepts:

  • information security (infoturve)

  • information protection (infokaitse)

  • data security (andmeturve)

  • data protection (andmekaitse)

  • are widely taken synonyms

It’s mainly a question about traditions and culture where we use which concept.For example in Europe the concept data protection is often used in a context of protection of personal data (isikuandmete kaitse)

Data availability
Data Availability

Dataavailabilty(andmete käideldavus) isa timely and convenient access and usage of information carried by the datafor all authorized persons and otherentities

  • Availability is the most important component of data security– the worst thing which must be happened is that data are no more available for the subjects which need them during business process (maybe destroyed forever)

  • Examples:

  • border guard does not have the list of fugitives (or the list isn’t up-to-date);

  • NationalBoardofLanddoesnotknowthewhopossessestheconcreteplotofland

Data integrity
Data Integrity

Data integrity(andmete terviklus) is a ensuring that data are originated (information was stored into the data) by a certain source and haven’t been altered (both by an accident or by a deliberate act or by the fake)

Integrity are thesecondimportantsecuritybranch (bytheavailability)

In the business process we usually assume that the data we used (information carried by the data) are firmly related to the creator/source of the data, creation time etc. Violationorabsense of these relationshipswill usually causesserios negative consequences

Näide: karistusregistri kuritahtliku muutmisega saab vang õigusevastaselt varem vabaks

Data confidentiality
Data Confidentiality

Data confidentiality (andmete konfidentsiaalsus ehk salastatus ehk salastus) is the availability of the information, carried by the data, only by the authorized subjects (and strict non-availability for other subjects)

  • Examples:

  • stateofcorporativesecretwillbedisclosed

  • operational intelligence information will be disclosed

  • personal datawillbespreadwithoutthepermissionofdatasubject

Security of data vs it assets
Security of Data vs IT Assets

Security of data (security of information beared by the data) is ensured by the securing the (IT) assets surrounding the data

  • IT assets (infovarad) include:

  • IT equipment (hardware, communication devices, power supplies etc)

  • data communication channels

  • software (both system and application software)

  • but it also MUST include (must taken into the account):

  • organization (its structure and operation)

  • personnel

  • data carriers (incl. documents)

  • infrastructure (buildings, offices etc)

Main properties of digital data from the security point of view
Main Properties of Digital Data (from the security point of view)

  • A great but indirect value of a data (information): it’s very hard to measure it

  • Portativity: data which can be stored by the very small and easily movable carriers can possess a huge value for our business process

  • Possibility of avoiding the physical contact: the physical and virtual structures are usually very different

  • Disclosure of security losses especially for integrity and confidentiality losses

Standard model of security harming
Standard Model of Security Harming view)

  • Threats(ohud) influence the data (via IT assets)

  • Threats use the vulnerabilities(nõrkused, turvaaugud) of IT assets or components of IT system

  • Threats with co-influence the vulnerabilites will determine the risk or security risk(risk, turvarisk)

  • When a certain risk realises, there will appear a security loss or security breach or security incident(turvakadu, turvarike, turvaintsident)

  • In order to minimize the risks there’s necessary to minimise vulnerabilities using safeguards of security measures(turvameetmeid)

Essence of security concepts
Essence of Security Concepts view)

  • Threat (oht) – a potential extern-influenced harm of information security

  • Vulnerability (nõrkus ehk turvaauk) – the property of each IT asset (component) from the point of view of external threats

  • Risk (risk) – a probability that threat can use the certain vulnerability and will realise

  • Security loss (turvakadu) – an event when the security (availability, integrity and/or confidentiality) of some IT asset(s) will be harmed

  • Safeguard or security measure (turvameede) – a modification of IT asset(s) which will minimise the risk(s) (the rate of vulnerabilities of asset(s))

Examples of security losses
Examples of Security Losses view)

  • failure of equipment – integrity loss of IT asset

  • theft of equipment – availability loss of IT asset

  • Unauthorised modifying of register – integrity loss of data

  • destroying of office rooms by fire – availability loss of infrastructure

  • wiretapping of non-crypted data cabels – confidentiality loss of data

Security and residual risk
Security and Residual Risk view)

NB!It does not matter how many safeguards we implement, we NEVER achieve the absolute security. If we implement more safeguards we only minimise the probability that security (availability, integrity of confidentiality) will be harmed but it will never fall into zero

Instead of absolute security usually the concept acceptable residual risk by the business process (äriprotsessi jaoks aktsepteeritav jääkrisk) is used

An acceptable residual risk is a situation where the total price of all implemented safeguards is approximately equal to the forecasted total loss of security (measured by the amount of money)

Serious Obstacles of Evaluating the view)

Optimal Security Point

  • The both graphs are hardly predictable (estimatable):

  • We do not know the exact expenses of the all safeguards (it will change over the times)

  • Even less we can estimate the graph of damages – we do not have the actual data of threat frequences and their impact for all IT assets

  • Even we have all this estimation data, the exact calculation (quantitative risk analysis) is very time-consuming prosess - there’s a hunderds of different IT assets, thousands of threats, thousands of vulnerabilities (and all of them must be taken account together)

Necessity for a risk management techniques
Necessity for a Risk Management Techniques view)

In order to simplify a practical security task it’s usually necessary

  • to standardise different security levelsi.e. different availability, integrity and confidentiality levels

  • to create a system which is able to determinestandardised actions (safeguards), for different security levels, which result ensures us to approximately achieve the optimum point (to archieve the acceptable residual risk situation

This process is usually called a risk management (riskihaldus)