Data Security and Cryptology, III: Vulnerabilities of Information Assets. Appliable Safeguards

Data Security and Cryptology, III: Vulnerabilities of Information Assets. Appliable Safeguards. September 17th, 2014. Valdo Praust, mois@mois.ee. Lecture Course in Estonian IT College, Autumn 2014. Components of Information Security.

Download Presentation

Data Security and Cryptology , III Vulnerabilities of Information Assets . Appliable Safeguards

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Data security and cryptology iii vulnerabilities of information assets appliable safeguards

Data Security and Cryptology, III: Vulnerabilities of Information Assets. Appliable Safeguards

September 17th, 2014

Valdo Praust

Lecture Course in Estonian IT College

Autumn 2014


Components of Information Security

  • Information security (infoturve) or data security (andmeturve) is a complex concept consisting of the following three properties (security goals):

  • information availability (käideldavus)

  • information integrity (terviklus)

  • information confidentiality (konfidentsiaalsus)

These three properties – called branches or goals of security – must be maintained for all information/data items we possess


Standard Model of Security Harming

  • Threats (ohud) influence the data (via IT assets)

  • Threats use the vulnerabilities (nõrkused, turvaaugud) of IT assets or components of the IT system

  • Threats, acting together with the vulnerabilities, determine the risk or security risk (risk, turvarisk)

  • When a certain risk is realised, a security loss, security breach or security incident (turvakadu, turvarike, turvaintsident) occurs

  • In order to minimise the risks it is necessary to minimise vulnerabilities using safeguards or security measures (turvameetmeid)


Harming of Security


Influence of Safeguard(s)


Security and Residual Risk

NB! No matter how many safeguards we implement, we never achieve absolute security. By implementing more safeguards we only reduce the probability that security (availability, integrity or confidentiality) will be harmed, but it never falls to zero

Instead of absolute security, the concept of residual risk acceptable for the business process ((äriprotsessi jaoks) aktsepteeritav jääkrisk) is usually used

An acceptable residual risk is a situation where the total price of all implemented safeguards is approximately equal to the forecasted total loss of security (measured in money)


Economical View of Data Security


Peculiarities of Securing Digital Data

  • Cryptography is an essential tool for achieving both confidentiality and integrity. The methods for achieving confidentiality and integrity are completely different from the methods used in paper document practice

  • An essential part is authentication (in front of a computer or information system): establishing, for a technical device/entity, who is using it (usually followed by granting the appropriate rights for execute, read, write etc. access)

  • Availability is often ensured by the network (Internet). Several distributed client-server systems are very widespread


The Role of Cryptography

Encryption or enciphering (krüpteerimine, šifreerimine) is a technique where data are converted into a certain non-readable form. The conversion process usually uses a special piece of data which is usually kept secret – a key (võti)

  • This basic technique can be used:

  • For ensuring confidentiality – without the key it is impossible to decipher the data, i.e. to get the information carried by the (encrypted) data

  • For ensuring integrity – without a special private key it is impossible to change the data without this being noticed. It allows the data to be associated with certain subjects (this is also the basic principle of the digital signature)


Threats Classification by the Source

1. Spontaneous or accidental threats (stiihilised ohud):

  • environmental threats (keskkonnaohud)

  • technical failures and defects (tehnilised ohud ja defektid)

  • human threats and failures (inimohud)

2. Deliberate acts or attacks (ründed), which are characterized by a clear intentional (human) activity (selge tahtlik (inim)tegevus)


Spontaneous or Accidental Threats

Spontaneous (accidental) threats (stiihilised ohud) can be caused by:

  • force majeure (vääramatu (looduslik) jõud), which can be either occasional (lightning, flooding) or regular (wear, material fatigue, contamination etc)

  • human failures (inimvead), which can be caused by inadequate skills, negligence, mismanagement, environmental factors etc


Attacks

Attacks or deliberate acts (ründed) are always based on humans who take a certain intended or deliberate action (sihilik tegevus) to harm the security goals (led by personal interest, private or state intelligence, hooliganism etc)

Attacks are usually classified by the attack sources, attack methods and attackable objects


Sources of Attack

1. Authorized users of IT systems

Available statistics show that they are the most important source. Main motives:

  • gaining illegal (financial) profit

  • revenge of hired/harried people

  • political / ideological

2. Intelligence (economic, state-based, military etc) agents

3. Crackers, often also miscalled hackers (kräkkerid, häkkerid) – an increasing factor

4. Other (in Estonia mainly the criminal element)


Attack Channels

Direct contact with an attackable object (IT component/device, personnel, infrastructure etc)

Networks (mass-used for all client-server systems). The most common attack channel

Portable data carriers (memory sticks etc) – were historically important and in recent years have again become very relevant


Vulnerabilities

Vulnerabilities (nõrkused ehk turvaaugud) are all those properties of a protectable object through which (security) threats can be realised

They can be divided into:

  • infrastructure vulnerabilities

  • IT vulnerabilities

  • personnel-related vulnerabilities

  • organisational vulnerabilities


Infrastructure Vulnerabilities

1. Unfavorable (physical) location of a protectable object

Increases the realisation probability of several threats

2. Primitive or depreciated infrastructure

Does not allow several safeguards (mainly physical and IT-related safeguards) to be implemented


IT(-related) Vulnerabilities

  • limited resources

  • incorrect installation of equipment or connection lines

  • errors, defects and/or undocumented features of software (hardware)

  • shortcomings of protocols (incl. communication protocols)

  • shortcomings of data management

  • inconvenience of safeguards (NB! Safeguards must not heavily impair normal work (normal availability))


Personnel-related Vulnerabilities

  • incorrect procedures (often due to ignorance or convenience, often systematic)

  • ignorance and lack of motivation (as a rule extends to all employees of the organization)

  • ignoring the safeguards (both intentionally and negligently)


Organisational Vulnerabilities

  • Deficiencies of work organization (rules, adapting to new circumstances etc)

  • Shortcomings of resource management (computers, communications, maintenance, testing, storage media, etc.)

  • Incomplete documentation (of IT equipment, communication lines, data storage, etc.)

  • Imperfections of safeguard selection

  • Incomplete implementation (safeguards are implemented incorrectly, in the wrong place / configuration etc)

  • Shortcomings of safeguards management (monitoring, audit etc)


Interaction Between Threats and Vulnerabilities

Main rule: threats always exploit some vulnerabilities typical to them

The security of an information system as a whole is weaker when:

  • the probability of threats is higher

  • there are more vulnerabilities exploitable by the threats and these vulnerabilities are more serious


Safeguards (Security Measures)

  • Safeguards (turvameetmed):

  • make it possible to minimize vulnerabilities

  • by minimizing vulnerabilities, make it possible to minimize the residual risk


Classification of Safeguards

Safeguards (turvameetmed) can be classified in different ways:

  • by the purpose (prevents a threat, scares off an attack, repairs a defect etc)

  • by the affected security component/goal (availability, integrity, confidentiality)

  • by the type of (harmable) IT asset

  • by the means of implementation or realisation (procedure, technical equipment, program, building construction etc)

  • by the strength of security


Purpose of Safeguards

By purpose the safeguards are divided into:

  • preventive safeguards (profülaktilised meetmed)

  • identifying safeguards (tuvastusmeetmed)

  • reconstructive safeguards (taastemeetmed)

Several safeguards are polyfunctional (for example error correcting code)


Preventive Safeguards

Preventive safeguards (profülaktilised turvameetmed) make it possible to prevent security incidents:

  • to minimize vulnerabilities

  • to prevent attacks

  • to minimize security risk probabilities

  • to decrease the influence of security incidents to IT assets

  • to facilitate site (object) restoration

Can be divided into three categories:

  • reinforcable safeguards (tugevdusmeetmed)

  • scaring safeguards (peletusmeetmed)

  • separative safeguards (eraldusmeetmed)


Reinforcable Safeguards

Reinforcable safeguards (tugevdusmeetmed) mainly reduce the security risk caused by spontaneous threats

They consist of:

  • order or systematicness (kord)

  • working conditions (töötingimused)

  • preventive check (ennetav kontroll)

  • security awareness (turvateadlikkus)


Reinforcable Safeguards: Order

Examples:

internal rules

accurate job descriptions

standards

regular maintenance of infrastructure and facilities

established procurement procedures

documentation of equipment

labeling of data carriers and cables

version management

resource management

security policies, security plans, security guidelines etc


Reinforcable Safeguards: Working Conditions

micro-climate (temperature, humidity, air cleanliness)

ergonomic design and layout of workplace

corporate social climate, positive human relations

corporate promotion and career principles


Reinforcable Safeguards: Preventive Check

  • verification and testing of IT products and security mechanisms

  • regular monitoring of IT security-related information

  • test-attacks of safeguards and security mechanisms

  • auditing of IT systems (using standard methods)


Reinforcable Safeguards: Security Awareness

Main branches:

suitable selection of employees

regular training of employees

regular (and irregular) awareness events

test alarms


Scaring Safeguards

Scaring safeguards (peletusmeetmed) minimize the probability of attack attempts. A scaring influence is often a useful additional feature of a safeguard - the mere knowledge about safeguards often reduces the risk (especially in cases where the expected yield for an attacker can’t compensate for the risk)

Examples:

  • different sanctions (legal etc)

  • warning signs on documents, data carriers, gates, walls, doors, etc.

  • visible safeguards - a guard, a camera, illumination of the territory, security doors, card locks etc


Separative Safeguards

Separative safeguards (eraldusmeetmed) mainly fend off attacks. They usually defend all aspects of security (availability, integrity, confidentiality)

  • Can be divided into:

  • spatial isolation (ruumiline isoleerimine)

  • temporal isolation (ajaline isoleerimine)

  • logical isolation (loogiline isoleerimine)


Spatial Isolation

  • using different computers for the data of different security levels

  • using different data carriers to store the data of different security levels (with different authorized users)

  • using separate lines for data of different security levels

  • using separate rooms for storing the documents of different security levels


Temporal Isolation

  • using a computer at different times for data of different security levels

  • using different software at different times on the same computer

  • using (office) rooms at different times for events of different sensitivity


Logical Isolation

Logical isolation (loogiline isoleerimine) is the division of IT assets (for example: data) into small elements that can be treated separately and/or grouped together

Realisation:

  • access control (password protection, card lock etc)

  • service broker (eg, firewall, database query processor)

  • securing (encrypting, hiding, destroying, erasing etc)


Identifying Safeguards

In minimizing security loss we aim at the following goals:

  • avoiding the security incident

  • identifying the incident operatively

  • registering the incident (and identifying it later)

  • proving the incident later

  • Identifying safeguards (avastavad turvameetmed) can be divided into:

  • operative identification (operatiivtuvastus)

  • post-identification (järeltuvastus)

  • evidence-based identification (tõendtuvastus)


Operative Identification

Operative identification (operatiivtuvastus) involves methods which are able to identify security incidents as soon as they occur, and respond to them immediately

  • Examples:

  • guard, fire and security alarm, environmental monitoring etc

  • warning message caused by the blocked (prohibited) operations, false authentication attempt etc

  • debugging of software


Post-Identification

Post-identification (järeltuvastus) is based on the registration of events and on proving the security incident later from them

  • Examples:

  • logfiles of computers and lock systems

  • several testing and diagnostic tools

  • different methods of verification, auditing, testing etc


Evidence-Based Identification

Evidence-based identification (tõendtuvastus) is based on several security elements (which are added to IT assets and data) that make it possible to check integrity and/or confidentiality

Examples:

  • parity bit, checksum, cryptographic message digest

  • digital signature and timestamp

  • steganographic watermark

  • physical security elements (visible or low-noticeable threads, seals, labels etc)
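
An added example (not part of the lecture) for the elements listed above and for the integrity claim on the Role of Cryptography slide: it checks one record against a parity bit, a CRC-32 checksum, a SHA-256 digest and a keyed HMAC. HMAC with a shared secret key stands in for the digital signature because the Python standard library has no signature scheme; KEY, RECORD and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"          # constructed secret, held only by the verifier
RECORD = b"pay 100 EUR to account 42"  # constructed sample record


def parity_bit(data: bytes) -> int:
    """Even-parity bit: 1 when the number of set bits in data is odd."""
    return sum(bin(byte).count("1") for byte in data) & 1


def make_evidence(data: bytes, key=None) -> dict:
    """Compute the security elements stored or sent alongside the data."""
    evidence = {
        "parity": str(parity_bit(data)),
        "crc32": format(zlib.crc32(data), "08x"),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if key is not None:  # the keyed element needs the secret
        evidence["hmac"] = hmac.new(key, data, hashlib.sha256).hexdigest()
    return evidence


def verify(data: bytes, evidence: dict, key: bytes) -> dict:
    """Per element: True means it still matches, i.e. no change was noticed."""
    fresh = make_evidence(data, key)
    return {name: hmac.compare_digest(fresh[name], value)
            for name, value in evidence.items()}


def flip_bits(data: bytes, positions) -> bytes:
    """Flip the given bit positions (0 = least significant bit of byte 0)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def scenarios() -> dict:
    stored = make_evidence(RECORD, KEY)
    # 1. Spontaneous threat: a single bit flips in storage or transit.
    one_bit = verify(flip_bits(RECORD, [3]), stored, KEY)
    # 2. Two flipped bits cancel each other out in the parity bit.
    two_bits = verify(flip_bits(RECORD, [3, 12]), stored, KEY)
    # 3. Attack: the data is changed and every unkeyed element is recomputed.
    #    Without KEY the HMAC cannot be recomputed, so the old one is reused.
    forged_data = RECORD.replace(b"100", b"900")
    forged = make_evidence(forged_data)
    forged["hmac"] = stored["hmac"]
    attack = verify(forged_data, forged, KEY)
    return {"one_bit": one_bit, "two_bits": two_bits, "attack": attack}


if __name__ == "__main__":
    for name, result in scenarios().items():
        missed = [element for element, ok in result.items() if ok]
        print(f"{name}: change not noticed by {missed or 'any element'}")
```

Only the keyed element notices the deliberate change, while the unkeyed ones are sufficient against accidental errors.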


Reconstructive Safeguards

After a security incident it is always necessary to restore the normal operability of the harmed object. The more important the object (IT asset) is for us, the faster and more completely this is done

  • Main branches of reconstructive safeguards (taastavad turvameetmed) are:

  • backing up (varundamine)

  • renovation (ennistamine)

  • replacing (asendamine)


Backing Up

Backing up (varundamine) is the main and most important prerequisite for any restoration

  • Examples:

  • regular backup of data (once in a day, week etc)

  • parallel (backup) computer system

  • RAID hard disk system


Renovation

Renovation (ennistamine) involves the removal of faults, errors and defects

Examples:

  • repairing of IT equipment

  • repairing and modifying of software using version management methods

  • repairing of infrastructure (cables, power supplies etc)

  • removing of malware (viruses) with anti-virus software


Replacing

Replacing (asendamine) must be prepared for cases of non-repairable damage

  • Examples:

  • keeping some PCs and/or laptops in the company’s stock

  • rapid delivery agreements for IT equipment

  • substitution plans for employees (for cases of illness, vacation, death etc)

  • backup office rooms (or readiness for rooms)


Classification of Safeguards by IT Assets

German BSI IT Baseline Security Method (2005, English version):

generic aspects

infrastructure

IT systems

network

applications


Classification of Safeguards by IT Assets

ISO and Estonian National Data Security Standard EVS-ISO/IEC 13335:

physical assets

information / data

software

ability to produce some product or provide a service

people

intangibles


Classification of Safeguards by Realization

  • organisational safeguards

  • physical safeguards

  • IT-related safeguards

The most essential branch is organisational safeguards – without them no physical or IT-related safeguard has any real influence


Organisational Safeguards

Organisational safeguards (organisatsioonilised turvameetmed) include security administration, security system design, management and security incident handling activities and operations

Organisational safeguards should be implemented first, beginning with formulating the security policy, risk analysis and composing the security plan


Organisational Safeguards

... include four main components:

  • activities that a certain person must do

  • activities which are prohibited for a certain person

  • what happens when someone does something forbidden

  • what happens when someone doesn’t do the necessary things


Physical Safeguards

Physical safeguards (füüsilised turvameetmed) involve:

1. Infrastructure of a protectable object:

  • structural barriers

  • communications

  • heating and air conditioning

  • security doors and windows, gates etc

2. Mechanical components: locks, signs, packaging, labels etc

Usually physical safeguards also involve guards, employees of the entrance building etc


IT-related Safeguards

IT-related safeguards (infotehnilised turvameetmed) are mainly used for performing logical separation and for identifying a security incident

Two main branches of practical tools:

  • software-based access control to data and IT systems (incl. authentication techniques)

  • cryptographic means – for achieving both confidentiality and integrity

