1 / 66

IT Security From an Organizational Perspective Ulrika Norman Jeffy Mwakalinga

This book provides an overview of IT security from an organizational perspective, covering topics such as security services, implementation, information systems, corporate security planning, and more.

rweber
Download Presentation

IT Security From an Organizational Perspective Ulrika Norman Jeffy Mwakalinga

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 1 IT Security From an Organizational Perspective Ulrika Norman Jeffy Mwakalinga Reference: 1) Enterprise Security. Robert C. Newman. ISBN: 0-13-047458-4 2) Corporate Computer and Network Security. Raymond R. Panko. ISBN: 0-13-101774-8

  2. PART I Security Overview Introduction Security Services and Implementation Overview of Existing Security Systems Implementing Security in a System PART II: Organizational Security 1) Introduction 2) Securing Information Systems of an Organization 3) Corporate Security Planning 4) Adding a Security Department 2 Outline

  3. 3 Introduction Information Security Security Management Security Technology Information Technology Security Physical Security Applications Security Communication Security Computer Security Wired Security Mobile (wireless) Security

  4. 4 Introduction Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities

  5. Generic Security System Protection Detection Response Recovery Detergence (Scare away) 5 Generic Security Principles Information while in transmission Information while in storage Hacker Hardware

  6. Introduction Security Services and Implementation Overview of Existing Security Systems Implementing security in a system 6 PART I: Security Overview

  7. 7 Security Services and Implementation : Confidentiality Confidentiality To keep a message secret to those that are not authorized to read it Authentication Access Control Integrity Non-repudiation Availability

  8. 8 Security Services: Authentication Confidentiality To verify the identity of the user / computer Authentication Access Control Integrity Non-repudiation Availability

  9. 9 Security Services: Access Control Confidentiality To be able to tell who can do what with which resource Authentication Access Control Integrity Non-repudiation Availability

  10. 10 Security Services: Integrity Confidentiality To make sure that a message has not been changed while on Transfer, storage, etc Authentication Access Control Integrity Non-repudiation Availability

  11. 11 Security Services: Non-repudiation Confidentiality To make sure that a user/server can’t deny later having participated in a transaction Authentication Access Control Integrity Non-repudiation Availability

  12. 12 Security Services: Availability Confidentiality To make sure that the services are always available to users. Authentication Access Control Integrity Non-repudiation Availability

  13. Cryptography 13 Providing Security Services: Confidentiality • We use cryptography Science of transforming information so it is secure during transmission or storage • Encryption: Changing original text into a secret, encoded message • Decryption: Reversing the encryption process to change text back to original, readable form

  14. 14 Encryption Someconfid entialtext essage) in clear Some confidential text (message) in clear (readable) form E n c r y p t i o n

  15. 15 Decryption Someconfid entialtext essage) in clear Some confidential text (message) in clear (readable) form D e c r y p t i o n

  16. 16 Example STOCKHOLM A B C D E F G . . . . X Y Z L G T U W O M . . . . I A C VWRFNKROP

  17. 17 Symmetric Key Encryption – One Key System Symmetric Key Note: A single key is used to encrypt and decrypt in both directions. Plaintext “Hello” Encryption Method & Key Ciphertext “11011101” Interceptor Internet Same Symmetric Key Ciphertext “11011101” Decryption Method & Key Plaintext “Hello” Anders Karin

  18. E n c r y p t i o n Someconfid entialtext essage) in clear Some confidential text (message) in clear (readable) form D e c r y p t i o n 18 Single Key System: Symmetric System • Same secret key is used to encrypt and decrypt messages. Secret Key must remain secret Crypto key

  19. K-1 19 Advanced EncryptionAlgorithm (AES) 1, 2, 3, ... ... .128, 192,256 1, 2, 3, ... ... ... ... ... ...128 Key Message If key = 128 Rounds = 9 If key = 192 Rounds = 11 If key = 256 Rounds = 13 K-2 K-Rounds Encrypted message 1, 2, 3, ... ... ... ... ... ...... 64

  20. E n c r y p t i o n Someconfid entialtext essage) in clear Some confidential text (message) in clear (readable) form D e c r y p t i o n 20 Two Keys System: Asymmetric System System with two keys: Private key and Public key. Example: Rivest Shamir Adleman system (RSA) Key 2 Key 1

  21. 21 Providing Security Services: Authentication • -something who you are • -something what you have • something what you know • -where you are - terminal WWW Server User

  22. 22 Authentication (continued) Fingerprint scanner • Passwords • Smart cards • certificates • Biometrics • Biometrics used for door locks, can also be used for access control to personal computers • Fingerprint scanners

  23. Read 23 Providing Security Services:Access Control Access control Who can do ... what ... with which resource ? File A File B Copy

  24. File1 File2 File3 File4 File5 File6 Subject1 read, Subject2 write Subject3 Subject4 Subject5 delete Subject6 24 Access Control Matrix

  25. 25 Providing Security Services: Integrity Some confidential text (message) in clear (readable) form Change to Binary form 1011100011001101010101010011101 0011 1010 1001 Compress (Hashing) It is called Message Digest 1101 0011 1010 1001

  26. message Message Digest 26 Providing Integrity Hashing System Message Digest ~ Message Authentication Code (MAC)

  27. message MAC Signature message Signature 27 14 Providing Security Services: Non-repudiation - Signatures Hashing System RSA (signing) Sender’s private RSA key PKCS#1

  28. 28 PART I: Security Overview • Introduction • Security Services • Overview of Existing Security Systems • Implementing security in a system

  29. 29 Overview of Existing Security Systems : FirewallsUsed even for Deterring (Scaring attackers) • Firewalls Designed to prevent malicious packets from entering • Software based Runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network • Hardware based  separate devices that protect the entire network (network firewalls)

  30. 30 Overview of Existing Security Systems : Detection -Intrusion Detection Systems • Intrusion Detection System (IDS) Examines the activity on a network • Goal is to detect intrusions and take action • Two types of IDS: • Host-based IDS Installed on a server or other computers (sometimes all) • Monitors traffic to and from that particular computer • Network-based IDS Located behind the firewall and monitors all network traffic

  31. 31 Overview of Existing Security Systems :Network Address Translation (NAT) Network Address Translation (NAT) Systems  Hides the IP address of network devices Located just behind the firewall. NAT device uses an alias IP address in place of the sending machine’s real one “You cannot attack what you can’t see”

  32. 32 Overview of Existing Security Systems :Proxy Servers • Proxy Server Operates similar to NAT, but also examines packets to look for malicious content Replaces the protected computer’s IP address with the proxy server’s address • Protected computers never have a direct connection outside the networkThe proxy server intercepts requests. Acts “on behalf of” the requesting client

  33. 33 Adding a Special Network called Demilitarized Zone (DMZ) • Demilitarized Zones (DMZ)  Another network that sits outside the secure network perimeter. Outside users can access the DMZ, but not the secure network • Some DMZs use two firewalls. This prevents outside users from even accessing the internal firewall  Provides an additional layer of security

  34. 34 Overview of Existing Security Systems :Virtual PrivateNetworks (VPN) • Virtual Private Networks (VPNs) A secure network connection over a public network • Allows mobile users to securely access information • Sets up a unique connection called a tunnel

  35. 35 Overview of Existing Security Systems :Virtual Private Networks (VPN)

  36. 36 Overview of Existing Security Systems :Honeypots • Honeypots Computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations • Intentionally configured with security holes • Goals: Direct attacker’s attention away from real targets; Examine the techniques used by hackers

  37. SSL is used for securing communication between clients and servers. It provides mainly confidentiality, integrity and authentication 37 Overview of Existing Security Systems :Secure Socket Layer (SSL) Establish SSL connection - communication protected Client WWW Server

  38. 38 PART I: Security Overview • Introduction • Security Services and Implementation • Overview of Existing Security Systems • Implementing security in a system

  39. 39 Implementing Security in a System Involves: Patching software- Getting the latest versions Hardening systems- by using different security systems available Blocking attacks – By having different security tools to prevent attacks Testing defenses Regularly testing from outside and inside the network or an organization

  40. Summary (continued) 40 Protecting one Computer • Operating system hardening is the process of making a PC operating system more secure • Patch management • Antivirus software – to protect your pc from viruses • Antispyware software • Firewalls – to deter (scare), protect • Setting correct permissions for shares • Intrusion detection Systems – to detect intrusions • Cryptographic systems

  41. 41 Protecting a Wired Network Use Firewalls, Intrusion Detection Systems, Network Address Translation, Virtual Private net Networks, honey pots, cryptographic systems, etc

  42. 42 Protecting a Wireless Local Area Network (WLAN)

  43. 43 Security in a Wireless LAN • WLANs include a different set of security issues • Steps to secure: • Turn off broadcast information • MAC address filtering • Encryption • Password protect the access point • Physically secure the access point • Use enhanced WLAN security standards whenever possible • Use cryptographic systems

  44. Introduction Securing Information Systems of an Organization Corporate Security Planning Adding a security Department 44 PART II: Organizational Security

  45. Organization Management Research Production Marketing Sales Supply Services Customers Partners (Outsource) Business to Business Web Clients 45 Introduction - Traditional Organization

  46. Organization + IS Information System (IS) for Management IS for Research IS for Production IS for Marketing IS for Sales IS for Supply IS for Services IS for Customers IS 4 Partners (Outsource) IS 4 Business to Business IS for Web Clients 46 Introduction: Adding Information System How do we secure the IS of the organization?

  47. 47 PART II: Organizational Security • Introduction • Securing Information Systems of an Organization • Corporate Security Planning • Adding a security Department

  48. IS organization Security Information System for Management Security S E C U R I T y Security Security Security Security Security Security IS for Research IS for Production IS for Marketing IS for Sales IS for Supply IS for Services Internet Security IS for Customers Security IS 4 Partners (Outsource) Security Security IS for B2B IS for Web Clients 48 Securing Information Systems of an Organization

  49. 49 Holistic (Generic) Security Approach Security Organization Technology (servers, …) People Information Protection Detection Response Recovery Detergence (Scare away)

  50. 50 Analysis Protection Detection Response Detergence (Scare away) Recovery How much to spend on Response? How much to spend on Recovery? How much to spend on Protection? How much to spend on Detection? How much to spend on Deterrence? 50%? 20%? 10%? 10%? 10%? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on government? How much responsibility on government? How much responsibility on government? How much responsibility on government? How much responsibility on government?

More Related