the university of akron summit college business technology dept n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
The University of Akron Summit College Business Technology Dept. PowerPoint Presentation
Download Presentation
The University of Akron Summit College Business Technology Dept.

Loading in 2 Seconds...

play fullscreen
1 / 56

The University of Akron Summit College Business Technology Dept. - PowerPoint PPT Presentation


  • 126 Views
  • Uploaded on

The University of Akron Summit College Business Technology Dept. 2440: 141 Web Site Administration Introduction to Security Instructor: Enoch E. Damson. Information Security. Consists of the procedures and measures taken to protect each component of information systems

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'The University of Akron Summit College Business Technology Dept.' - haile


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the university of akron summit college business technology dept

The University of AkronSummit CollegeBusiness Technology Dept.

2440: 141Web Site Administration

Introduction to Security

Instructor: Enoch E. Damson

information security
Information Security
  • Consists of the procedures and measures taken to protect each component of information systems
    • Protecting data, hardware, software, networks, procedures and people
  • The concept of information security is based on the C.I.A triangle (according to the National Security Telecommunications and Information Security Committee – NSTISSC)
    • C – Confidentiality
    • I – Integrity
    • A – Availability

Introduction to Security

confidentiality
Confidentiality
  • Addresses two aspects of security with subtle differences
    • Prevents unauthorized individuals from knowing or accessing information
    • Safeguards confidential information and disclosing secret information only to authorized individuals by means of classifying information

Introduction to Security

integrity
Integrity
  • Ensures data consistency and accuracy
  • The integrity of the information system is measured by the integrity of its data
  • Data can be degraded into the following categories:
    • Invalid data – not all data is valid
    • Redundant data – the same data is recorded and stored in several places
    • Inconsistent data – redundant data is not identical
    • Data anomalies – one occurrence of repeated data is changed and the other occurrences are not
    • Data read inconsistency – a user does not always read the last committed data
    • Data non-concurrency – multiple users can access and read data at the same time but loose read consistency

Introduction to Security

availability
Availability
  • Ensures that data is accessible to authorized individuals to access information
  • An organization’s information system can be unavailable because of the following security issues
    • External attacks and lack of system protection
    • Occurrence of system failure with no disaster recovery strategy
    • Overly stringent and obscure security procedures and policies
    • Faulty implementation of authentication processes, causing failure to authenticate customers properly

Introduction to Security

information security architecture
Information Security Architecture
  • The model for protecting logical and physical assets
  • The overall design of a company’s implementation of the C.I.A triangle
  • Components range from physical equipment to logical security tools and utilities

Introduction to Security

components of information security architecture
Components of Information Security Architecture
  • The components of information security architecture are:
    • Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out
    • Security personnel and administrators – people who enforce and keep security in order
    • Detection equipment – devices to authenticate users and detect and equipment prohibited by the company

Introduction to Security

components of information security architecture1
Components of Information Security Architecture…
  • Other components of information security architecture include:
    • Security programs – tools to protect computer system’s servers from malicious code such as viruses
    • Monitoring equipment – devices to monitor physical properties, users, and important assets
    • Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
    • Auditing procedures and tools – checks and controls to ensure that security measures are working

Introduction to Security

levels of security
Levels of Security
  • The levels of security include:
    • Highly restrictive
    • Moderately restrictive
    • Open

Introduction to Security

levels of security1
Levels of Security…
  • Before deciding on a level of security, answer these questions:
    • What must be protected?
    • From whom should data be protected?
    • What costs are associated with security being breached and data being lost or stolen?
    • How likely is it that a threat will actually occur?
    • Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?

Introduction to Security

highly restrictive security policies
Highly Restrictive Security Policies
  • Include features such as:
    • Data encryption
    • Complex password requirements
    • Detailed auditing and monitoring of computer/network access
    • Intricate authentication methods
    • Policies that govern use of the Internet/e-mail
  • Might require third-party hardware and software
  • Implementation cost is high
  • Cost of a security breach is high

Introduction to Security

moderately restrictive security policies
Moderately Restrictive Security Policies
  • Most organizations can opt for this type of policy
  • Requires passwords, but not overly complex ones
  • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
    • Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
  • Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc)
  • Costs are primarily in initial configuration and support

Introduction to Security

open security policies
Open Security Policies
  • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
  • May be implemented by a small company with the primary goal of making access to basic data resources
  • Internet access should probably not be possible via the company LAN
  • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

Introduction to Security

securing the web environment
Securing the Web Environment
  • Both Linux and Windows need to configured carefully to minimize security risks
    • Keep software patches up to date
  • Web servers with static pages are relatively easy to protect than those with dynamic pages
  • To secure transmission, data may be encrypted with Secure Socket Layer (SSL) and Secure Shell (SSH)
  • To isolate a Web server environment:
    • Firewalls may be used to block unwanted access to ports
    • Proxy servers may be used to isolate computers
  • To discover whether and how attackers have penetrated a system, intrusion detection software may be used

Introduction to Security

identifying threats and vulnerabilities
Identifying Threats and Vulnerabilities
  • Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data
    • Data can be credit card numbers, user names and passwords, other personal data
  • Information can be gathered by hackers while it is being transmitted
  • Operating system flaws can often assist hackers

Introduction to Security

types of attacks vulnerabilities
Types of Attacks & Vulnerabilities
  • Some of the numerous methods to attack systems are as follows:
    • Virus – code that compromises the integrity and state of a system
    • Worm – code that disrupts the operation of a system
    • Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code
    • Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
    • Spoofing – malicious code that looks like legitimate code
    • Bugs – software code that is faulty due to bad design, logic, or both

Introduction to Security

types of attacks vulnerabilities1
Types of Attacks & Vulnerabilities…
  • Other methods to attack systems include:
    • Email spamming – E-mail that is sent to many recipients without their permission
    • Boot sector virus – code that compromises the segment in the hard disk containing the program used to start the computer
    • Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
    • Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems

Introduction to Security

examining tcp ip
Examining TCP/IP
    • TCP/IP was not designed to be secure but to allow systems to communicate
  • Hackers often take advantage of the ignorance about TCP/IP to access computers connected to the Internet
  • The following are parts of the IP header most relevant to security
    • Source address – start-point IP address
    • Destination address – end-point IP address
    • Packet identification, flags, fragment offset
    • Total length – length of packet in bytes
    • Protocol – TCP, UDP, ICMP

Introduction to Security

vulnerabilities of dns
Vulnerabilities of DNS
  • Historically, DNS has had security problems
  • BIND is the most common implementation of DNS and some older versions had serious bugs
  • Current versions of BIND have been more secure

Introduction to Security

vulnerabilities in operating systems
Vulnerabilities in Operating Systems
  • Operating systems are large and complex
    • Hence, more opportunities for attack
  • Inattentive administrators often fail to implement patches when available
  • Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Introduction to Security

vulnerabilities in web servers
Vulnerabilities in Web servers
  • Static HTML pages pose virtually no problem
  • Programming environments and databases add complexity that a hacker can exploit

Introduction to Security

vulnerabilities of e mail servers
Vulnerabilities of E-mail Servers
  • By design, e-mail servers are open
  • E-mail servers can be harmed by a series of very large e-mail messages
  • Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
  • Viruses can be sent to e-mail users
  • Retrieving e-mail over the Internet often involves sending your user name and password as clear text

Introduction to Security

security basics
Security Basics
  • Some of the basic security rules are as follows:
    • Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa
    • No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
    • The weakest link in security is human beings

Introduction to Security

security methods
Security Methods
  • People
    • Physical limits on access to hardware and documents
    • Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices, such as ID card, eye scans, passwords
    • Training courses on the importance of security and how to guard assets
    • Establishments of security policies and procedures

Introduction to Security

security methods1
Security Methods…
  • Applications
    • Authentication of users who access applications
    • Business rules
    • Single sign-on (a method for signing on once for different applications and Web sites)

Introduction to Security

security methods2
Security Methods…
  • Network
    • Firewalls – to block network intruders
    • Virtual private network (VPN) – a remote computer securely connected to a corporate network
    • Authentication

Introduction to Security

security methods3
Security Methods…
  • Operating System
    • Authentication
    • Intrusion detection
    • Password policy
    • Users accounts

Introduction to Security

security methods4
Security Methods…
  • Database Management Systems
    • Authentication
    • Audit mechanism
    • Database resource limits
    • Password policy

Introduction to Security

security methods5
Security Methods…
  • Data Files
    • File permissions
    • Access monitoring

Introduction to Security

securing access to data
Securing Access to Data
  • Securing data on a network has many facets:
    • Authentication and authorization – identifying who is permitted to access which network resources
    • Encryption/decryption – making data unusable to anyone except authorized users
    • Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet
    • Firewalls – installing software/hardware device to protect a computer or network from unauthorized access and attacks

Introduction to Security

securing access to data1
Securing Access to Data…
  • Other facets of securing data on a network include:
    • Virus and worm protection – securing data from software designed to destroy data or make computer or network operate inefficiently
    • Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits
    • Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network

Introduction to Security

securing data transmission
Securing Data Transmission
  • To secure data on a network, you need to encrypt the data
  • Secure Socket Layer (SSL) is commonly used to encrypt data between a browser and Web server
  • Secure Shell (SSH) is a secured replacement for Telnet

Introduction to Security

securing the operating system
Securing the Operating System
  • Use the server for only necessary tasks
  • Minimize user accounts
  • Disable services that are not needed
  • Make sure that you have a secure password

Introduction to Security

securing windows
Securing Windows
  • Some services that are not needed in Windows for most Internet-based server applications may be turned off
  • Examples include:
    • Alerter
    • Computer browser
    • DHCP client
    • DNS client
    • Messenger
    • Server
    • Workstation
  • Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names

Introduction to Security

securing linux
Securing Linux
  • Only run needed daemons
  • Generally, daemons are disabled by default
  • The command netstat -lgives you a list of daemons that are running
  • Use chkconfig to enable and disable daemons
    • chkconfigimap onwould enable imap

Introduction to Security

securing e mail
Securing E-mail
  • Tunneling POP3 can prevent data from being seen
  • Microsoft Exchange can also use SSL for protocols it uses
  • Set a size limit for each mailbox to prevent someone from sending large e-mail messages until the disk is full

Introduction to Security

securing the web server
Securing the Web Server
  • Enable the minimum features
    • If you do not need a programming language, do not enable it
  • Make sure programmers understand security issues
  • Implement SSL where appropriate

Introduction to Security

authenticating web users
Authenticating Web Users
  • Both Apache and IIS use HTTP to enable authentication
    • If HTTP tries to access a protected directory and fails then:
      • it requests authentication from the user in a dialog box
      • Accesses directory with user information
  • Used in conjunction with SSL

Introduction to Security

using a firewall
Using a Firewall
  • A firewall implements a security policy between networks
  • Limit access, especially from the Internet to your internal computers
    • Restrict access to Web servers, e-mail servers, and other related servers

Introduction to Security

types of filtering
Types of Filtering
  • Packet filtering
    • Looks at each individual packet
    • Based on rules, it determines whether to let it pass through the firewall
  • Circuit-level filtering (stateful or dynamic filtering)
    • Controls complete communication session, not just individual packets
    • Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside
  • Application-level
    • Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

Introduction to Security

using a proxy server
Using a Proxy Server
  • A proxy server delivers content on behalf of a user or server application
  • Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP
  • Forward proxy servers isolate users from the Internet
    • Users contact proxy server which gets Web page
  • Reverse proxy servers isolate Web server environment from the Internet
    • When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

Introduction to Security

using intrusion detection software
Using Intrusion Detection Software
  • Intrusion detection is designed to show you that your defenses have been penetrated
  • With Microsoft Internet Security and Acceleration (ISA) Server, it only detects specific types of intrusion
  • In Linux, Tripwire tracks changes to files

Introduction to Security

tripwire
Tripwire
  • Tripwire allows you to set policies that allow you to monitor any changes to the files on the system
  • Tripwire can detect file additions, file deletions, and changes to existing files
  • By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Introduction to Security

implementing secure authentication and authorization
Implementing Secure Authentication and Authorization
  • Administrators must control who has access to the network (authentication) and what logged on users can do to the network (authorization)
    • Network operating systems have tools to specify options and restrictions on how/when users can log on to network
    • File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform

Introduction to Security

cryptography
Cryptography
  • The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
    • Allows encryption of data from its original form into a form that can only be read with a correct decryption key
  • Some of security functions addressed by cryptography methods are:
    • Authentication
    • Privacy
    • Message integrity
    • Provisions of data signatures

Introduction to Security

vocabulary of cryptography
Vocabulary of Cryptography
  • Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws
  • Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms
  • Cryptographer – a person trained in the science of cryptograpy
  • Alphabet – set of symbols used in cryptographic to either input or output messages
  • Plaintext (cleartext or raw data)– the original data in its raw form
  • Cipher (algorithm)– a cryptographic encryption algorithm for transforming data from one form to another
  • Cyphertext - the encrypted data

Introduction to Security

encryption
Encryption
  • The act of encoding readable data into a format that is unreadable without a decoding key
    • Decryption – the act of decoding encoded data back into the original readable format
  • Encryption provides privacy (confidentiality)

Introduction to Security

encryption methodology
Encryption Methodology
  • There are two elements in encryption:
    • Encryption method (ciper or algorithm)– specifies the mathematical process used in encryption
    • Key – the special string of bits used in encryption

Introduction to Security

types of cryptographic ciphers
Types of Cryptographic Ciphers
  • Ciphers fall into one of two major categories:
    • Symmetric (single-key) ciphers – the same key is used to both encryption and decryption
    • Asymmetric (public-key) ciphers – different keys are used for encryption and decryption

Introduction to Security

symmetric single key ciphers
Symmetric (Single Key) Ciphers
  • The most common and simplest form of encryption
  • Both parties in the encryption process use the same key and must keep the key secret
  • Symmetric ciphers are divided into:
    • Steam ciphers – encrypt the bits of message one at a time
    • Block ciphers – encrypt a number of bits as a single unit
  • Some symmetric ciphers include:
    • Data Encryption Standard (DES), Triple-DES, DESX, RDES, Blowfish, Twofish, AES (Advanced Encryption Standard), and IDEA (International Data Encryption Algorithm), Serpent

Introduction to Security

asymmetric public key ciphers
Asymmetric (Public Key) Ciphers
  • There are two keys for each party
    • The sender and receiver each has a private and public key
    • Public key – senders will encrypt data using non-secure connections with the receivers’ public key
    • Private key – the receivers use their private keys to decrypt data
  • The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption
  • Well regarded asymmetric techniques include: RSA (Rivest, Shamir, and Adleman), DSS (Digital Signature Standard), andEIGamal
  • Internet protocols using asymmetric ciphers include: Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Pretty Good Privacy (PGP), and GNU Privacy Guard (GPG)

Introduction to Security

encryption example
Encryption Example
  • Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Plaintext: Meet me on the corner
  • Cipher (algorithm): C = P + K
    • C – the ciphertext character
    • P – the plaintext character
    • K – the value of the key
  • Key: 3
  • The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext (C), add the value of the key (K) to the plaintext character
    • Shift the plaintext character to the right of the alphabet by three characters
      • D replaces A, E replaces B, F replaces C, etc
  • The following message is generated:
    • Ciphertext: Phhw ph rq wkh fruqhu

Introduction to Security

authentication
Authentication
  • One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
    • It brings authorization (confidentiality) – only authorized users can use data
  • In contrast, authentication proves the sender’s identity

Introduction to Security

forms of authentication
Forms of Authentication
  • There are many forms of authentication:
    • Passwords
    • Authentication cards – ATMs use these with coded information
    • Biometrics – measures body dimensions like finger-print analyzers
    • Public key authorization – uses digital signatures
      • Digital signature – the electronic version of a physical signature

Introduction to Security

security experts
Security Experts
  • Two of the most prominent computer security organizations are the CERT Coordination Center (CERT/CC) and the Systems Administration, Networking, and Security (SANS) Institute
    • CERT/CC – a federally funded software engineering institute operated by Carnegie Mellon University
    • SANS – a prestigious and well-regarded education and research organization with members including some of the leading computer security experts in the country

Introduction to Security

security resources
Security Resources
  • Computer Security Resources
    • http://www.sans.org (SANS Institute)
    • http://www.cert.org (CERT/CC)
    • http://www.first.org (FIRST – Forum of Incident Response and Security Teams)
    • http://csrc.nist.gov (NIST – National Institute of Standards and Technology, Computer Security Resource Center)
    • http://www.securityfocus.com (Security Focus Forum)

Introduction to Security