Session 1 – Introduction to Information Security

Presentation Transcript
Security Objectives
  • Confidentiality (includes privacy)
  • Integrity
  • Availability

ITEC 4100, Fall 2007, D Chan

Security Processes
  • Identification
  • Authentication
  • Authorization
  • Logging
  • Monitoring

Common Security Measures
  • Password
  • Two-factor authentication
  • Biometrics
  • Access control lists for granting authorization to information
  • Locks
  • Encryption
  • Anti-virus
  • Usage and rejection reports

Passwords
  • Should not be shared
  • Should be changed by user
  • Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Passwords
  • Long, at least 8 characters
  • Alphanumeric
  • Hashed (one-way scrambling)
  • System should allow only a few attempts before locking out account

Passwords
  • An 8-letter password is 676 times stronger than a 6-letter password.
  • A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
  • Required strength should depend on the user’s privilege level and on where the system is located.

Two-factor Authentication
  • Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
  • Combines something the user has with something the user knows.
  • Examples: a token that generates a dynamic (one-time) password, and an ATM card used with a PIN.

Biometrics
  • Can include fingerprint, hand geometry, voice etc.
  • Held back by privacy concerns.
  • Not legally recognised in place of a signature.

Operating System Security
  • Use a standard checklist for configuration
  • Implement vendor updates
  • Use scanning software to detect vulnerabilities before deployment and periodically thereafter.

Firewall
  • Can be hardware based only, e.g., a router.
  • Can be a server running sophisticated software, which is more granular and reliable than a router and provides better logs.
  • Can use artificial intelligence to check for patterns.

Firewall
  • Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
  • The firewall would block traffic that is definitely unacceptable.

Firewall
  • A typical firewall uses rules to determine whether traffic is acceptable; e.g., some organizations do not allow port scanning.
  • The header of a data packet carries a source Internet Protocol (IP) address, a destination IP address and a port number; firewall rules match on these fields.

Firewall
  • A port is a logical connection point on a network device, including a computer.
  • Well-known port numbers standardize Internet traffic, e.g., web browsing (HTTP) uses port 80 and e-commerce (HTTPS) uses port 443.
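
The rule-based filtering described on these firewall slides, as an added Go example that is not part of the original presentation. It evaluates ordered rules over the packet fields the slides name (source address, destination address, port), denies anything no rule allows, writes one log line per packet, and flags a source that touches many distinct ports as the port-scan pattern some organizations forbid. The addresses, the `allow-web` policy and the scan threshold of 10 are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Action string

const (
	Deny  Action = "DENY"
	Allow Action = "ALLOW"
)

// Packet holds the header fields the slides say a firewall looks at.
type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
}

// Rule matches a source network, a destination network and, optionally,
// a list of destination ports (empty means any port).
type Rule struct {
	Name   string
	Src    netip.Prefix
	Dst    netip.Prefix
	Ports  []uint16
	Action Action
}

func (r Rule) Matches(p Packet) bool {
	if !r.Src.Contains(p.Src) || !r.Dst.Contains(p.Dst) {
		return false
	}
	if len(r.Ports) == 0 {
		return true
	}
	for _, port := range r.Ports {
		if port == p.DstPort {
			return true
		}
	}
	return false
}

// Firewall applies rules first-match-wins with a default deny, logs every
// packet, and flags a source that has probed ScanThreshold distinct ports.
type Firewall struct {
	Rules         []Rule
	ScanThreshold int
	Log           []string
	portsSeen     map[netip.Addr]map[uint16]bool
}

func NewFirewall(rules []Rule, scanThreshold int) *Firewall {
	return &Firewall{Rules: rules, ScanThreshold: scanThreshold, portsSeen: map[netip.Addr]map[uint16]bool{}}
}

// Filter returns the decision and the rule (or pattern) that produced it.
func (fw *Firewall) Filter(p Packet) (Action, string) {
	seen := fw.portsSeen[p.Src]
	if seen == nil {
		seen = map[uint16]bool{}
		fw.portsSeen[p.Src] = seen
	}
	seen[p.DstPort] = true
	action, reason := Deny, "default-deny"
	if len(seen) >= fw.ScanThreshold {
		reason = "port-scan" // pattern check runs before the rule table
	} else {
		for _, r := range fw.Rules {
			if r.Matches(p) {
				action, reason = r.Action, r.Name
				break
			}
		}
	}
	fw.Log = append(fw.Log, fmt.Sprintf("%s %s -> %s:%d (%s)", action, p.Src, p.Dst, p.DstPort, reason))
	return action, reason
}

// WebServerRules is a constructed policy: anyone may reach the web server on
// ports 80 and 443; everything else falls through to the default deny.
func WebServerRules() []Rule {
	anywhere := netip.MustParsePrefix("0.0.0.0/0")
	web := netip.MustParsePrefix("203.0.113.10/32") // constructed documentation address
	return []Rule{{Name: "allow-web", Src: anywhere, Dst: web, Ports: []uint16{80, 443}, Action: Allow}}
}

func main() {
	fw := NewFirewall(WebServerRules(), 10)
	web := netip.MustParseAddr("203.0.113.10")
	client, scanner := netip.MustParseAddr("198.51.100.7"), netip.MustParseAddr("198.51.100.9")
	fw.Filter(Packet{Src: client, Dst: web, DstPort: 443}) // allowed by allow-web
	fw.Filter(Packet{Src: client, Dst: web, DstPort: 22})  // no rule matches: default deny
	for port := uint16(1); port <= 12; port++ {            // sweep that trips the scan pattern
		fw.Filter(Packet{Src: scanner, Dst: web, DstPort: port})
	}
	for _, line := range fw.Log {
		fmt.Println(line)
	}
}
```

The default-deny fall-through is what makes the rule table a policy rather than a blocklist: an administrator only has to enumerate what is acceptable, which is the stance the slide recommends.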

Virus Protection
  • Companies around the world spend about US $20 billion a year to clean up viruses
  • All critical servers are protected
  • All internet email is scanned
  • Automated identification of workstations that do not have up-to-date signature files
  • Organizations should block common virus file types to be proactive

Virtual Private Network
  • To secure remote access to company systems by staff or contractors.
  • Should require two-factor authentication.
  • Because VPN traffic is encrypted, the perimeter firewall cannot inspect it; the secure tunnel should therefore terminate at another firewall where the decrypted traffic can be inspected.

Intrusion Detection System
  • Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
  • Alerts systems administrators to take pre-emptive or corrective actions.

Intrusion Prevention System
  • Combines firewall and intrusion detection technologies.
  • Rejects highly questionable or unacceptable traffic.
  • More effective than firewalls, but may produce false positives.

Encryption
  • Uses mathematics to scramble data.
  • Uses a key and an algorithm; commercial algorithms are public knowledge, so the secrecy rests in the key.
  • Symmetric key.
  • Asymmetric keys (private/public key pair).

Symmetric Key Encryption
  • The same key is used to decrypt and encrypt
  • Simple to encrypt and decrypt
  • Large number of keys required for one-on-one secret communication
  • Number of keys for N people is N(N-1)/2
  • Need to secure the key

Asymmetric Encryption
  • A pair of keys is generated by a user: a private key and a corresponding public key.
  • The public key can be disclosed. The private key is secured.
  • People can use the public key to encrypt material.

Asymmetric Encryption
  • The corresponding private key is needed to decrypt.
  • The two keys cannot be reverse-engineered from one another, i.e., you cannot use the public key to derive the private key.
  • Keys are longer than symmetric keys, so encryption and decryption take longer.

Asymmetric Encryption
  • Needed for email encryption.
  • Used for e-commerce, digital certificates and digital signatures.
  • Number of keys for N users is 2N.

Digital Signature
  • A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Digital Signature
  • The sender uses a hash algorithm to compute a hash (a fixed-length, one-way digest) of the document.
  • The sender uses its private key to encrypt the hash; the result is the digital signature.
  • The recipient uses the same algorithm to hash the plain-text document when it is received.
  • The recipient uses the sender’s public key to decrypt the digital signature and compares the result with the hash it computed; a match confirms integrity and, because only the sender’s private key could have produced it, the sender’s identity.

Digital Certificate
  • An electronic business card that establishes your credentials when doing business or other transactions on the Web.
  • It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.
  • People can use the certificate authority’s public key to verify the signature.

Certificate Authority
  • An organization that issues digital certificates to companies and individuals
  • An organization can issue digital certificates to its own customers or employees to authenticate local transactions
  • The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.

E-commerce Encryption
  • Uses both symmetric keys and asymmetric keys
  • Enforced by the merchant
  • Merchant sends its certificate and public key to the browser

E-commerce Encryption
  • Browser generates a symmetric key
  • Browser encrypts the symmetric key with the merchant’s public key
  • Browser authenticates the digital certificate
  • Encrypted symmetric key is sent to merchant

E-commerce Encryption
  • Merchant decrypts the symmetric key with its private key
  • The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.

Email Encryption
  • Sender uses the recipient’s public key to encrypt the message
  • Sender signs the message with own private key
  • Recipient uses own private key to decrypt message
  • Recipient uses sender’s public key to authenticate the digital signature

Conclusion
  • Security is increasingly important because of e-commerce.
  • Security is the responsibility of every employee.
  • Organizations should designate a chief information security officer to coordinate.
