principles of information security unit i n.
Skip this Video
Loading SlideShow in 5 Seconds..
Principles of Information Security: Unit -I PowerPoint Presentation
Download Presentation
Principles of Information Security: Unit -I

Principles of Information Security: Unit -I

1617 Views Download Presentation
Download Presentation

Principles of Information Security: Unit -I

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Principles of Information Security:Unit -I Sanjay Rawat

  2. Introduction • Text book: • Principles of Information Security : Michael E. Whitman, Herbert J. Mattord, CENGAGE Learning, 4th Ed. • History of IS: ARPANET -> ETHENET -> INTERNET • To read (optional): Protection Analysis: Final Report, Richard Biswey & Dennis Hollingworth

  3. What is Security? • State of being secure, protected. • Elusion? • Being safe until someone finds a vulnerability to exploit.. • CIA – ONLY intended actors can: • Know -> confidentiality • Modify -> integrity • Have access ->availability • Too coarse.. Access, Assets, Risk, Threat….

  4. High-level View All alone in the world -> no security? Access control, network security etc. Physical security software security etc.

  5. Contemporary whole picture Access control outbound Internet LAN AV Routing tables simple ACL Crypto router ID/PS AV Access control inbound DMZ HTTP, SMTP, FTP WAN

  6. Definitions • CONTROL SPHERE: a set of resources and behaviors that are accessible to a single actor, or a group of actors. • SECURITY POLICY: a specification by the product or user that defines one or more control spheres for one or more actors • PROTECTION MECHANISM: a behavior or set of behaviors that helps to enforce an intended security policy for the product

  7. Definitions conti… • ATTACK: an attempt by an actor to violate the intended security policy. • ATTACKER: an actor who attempts an attack. • WEAKNESS: a type of behavior that has the potential for allowing an attack. • VULNERABILITY: a set of one or more related weaknesses within a specific software product or protocol that allows an actor to access resources or behaviors that are outside of that actor's control sphere.

  8. CNSS Model • CNSS = Committee on National Security Systems • McCumberCube – Cubes-inside-cube detailed model for planning and implementing security across organization. • It emphasizes issues beyond CIA); • Context dependent security risk evaluation; • Context dependent measurements to address those issues.

  9. CNSS Model conti…

  10. Components of IS • Software: ever changing -> difficult to secure . Low-level bugs etc. • Hardware: Relates to physical security aspect • Data: ultimate target • People: unpredictable • Procedures/Policies • Networks: Eluding physical security?

  11. Balancing Security and Access (usability) • No security -> complete access • Complete security -> no access • Optimal Security AND required access

  12. Few more terms (~ CIA connection) • Accuracy: Property of being unmodified? • Authenticity: is it genuine? • Utility: Is data/information remained useful? • Possession: Information is in safe hands?

  13. Security Implementation Approaches • Bottom-Up approach: low-level to top • Top-Down approach: higher management to low-level (people who really work  ) Project!!

  14. Software Development Life Cycle • Investigation : What problem is being solved? • Analysis: Step 1 vs. current status of the organization’s environment. • Logical Design: blue print of the desired solution. Emphasis is on “how the proposed system will solve the problem at hand”. • Physical Design: Proof of concept. • Implementation: Real product is created and tested along with supporting doc etc. • Maintenance and Change: support and patch.

  15. SecSDLCPrevention is better than cure • Investigation: outlines the implementation of a security program within the organization. • Analysis: Risk analysis, security and privacy issues (legal, e.g. HIPAA). • Logical Design: develops the blueprints for information security e.g. BCP & DR. • Physical Design: evaluates the information security technology needed to support the blueprint. • Implementation: security solutions are acquired, tested, implemented. • Maintenance: keep evaluating after the deployment and do remediation.

  16. SecSDLCconti… “… computer security is more than mechanisms and mathematics. It includes being able to analyze a situation to figure out what constitutes security, being able to specify those requirements, being able to design a system or program to meet those requirements, being able to implement the system or program correctly, and being able to make configuration and maintenance simple.” – Matt Bishop, UC, Davis, US.

  17. SecSDCLPrevention is better than cure • To read: Security Considerations in the System Development Life Cycle - NIST • Microsoft SDL: