Information Security

Transcription

1 Information Security Dr. Rabie A. Ramadan GUC, Cairo Room C7-310 Lecture 1

2 Class Organization One class Weekly One Tutorial Weekly Most probably taught by myself 3-4 theoretical assignments 3-4 practical assignments (Labs) Term paper / project 2

3 Textbooks Michael G. Solomon and Mike chapple, Information Security Illuminated, 2005 William Stallings, Cryptography and Network Security, fourth Edition Behrouz A. Forouzan, Cryptography and Network Security, 2008 Edition Some other research materials 3

4 Tentative Grading 40% Final comprehensive 20% Mid-term exam 5% Assignments 5% Lecture participation 20% Project / Term paper 10% Quizzes 2 out of 3 4

5 Lets have fun before we start 5

6 Game No. 1 Study the circles below. Work out what number should replace the question mark.

7 Hit 4 * 5 + 3* 6 = 38 8 * * 5 = 47 7

8 Game No. 2 Draw a square made up of dots like this one on your piece of paper Now, without lifting the pencil from the page, draw no more than four straight lines which will cross through all nine dots

9 Hint One line can go out of the paper

10 Solution Lessons Learned Do not discard small details Ask questions You might think that things are very complicated but with little guide it becomes very easy

11 Video Part Play What does it tell you? Be Smart and Think Smartly 11

12 The Role of Security Security is like adding brakes to cars. The purpose of brakes is not to stop you; it is to enable you to go faster. Brakes help avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. Better security is an enabler for greater freedom and confidence in the Cyber world. 12

13 Why Information Security? Play Play 13

14 Historical Aspects of InfoSec In old days, to be secure, Information maintained physically on a secure place Few authorized persons have access to it (confidentiality) Protected from unauthorized change (integrity) Available to authorized entity when is needed (availability) Nowadays, Information are stored on computers Confidentiality are achieved few authorized persons can access the files. Integrity is achieved few are allowed to make change Availability is achieved at least one person has access to the files all the time 14

15 Historical Aspects of InfoSec In the 1970s, Federal Information Processing Standards (FIPS) examines DES (Data Encryption Standard) for information protection DARPA creates a report on vulnerabilities on military information systems in 1978 In 1979 two papers were published dealing with password security and UNIX security in remotely shared systems In the 1980s the security focus was concentrated on operating systems as they provided remote connectivity 15

16 Historical Aspects of InfoSec In the 1990s, the growth of the Internet and the growth of the LANs contributed to new threats to information stored in remote systems IEEE, ISO, ITU-T, NIST and other organizations started developing many standards for secure systems Information security is the protection of information,the systems, and hardware that use, store, and transmit information 16

17 CNSS Model CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]). CNSS has developed a National Security Telecommunications and Information Systems Security (NSTISSI) standards. NSTISSI standards are 4011, 4012, 4013, 4014, 4015,

18 CNSS Security Model Technology Education Policy Confidentiality Integrity Availability Storage Processing Transmission 18

19 CNSS Security Model The model identifies a 3 x 3 x 3 cube with 27 cells Security applies to each of the 27 cells These cells deal with people, hardware, software, data, and procedures A hacker uses a computer (hardware) to attack another computer (hardware). Procedures describe steps to follow in preventing an attack. An attack could be either direct or indirect In a direct attack one computer attacks another. In an indirect attack one computer causes another computer to launch an attack. 19

20 Systems Development Life Cycle for InfoSec (SDLC) SDLC for InfoSec is very similar to SDLC for any project The Waterfall model would apply to InfoSec as well Investigate Analyze Logical Design Physical Design Implement Maintain 20

21 Systems Development Life Cycle for InfoSec Investigation phase involves feasibility study based on a security program idea for the organization Analysis phase involves risk assessment Logical design phase involves continuity planning, disaster recovery, and incident response Investigate Analyze Logical Design Physical Design Implement Maintain 21

22 Systems Development Life Cycle for InfoSec Physical design phase involves considering alternative options possible to construct the idea of the physical design Maintenance phase involves implementing the design, evaluating the functioning of the system, and making changes as needed Investigate Analyze Logical Design Physical Design Implement Maintain 22

23 What is a Computer Security? Different answers It is the password that I use to enter the system or required set of rules (lock the computer before you leave) End User It is the proper combination of firewall technologies with encryption systems and access controls Administrator Keeping the bad guys out of my computer Manager 23

24 What is a computer security? A computer is secure if you can depend on it and its software to behave as you expect Simson and Gene in Practical Unix and Internet Security book Which definition is correct? All of them. However, We need to keep all of these prospective in mind 24

25 Security Goals Confidentiality, Integrity, and Availability CIA Triad 25

26 Confidentiality The property of preventing disclosure of information to unauthorized individuals or systems. Real Scenario To ensure a credit card transaction on the Internet requires the credit card confidentiality number to be transmitted from the buyer to the merchant and from the merchant to a transaction To ensure processing network. The system attempts confidentiality to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. 26

27 Integrity Data cannot be modified without authorization. Real scenarios: Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. Preventing by Access Control and Encryption 27

28 Availability The information must be available when it is needed. High availability systems aim to remain available at all times. Real Scenarios Power outages, hardware failures, DoS attacks (denial-of-service attacks). Preventions by fault tolerance, access control, and attack prevention mechanisms. 28

29 Security Goals (Summary) Confidentiality Ensures that computer-related assets are accessed only by authorized parties. Sometimes called secrecy or privacy. Integrity Assets can be modified only by authorized parties or only in authorized ways. Availability assets are accessible to authorized parties at appropriate times. The opposite is denial of service. 29

30 Security Goals Strong protection is based on Goals relations 30