Overview of Information Security

Similar documents
L1: Computer Security Overview. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Networks and security Data bases

ISO/IEC Common Criteria. Threat Categories

Cryptography and Network Security Chapter 1

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Cryptography and Network Security

AIT 682: Network and Systems Security. Instructor: Dr. Kun Sun

Lecture 1 Applied Cryptography (Part 1)

Trusted Platform for Mobile Devices: Challenges and Solutions

Discovering Computers Living in a Digital World

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Privacy Challenges in Big Data and Industry 4.0

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Cyber Criminal Methods & Prevention Techniques. By

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Define information security Define security as process, not point product.

Introduction to Security

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Information Security

Security Policies and Procedures Principles and Practices

Post-Class Quiz: Access Control Domain

II.C.4. Policy: Southeastern Technical College Computer Use

SMart esolutions Information Security

Securing Information Systems

_isms_27001_fnd_en_sample_set01_v2, Group A

CHAPTER 8 SECURING INFORMATION SYSTEMS

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Introduction to Security

Distributed Systems. Lecture 14: Security. Distributed Systems 1

IT443 Network Security Administration Spring Gabriel Ghinita University of Massachusetts at Boston

Distributed Systems. Lecture 14: Security. 5 March,

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

IT ACCEPTABLE USE POLICY

Securing Information Systems

CS 591: Introduction to Computer Security. Lecture 3: Policy

HIPAA Security and Privacy Policies & Procedures

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

EXHIBIT A. - HIPAA Security Assessment Template -

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Securing Information Systems

E-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.

Lecture III : Communication Security Mechanisms

Network Security Assessment

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Cyberspace : Privacy and Security Issues

19.1. Security must consider external environment of the system, and protect it from:

Operating systems and security - Overview

Operating systems and security - Overview

Ethics and Information Security. 10 주차 - 경영정보론 Spring 2014

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

CIS 4360 Secure Computer Systems Applied Cryptography

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

HIPAA Federal Security Rule H I P A A

Introduction to Computer Security

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

KALASALINGAM UNIVERSITY

Corporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

Meeting the Meaningful Use Security and Privacy Measure

Network Working Group Request for Comments: 1984 Category: Informational August 1996

ASC Chairman. Best Practice In Data Security In The Cloud. Speaker Name Dr. Eng. Bahaa Hasan

U N IV ERS IT Y O F O S LO

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

Network Security Issues and Cryptography

Threat Modeling Using STRIDE

COMPUTER NETWORK SECURITY

The Protocols that run the Internet

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

E-guide Getting your CISSP Certification

SECURITY & PRIVACY DOCUMENTATION

Five steps to securing personal data online Gary Shipsey Managing Director

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

What is ISO ISMS? Business Beam

CS475 Network and Information Security

Systems and Network Security (NETW-1002)

Acceptable Use Policy

IS Today: Managing in a Digital World 9/17/12

Elements of Security

CS682 Advanced Security Topics

Information Security. How to be GDPR compliant? 08/06/2017

Electronic Network Acceptable Use Policy

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 1 Introduction

Management Information Systems. B15. Managing Information Resources and IT Security

Ohio Supercomputer Center

Chapter 12. Information Security Management

Objectives of the Security Policy Project for the University of Cyprus

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

1-7 Attacks on Cryptosystems

Lecture Note 6 KEY MANAGEMENT. Sourav Mukhopadhyay

CSC 474/574 Information Systems Security

Consolidated Privacy Notice

2.1 Basic Cryptography Concepts

Security in Computing

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Transcription:

Overview of Information Security Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org Original Slides by Elisa Bertino CERIAS and CS &ECE Departments, Pag. 1 and UGBS

Outline Information Security: basic concepts Privacy: basic concepts and comparison with security Pag. 2

Information Security: Basic Concepts Pag. 3

Information Security A state of being free from unauthorized use of the system and its resources, misuse of the system and its resources, and disturbance of the system's operations The field of study about techniques for achieving and maintaining such a secure state Pag. 4

Information Protection - Why? Information are an important strategic and operational asset for any organization Damages and misuses of information affect not only a single user or an application; they may have disastrous consequences on the entire organization Additionally, the advent of the Internet as well as networking capabilities has made the access to information much easier Pag. 5

Information Security: Main Requirements Confidentiality Information Security Integrity Availability Pag. 6

Information Security: Examples Consider a payroll database in a corporation, it must be ensured that: salaries of individual employees are not disclosed to arbitrary users of the database salaries are modified by only those individuals that are properly authorized paychecks are printed on time at the end of each pay period Pag. 7

Information Security: Examples In a military environment, it is important that: the target of a missile is not given to an unauthorized user the target is not arbitrarily modified the missile is launched when it is fired Pag. 8

Information Security - main requirements Confidentiality - it refers to information protection from unauthorized read operations the term privacy is often used when data to be protected refer to individuals Integrity - it refers to information protection from modifications; it involves several goals: Assuring the integrity of information with respect to the original information (relevant especially in web environment) often referred to as authenticity Protecting information from unauthorized modifications Protecting information from incorrect modifications referred to as semantic integrity Availability - it ensures that access to information is not denied to authorized subjects Pag. 9

Information Security additional requirements Information Quality it is not considered traditionally as part of information security but it is very relevant Completeness it refers to ensure that subjects receive all information they are entitled to access, according to the stated security policies Pag. 10

Possible Targets of Security Threats Information: Unauthorized Access to the Information Stored in the System Control: Executing Unauthorized Control of the System or Its Component(s) Functionality / Performance / Availability: Disabling or Degrading the functionality, Performance or Availability of the System Pag. 11

Classes of Threats Disclosure Snooping, Trojan Horses Deception and Social Engineering Modification, spoofing, repudiation of origin, denial of receipt Disruption Modification Usurpation Modification, spoofing, delay, denial of service Pag. 12

Possible Source(s) of Threats Inside the System Outside the System Interface to the System (including communication channels) Pag. 13

It consists of: Information Security: A Complete Solution first defining a security policy then choosing some mechanism to enforce the policy finally providing assurance that both the mechanism and the policy are sound SECURITY LIFE-CYCLE Pag. 14

Policies and Mechanisms Policy says what is, and is not, allowed This defines security for the information Mechanisms enforce policies Composition of policies If policies conflict, discrepancies may create security vulnerabilities Pag. 15

Approaches to Information Security 1. Prevention of Threats Policies Attempt to design a system so that it's perfectly secure 2. Exclusion of Unknown Entities Identification and Authentication Attempt to distinguish well-known entities from suspicious entities 3. Hiding Important Information Cryptography Attempt to make critical information incomprehensible Theoretically, except one-time pad, there is no encryption scheme perfectly secure. 4. Detection of Potential Threats Monitoring, Auditing, Detection, and Confinement Attempt to identify violation of security policies or possible trials of intrusion to a system Pag. 16

Encryption In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special information, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). Pag. 17

Information Security Mechanisms Confidentiality is enforced by the access control mechanism Integrity is enforced by the access control mechanism and by the semantic integrity constraints Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks an example of which is query flood Pag. 18

Information Security How? Additional mechanisms User authentication - to verify the identity of subjects wishing to access the information Information authentication - to ensure information authenticity - it is supported by signature mechanisms Encryption - to protect information when being transmitted across systems and when being stored on secondary storage Intrusion detection to protect against impersonation of legitimate users and also against insider threats Pag. 19

Information Security How? Information must be protected at various levels: The operating system The network The data management system Physical protection is also important Pag. 20

Data vs Information which is important? Computer security is about controlling access to information and resources Controlling access to information can sometimes be quite elusive and it is often replaced by the more straightforward goal of controlling access to data The distinction between data and information is subtle but it is also the root of some of the more difficult problems in computer security Data represents information. Information is the (subjective) interpretation of data Pag. 21

Inference - Example Name Sex Programme Units Grade Ave Alma F MBA 8 63 Bill M CS 15 58 Carol F CS 16 70 Don M MIS 22 75 Errol M CS 8 66 Flora F MIS 16 81 Gala F MBA 23 68 Homer M CS 7 50 Igor M MIS 21 70 Pag. 22

Assurance Assurance is a measure of how well the system meets its requirements; more informally, how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it. Specification Requirements analysis Statement of desired functionality Design How system will meet specification Implementation Programs/systems that carry out design Pag. 23

Case Studies Pag. 24

Management and Legal Issues Cost-Benefit Analysis Is it more cost-effective to prevent or recover? Risk Analysis Should we protect some information? How much should we protect this information? Laws and Customs Are desired security measures illegal? Will people adopt them? Pag. 25

Human Factor Issues Organizational Problems Power and responsibility Financial benefits People problems Outsiders and insiders Social engineering Pag. 26

Key Points Policies define security, and mechanisms enforce security Confidentiality Integrity Availability Importance of assurance The human factor Pag. 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback