Information Security


Lecture 1
Dr. Rabie A. Ramadan, GUC, Cairo
Rabie.ramadan@guc.edu.eg, Room C7-310

Class Organization
- One lecture weekly
- One tutorial weekly, most probably taught by myself
- 3-4 theoretical assignments
- 3-4 practical assignments (labs)
- Term paper / project

Textbooks
- Michael G. Solomon and Mike Chapple, Information Security Illuminated, 2005
- William Stallings, Cryptography and Network Security, Fourth Edition
- Behrouz A. Forouzan, Cryptography and Network Security, 2008 edition
- Some other research materials

Tentative Grading
- 40% Final exam (comprehensive)
- 20% Mid-term exam
- 5% Assignments
- 5% Lecture participation
- 20% Project / term paper
- 10% Quizzes (2 out of 3)

Let's have fun before we start

Game No. 1: Study the circles shown on the slide. Work out what number should replace the question mark.

Hint: 4 * 5 + 3 * 6 = 38, and 8 * 4 + 3 * 5 = 47.

Game No. 2: Draw a square of nine dots (three rows of three) on your piece of paper. Now, without lifting the pencil from the page, draw no more than four straight lines that pass through all nine dots.

Hint: a line may extend beyond the square of dots.

Solution (drawn on the slide). Lessons learned: do not discard small details; ask questions; things may look very complicated, but with a little guidance they become very easy.

Video: what does it tell you? Be smart and think smartly.

The Role of Security. Security is like the brakes on a car. The purpose of brakes is not to stop you; it is to let you go faster. Brakes help you avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. In the same way, better security is an enabler for greater freedom and confidence in the cyber world.

Why Information Security? (video)

Historical Aspects of InfoSec
In the old days, information was kept secure by maintaining it physically in a secure place:
- few authorized persons had access to it (confidentiality);
- it was protected from unauthorized change (integrity);
- it was available to an authorized entity whenever it was needed (availability).
Nowadays information is stored on computers, and the same three goals apply to the files:
- confidentiality: only a few authorized persons can read the files;
- integrity: only a few are allowed to change them;
- availability: the files can be reached by authorized users whenever they need them.

Historical Aspects of InfoSec
- In the 1970s, DES (Data Encryption Standard) was adopted as a Federal Information Processing Standard (FIPS 46, 1977) for protecting information.
- In 1978, a DARPA-sponsored report analysed vulnerabilities in military information systems.
- In 1979, two papers were published dealing with password security and with UNIX security in remotely shared systems.
- In the 1980s the security focus concentrated on operating systems, as they provided remote connectivity.

Historical Aspects of InfoSec
- In the 1990s, the growth of the Internet and of LANs brought new threats to information stored on remote systems.
- IEEE, ISO, ITU-T, NIST and other organizations started developing standards for secure systems.
Information security is the protection of information and of the systems and hardware that use, store, and transmit it.

CNSS Model
CNSS stands for Committee on National Security Systems, a US interagency committee whose secretariat is provided by the National Security Agency (NSA). CNSS developed the NSTISSI (National Security Telecommunications and Information Systems Security Instruction) standards; the training standards are NSTISSI 4011, 4012, 4013, 4014, 4015 and 4016.

CNSS Security Model (the McCumber cube), three axes:
- security goals: confidentiality, integrity, availability;
- information states: storage, processing, transmission;
- safeguards: technology, education, policy.

CNSS Security Model
The model identifies a 3 x 3 x 3 cube with 27 cells, and security has to be addressed in each of the 27 cells. The cells involve people, hardware, software, data, and procedures: a hacker uses a computer (hardware) to attack another computer (hardware), while procedures describe the steps to follow in preventing an attack. An attack can be either direct or indirect. In a direct attack one computer attacks another; in an indirect attack one computer causes another computer to launch the attack.

Systems Development Life Cycle for InfoSec (SDLC)
The SDLC for InfoSec is very similar to the SDLC for any project; the waterfall model applies to InfoSec as well, with the phases Investigate, Analyze, Logical Design, Physical Design, Implement, Maintain.

Systems Development Life Cycle for InfoSec
- The investigation phase involves a feasibility study based on a security program idea for the organization.
- The analysis phase involves risk assessment.
- The logical design phase involves continuity planning, disaster recovery, and incident response.

Systems Development Life Cycle for InfoSec
- The physical design phase involves considering the alternative options available to realize the logical design.
- The implementation phase involves building or acquiring the chosen design, testing it, and putting it into operation.
- The maintenance phase involves evaluating the functioning of the system on an ongoing basis and making changes as needed.

What is Computer Security? Different answers, depending on whom you ask:
- End user: it is the password that I use to enter the system, or the set of rules I am required to follow (lock the computer before you leave).
- Administrator: it is the proper combination of firewall technologies with encryption systems and access controls.
- Manager: keeping the bad guys out of my computer.

What is computer security? "A computer is secure if you can depend on it and its software to behave as you expect." (Simson Garfinkel and Gene Spafford, Practical UNIX and Internet Security.) Which definition is correct? All of them; we need to keep all of these perspectives in mind.

Security Goals: Confidentiality, Integrity, and Availability (the CIA triad).

Confidentiality
The property of preventing disclosure of information to unauthorized individuals or systems.
Real scenario: a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
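
An added example, not from the slides, of the second measure above (limiting the places where the card number can appear): a small Python helper that redacts any Luhn-valid card number before a message reaches a log file. The sample log messages, the use of the well-known Visa test number 4111 1111 1111 1111, and the RedactingLogger stand-in are constructed for this illustration.

```python
"""Keep card numbers out of log files: redact Luhn-valid PANs before logging.

Added example for the confidentiality scenario; not code from the lecture.
"""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number in text with a masked form.

    Only the last four digits survive, which is all a receipt or a support
    ticket legitimately needs. Digit runs that fail Luhn (order ids, phone
    numbers) are left untouched so the log stays readable.
    """
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return _PAN_CANDIDATE.sub(_mask, text)


class RedactingLogger:
    """Minimal stand-in for a logging handler: every line is redacted first."""

    def __init__(self):
        self.lines = []

    def info(self, msg: str) -> None:
        self.lines.append(redact_pans(msg))


# Constructed sample messages; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_MESSAGES = [
    "charge ok card=4111111111111111 amount=19.99",
    "charge ok card=4111 1111 1111 1111 amount=5.00",
    "order 1234567890123 shipped",      # 13 digits, fails Luhn: not a card
]


def demo():
    """Log the samples through the redacting logger and return what was stored."""
    log = RedactingLogger()
    for msg in SAMPLE_MESSAGES:
        log.info(msg)
    return log.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The Luhn check is what keeps the redaction from mangling every long number in the log; it is not a guarantee that a matching run is a card, so in a real pipeline the redaction belongs in the logging handler itself, where it cannot be bypassed by a caller that forgets to mask.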

Integrity
Data cannot be modified without authorization.
Real scenarios: integrity is violated when an employee (accidentally or with malicious intent) deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.
Prevented by access control and by cryptographic integrity checks (hashes, message authentication codes, digital signatures). Note that encryption alone does not protect integrity: an attacker can often alter ciphertext so that it decrypts to modified data without knowing the key.
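
An added example, not from the slides, showing why that caveat matters with the payroll scenario above. A toy XOR stream cipher (SHA-256 in counter mode, for demonstration only; a real system would use an authenticated mode such as AES-GCM) encrypts a salary record, and an attacker who knows where the salary field sits rewrites it in the ciphertext without the key. Adding an HMAC-SHA256 tag (encrypt-then-MAC) makes the same edit detectable. The record layout and the key values are constructed for the illustration.

```python
"""Encryption alone does not give integrity: a malleability demo and the HMAC fix.

Added example for the integrity goal; not code from the lecture. The stream
cipher here is a toy (SHA-256 in counter mode) used only to show the effect.
"""
import hashlib
import hmac


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks. Demonstration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step, no key needed: flip the bits that turn old into new.

    XOR ciphers are malleable: C[i] ^ old[i] ^ new[i] decrypts to new[i].
    """
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256(ciphertext)."""
    ct = stream_xor(enc_key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag (constant-time compare) before decrypting; raise on mismatch."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record was modified")
    return stream_xor(enc_key, ct)


# Constructed payroll record; the attacker knows the fixed layout of the field.
RECORD = b"employee=1042;salary=05000"
SALARY_OFFSET = RECORD.index(b"05000")


def forged_without_mac(key: bytes) -> bytes:
    """Encryption only: the edited ciphertext decrypts to a plausible record."""
    ct = stream_xor(key, RECORD)
    forged = tamper(ct, SALARY_OFFSET, b"05000", b"95000")
    return stream_xor(key, forged)


def forgery_detected_with_mac(enc_key: bytes, mac_key: bytes) -> bool:
    """Encrypt-then-MAC: the same edit fails verification."""
    blob = seal(enc_key, mac_key, RECORD)
    forged = tamper(blob, SALARY_OFFSET, b"05000", b"95000")
    try:
        open_sealed(enc_key, mac_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ek, mk = b"\x01" * 32, b"\x02" * 32          # constructed demo keys
    print(forged_without_mac(ek))                # b'employee=1042;salary=95000'
    print(forgery_detected_with_mac(ek, mk))     # True
```

Two details carry over to real systems: the tag is verified before anything is decrypted, and it is compared with hmac.compare_digest rather than == so the check does not leak timing information about how many tag bytes matched.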

Availability
The information must be available when it is needed; high-availability systems aim to remain available at all times.
Real scenarios: power outages, hardware failures, DoS (denial-of-service) attacks.
Prevented by fault tolerance, access control, and attack prevention mechanisms.
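
An added example, not from the slides, of one attack prevention mechanism against the DoS scenario: a per-client token-bucket rate limiter that lets an ordinary user through while capping a flood of requests from a single source. The client addresses and the traffic pattern are constructed, and the clock is injected so the run is deterministic.

```python
"""Token-bucket rate limiting as an availability control against request floods.

Added example for the availability goal; not code from the lecture. Time is
integer milliseconds from an injected clock so the run is deterministic; a real
service would pass time.monotonic_ns() // 1_000_000 and key buckets by client IP.
"""


class TokenBucketLimiter:
    """Each client gets rate_per_s requests per second, bursting up to burst.

    Tokens are kept as integer millitokens (1 request = 1000) so the refill
    arithmetic is exact: rate_per_s tokens/second equals rate_per_s
    millitokens/millisecond.
    """

    def __init__(self, rate_per_s: int, burst: int, clock_ms):
        self.rate = rate_per_s
        self.cap = burst * 1000
        self.clock_ms = clock_ms
        self._mtokens = {}
        self._last_ms = {}

    def allow(self, client: str) -> bool:
        now = self.clock_ms()
        if client not in self._mtokens:        # first sight: a full bucket
            self._mtokens[client] = self.cap
            self._last_ms[client] = now
        elapsed = now - self._last_ms[client]
        self._mtokens[client] = min(self.cap, self._mtokens[client] + elapsed * self.rate)
        self._last_ms[client] = now
        if self._mtokens[client] >= 1000:
            self._mtokens[client] -= 1000
            return True
        return False                           # over budget: reject cheaply


class FakeClock:
    """Settable millisecond clock for the simulation."""

    def __init__(self):
        self.ms = 0

    def __call__(self) -> int:
        return self.ms


def simulate(requests, rate_per_s=5, burst=10):
    """requests: iterable of (time_ms, client). Returns {client: (allowed, dropped)}."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate_per_s, burst, clock)
    stats = {}
    for t, client in sorted(requests):         # replay in time order
        clock.ms = t
        allowed, dropped = stats.get(client, (0, 0))
        if limiter.allow(client):
            stats[client] = (allowed + 1, dropped)
        else:
            stats[client] = (allowed, dropped + 1)
    return stats


# Constructed traffic: 100 requests in one second from one source (a flood) and
# three requests from an ordinary user; both addresses are made up.
FLOOD = [(i * 10, "10.0.0.66") for i in range(100)]
NORMAL = [(200, "10.0.0.5"), (600, "10.0.0.5"), (1000, "10.0.0.5")]


if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL))   # flood capped at 14 of 100, user 3 of 3
```

Rejecting an over-budget request costs a dictionary lookup and a subtraction, far less than serving it, which is what preserves capacity for everyone else. Per-client limiting only helps against a single noisy source; a distributed flood from many addresses needs controls further upstream, such as provider-level filtering and the fault-tolerant capacity the slide mentions.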

Security Goals (Summary)
- Confidentiality ensures that computer-related assets are accessed only by authorized parties. Sometimes called secrecy or privacy.
- Integrity: assets can be modified only by authorized parties, or only in authorized ways.
- Availability: assets are accessible to authorized parties at appropriate times. Its opposite is denial of service.

Security Goals: strong protection is based on the relations among the three goals, not on any one of them alone.