Introduction to
Information Systems Security
Lecture #1
May 27, 2011
Dr. Bhavani Thuraisingham
5/25/2017 10:03
Outline
0 What is Cyber Security?
0 What is C. I. A.?
0 Ten Major Modules of Cyber Security
0 Some Topics in Cyber Security
Cyber Security
0 Security traditionally has been about CIA (Confidentiality, Integrity,
Availability)
0 Security now also includes areas like Trustworthiness, Quality,
Privacy
0 Dependability includes Security, Reliability and Fault Tolerance
0 Initially the term used was Computer Security (Compusec); it then
evolved into Infosec – Information security – to include data and
networks – now with the web it's called Cyber Security
C. I. A.
0 Confidentiality: Preventing unauthorized disclosure
0 Integrity: Preventing unauthorized modification
0 Availability: Preventing denial of service
Ten Major Modules of Cyber Security
0 Information Security and Risk Management
0 Access Control
0 Security Architecture and Design
0 Physical and Environmental Security
0 Telecommunications Security
0 Cryptography
0 Business Continuity Planning
0 Legal Regulations, Compliance and Investigations
0 Applications Security
0 Operations Security
Information Security and Risk Management
0 Security Management
0 Security Administration
0 Organizational Security Model
0 Information Risk Management
0 Risk Analysis
0 Policies, Standards, Guidelines, Procedures
0 Information Classification
0 Layers of Responsibility
0 Security Awareness Training
Access Control
0 Security Principles
0 Identification, Authentication, Authorization, Accountability
0 Access Control Models
0 Access Control techniques
0 Access Control Administration
0 Access Control Methods
0 Access Control Types
0 Accountability
0 Access Control practices
0 Access Control Monitoring
0 Threats to Access Control
Security Architecture and Design
0 Computer Architecture
0 Systems Architecture
0 Security Models
0 Security Modes of Operation
0 Systems Evaluation Methods
0 Open vs. Closed Systems
0 Enterprise Architecture
0 Security Threats
Physical and Environmental Security
0 What is Physical Security
0 Planning Process
0 Protecting assets
0 Internal Support Systems
0 Perimeter Security
0 Other aspects
Telecommunications and Network Security
0 Open Systems Interconnection Reference Model
0 TCP/IP
0 Types of Transmission
0 LAN Networking
0 Routing Protocols
0 Networking Devices
0 Networking services and protocols
0 Intranets and Extranets
0 Metropolitan Area networks
0 Remote access
0 Wireless technologies
0 Rootkits
Cryptography
0 History, Definitions and Concepts
0 Types of Ciphers
0 Methods of Encryption
0 Type of Asymmetric Systems
0 Message Integrity
0 PKI
0 Key Management
0 Link / End-to-end Encryption
0 Email standards
0 Internet security
0 Attacks
Legal Regulation and Compliance Investigation
0 Cyber law and Cyber crime
0 Intellectual property law
0 Privacy
0 Liability and Ramifications
0 Digital Forensics and Investigations
0 Ethics
Applications Security
0 Software and applications security issues
0 Database Security
0 Secure systems development
0 Application development and security
0 Object-oriented systems and security
0 Distributed computing and security
0 Expert systems and security
0 Web security
0 Mobile code
0 Patch management
Operations Security
0 Role of the Operations Department
0 Administrative Management
0 Assurance Levels
0 Configuration management
0 Media Controls
0 Data Leakage
0 Network and Resource Availability
0 Mainframes
0 Email Security
0 Vulnerability testing
Introduction to Cyber Security
0 Operating Systems Security
0 Network Security
0 Designing and Evaluating Systems
0 Web Security
0 Data Mining for Malware Detection
0 Other Security Technologies
Operating System Security
0 Access Control
- Subjects are Processes and Objects are Files
- Subjects have Read/Write Access to Objects
- E.g., Process P1 has read access to File F1 and write access to
File F2
0 Capabilities
- Processes must possess certain Capabilities / Certificates to
access certain files to execute certain programs
- E.g., Process P1 must have capability C to read file F
Mandatory Security
0 Bell and La Padula Security Policy
- Subjects have clearance levels, Objects have sensitivity levels;
clearance and sensitivity levels are also called security levels
- Unclassified < Confidential < Secret < TopSecret
- Compartments are also possible
- Compartments and Security levels form a partially ordered
lattice
0 Security Properties
- Simple Security Property: Subject has READ access to an object
if the subject’s security level dominates that of the object
- Star (*) Property: Subject has WRITE access to an object if the
subject’s security level is dominated by that of the object
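The dominance relation and the two properties above, as an added example (not from the lecture itself): a label is a level plus a set of compartments, and one label dominates another only when its level is at least as high and its compartments are a superset. The compartment names and sample labels are constructed for illustration.

```python
# Added illustration: Bell-LaPadula checks on a lattice of
# (level, compartment-set) labels. Compartment names are made up.
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when level is at least as high AND compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple Security Property: the subject must dominate the object.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # Star (*) Property: the object must dominate the subject.
    return obj.dominates(subject)


def comparable(a: Label, b: Label) -> bool:
    # The order is partial: some pairs are ordered in neither direction.
    return a.dominates(b) or b.dominates(a)


# Constructed sample labels.
analyst = Label("Secret", frozenset({"NUCLEAR"}))
memo = Label("Confidential", frozenset({"NUCLEAR"}))
crypto_report = Label("Confidential", frozenset({"CRYPTO"}))
war_plan = Label("TopSecret", frozenset({"NUCLEAR", "CRYPTO"}))

if __name__ == "__main__":
    for name, obj in [("memo", memo), ("crypto_report", crypto_report),
                      ("war_plan", war_plan)]:
        print(f"{name:14} read={can_read(analyst, obj)!s:5} "
              f"write={can_write(analyst, obj)!s:5} "
              f"comparable={comparable(analyst, obj)}")
```

The `crypto_report` case shows why compartments make the order partial: the analyst's level is higher, yet neither read nor write is allowed because neither label dominates the other.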
Covert Channel Example
0 Trojan horse at a higher level covertly passes data to a Trojan
horse at a lower level
0 Example:
- File Lock/Unlock problem
- Processes at Secret and Unclassified levels collude with
one another
- When the Secret process locks a file and the Unclassified
process finds the file locked, a 1 bit is passed covertly
- When the Secret process unlocks the file and the
Unclassified process finds it unlocked, a 1 bit is passed
covertly
- Over time the bits could contain sensitive data
Steps to Designing a Secure System
0 Requirements, Informal Policy and model
0 Formal security policy and model
0 Security architecture
- Identify security critical components; these components must be
trusted
0 Design of the system
0 Verification and Validation
0 End to End Security?
0 Building a Secure System with Untrusted Components
Product Evaluation
0 Orange Book
- Trusted Computer Systems Evaluation Criteria
0 Classes C1, C2, B1, B2, B3, A1 and beyond
- C1 is the lowest level and A1 the highest level of assurance
- Formal methods are needed for A1 systems
0 Interpretations of the Orange book for Networks (Trusted Network
Interpretation) and Databases (Trusted Database Interpretation)
0 Several companion documents
- Auditing, Inference and Aggregation, etc.
0 Many products are now evaluated using the Federal Criteria
Network Security
0 Security across all network layers
- E.g., Data Link, Transport, Session, Presentation,
Application
0 Network protocol security
- Verification and validation of network protocols
0 Intrusion detection and prevention
- Applying data mining techniques
0 Encryption and Cryptography
0 Access control and trust policies
0 Other Measures
- Prevention from denial of service, Secure routing, - - -
Data Security: Access Control
0 Access Control policies were developed initially for file systems
- E.g., Read/write policies for files
0 Access control in databases started with the work in System R and
Ingres Projects
- Access Control rules were defined for databases, relations,
tuples, attributes and elements
- SQL and QUEL languages were extended
= GRANT and REVOKE Statements
= Read access on EMP to User group A Where
EMP.Salary < 30K and EMP.Dept <> Security
- Query Modification:
= Modify the query according to the access control rules
= Retrieve all employee information where salary < 30K and
Dept is not Security
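Query modification as described above, sketched as an added example (not from the lecture or from System R/Ingres): the user's conditions are always ANDed with the rule for their group before the query runs. The in-memory SQLite table, its rows, the POLICY mapping and reading 30K as 30000 are assumptions of this example.

```python
import sqlite3

# Constructed for this example: allowed columns/operators and one rule,
# "group A may read EMP where Salary < 30K and Dept <> Security".
COLUMNS = ("Name", "Salary", "Dept")
OPS = ("=", "<>", "<", ">", "<=", ">=")
POLICY = {("A", "EMP"): ("Salary < ? AND Dept <> ?", (30000, "Security"))}


def modify_query(group, table, conditions=()):
    """Build the SELECT with the group's access rule ANDed onto the query.

    conditions: the user's predicate as (column, op, value) triples.
    Values are bound as parameters; columns and operators are allow-listed.
    """
    rule = POLICY.get((group, table))
    if rule is None:
        raise PermissionError(f"group {group!r} has no read access on {table}")
    clauses, params = [], []
    for column, op, value in conditions:
        if column not in COLUMNS or op not in OPS:
            raise ValueError(f"unsupported condition: {column!r} {op!r}")
        clauses.append(f"{column} {op} ?")
        params.append(value)
    clauses.append(f"({rule[0]})")      # the rule is appended unconditionally
    params.extend(rule[1])
    sql = f"SELECT {', '.join(COLUMNS)} FROM {table} WHERE {' AND '.join(clauses)}"
    return sql, tuple(params)


def run_as(conn, group, table, conditions=()):
    sql, params = modify_query(group, table, conditions)
    return conn.execute(sql + " ORDER BY Name", params).fetchall()


def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMP (Name TEXT, Salary INTEGER, Dept TEXT)")
    conn.executemany("INSERT INTO EMP VALUES (?, ?, ?)", [
        ("Ann", 25000, "Sales"), ("Bob", 45000, "Sales"),
        ("Cy", 20000, "Security"), ("Dee", 28000, "Research"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(run_as(db, "A", "EMP"))                               # "all employees"
    print(run_as(db, "A", "EMP", [("Dept", "=", "Security")]))  # rule filters all
```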
Multilevel Secure Data Management
0 What is MLS/DBMS?
- Users are cleared at different security levels
- Data in the database is assigned different sensitivity levels - multilevel database
- Users share the multilevel database
- MLS/DBMS is the software that ensures that users only obtain
information at or below their level
- In general, a user reads at or below his level and writes at his
level
0 Need for MLS/DBMS
- Operating systems control access to files; coarser grain of
granularity
- Database stores relationships between data
- Content, Context, and Dynamic access control
- Traditional operating systems access control to files is not
sufficient
- Need multilevel access control for DBMSs
Inference Problem
0 Inference is the process of forming conclusions from premises
0 If the conclusions are unauthorized, it becomes a problem
0 Inference problem in a multilevel environment
- Aggregation problem is a special case of the inference
problem - a collection of data elements is Secret but the
individual elements are Unclassified
- Association problem: attributes A and B taken together are
Secret - individually they are Unclassified
Security Threats to Web/E-commerce
[Figure: Security Threats and Violations, branching into:]
0 Access Control Violations
0 Denial of Service / Infrastructure Attacks
0 Integrity Violations
0 Fraud
0 Sabotage
0 Confidentiality, Authentication, Nonrepudiation Violations
Intrusion Detection / Malware Detection
0 An intrusion can be defined as “any set of actions that attempt to
compromise the integrity, confidentiality, or availability of a resource”.
0 Attacks are: Host-based attacks; Network-based attacks
0 Intrusion detection systems are split into two groups:
- Anomaly detection systems; Misuse detection systems
0 Use audit logs: Capture all activities in network and hosts.
0 Mine the Audit Logs
0 Malware: Virus, Worms, Trojan Horses, - - -
0 Malware changes patterns; need data mining techniques to detect
novel classes
Some Security Technologies
0 Digital Identity Management
0 Digital Forensics
0 Digital Watermarking
0 Risk/Cost Analysis
0 Biometrics
0 Other Applications
Digital Identity Management
0 Digital identity is the identity that a user has to access an
electronic resource
0 A person could have multiple identities
- A physician could have an identity to access medical
resources and another to access his bank accounts
0 Digital identity management is about managing the multiple
identities
- Manage databases that store and retrieve identities
- Resolve conflicts and heterogeneity
- Make associations
- Provide security
0 Ontology management for identity management is an
emerging research area
Digital Identity Management - II
0 Federated Identity Management
- Corporations work with each other across organizational
boundaries with the concept of federated identity
- Each corporation has its own identity and may belong to
multiple federations
- Individual identity management within an organization
and federated identity management across organizations
0 Technologies for identity management
- Database management, data mining, ontology
management, federated computing
Digital Forensics
0 “Digital forensics, also known as computer forensics,
involved the preservation, identification, extraction, and
documentation of computer evidence stored as data or
magnetically encoded information”, by John Vacca
0 Digital evidence may be used to analyze cyber crime (e.g.,
worms and viruses), physical crime (e.g., homicide) or crime
committed through the use of computers (e.g., child
pornography)
0 Objective of Computer Forensics: To recover, analyze and
present computer based material in such a way that it is
usable as evidence in a court of law
Steganography and Digital Watermarking
0 Steganography is about hiding information within other
information
- E.g., hidden information is the message that terrorists may
be sending to their peers in different parts of the world
- Information may be hidden in valid texts, images, films
etc.
- Difficult to be detected by the unsuspecting human
0 Steganalysis is about developing techniques that can analyze
text, images, video and detect hidden messages
- May use data mining techniques to detect hidden patterns
0 Steganography makes the task of the Cyber crime expert
difficult as he/she has to analyze for hidden information
- Communication protocols are being developed
Steganography and Digital Watermarking - II
0 Digital watermarking is about inserting information without
being detected for valid purposes
- It has applications in copyright protection
- A manufacturer may use digital watermarking to copyright
a particular music or video without being noticed
- When music is copied and copyright is violated, one can
detect who the real owner is by examining the copyright
embedded in the music or video
Risk/Cost Analysis
0 Analyzing risks
- Before installing a secure system or a network one needs to
conduct a risk analysis study
- What are the threats? What are the risks?
- Quantitative approach: Events are ranked in the order of risks
and decisions are made based on the risks
- Qualitative approach: estimates are used for risks
0 Security vs Cost
- If risks are high and damage is significant then it may be worth
the cost of incorporating security; If risks and damage are not
high, then security may be an additional cost burden
- Develop cost models
- Cost vs. Risk/Threat study
Biometrics: Overview
0 Biometrics are automated methods of recognizing a person
based on a physiological or behavioral characteristic
0 Features measured: Face, Fingerprints, Hand geometry,
handwriting, Iris, Retinal, Vein and Voice
0 Identification and personal certification solutions for highly
secure applications
0 Biometrics replaces Traditional Authentication Methods
- Provides better security; More convenient; Better
accountability
0 Applications: Fraud detection and Fraud deterrence
0 Dual purpose: Cyber Security and National Security
0 Numerous applications: medical, financial, child care,
computer access etc.
Biometrics: Process
0 Three steps: Capture-Process-Verification
0 Capture: A raw biometric is captured by a sensing device
such as fingerprint scanner or video camera
0 Process: The distinguishing characteristics are extracted
from the raw biometrics sample and converted into a
processed biometric identifier record
- Called biometric sample or template
0 Verification and Identification
- Matching the enrolled biometric sample against a single
record; is the person really who he claims to be?
- Matching a biometric sample against a database of
identifiers
0 Study the attacks on biometric systems
- Modifying fingerprints; Modifying facial features