L1 5294 Introduction

Lecture 1 Introduction

Transcript of L1 5294 Introduction (68 pages)

Page 1: L1 5294 Introduction

8/11/2019 L1 5294 Introduction
http://slidepdf.com/reader/full/l1-5294-introduction 1/68

Lecture 1
Introduction

CS4394/CS5294 ISM/ISTM - Introduction 2

Information Security staff

Lecturer: Dr. L. F. KWOK, Y6417, 34428625, [email protected]
Teaching Assistant: Mr. LI Chen, 34425945, [email protected]

Teaching Pattern

• Lecture (2 hours): information sessions
• Tutorial (1 hour): discussion focussing on a weekly question sheet based on the lecture materials/readings, but flexible

Assessment

• 30% assignments; due dates: A1 3 October 2014 (Week 5), A2 6 November 2014 (Week 10), test 20 November 2014 (Week 12)
• 70% final examination
• Late assignment penalties apply
• Plagiarism will not be tolerated

Course Content

Not just facts. Need to:
• understand concepts
• apply those concepts
• think about implications
• understand limitations

Text Books

A single textbook cannot help. Something good to read:
• Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005 (ISBN 0-13-154729-1)
• Greene, Security Policies and Procedures: Principles and Practices, Pearson 2006 (ISBN 0-13-186691-5)
• Whitman and Mattord, Management of Information Security, 4e, Cengage Learning 2010

Some other references:
• Information Security Management Standard, ISO/IEC 27002:2005
• Pfleeger & Pfleeger, Security in Computing, 3e, Prentice Hall 2003 (QA76.9.A25 P45 2003)

Some Basic Concepts

Learning

An exercise of constructing personal knowledge that requires a learner to be mentally active rather than passive; interpreting rather than recording information.

Information security is ...

Security is about the protection of assets (for example, your private home):
• prevention
• detection
• reaction

Information Security is about the protection of the information asset (for example, data regarding your credit card transactions).

Information Security Goals

• Confidentiality: access to data & processes is restricted to authorized people
• Integrity: the system (hardware + software + facilities + network + people) has not been compromised
• Availability: continuous/uninterrupted service

Information Security Goals

• Non-Repudiation: you cannot deny that you have performed some action on the data
• Authentication: you can prove your identity or the origin of the data

Information Security

We do:
• Examine the risks/threats of security in computing
• Consider available countermeasures or controls
• Stimulate thought about uncovered vulnerabilities
• Identify areas where more work is needed

Information Security

We talk about:
• What kinds of vulnerabilities
• Why these vulnerabilities are exploited
• Who is involved
• How to prevent possible attacks

Threats, Vulnerabilities, Controls

• Threat – a set of circumstances that has the potential to cause loss or harm
• Vulnerability – a weakness in the security system
• Control – a protective measure

A threat is blocked by control of a vulnerability.

Security Threats

• Interruption: when your assets become unavailable
• Interception: some unauthorised party has gained access to your assets
• Modification: some unauthorised party tampers with your assets
• Fabrication: counterfeits of your assets are made

Attack examples

• Viruses/Worms: a continuous source of challenges; regular adaptation of protection software and patterns is required
• Denial-of-Service attacks: different ways of attack (load or vulnerability), intended to overload a service
• DNS attacks: various levels of the Domain Name Service are attacked and link information is manipulated
• Spam: unwanted emails, annoying and/or threatening (transport mechanism for other attacks)
• Spyware: unwanted monitoring of user behavior or transmission of user data

More Attack examples

• Attacks on Embedded Systems: intelligent devices are increasingly targets of attacks
• WLAN attacks: non-configured access points are targets for “war drivers”
• Zero-day threats: attacks on vulnerabilities of systems, faster than manufacturers can react
• Shared Code in Service-oriented Architectures: distributed systems inherit the function and weaknesses of code
• Voice over IP: telecommunication faces a whole set of new/additional threats

Non-technical Attacks

• Social Engineering: avoiding technical hurdles by exploiting human error/weakness/vulnerability
• Phishing: deceptive presentation of fake input pages/forms in order to gather valuable personal information
• Over-regulation: overloading security professionals with formal/legal requirements and compliance requests

System Intrusion

• Any part of an information system can be the target of a crime
• System components: hardware, software, data, network, personnel
• Principle of Easiest Penetration

Vulnerabilities

• Hardware Vulnerabilities
• Software Vulnerabilities
• Data Vulnerabilities
• Network Vulnerabilities
• Personnel Vulnerabilities

Hardware Vulnerabilities

• Mainly physical attack
• Protect by installing physical security systems

Software Vulnerabilities

• Software Deletion
• Software Modification: logic bomb, Trojan horse, virus, trapdoor, information leaks
• Software Theft
• Software Fault

Data Vulnerabilities

• Data Confidentiality
• Data Integrity

Network Vulnerabilities

• Intercept data in transit
• Modify data in transit
• Gain unauthorized access to programs or data in remote hosts
• Modify programs or data in remote hosts
• Insert communications
• Replay previous communication
• Block selected/all traffic
• Run a program at a remote host

Personnel Vulnerabilities

Employees, contractors and third-party users of information processing facilities conduct activities of theft, fraud or misuse of facilities.

Methods of Defense

We seek to:
• Prevent
• Deter
• Deflect
• Detect
• Recover

Methods of Defence (Controls)

• Encryption
• Software Controls
• Hardware Controls
• Policies and Procedures
• Physical Controls

Encryption

• Deals with data
• Data are scrambled
• Cannot be read generally
• Cannot easily be changed in a meaningful manner
• Ensures data confidentiality and integrity
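The integrity claim on this slide holds only when an integrity check accompanies the encryption: scrambling hides the data, but with a stream cipher a changed ciphertext bit changes the same plaintext bit, and a receiver that only decrypts cannot tell. The Python below is an added example, not from the lecture; the toy SHA-256 keystream (a stand-in, not a real cipher), the keys and the sample message are constructed for illustration. It shows the receiver's view with and without an HMAC tag (encrypt-then-MAC).

```python
# Added example (not from the lecture): confidentiality alone does not give
# integrity. A toy XOR stream cipher hides the plaintext, but one changed
# ciphertext byte decrypts to a changed plaintext byte, and a receiver with
# no integrity check accepts it. Encrypt-then-MAC with HMAC-SHA256 rejects
# the same change before decryption.
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated.
    A stand-in for a real stream cipher, used only to show the property."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers nonce and ciphertext."""
    ct = xor_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; None means the message was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_encrypt(enc_key, nonce, ct)


def alter_byte(data: bytes, index: int, mask: int) -> bytes:
    """Model a change in transit (corruption or tampering) to one byte."""
    changed = bytearray(data)
    changed[index] ^= mask
    return bytes(changed)


def demo() -> dict:
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    plaintext = b"PAY 0100 TO ACCT 4242"   # constructed sample message
    # 1. Encryption alone: a one-bit change at ciphertext byte 4 decrypts to
    #    '1' instead of '0' in the amount, and nothing flags it.
    ct = xor_encrypt(enc_key, nonce, plaintext)
    altered_pt = xor_encrypt(enc_key, nonce, alter_byte(ct, 4, 0x01))
    # 2. Encrypt-then-MAC: the same change fails the tag check.
    sealed = seal(enc_key, mac_key, nonce, plaintext)
    tampered = alter_byte(sealed, NONCE_LEN + 4, 0x01)
    return {
        "unauthenticated_decrypts_to": altered_pt,
        "sealed_roundtrip": open_sealed(enc_key, mac_key, sealed),
        "sealed_after_change": open_sealed(enc_key, mac_key, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```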

Software Controls

• Internal program controls
• Operating system and network system controls
• Independent control programs
• Development controls

Hardware Controls

• Hardware or smart card implementations of encryption
• Devices to verify users’ identities
• Firewalls
• Intrusion detection systems
• Circuit boards that control access to storage media

Policies and Procedures

• security policy – a documented plan of action and principles for an organisation
• training against deception, blackmail, & social engineering
• secure disposal of paper & storage media
• employee vetting & reference checking
• change control + audit trails + follow-up
• contingency planning + training + rehearsal

Security Policy

• business needs analysis
  • asset valuation
  • risk analysis
  • impact analysis
• security policy is a statement of rules
• security is defined by a security policy
• goal of security is to enforce the policy
• standards in OSI 7498-2 / RFC 2196 / ISO/IEC 27002

Physical Controls

• Easiest, most effective and least expensive
• Locks on doors, guards at entry points, backup copies of important software and data
• Physical site planning that reduces the risk of natural disasters

Views on Information Security

• often inconvenient
• often not very secure
• a balance
• people issue > technology issue
• reactive not proactive
• sometimes the need for information security is not obvious until it is too late
• a technology problem or a management problem

Information Security Principles: #1 There Is No Such Thing as Absolute Security

Given enough time, tools, skills, and inclination, a hacker can break through any security measure.

Information Security Principles: #2 Three Security Goals

• Protect the confidentiality of data: confidentiality models are primarily intended to assure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
• Preserve the integrity of data: integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes
• Promote the availability of data for authorized use: availability models keep data and resources available for authorized use

Information Security Principles: #3 Defense in Depth as Strategy

Defense in depth:
• Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
• The weaknesses of one security layer are offset by the strengths of two or more layers

Information Security Principles: #4 When left on their own, people tend to make the worst security decisions

• It takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
• Many people are easily convinced to double-click on the attachment:
  Subject: Here you have, ;o)
  Message body: Hi: Check This!
  Attachment: AnnaKournikova.jpg.vbs

Information Security Principles: #5 Functional and Assurance Requirements

• Functional requirements: describe what a system should do
• Assurance requirements: describe how functional requirements should be implemented and tested
• Does the system do the right things in the right way?
• Verification: the process of confirming that one or more predetermined requirements or specifications are met
• Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs

Information Security Principles: #6 Security through obscurity is NOT an answer

• Many people believe that if hackers do not know how software is secured, security is better
• Although this seems logical, it’s actually not TRUE
• Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all

Information Security Principles: #7 Security = Risk Management

• Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
• Risk analysis and risk management are central themes to securing information systems
• Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses
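Principle #7 ties the choice of countermeasures to the economic value placed on assets. The usual quantitative way to do that, which the slide does not spell out, is single loss expectancy (asset value × exposure factor) and annualized loss expectancy (SLE × annual rate of occurrence); a control is worth buying when the ALE it removes exceeds its yearly cost. The Python below is an added example, not from the lecture; the asset register, exposure factors, rates and control costs are constructed figures.

```python
# Added example (not from the lecture): quantitative risk analysis in the
# sense of principle #7. Put a money value on each asset, estimate the loss
# per threat, and keep only the controls whose yearly cost is below the
# yearly loss they avoid. All figures below are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # economic value placed on the asset
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def key(self) -> str:
        return f"{self.asset}/{self.threat}"

    def sle(self) -> float:
        """Single loss expectancy: money lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    risk_key: str               # which asset/threat pair it addresses
    aro_reduction: float = 0.0  # fraction by which it cuts the rate
    ef_reduction: float = 0.0   # fraction by which it cuts the impact

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this control is in place."""
        return Risk(risk.asset, risk.threat, risk.asset_value,
                    risk.exposure_factor * (1 - self.ef_reduction),
                    risk.aro * (1 - self.aro_reduction))

    def net_benefit(self, risk: Risk) -> float:
        """ALE avoided per year minus what the control costs per year."""
        return risk.ale() - self.residual(risk).ale() - self.annual_cost


def select_controls(risks: Iterable[Risk], controls: Iterable[Countermeasure]) -> List[str]:
    """Keep a control only when it pays for itself against the risk it addresses."""
    by_key = {r.key(): r for r in risks}
    chosen = []
    for c in controls:
        risk = by_key.get(c.risk_key)
        if risk is not None and c.net_benefit(risk) > 0:
            chosen.append(c.name)
    return chosen


# Constructed register: a card-transaction database, a web front end, a PC.
RISKS = [
    Risk("card-db", "disclosure", asset_value=2_000_000, exposure_factor=0.40, aro=0.10),
    Risk("web-front", "interruption", asset_value=500_000, exposure_factor=0.05, aro=4.0),
    Risk("office-pc", "theft", asset_value=2_000, exposure_factor=1.0, aro=0.5),
]
CONTROLS = [
    Countermeasure("db-encryption-at-rest", 25_000, "card-db/disclosure", ef_reduction=0.90),
    Countermeasure("ddos-scrubbing", 60_000, "web-front/interruption", aro_reduction=0.75),
    # Costs more per year than the whole expected loss it prevents: rejected.
    Countermeasure("armoured-pc-cages", 5_000, "office-pc/theft", aro_reduction=0.90),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.key():24s} SLE={r.sle():>12,.0f} ALE={r.ale():>10,.0f}")
    print("worth buying:", select_controls(RISKS, CONTROLS))
```

The third control is the case principle #10 warns about: spending more on protection than the asset's expected loss is worth.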

Information Security Principles: #8 Security Controls: Preventative, Detective, and Responsive

A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered.

Information Security Principles: #9 Complexity Is The Enemy of Security

The more complex a system gets, the harder it is to secure.

Information Security Principles: #10 Fear, Uncertainty, and Doubt (FUD) Do NOT Work in Selling Security

• Information security managers must justify all investments in security using techniques of the trade
• When spending resources can be justified with good, solid business rationale, security requests are rarely denied

Information Security Principles: #11 People, Process and Technology are all Needed

People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography.

(Diagram: People, Process, Technology)

Growing IT Security Importance

Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but … they also create risks to the confidentiality, integrity, and availability of confidential or sensitive data.

Becoming an InfoSec Specialist

• Get the right certification:
  • Certified Information Systems Security Professional (CISSP)
  • Global Information Assurance Certification (GIAC)
• Consider earning a graduate degree in INFOSEC
• Increase your disaster recovery and risk management skills

Contextualizing Information Security

Information security draws upon the best practices and experiences from multiple domains.

(Diagram of contributing domains: Antivirus Software, Development Security, Administration, Permission Controls, Physical Security, Incident Response, Compliance, Auditing, Key Management, Access Controls, Security Testing, Training and Awareness, Disaster Recovery, Public Key Infrastructure, Intrusion Detection and Prevention, Policies, Standards, Operations Controls)

Information Security Careers

Common positions and career opportunities:
• Security administrators
• Access coordinators
• Security architects and network engineers
• Security consultants
• Security testers
• Policymakers and standards developers
• Compliance officers
• Incident response team members
• Governance and vendor managers

Certification for People

International Information Systems Security Certification Consortium (ISC²):
• Maintaining a CBK for information security
• Certifying industry professionals and practitioners
• Administering training and certification examinations
• Ensuring credentials are maintained

Two primary certifications:
• Certified Information Systems Security Professional (CISSP)
• System Security Certified Practitioner (SSCP)

Information Security CBK

• The CBK is a compilation and distillation of all security information collected that is relevant to information security professionals
• CISSP certification includes a working knowledge of all 10 domains (www.isc2.org)

InfoSecurity CBK – 10 Domains

• Security Management Practices (4)
• Security Architecture and Models (5)
• Business Continuity Planning (6)
• Law, Investigations, and Ethics (7)
• Physical Security (8)
• Operations Security (9)
• Access Control Systems and Methodology (10)
• Cryptography (11)
• Telecommunications, Network, and Internet Security (12)
• Applications Development Security (13)

(Chapter number in) Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005 (ISBN 0-13-154729-1)

Course Overview

Intended Learning Outcomes

Upon completion of the course, students should be able to:
• Describe threats in the IT environment, and recognize the relationship of threat, vulnerability, countermeasure, and impact in organizational information security;
• Write a simple information security policy for an organization and produce appropriate guidelines in implementing the policy;
• Recognize the information security management framework and the roles of Information Security Management Standards in this framework;
• Recognize the legal issues in information security.

Course Overview

1. Introduction
2. Abstract Security Model
3. Access control
4. Cryptography and PKI
5. Network security
6-9. Info Sec management and Standards
10-11. Info Sec Risk Management
12. Legal Aspects
13. Revision

Lecture Overview

Lecture 1 – Introduction: basic introduction to information security

Lecture 2 – Abstract Security models:
• Overview of security models
• Security evaluation
• Bell-LaPadula model
• Clark-Wilson model
• Brewer-Nash Chinese Wall model

Lecture 3 – Access Control Mechanisms:
• Management of privileges
• Monitoring access
• Identification and authentication of users

Lecture 4 – Cryptography and PKI:
• What is cryptography?
• Ciphers
• Cryptographic Applications
• Public Key Infrastructure

Lecture 5 – Network security:
• Common network attacks
• Network security solutions
• IPSec VPNs
• Firewalls
• TLS and SSL

Lectures 6-9 – Security management:
• Introduction to information security management
• Security policies
• Security management standards

Lectures 10-11 – Information Security Risk Management:
• Approach
• Process
• Audit

Lecture 12 – Legal Aspects:
• Cyber Crime
• Personal Data (Privacy) Ordinance
• Electronic Transactions Ordinance

Lecture 13 – Review

Readings

Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005, Chapters 1, 2 and 3

Readings

Whitman and Mattord, Management of Information Security (4e), Cengage 2013, Chapter 1