L1 5294 Introduction
Transcript of L1 5294 Introduction
8/11/2019 L1 5294 Introduction
http://slidepdf.com/reader/full/l1-5294-introduction 1/68
Lecture 1
Introduction
CS4394/CS5294 ISM/ISTM - Introduction 2
Information Security staff
Lecturer:
Dr. L. F. KWOK, Y6417, 34428625
Teaching Assistant: Mr. LI Chen, 34425945
Teaching Pattern
Lecture (2 hours): Information sessions
Tutorial (1 hour): Discussion focussing on the weekly question sheet based on lecture materials/readings, but flexible
Assessment
30% assignments
A1 due 3 October 2014 (Week 5)
A2 due 6 November 2014 (Week 10)
Test 20 November 2014 (Week 12)
Late assignment penalties
70% final examination
Plagiarism will not be tolerated
Course Content
Not just facts
Need to
understand concepts
apply those concepts
think about implications
understand limitations
Text Books
A single textbook cannot help
Something good to read:
Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005 (ISBN 0-13-154729-1)
Greene, Security Policies and Procedures: Principles and Practices, Pearson 2006 (ISBN 0-13-186691-5)
Whitman and Mattord, Management of Information Security, 4e, Cengage Learning 2010
Some other references:
Information Security Management Standard, ISO/IEC 27002:2005
Pfleeger & Pfleeger, Security in Computing, 3e, Prentice Hall 2003 (QA76.9.A25 P45 2003)
Some Basic Concepts
Learning
An exercise of constructing personal knowledge that requires a learner to be mentally active rather than passive; interpreting rather than recording information.
Information security is ...
Security is about the protection of assets (for example, your private home):
prevention
detection
reaction
Information Security is about the protection of the information asset (for example, data regarding your credit card transactions).
Information Security Goals
Confidentiality
access to data & processes is restricted to authorized people
Integrity
the system (hardware + software + facilities + network + people) has not been compromised
Availability
continuous/uninterrupted service
Information Security Goals
Non-Repudiation
You cannot deny that you have performed some action on the data
Authentication
You can prove your identity or the origin of the data
Information Security
We do:
Examine the risks/threats of security in computing
Consider available countermeasures or controls
Stimulate thought about uncovered vulnerabilities
Identify areas where more work is needed
Information Security
We talk about:
What kinds of vulnerabilities
Why these vulnerabilities are exploited
Who is involved
How to prevent possible attacks
Threats, Vulnerabilities, Controls
Threat – a set of circumstances that has the potential to cause loss or harm
Vulnerability – a weakness in the security system
Control – a protective measure
A threat is blocked by control of a vulnerability
Security Threats
Interruption
When your assets become unavailable
Interception
Some unauthorised party has gained access to your assets
Modification
Some unauthorised party tampers with your assets
Fabrication
Counterfeits of your assets are made
Attack examples
Viruses/Worms: continuous source of challenges; regular adaptation of protection software and patterns required
Denial-of-Service-Attacks: different ways of attack (load or vulnerability), intended to overload a service
DNS-Attacks: various levels of the Domain Name Service are attacked and link-information manipulated
Spam: unwanted emails, annoying and/or threatening (transport mechanism for other attacks)
Spyware: unwanted monitoring of user behavior or transmission of user data
More Attack examples
Attacks on Embedded Systems: intelligent devices are increasingly targets of attacks
WLAN-Attacks: non-configured access points are targets for “war drivers”
Zero-day threats: attacks on vulnerabilities of systems, faster than manufacturers can react
Shared Code in Service-oriented Architectures: distributed systems inherit function and weaknesses of code
Voice over IP: telecommunication faces a whole set of new/additional threats
Non-technical Attacks
Social Engineering: avoiding technical hurdles by exploiting human error/weakness/vulnerability
Phishing: deceptive presentation of fake input pages/forms in order to gather valuable personal information
Over-regulation: overloading security professionals with formal/legal requirements and compliance requests
System Intrusion
Any part of an information system can be the target of a crime
System components: hardware, software, data, network, personnel
Principle of Easiest Penetration
Vulnerabilities
Hardware Vulnerabilities
Software Vulnerabilities
Data Vulnerabilities
Network Vulnerabilities
Personnel Vulnerabilities
Hardware Vulnerabilities
Mainly physical attack
Protect by installing physical security systems
Software Vulnerabilities
Software Deletion
Software Modification
Logic bomb, Trojan horse, virus, trapdoor, information leaks
Software Theft
Software Fault
Data Vulnerabilities
Data Confidentiality
Data Integrity
Network Vulnerabilities
Intercept data in transit
Modify data in transit
Gain unauthorized access to programs or data in remote hosts
Modify programs or data in remote hosts
Insert communications
Replay previous communication
Block selected/all traffic
Run a program at a remote host
Personnel Vulnerabilities
Employees, contractors and third party users of information processing facilities conduct activities of theft, fraud or misuse of facilities
Methods of Defense
We seek to:
Prevent
Deter
Deflect
Detect
Recover
Methods of Defence (Controls)
Encryption
Software Controls
Hardware Controls
Policies and Procedures
Physical Controls
Encryption
Deal with Data
Data are scrambled
Cannot be read generally
Cannot easily be changed in a meaningful manner
Ensure data confidentiality and integrity
Software Controls
Internal program controls
Operating system and network system controls
Independent control programs
Development controls
Hardware Controls
Hardware or smart card implementations of encryption
Devices to verify users’ identities
Firewalls
Intrusion detection systems
Circuit boards that control access to storage media
Policies and Procedures
security policy - a documented plan of action and principles for an organisation
training against deception, blackmail, & social engineering
secure disposal of paper & storage media
employee vetting & reference checking
change control + audit trails + follow-up
contingency planning + training + rehearsal
Security Policy
business needs analysis
• asset valuation
• risk analysis
• impact analysis
Security Policy
security policy is a statement of rules
security is defined by a security policy
goal of security is to enforce the policy
standards in OSI 7498-2 / RFC 2196 / ISO/IEC 27002
Physical Controls
Easiest, most effective and least expensive
Locks on doors, guards at entry points, backup copies of important software and data
Physical site planning that reduces the risk of natural disasters
Views on Information Security
often inconvenient
often not very secure
a balance
people issue > technology issue
reactive not proactive
sometimes the need for information security is not obvious until it is too late
a technology problem or a management problem
Information Security Principles:
#1 There Is No Such Thing as Absolute Security
Given enough time, tools, skills, and inclination, a hacker can break through any security measure
Information Security Principles:
#2 Three Security Goals
Protect the confidentiality of data
Confidentiality models are primarily intended to assure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
Preserve the integrity of data
Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes
Promote the availability of data for authorized use
Availability models keep data and resources available for authorized use
Information Security Principles:
#3 Defense in Depth as Strategy
Defense in depth
Security implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
The weaknesses of one security layer are offset by the strengths of two or more layers
Information Security Principles:
#4 When left on their own, people tend to make the worst security decisions
Takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
Many people are easily convinced to double-click on the attachment
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
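Since users cannot be relied on to notice the ".jpg.vbs" trick in the message above, the check belongs at the mail gateway. The following is an added example for this lecture, not code from the course or its textbooks; the extension lists, the message shape and the sample message are constructed assumptions.

```python
"""Flag e-mail attachments that hide an executable behind a harmless-looking
extension, as in the 'AnnaKournikova.jpg.vbs' message on the slide.
Added example for this lecture; the extension lists, the message shape and
the sample message are constructed assumptions, not from the course."""
import os

# Extensions a mail client may hand to a script or program loader (assumed list).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".bat",
                   ".cmd", ".pif", ".com", ".hta", ".ps1"}
# Extensions a user reads as "just a picture or document" (assumed list).
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
               ".txt", ".xls"}


def split_extensions(filename):
    """Return every extension of a filename, lower-cased and stripped of
    padding spaces, innermost first: 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    exts = []
    base = os.path.basename(filename)
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts[::-1]
        # strip() defeats 'photo.jpg      .vbs', which pads the real extension
        # out of view in a narrow attachment column
        exts.append(ext.strip().lower())


def classify_attachment(filename):
    """Verdict for one attachment name:
    'executable-disguised' - benign-looking extension followed by an executable one
    'executable'           - plainly executable
    'ok'                   - anything else"""
    exts = split_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if any(e in BENIGN_EXTS for e in exts[:-1]):
        return "executable-disguised"
    return "executable"


def scan_message(message):
    """Return (attachment, verdict) pairs a gateway should act on.
    `message` is a dict with 'subject', 'body' and 'attachments' (assumed shape)."""
    findings = []
    for name in message.get("attachments", []):
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


# Constructed sample in the shape of the message quoted on the slide.
SAMPLE_MESSAGE = {
    "subject": "Here you have, ;o)",
    "body": "Hi: Check This!",
    "attachments": ["AnnaKournikova.jpg.vbs", "holiday.jpg",
                    "notes.TXT.exe", "setup.exe", "photo.jpg      .vbs"],
}

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:22s} {name!r}")
```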
Information Security Principles:
#5 Functional and Assurance Requirements
Functional requirements
Describe what a system should do
Assurance requirements
Describe how functional requirements should be implemented and tested
Does the system do the right things in the right way?
Verification: the process of confirming that one or more predetermined requirements or specifications are met
Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs
Information Security Principles:
#6 Security through obscurity is NOT an answer
Many people believe that if hackers do not know how software is secured, security is better
Although this seems logical, it’s actually not TRUE
Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all
Information Security Principles:
#7 Security = Risk Management
Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
Risk analysis and risk management are central themes to securing information systems
Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses
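A worked version of "placing an economic value on assets to determine appropriate countermeasures", added here as an example for this lecture and not taken from the course or its textbooks. It assumes the common annualised-loss method (single loss expectancy = asset value × exposure factor; annualised loss expectancy = single loss expectancy × annual rate of occurrence), which the slide itself does not spell out, and every figure in it is constructed.

```python
"""Cost/benefit check behind 'Security = Risk Management': value the asset,
estimate the expected loss, and accept a countermeasure only if it removes
more expected loss per year than it costs. Added example for this lecture;
the SLE/ALE method is an assumption (not stated on the slide) and all figures
are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float      # economic value of the asset (currency units)
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents/year)

    def sle(self):
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # incident rate once the control is in place


def evaluate(risk, control):
    """Return (annual benefit, net value). Benefit is the ALE reduction the
    control buys; net value subtracts its yearly cost. A negative net value
    means the control costs more than the loss it prevents."""
    after = Risk(risk.asset, risk.asset_value,
                 control.new_exposure_factor, control.new_aro)
    benefit = risk.ale() - after.ale()
    return benefit, benefit - control.annual_cost


def choose(risk, controls):
    """Pick the countermeasure with the highest positive net value, or None
    when accepting the risk is cheaper than every option offered."""
    best = None
    for c in controls:
        _, net = evaluate(risk, c)
        if net > 0 and (best is None or net > best[1]):
            best = (c.name, net)
    return best


# Constructed figures: a customer database and two candidate controls.
# Fractions are chosen as exact binary values so the arithmetic is exact.
DB_RISK = Risk("customer database", asset_value=400_000,
               exposure_factor=0.5, aro=0.5)          # ALE = 100 000 / year
CONTROLS = [
    Countermeasure("encrypted backups + access review", 30_000, 0.125, 0.5),
    Countermeasure("full DLP suite", 120_000, 0.0625, 0.25),
]

if __name__ == "__main__":
    print(f"ALE without controls: {DB_RISK.ale():,.0f}")
    for c in CONTROLS:
        benefit, net = evaluate(DB_RISK, c)
        print(f"{c.name}: benefit {benefit:,.0f}, net {net:,.0f}")
    print("choose:", choose(DB_RISK, CONTROLS))
```

The stronger control prevents more loss but is rejected because its cost exceeds the loss it removes; that is the point of tying countermeasure choice to asset value.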
Information Security Principles:
#8 Security Controls: Preventative, Detective, and Responsive
A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered
Information Security Principles:
#9 Complexity Is The Enemy of Security
The more complex a system gets, the harder it is to secure
Information Security Principles:
#10 Fear, Uncertainty, and Doubt (FUD) Do NOT Work in Selling Security
Information security managers must justify all investments in security using techniques of the trade
When spending resources can be justified with good, solid business rationale, security requests are rarely denied
Information Security Principles:
#11 People, Process and Technology are all Needed
People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography
(Diagram: three overlapping circles labelled People, Process and Technology)
Growing IT Security Importance
Increased services to both vendors and employees create worlds of possibilities in satisfying customer needs, but …
they also create risks to the confidentiality, integrity, and availability of confidential or sensitive data
Becoming an InfoSec Specialist
Get the right certification
Certified Information Systems Security Professional (CISSP)
Global Information Assurance Certification (GIAC)
Consider earning a graduate degree in INFOSEC
Increase your disaster recovery and risk management skills
Contextualizing Information Security
Information security draws upon the best practices and experiences from multiple domains:
Antivirus Software
Development Security
Administration
Permission Controls
Physical Security
Incident Response
Compliance
Auditing
Key Management
Access Controls
Security Testing
Training and Awareness
Disaster Recovery
Public Key Infrastructure
Intrusion Detection and Prevention
Policies
Standards
Operations Controls
Information Security Careers
Common positions and career opportunities:
Security administrators
Access coordinators
Security architects and network engineers
Security consultants
Security testers
Policymakers and standards developers
Compliance officers
Incident response team members
Governance and vendor managers
Certification for People
International Information Systems Security Certification Consortium (ISC2)
Maintaining a CBK for information security
Certifying industry professionals and practitioners
Administering training and certification examinations
Ensuring credentials are maintained
Two primary certifications:
Certified Information Systems Security Professional (CISSP)
System Security Certified Practitioner (SSCP)
Information Security CBK
The CBK is a compilation and distillation of all security information collected that is relevant to information security professionals
CISSP certification includes a working knowledge of all 10 domains (www.isc2.org)
InfoSecurity CBK – 10 Domains
Security Management Practices (4)
Security Architecture and Models (5)
Business Continuity Planning (6)
Law, Investigations, and Ethics (7)
Physical Security (8)
Operations Security (9)
Access Control Systems and Methodology (10)
Cryptography (11)
Telecommunications, Network, and Internet Security (12)
Applications Development Security (13)
(Chapter number in) Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005 (ISBN 0-13-154729-1)
Course Overview
Intended Learning Outcomes
Upon completion of the course, students should be able to:
Describe threats in the IT environment, and recognize the relationship of threat, vulnerability, countermeasure, and impact in organizational information security;
Write a simple information security policy for an organization and produce appropriate guidelines for implementing the policy;
Recognize the information security management framework and the roles of Information Security Management Standards in this framework;
Recognize the legal issues in information security.
Course Overview
1. Introduction
2. Abstract Security Model
3. Access control
4. Cryptography and PKI
5. Network security
6-9. Info Sec management and Standards
10-11. Info Sec Risk Management
12. Legal Aspects
13. Revision
Lecture Overview
Lecture 1
Introduction:
Basic introduction to information security
Lecture 2
Abstract Security models:
Overview of security models
Security evaluation
Bell-LaPadula model
Clark-Wilson model
Brewer-Nash Chinese Wall model
Lecture 3
Access Control Mechanisms:
Management of privileges
Monitoring access
Identification and authentication of users
Lecture 4
Cryptography and PKI:
What is cryptography ?
Ciphers
Cryptographic Applications
Public Key Infrastructure
Lecture 5
Network security:
Common Network attacks
Network security solutions
IPSec VPNs
Firewalls
TLS and SSL
Lectures 6-9
Security management:
Introduction to information security management
Security policies
Security management standards
Lecture 10-11
Information Security Risk Management:
Approach
Process
Audit
Lecture 12
Legal Aspects:
Cyber Crime
Personal Data (Privacy) Ordinance
Electronic Transactions Ordinance
Lecture 13
Review
Readings
Merkow and Breithaupt, Information Security: Principles and Practices, Pearson 2005
Chapters 1, 2 and 3
Whitman and Mattord, Management of Information Security (4e), Cengage 2013
Chapter 1