Session 1 – Introduction to Information Security

ITEC 4100, Fall 2007, D Chan

Description: PowerPoint (PPT) presentation; the transcript of its slides follows.

Transcript of Session 1 – Introduction to Information Security

Page 1: Session 1 – Introduction to Information Security

Page 2: Security Objectives

Confidentiality (includes privacy)

Integrity

Availability

Page 3: Security Processes

Identification

Authentication

Authorization

Logging

Monitoring

Page 4: Common Security Measures

Password

Two-factor authentication

Biometrics

Access control lists for granting authorization to information

Locks

Encryption

Anti-virus

Usage and rejection reports

Page 5: Passwords

Should not be shared

Should be changed by user

Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Page 6: Passwords

Long, at least 8 characters

Alphanumeric

Hashed (one-way scrambling)

System should allow only a few attempts before locking out account

Page 7: Passwords

An 8-letter password is 676 times stronger than a 6-letter password.

A 6-character alphanumeric password is 6 times stronger than a 6-letter password.

Strength should depend on user’s privilege and locality of system.
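An added example (not from the course slides) that puts pages 5 to 7 into code: the key-space ratio behind the slide's 26² = 676 figure, the length and alphanumeric policy check, one-way storage as a salted hash, and lockout after a few failed attempts. PBKDF2-SHA256, the iteration count and the three-attempt limit are assumptions of this example.

```python
import hashlib
import hmac
import os
import string

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords: alphabet size to the power of the length."""
    return alphabet_size ** length

def strength_ratio(alphabet_a, length_a, alphabet_b, length_b) -> float:
    """How many times larger the first key space is than the second;
    26 letters at 8 versus 6 characters gives 26**2 == 676."""
    return keyspace(alphabet_a, length_a) / keyspace(alphabet_b, length_b)

def meets_policy(password: str) -> bool:
    """Slide policy: at least 8 characters, mixing letters and digits."""
    return (len(password) >= 8
            and any(c in string.ascii_letters for c in password)
            and any(c in string.digits for c in password))

def hash_password(password: str, salt: bytes = None, iterations: int = 100_000):
    """One-way scrambling: a salted PBKDF2-SHA256 hash is stored, never the
    password. Algorithm and iteration count are assumptions of this example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def check_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class Account:
    """Locks the account after a few failed attempts (three, assumed here)."""
    MAX_ATTEMPTS = 3
    def __init__(self, password: str):
        self.salt, self.iterations, self.digest = hash_password(password)
        self.failed = 0
        self.locked = False
    def login(self, password: str) -> bool:
        if self.locked:
            return False             # a locked account rejects even the right password
        if check_password(password, self.salt, self.iterations, self.digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.MAX_ATTEMPTS:
            self.locked = True
        return False
```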

Page 8: Two-factor Authentication

Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.

Uses what the user has and what the user knows.

Examples are a token that displays a dynamic password, and an ATM card used with a PIN.

Page 9: Biometrics

Can include fingerprint, hand geometry, voice, etc.

Held back by privacy concerns.

Not legally recognised in place of a signature.

Page 10: Operating System Security

Use a standard checklist for configuration.

Implement vendor updates.

Use scanning software to detect vulnerabilities before implementation and periodically afterwards.

Page 11: Firewall

Can be hardware-based only, e.g., a router.

Can be a server running sophisticated software: more granular and reliable than a router, and provides better logs.

Can use artificial intelligence to check for patterns.

Page 12: Firewall

Every organization that hosts a web site should have a firewall to protect its internal network from hackers.

The firewall would block traffic that is definitely unacceptable.

Page 13: Firewall

A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.

A data packet typically carries a source Internet Protocol (IP) address, a port number and a destination IP address.

Page 14: Firewall

A port is a logical connection point on a network device, including a computer.

It is used to standardize Internet traffic, e.g., web browsing uses port 80 and e-commerce (HTTPS) uses port 443.
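An added example, not part of the course slides, that works the packet model of pages 13 and 14: each packet is a (source IP, destination IP, port) triple, a rule set accepts only web and e-commerce ports on one server and rejects everything else, a detector flags the port-scanning pattern the slide mentions, and a per-source rejection count feeds the usage and rejection reports of page 4. The rule set, the threshold and the sample traffic are constructed; addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed rule set (not from the slides). Addresses are RFC 5737
# documentation ranges, so nothing here points at a real network.
WEB_SERVER = ipaddress.ip_address("203.0.113.10")
BLOCKED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_PORTS = {80, 443}          # web browsing (HTTP) and e-commerce (HTTPS)

def firewall_decision(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Apply the rules to one packet: (source IP, destination IP, port)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in net for net in BLOCKED_SOURCES):
        return "REJECT"            # definitely unacceptable traffic
    if dst == WEB_SERVER and dst_port in ALLOWED_PORTS:
        return "ACCEPT"            # explicitly allowed service
    return "REJECT"                # default deny: anything not allowed is rejected

def detect_port_scans(packets, threshold: int = 10):
    """A port scan looks like one source touching many distinct destination
    ports; report sources at or above the threshold (a tunable assumption)."""
    touched = defaultdict(set)
    for src, dst, port in packets:
        touched[src].add((dst, port))
    return sorted(src for src, ports in touched.items() if len(ports) >= threshold)

def rejection_report(packets):
    """Count rejected packets per source: the raw material of a rejection report."""
    counts = defaultdict(int)
    for src, dst, port in packets:
        if firewall_decision(src, dst, port) == "REJECT":
            counts[src] += 1
    return dict(counts)

# Constructed sample traffic: normal browsing, one blocked source, and one
# host probing 20 consecutive ports on the web server.
SAMPLE_PACKETS = [("192.0.2.5", "203.0.113.10", 443),
                  ("192.0.2.5", "203.0.113.10", 80),
                  ("198.51.100.7", "203.0.113.10", 80)]
SAMPLE_PACKETS += [("192.0.2.99", "203.0.113.10", p) for p in range(20, 40)]
```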

Page 15: Virus Protection

Companies around the world spend about US $20 billion a year to clean up viruses.

All critical servers are protected.

All internet email is scanned.

Automated identification of workstations that do not have up-to-date signature files.

Organizations should block common virus file types to be proactive.

Page 16: Virtual Private Network

To secure remote access to company systems by staff or contractors.

Should require two-factor authentication.

Because the traffic is encrypted, it bypasses the firewall's inspection; the secure tunnel should therefore end at another firewall, where the traffic is decrypted.

Page 17: Intrusion Detection System

Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.

Alerts systems administrators to take pre-emptive or corrective actions.

Page 18: Intrusion Prevention System

Combines firewall and intrusion detection technologies.

Rejects highly questionable or unacceptable traffic.

More effective than firewalls, but may produce false positives.

Page 19: Encryption

Uses mathematics to scramble data.

Uses a key and an algorithm. Commercial algorithms are public knowledge.

Symmetric key.

Asymmetric keys (private/public key pair).

Page 20: Symmetric Key Encryption

The same key is used to encrypt and decrypt.

Simple to encrypt and decrypt.

Large number of keys required for one-on-one secret communication.

Number of keys for N people is N(N-1)/2.

Need to secure the key.

Page 21: Asymmetric Encryption

A pair of keys is generated by a user: a private key and a corresponding public key.

The public key can be disclosed. The private key is secured.

People can use the public key to encrypt material.

Page 22: Asymmetric Encryption

The corresponding private key is needed to decrypt.

The 2 keys cannot be reverse-engineered from each other, i.e., you cannot use the public key to derive the private key.

Keys are longer than symmetric keys, and encryption and decryption therefore take longer.

Page 23: Asymmetric Encryption

Needed for email encryption.

Used for e-commerce, digital certificates and digital signatures.

Number of keys for N users is 2N.

Page 24: Digital Signature

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Page 25: Digital Signature

The sender uses an algorithm to compute a hash (a fixed-length digest) of the document.

The sender uses its private key to encrypt the hash.

The recipient uses the same algorithm to hash the plain-text document when it is received.

The recipient uses the sender's public key to decrypt the digital signature and compares the result to the hash it computed, to confirm integrity.

Page 26: Digital Certificate

• An electronic business card that establishes your credentials when doing business or other transactions on the Web.

• It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.

• People can use the certificate authority’s public key to verify the signature.

Page 27: Certificate Authority

An organization that issues digital certificates to companies and individuals.

An organization can issue digital certificates to its own customers or employees to authenticate local transactions.

The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.

Page 28: E-commerce Encryption

Uses both symmetric keys and asymmetric keys

Enforced by the merchant

Merchant sends its certificate and public key to the browser

Page 29: E-commerce Encryption

Browser generates a symmetric key

Browser encrypts the symmetric key with the merchant’s public key

Browser authenticates the digital certificate

Encrypted symmetric key is sent to merchant

Page 30: E-commerce Encryption

Merchant decrypts the symmetric key with its private key

The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
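An added example (not from the course slides) that carries out both the digital signature steps of page 25 and the e-commerce key exchange of pages 28 to 30 with the same asymmetric primitives. The key pair is a toy RSA key assumed for this example: its primes are the published Mersenne primes 2^127-1 and 2^521-1, so it is public knowledge and unpadded, which real signatures (PSS) and key transport (OAEP) never are; the certificate check of page 29 is out of scope here.

```python
import hashlib
import os

# Toy RSA key pair, constructed for illustration only: the primes are the published
# Mersenne primes 2**127-1 and 2**521-1, so this key is public knowledge. Real systems
# use random primes and padding (PSS for signatures, OAEP for key transport).
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def digest(document: bytes) -> int:
    """Step 1: hash the document into a fixed-length digest (SHA-256)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Step 2: the sender transforms the hash with its private key."""
    n, d = private_key
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Steps 3-4: the recipient re-hashes what it received, undoes the signature
    with the sender's public key and compares the two hashes."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)

def wrap_session_key(session_key: bytes, public_key) -> int:
    """Browser: encrypt the fresh symmetric key with the merchant's public key."""
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)

def unwrap_session_key(wrapped: int, private_key, length: int = 32) -> bytes:
    """Merchant: recover the symmetric key with its private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")

def ecommerce_key_exchange() -> bool:
    """Pages 28-30 in code: the merchant publishes its public key, the browser
    generates a 256-bit symmetric key, wraps it, and the merchant unwraps it.
    Returns True when both sides now hold the same key."""
    session_key = os.urandom(32)                                 # browser side
    wrapped = wrap_session_key(session_key, PUBLIC_KEY)          # sent over the wire
    return unwrap_session_key(wrapped, PRIVATE_KEY) == session_key   # merchant side
```

A signature over a tampered document fails because the recipient's fresh hash no longer matches the one recovered from the signature, which is the integrity check page 25 describes.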

Page 31: Email Encryption

Sender uses the recipient’s public key to encrypt the message

Sender signs the message with own private key

Recipient uses own private key to decrypt message

Recipient uses sender’s public key to authenticate the digital signature

Page 32: Conclusion

Security is increasingly important because of e-commerce.

Security is the responsibility of every employee.

Organizations should designate a chief information security officer to coordinate.