Session 1 – Introduction to Information Security
description
Transcript of Session 1 – Introduction to Information Security
ITEC 4100, Fall 2007, D Chan
Session 1 – Introduction to Information SecuritySession 1 – Introduction to Information Security
ITEC 4100, Fall 2007, D Chan
Security Objectives
Confidentiality (includes privacy)
IntegrityAvailability
ITEC 4100, Fall 2007, D Chan
Security Processes
IdentificationAuthenticationAuthorizationLoggingMonitoring
ITEC 4100, Fall 2007, D Chan
Common Security Measures
PasswordTwo-factor authenticationBiometricsAccess control lists for granting
authorization to informationLocksEncryptionAnti-virusUsage and rejection reports
ITEC 4100, Fall 2007, D Chan
Passwords
Should not be shared
Should be changed by user
Should be changed frequently and upon compromise (suspected unauthorized disclosure)
ITEC 4100, Fall 2007, D Chan
Passwords
Long, at least 8 characters
Alphanumeric
Hashed (one-way scrambling)
System should allow only a few attempts before locking out account
ITEC 4100, Fall 2007, D Chan
Passwords
An 8-letter password is 676 times stronger than a 6-letter password.
A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
Strength should depend on user’s privilege and locality of system.
ITEC 4100, Fall 2007, D Chan
Two-factor Authentication
Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
Uses what the user has and what the user knows.
Examples are to use a token with a dynamic password and ATM.
ITEC 4100, Fall 2007, D Chan
Biometrics
Can include fingerprint, hand geometry, voice etc.
Held back by privacy concerns.
Not recognised legally in place of signature
ITEC 4100, Fall 2007, D Chan
Operating System Security
Use a standard checklist for configuration
Implement vendor updates
Use scanning software to detect vulnerabilities before implementation and periodically
ITEC 4100, Fall 2007, D Chan
Firewall
Can be hardware based only, e.g., a router.
Can be a server with sophisticated software, more granular and reliable than a router, provides better logs.
Can use artificial intelligence to check for patterns.
ITEC 4100, Fall 2007, D Chan
Firewall
Every organization that hosts a web site should have a firewall to protect its internal network from hackers
The firewall would block traffic that is definitely unacceptable.
ITEC 4100, Fall 2007, D Chan
Firewall
A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
A data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.
ITEC 4100, Fall 2007, D Chan
Firewall
A port is a logical connection point in a network device including a computer.
It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.
ITEC 4100, Fall 2007, D Chan
Virus Protection
Companies around the world spend about US $20 billion a year to clean up viruses
All critical servers are protectedAll internet email is scannedAutomated identification of workstations
that do not have up-to-date signature filesOrganizations should block common virus
file types to be proactive
ITEC 4100, Fall 2007, D Chan
Virtual Private Network
To secure remote access to company systems by staff or contractors.
Should require two-factor authentication.
Encrypted traffic, bypasses firewall, secure tunnel should end at another firewall with traffic decrypted.
ITEC 4100, Fall 2007, D Chan
Intrusion Detection System
Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
Alerts systems administrators to take pre-emptive or corrective actions.
ITEC 4100, Fall 2007, D Chan
Intrusion Prevention System
Combines firewall and intrusion detection technologies.
Rejects highly questionable or unacceptable traffic.
More effective than firewalls but may have false positive.
ITEC 4100, Fall 2007, D Chan
Encryption
Uses mathematics to scramble data.
Uses a key and an algorithm . Commercial algorithms are public knowledge.
Symmetric key.
Asymmetric keys (private/public key pair).
ITEC 4100, Fall 2007, D Chan
Symmetric Key Encryption
The same key is used to decrypt and encrypt
Simple to encrypt and decryptLarge number of keys required for
one-on-one secret communicationNumber of keys for N people is N(N-
1)/2Need to secure the key
ITEC 4100, Fall 2007, D Chan
Asymmetric Encryption
A pair of key is generated by a user, a private key and a corresponding public key.
The public key can be disclosed. The private key is secured.
People can use the public key to encrypt material.
ITEC 4100, Fall 2007, D Chan
Asymmetric Encryption
The corresponding private key is needed to decrypt.
The 2 keys cannot be reengineered, i.e., you cannot use the public key to derive the private key.
Longer keys than symmetric and therefore a longer process to encrypt and decrypt.
ITEC 4100, Fall 2007, D Chan
Asymmetric Encryption
Needed for email encryption.
Used for e-commerce, digital certificates and digital signatures.
Number of keys for N users is 2N.
ITEC 4100, Fall 2007, D Chan
Digital Signature
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.
ITEC 4100, Fall 2007, D Chan
Digital Signature
The sender uses an algorithm to compute a hash (garbled digest) of the document
Sender uses its private key to encrypt the hash.
Recipient uses same algorithm to hash the plain text document when received.
Recipient uses the public key to decrypt the digital signature and compare to the hash the recipient created, to confirm integrity.
ITEC 4100, Fall 2007, D Chan
Digital Certificate
• An electronic business card that establishes your credentials when doing business or other transactions on the Web.
• It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.
• People can use the certificate authority’s public key to verify the signature.
ITEC 4100, Fall 2007, D Chan
Certificate Authority
An organization that issues digital certificates to companies and individuals
An organization can issue digital certificates to its own customers or employees to authenticate local transactions
The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.
ITEC 4100, Fall 2007, D Chan
E-commerce Encryption
Uses both symmetric keys and asymmetric keys
Enforced by the merchant
Merchant sends its certificate and public key to the browser
ITEC 4100, Fall 2007, D Chan
E-commerce Encryption
Browser generates a symmetric key
Browser encrypts the symmetric key with the merchant’s public key
Browser authenticates the digital certificate
Encrypted symmetric key is sent to merchant
ITEC 4100, Fall 2007, D Chan
E-commerce Encryption
Merchant decrypts the symmetric key with its private key
The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
ITEC 4100, Fall 2007, D Chan
Email Encryption
Sender uses the recipient’s public key to encrypt the message
Sender signs the message with own private key
Recipient uses own private key to decrypt message
Recipient uses sender’s public key to authenticate the digital signature
ITEC 4100, Fall 2007, D Chan
Conclusion
Security is increasingly important because of e-commerce.
Security is the responsibility of every employee.
Organizations should designate a chief information security officer to coordinate.