basic concepts of information security · • protect own reputation. ... • the higher level must...
TRANSCRIPT
![Page 1: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/1.jpg)
Basic Concepts of Information Security
Timo KiravuoHelsinki University of Technology
Telecommunication Software and Multimedia Laboratory
Based on slides by:
Prof., Dr. Sci. Teemupekka Virtanen
![Page 2: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/2.jpg)
Security, why
• Protect valuable assets • Compliance with laws• Meet the customer requirements• Prevent breakdowns in production• Keep personnel happy• Protect own reputation
![Page 3: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/3.jpg)
Confidentiality- Luottamuksellisuus• Secrecy of information• Who is allowed to know something• Bell-LaPadula –model• A real property of information
– Classification must be the same every place the same information is processed
![Page 4: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/4.jpg)
Availability – Käytettävyys(Saatavuus)
• Availability of service (information)• What is the maximum time delay for getting
service• Sometimes probability of not losing information• Some close areas
– availability– reliability– usability
• A property of the system– The same information may have different
classification in different systems
![Page 5: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/5.jpg)
Integrity - Eheys
• The meaning of integrity has changed during time• Originally integrity in transactions
– There must been no partial transactions
• Now much broader definition– Data was correct in the beginning– All changes have be legal, accountable and correct– Data is still correct
• Accountability is usually required to maintain integrity
![Page 6: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/6.jpg)
Threat – Uhka
• Something harmful that may happen• Possibility to happen is the numerical value of a
threat• Examples
– Fire– Death of key person– Malfunction of hard disk– Cracker breaking in– IRS comes to inspect the files
![Page 7: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/7.jpg)
Risk - Riski
• The expectancy of a threat• Two components
– Threat (probability)– Damage (amount)
• Risk = threat * damage
![Page 8: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/8.jpg)
Vulnerability - Haavoittuvuus• Weakness in the information system
– Makes it possible for a threat to occur– Increase probability of a threat– Increase damage
• Examples– Weak passwords– Weak encryption– No secondary power supply– A backdoor in the system
![Page 9: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/9.jpg)
From Threat to Risk
Threat Vulnerability Loss
Risk
Eliminaterisk
Minimizerisk
Acceptrisk
![Page 10: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/10.jpg)
The Balance between Risks and Costs
Tota
l cos
t
Resources to avoid an accident
Cost of risk
Minimal costs
Costs of avoiding accidents
Costs of accidents
![Page 11: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/11.jpg)
Data protection – Tietosuoja
• Privacy protection is a civil right in many countries including Finland
• Restriction on gathering personal information– What kind of information– From whom– How to use information– How to protect information
• Required by legislation
![Page 12: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/12.jpg)
Protocol - Protokolla
• A formal description of discussion• Vocabulary• Order of words• How to do handshake• Between computers, diplomats, companies
![Page 13: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/13.jpg)
AAA
• Authentication - Todennus– Mechanism for confirming the identity of user and
integrity and authenticity of information
• Authorization – Valtuutus– Who is allowed to do what
• Accountability – Kohdennettavuus– It is possible afterward to find out who has made any
operations
• Identification – Tunnistus– Connects a user to the real person– Usually additional authentication is needed to verify the
identity
![Page 14: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/14.jpg)
Anonymity - Anonymiteetti
• An entity can not be identified– Protects the privacy of the entity
• Can still be authorized to perform actions– By using e.g. certificates– E.g. when you buy something and pay only cash, the
transaction is anonymous, but authorized
• This can often be a design requirement – E.g. government systems
![Page 15: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/15.jpg)
Pseudonymity -pseudonymiteetti
• We can authenticate and entity and connect it to previous occurances, but we can not identify the person connected to the pseudonym– E.g. web cookies
• Using the same pseudonym in different situations can lead to identification of the entity
![Page 16: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/16.jpg)
Non-repudiation -Kiistämättömyys
• It is not possible for a user to afterward deny an operation he has made
• Methods– Electronic signature– Trusted Third Party– Time Stamps– Accountability may maintain also non-repudiation
![Page 17: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/17.jpg)
Classification
• Classification – Luokittelu– Labeling sensitive information– CIA-model– (Confidentiality, Integrity, Availability)
• Clearance – Luokittelu– Classification of users of information
![Page 18: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/18.jpg)
Corporate Security
![Page 19: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/19.jpg)
The Assets
• Everything required for production• Everything valuable• All good reputation• Investments
![Page 20: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/20.jpg)
Material
• Production– Buildings– Machinery– Raw material– Stocks
• Valuables– Money– Art
• Other investments– Cars
![Page 21: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/21.jpg)
People
• Production– Skilled workers
• Information– Databank
• Reputation– Value itself
![Page 22: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/22.jpg)
Information
• Production– Prints– Orders
• Corporate management– Plans– Customer information– Personnel information
• Investments– Databases
• Compliance– Bookkeeping– Privacy
![Page 23: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/23.jpg)
Reputation
• Good manufacturer– No malfunctions– No faulty products
• Good neighbor– Environmental protection– Safe traffic
• Good employer– Safety in work
![Page 24: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/24.jpg)
Security Management
• Set the goals• Define the security level• Define the acceptance of risk• Define protection principles
![Page 25: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/25.jpg)
Security Policy
• A high level statement• Defines the baseline security• Defines the acceptable risk• Defines protection principles• Basic document
![Page 26: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/26.jpg)
Legislation and security
• Assets may be protected by legislation– An intruder is a criminal and will be punished
• Special capabilities are guaranteed to protect assets
• Legislation sets requirements for security
![Page 27: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/27.jpg)
Baseline Security
• The minimal required security level• The procedures to protect others• Usually more is required
– Production– Customers– Legislation
![Page 28: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/28.jpg)
Asset Management
• Recognize the important assets• Classification
![Page 29: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/29.jpg)
Physical Security
• Security domains• Protection prevents outsiders from intruding
– Fences, walls– Guards
• Authenticate the insiders– Keys, access control
• Detection– Alarms– Delay in detection– Precision of detection
• Active response– Time to reach the site– Amount of strength to prevent intrusion
![Page 30: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/30.jpg)
How much is enough
• S(Tp + Tg) > Ta + Tt– Tp time to go through a passive barrier– Tg time to go to the next barrier– Ta delay in alarm– Tt time for a guard to reach the site
![Page 31: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/31.jpg)
The Goal of Physical Security• People in the domain may work efficiently
– All the people are authenticated– All the people are trusted– No outsiders to look after
• Good working conditions– Safety– Fire prevention
• Don’t prevent or disturb working of authenticated people
![Page 32: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/32.jpg)
Personnel Security
• Accepts insiders– Background checking
• Prevents accidents– Education
• Preserves motivation– Personnel management
• Personnel lifecycle– Hiring, working, firing
![Page 33: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/33.jpg)
Operational Security
• Job management– Enough people– Possibility to work in a secure way
• Safety procedures– Safe working conditions
• Sharing of duties• Key persons
![Page 34: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/34.jpg)
Information Technology Security
• Computer security• Communication security• Security domains• Protection against outsiders• Authentication of insiders• Notification of intrusion
![Page 35: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/35.jpg)
Security in a Modern Organization
• Security requirements are part of management• The lower level in hierarchy must meet the
requirements of higher level• The higher level must accept the cost of security• Management in each level has to make decisions
in security
![Page 36: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/36.jpg)
Security in Outsourcing
• Security requirements as part of the service• Defined in contracts• Evaluation, certification• Costs are part of the service
– Service provider has to be able to include the costs in the price
![Page 37: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/37.jpg)
Security Costs
• Part of normal operational costs• Have to take into accounting when
– calculate the investments– pricing products– pricing services
![Page 38: Basic Concepts of Information Security · • Protect own reputation. ... • The higher level must accept the cost of security ... Perusteet.ppt Author: kiravuo Created Date:](https://reader031.vdocuments.us/reader031/viewer/2022011805/5bb362ce09d3f2d3728b4eaa/html5/thumbnails/38.jpg)
Conclusion
• Security is a prevention of incidents which may cause losses to the organization
• Security is optimization between losses and costs of protection
• There are several methods for protection