Information Security Methodology
Sunil Paudel
Need for Information Security
An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization.
The value of information comes from the characteristics it possesses:
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
AIC Triad
Confidentiality - The concept of protecting the secrecy and privacy of information, so that it is disclosed only to authorized parties.
Integrity - The concept of protecting the accuracy of information processing and data from improper or unauthorized modification.
Availability - The concept of ensuring that systems and data can be accessed by authorized users when required.
CNSS Security Model
The model (also known as the McCumber cube) is the intersection of three axes, each with three values:
• Information states (x-axis): storage, processing, and transmission
• Key objectives of C.I.A. (y-axis): confidentiality, integrity, and availability
• Three primary means to implement them: policy, education, and technology
Each of the resulting cells is an area that must be addressed to secure an information system.
Securing the Components
A computer can be the subject of an attack, the object of an attack, or both at once.
When a computer is the subject of an attack, it is used as an active tool to conduct the attack (for example, a compromised host used to attack others); when it is the object of an attack, it is the entity being attacked.
Balancing Security and Access
It is impossible to obtain perfect security - it is not an absolute; it is a process
Security should be considered a balance between protection and availability
To achieve balance, the level of security must allow reasonable access, yet protect against threats
Malware Summary

Code Type      Characteristics
Virus          Attaches itself to a program and copies itself to other programs
Trojan Horse   Contains unexpected, additional functionality
Logic Bomb     Triggers an action when a condition occurs
Time Bomb      Triggers an action when a specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through the network
Rootkit        Hooks standard OS calls to hide data
• Malware covers all kinds of intruder software

Why do we have so much malware?
• Users are ill-educated, resulting in distribution as Trojans and viruses
  – Because computers are fast-changing and still relatively new
• Software has vulnerabilities, resulting in distribution of worms and viruses
  – Because it is badly written or badly designed
  – Because designers have historically favoured user convenience over security
• The PC is an open platform
  – Users can install software, in contrast with (old-fashioned) mobile phones, mp3 players, set-top boxes, embedded computers, etc.
Anti-virus software detects known malware and can quarantine or remove it, often before any damage is done; it is not a substitute for patching and least privilege.
• Install and maintain anti-virus and anti-spyware software
• Be sure to keep anti-virus software (and its signatures) updated
• Many free and paid options exist
National Information Technology Center
Password Types
• Passwords that contain only letters
• Passwords that contain only numbers
• Passwords that contain only special characters
• Passwords that contain letters and numbers
• Passwords that contain only letters and special characters
• Passwords that contain only special characters and numbers
• Passwords that contain letters, special characters and numbers
Guessable Passwords
Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
• the user's name or login name
• the name of their significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's, or a relative's
• their automobile license plate number, or a friend's, or a relative's
• their office number, residence number or, most commonly, their mobile number
• the name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit (particularly 1) or reversing the order of the letters
• a swear word
• and so, extensively, on
Types of Password Attacks
• Dictionary attack
• Brute force attack
• Social engineering
• Shoulder surfing
• Dumpster diving
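The guessable-password patterns and the dictionary attack above, put together as a targeted dictionary attack and the matching defender-side check. This is an added example, not code from the original slides; the victim profile, wordlist and stored hash are constructed for the demonstration, and the storage format (an unsalted SHA-256 hex digest) is an assumption chosen only so the example runs with the standard library.

```python
"""Targeted dictionary attack built from the guessable-password patterns
listed above (added example, not from the slides). The profile, the base
wordlist and the stored hash are constructed here; unsalted SHA-256 is an
assumed storage format, chosen so the demo is self-contained."""
import hashlib

# Constructed profile: the kind of personal information an attacker can
# collect from social media, a business card, or a dumpster.
PROFILE = {
    "login": "spaudel",
    "name": "sunil",
    "partner": "maya",
    "pet": "tommy",
    "birth_year": "1985",
    "mobile": "9841000000",
    "plate": "BA1PA1234",
    "celebrity": "shahrukh",
}

# Constructed base wordlist: defaults, keyboard rows, common words.
COMMON = ["", "password", "passcode", "admin", "qwerty", "asdf",
          "qwertyuiop", "123456", "letmein", "welcome"]


def mutate(word):
    """The 'simple modifications' the slides mention: case changes, a
    suffixed digit (1 is the most common), and reversing the letters."""
    base = {word, word.lower(), word.capitalize(), word[::-1]}
    out = set(base)
    for w in base:
        for digit in "0123456789":
            out.add(w + digit)
        out.add(w + "123")
        out.add(w + "!")
    return out


def candidates(profile):
    """Expand personal facts plus common words into an ordered,
    de-duplicated candidate list (most likely guesses first)."""
    seeds = COMMON + list(profile.values())
    # partner's or pet's name plus a year is a classic combination
    seeds += [profile["partner"] + profile["birth_year"],
              profile["pet"] + profile["birth_year"]]
    seen, ordered = set(), []
    for seed in seeds:
        for cand in sorted(mutate(seed)):
            if cand not in seen:
                seen.add(cand)
                ordered.append(cand)
    return ordered


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(stored_hash, profile):
    """Return (password, attempts) on a match, else (None, attempts)."""
    cands = candidates(profile)
    for attempt, cand in enumerate(cands, 1):
        if sha256_hex(cand) == stored_hash:
            return cand, attempt
    return None, len(cands)


def is_guessable(password, profile):
    """Defender-side check: refuse any password the attack above finds."""
    return password in set(candidates(profile))


if __name__ == "__main__":
    # Constructed stored hash of a guessable password: pet's name + "1".
    victim = sha256_hex("Tommy1")
    password, attempts = dictionary_attack(victim, PROFILE)
    print(f"recovered {password!r} after {attempts} guesses")
    print("Tommy1 guessable:", is_guessable("Tommy1", PROFILE))
    print("passphrase guessable:",
          is_guessable("correct horse battery staple", PROFILE))
```

The attack needs only a few hundred guesses because the candidate space is derived from the victim, not from the whole alphabet; the same generator, run at enrolment time, is a cheap way to reject the passwords this section lists.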
Public-key Cryptography
• Each person’s public key is published while the private key is kept secret
• Communications involve only the public keys, and no private key is ever transmitted or shared
• The public keys are associated with their users in a trusted manner
What is a Digital Signature
A person having the initial message and the signer’s public key can accurately determine:
• whether the transformation (the signature) was created using the private key that corresponds to the signer’s public key
• whether the initial message has been altered since the transformation was made
A Digital Signature is:
• Intended by the party using it to have the same force and effect as the use of a manual signature
• Unique to the party using it
• Capable of verification
• Under the sole control of the party using it
• Linked to data in such a manner that it is invalidated if the data is changed
• In conformity with rules adopted by the Office of Controller of Certification (a Certificate Authority) pursuant to this act
Certificate Authority
The Certificate Authority is an individual or organization that acts as a notary to authenticate the identity of users of a public-key encryption system.
A Certificate Authority is used to:
1) Associate a pair of keys with a person
2) Publish the public keys in a directory
3) Maintain functions associated with the keys (such as renewal and revocation)
Digital Signature Creation (figure)
Message -> Hash Function -> Message Digest -> Signature Function (with the signer's Private Key) -> Digital Signature
The Digital Signature is sent together with the Message.

Digital Signature Verification (figure)
Received Message -> Hash Function -> Message Digest (recomputed)
Received Digital Signature -> Signature Function (with the Signer’s Public Key) -> Message Digest (recovered)
If the two message digests are identical, the signature is valid. If they are different, the signature is not valid.
Access Control
Identification, Authentication, and Authorization are distinct functions.
Identification
• Method of establishing the subject’s (user, program, process) identity.
Authentication
• Method of proving the identity.
Authorization
• Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Authentication Methods
There are 3 primary authentication methods. Sensitive or critical information should be protected by employing at least two of them (two- or three-factor authentication).
• Knowledge - Something you know, such as a password, passphrase or PIN.
• Ownership - Something you have, for example tokens and smart cards.
• Characteristics - Something you are: biometrics are digitized representations of physical features (such as fingerprints) or physical actions (such as signatures).
Access Control Models
Discretionary Access Control (DAC)
Access control is at the discretion of the owner of the resource, who decides which subjects may access it.
Mandatory Access Control (MAC)
Users have security clearances and resources have security labels that contain data classifications; the system, not the owner, enforces the comparison.
This model is used in environments where information classification and confidentiality are very important (e.g., the military).
Role-Based Access Control (RBAC)
Role-Based Access Control uses a centrally administered set of controls to determine how subjects and objects interact: permissions are assigned to roles, and users acquire them by being assigned to roles.
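The three models above as decision functions, run over constructed subjects, objects and requests. This is an added example, not code from the slides; the users, clearances, labels and roles are made up for illustration, and the MAC rules follow the Bell-LaPadula confidentiality properties (no read-up, no write-down), which the slide implies but does not name.

```python
"""DAC, MAC and RBAC as small decision functions (added example, not from
the slides). All subjects, objects, labels and roles are constructed."""


# ---------- DAC: the owner decides, via a per-object ACL ----------
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # owner keeps full rights

    def grant(self, granter, subject, right):
        """Only the owner may change the ACL: that is the 'discretion'."""
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner")
        self.acl.setdefault(subject, set()).add(right)

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())


# ---------- MAC: clearance vs. label, enforced by the system ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def dominates(higher, lower):
    """(level, categories) dominates another if its level is at least as
    high and its categories (need-to-know compartments) are a superset."""
    h_level, h_cats = higher
    l_level, l_cats = lower
    return LEVELS[h_level] >= LEVELS[l_level] and set(h_cats) >= set(l_cats)


def mac_allows(clearance, label, right):
    """Bell-LaPadula style: read needs clearance >= label (no read-up);
    write needs label >= clearance (no write-down)."""
    if right == "read":
        return dominates(clearance, label)
    if right == "write":
        return dominates(label, clearance)
    return False


# ---------- RBAC: centrally administered roles -> permissions ----------
ROLE_PERMS = {
    "auditor":       {("payroll", "read"), ("logs", "read")},
    "payroll-clerk": {("payroll", "read"), ("payroll", "write")},
    "sysadmin":      {("logs", "read"), ("logs", "write")},
}
USER_ROLES = {
    "alice": {"auditor"},
    "bob":   {"payroll-clerk"},
    "carol": {"sysadmin", "auditor"},
}


def rbac_allows(user, obj, right):
    """A user may act if any of the roles assigned to them carries
    the (object, right) permission."""
    return any((obj, right) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"),
          "| bob write:", doc.allows("bob", "write"))

    analyst = ("secret", {"nuclear"})           # clearance
    report = ("confidential", {"nuclear"})      # label
    print("MAC  read down:", mac_allows(analyst, report, "read"),
          "| write down:", mac_allows(analyst, report, "write"))

    print("RBAC carol write logs:", rbac_allows("carol", "logs", "write"),
          "| bob read logs:", rbac_allows("bob", "logs", "read"))
```

Note where the decision lives in each model: in the object's ACL that its owner edits (DAC), in a system-wide comparison the owner cannot override (MAC), and in an administrator-maintained role table that individual users never touch (RBAC).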
Disaster Recovery
Natural
• Thunderstorms, tornadoes, lightning
• Earthquakes, volcanoes, tsunami, landslides
• Floods, droughts
• Epidemics
Acts of people
• Workplace violence
• Civil disobedience
  - Labor riots
  - Political riots
• Terrorism
• Weapons of mass destruction
Technological
• System failures
• Hazardous materials
• Environmental
• Nuclear
• Aviation, railways
• Fires, collapse
Benefits from a DR center
Significantly reducing the impact of sales, financial, and customer losses during unforeseen interruptions to business operations.
DR site selection (distance from the primary site):
• US: 40 miles (64 km, outside the influence of the same hurricane)
• Japan: on a different tectonic plate, in a different seismic activity zone
• EU: 5~10 km (against bombing attack)
• Korea: similar to the situation in the EU, usually 30 km or more away
Information System Audit
IS Audit: Any audit that wholly or partially evaluates an automated information processing system, related non-automated processes, and their interfaces.
Simplified Audit Process
1) Plan audit & gather information
2) Review internal control
3) Perform tests
4) Prepare & present report
Concluding remarks
• Assign accountability for security
• Implement a thorough security policy
• Conduct a security awareness program
• Install anti-virus software and update it regularly
• Limit access to sensitive information
• Develop and communicate an incident response process
• Perform security audits on an ongoing basis