Model Information Security Planning By Mohammed Ashfaq Ahmed

Upload: jered

Post on 07-Jan-2016


TRANSCRIPT

Page 1: Model Information Security Planning By  Mohammed Ashfaq Ahmed

Model Information Security Planning

By Mohammed Ashfaq Ahmed


• Adopt a multilayered security model

• Follow a defense-in-depth strategy

• Defense-in-depth: designed from the inside out but tested from the outside in

• Information lies at the core, and the most reliable protection elements lie close to it

• Penetration by attackers occurs from the outside in


Seven layer security model…

It covers both the security of information as well as the security of the information system.

The layers of the model are:

• Information at the core
• Cryptographic method layer
• Verification and authentication layer
• OS hardening layer
• Information system architecture and design
• Web services layer
• The 8 Ps of security layer


Benefits of this model..

• Vigorously protects information
• Will slow down perpetrators as they attempt any attack
• Discourages attackers
• Assists in identification of hackers
• Low cost and effective


1. Information at the core..

Information resides at the core of the model

Why is information at the core, and not the information system?

Reason: the information system is too vast and cannot be narrowed sufficiently


Information has many properties: it can be disguised, protected, authenticated, tested..

The most important and interesting quality of information is that it can change state and still retain all of its semantic value

These factors allow us to manage the information effectively


2. Cryptographic method layer..

It is the second layer and actually the most important from a security countermeasure point of view

It represents a formidable barrier that coats and protects information

It uses the properties of information


Advantages..

Cryptography disguises information

Cryptographic methods are extremely complex and require significant time and cost to break

It provides an elegant linkage to the authentication and verification layer

Cryptographic layers are many and varied


3. Authentication and verification layer..

It is closely related to the cryptographic layer

It has two distinct parts:

1. The inner authentication and verification, which pertains to the information exclusively
Ex. Digital signatures, code signing, etc.

2. The outer half, which provides authentication and verification for the information system
Ex. Passwords, access controls, etc.


Authentication is the process of determining if the information presented is real or fake

Authentication techniques usually take advantage of any of the following four factors to authenticate access to information:

1. Possession factor: something you have that grants access to information
Ex. Smartcard, token, etc.

2. Biometric factor: something that you are that identifies you uniquely
Ex. Fingerprint, face print, DNA, etc.


3. Knowledge factor: something you know that is secret
Ex. Password, username, etc.

4. Integrity factor: something that allows the authentication routines to authenticate your actions after you are admitted access
Ex. Message authentication codes (MACs)
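The integrity factor above, shown as an added example that is not part of the original presentation: once a user is admitted, each later action carries a message authentication code computed with a per-session key, so the system can authenticate the action itself and reject altered or replayed ones. The function names, the counter-plus-action message layout and the sample actions are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import struct


def issue_session_key() -> bytes:
    """Hypothetical helper: random key handed out once the user is admitted."""
    return secrets.token_bytes(32)


def tag_action(key: bytes, counter: int, action: bytes) -> bytes:
    """HMAC-SHA256 over a counter plus the action, so a tag cannot be reused."""
    msg = struct.pack(">Q", counter) + action
    return hmac.new(key, msg, hashlib.sha256).digest()


class ActionVerifier:
    """Server side: accepts each counter value once, in increasing order."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def verify(self, counter: int, action: bytes, tag: bytes) -> bool:
        if counter <= self._last_counter:            # replayed or reordered action
            return False
        expected = tag_action(self._key, counter, action)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        self._last_counter = counter
        return True


def demo() -> list:
    key = issue_session_key()
    server = ActionVerifier(key)
    action = b"transfer:account=1001;amount=50"      # constructed sample action
    tag = tag_action(key, 1, action)
    return [
        server.verify(1, action, tag),                                # genuine
        server.verify(1, action, tag),                                # replayed
        server.verify(2, b"transfer:account=1001;amount=5000", tag),  # altered
        server.verify(2, action, tag_action(b"x" * 32, 2, action)),   # wrong key
        server.verify(2, b"logout", tag_action(key, 2, b"logout")),   # next genuine
    ]


if __name__ == "__main__":
    print(demo())
```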


Authentication techniques can be used either directly with information or as a part of information system

Verification is the one-to-one process of matching the user by name against an authentication template maintained by a trusted third party, and providing the authentication status


My Question……?


Answer

The model is designed from the inside out and tested from the outside in. It means that information is at the core of the model and the most reliable protection elements of the plan are placed closest to it. Penetration by attackers occurs from the outside in; this concept is known as defense in depth.