Today’s Lecture Covers Chapter 6 - IS Security Dsheehy@grantthornton.ca

Upload: mitchell-singleton

Post on 30-Dec-2015


TRANSCRIPT

Page 1: Today’s Lecture Covers < Chapter 6 - IS Security Dsheehy@grantthornton.ca

Today’s Lecture Covers

Chapter 6 - IS Security

Dsheehy@grantthornton.ca

Page 2

Security

The system is protected against unauthorized physical and logical access.

Page 3

A typical network today?

[Figure: network diagram with the labels Internet, External Router, Corporate Backbone, e-Business Network, Human Resources, Payroll - Accounting, AP Cyberwall, IP Firewall, DMZ, Internal Firewall and DMZ Systems]

Page 4

Control over Info Transmission

procedures to protect inbound and outbound information

network design should incorporate information integrity, confidentiality and availability requirements for transmissions

network implementation and config mgt need to be controlled

Page 5

Control over Data Mgt

roles and responsibilities for data mgt needed

database design and implementation need to address security, integrity and control requirements

also incorporate reliability and availability requirements

Page 6

Control over End-Using Computing

procedures to ensure that end-users conform with organizational strategy

stds for development, acquisition, documentation and operation of applications procedures.

Effective support and training

monitoring end-using computing

Page 7

The issue of IT Security

must identify risks and design effective security processes and practices

not too much security - causes rule breaking to do job

balance between enabling staff and others to access easily and efficiently and controlling that access

Page 8

Security Controls - to prevent

unauthorized access to IS by outsiders

unauthorized access to IS by insiders

interruptions in processing

at application level (into each program) and general level (e.g., electronic access, physical security, back-up and recovery and contingency planning)

Page 9

To meet Security Objectives

need an integrated approach:

develop policies

assign roles and responsibilities and communicate them

design a security control framework

implement on risk-prioritized and timely basis

monitor

Page 10

Broad Organizational Issues

policies and stds

risk assessment

plan, design, test and implement

user and mgt involvement

monitor and update

Page 11

Policies & Stds

responsibility of all personnel

roles and responsibilities for security administrator

classify systems and data in terms of sensitivity

role of I/A

Page 12

Risk Assessment

analyze risks and exposures

assess what is acceptable

need to understand potential losses

Page 13

Plan, Design, Test and Implement

assess what is needed

test - ensure authorized accepted/unauthorized rejected

access time is reasonable

audit trails are adequate

Page 14

Monitoring and Update

need logs

need to ensure controls up to date

adequate resources

Page 15

Physical Access Controls

Safeguard against physical abuse, damage and destruction.

Isolation and restriction - use locks, effective key management, video, sensing devices

Page 16

Communication Access Controls

Firewalls - hardware and software between 2 networks; all traffic must go through it, only authorized traffic may pass, and it is protected from tampering

Simplifies security mgt - only have to manage single point

Page 17

Communication Access Controls

can hide internal network since no direct outside connection

can limit damage of security breaches

do not protect against insider attacks

often ineffective with viruses

do not protect against other connections that bypass firewall

Page 18

Communication Access Controls

Packet filter gateway - router between 2 gateways, either forwards or blocks packets (less secure than firewall)

Application gateway - all packets are addressed to a user layer application at the gateway that relays them between 2 communication points

Page 19

Communication Access Controls

use proxies to prevent a direct connection between external and internal networks

acts as middleman - decides whether traffic is secure between the hosts, forwards only secure traffic

Stateful inspection - all packets queried + application, user and transportation method queried - both the state of the transmission and the context in which it is used cannot deviate from expectations; otherwise rejected
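
An added example (not from the original slides) contrasting the packet filter gateway and stateful inspection described above: the stateless rule forwards any inbound packet that is shaped like an HTTPS reply, while the stateful check also requires the packet to fit a connection that an internal host opened. The Packet fields, rule set, state names and addresses are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed traffic model; field names and addresses are assumptions for this example.
Packet = namedtuple("Packet", "src sport dst dport flags outbound")

def packet_filter(p):
    """Stateless gateway: forward or block on this packet's header alone."""
    if p.outbound:
        return p.dport == 443                    # staff may reach HTTPS servers
    return p.sport == 443 and p.dport >= 1024    # anything shaped like a reply

# (tracked state, outbound?, TCP flags) -> next state; any other combination is rejected
TRANSITIONS = {
    ("NEW", True, "SYN"): "SYN_SENT",
    ("SYN_SENT", False, "SYN-ACK"): "SYN_ACKED",
    ("SYN_ACKED", True, "ACK"): "ESTABLISHED",
    ("ESTABLISHED", True, "ACK"): "ESTABLISHED",
    ("ESTABLISHED", False, "ACK"): "ESTABLISHED",
}

class StatefulInspector:
    """Applies the same header rules, then checks the packet against connection state."""
    def __init__(self):
        self.conns = {}   # (inside host, port, outside host, port) -> state

    def inspect(self, p):
        if not packet_filter(p):
            return False
        key = (p.src, p.sport, p.dst, p.dport) if p.outbound \
            else (p.dst, p.dport, p.src, p.sport)
        nxt = TRANSITIONS.get((self.conns.get(key, "NEW"), p.outbound, p.flags))
        if nxt is None:
            return False                          # deviates from expected state
        self.conns[key] = nxt
        return True

def compare(packets):
    """Return (packet filter verdict, stateful verdict) for each packet in order."""
    fw = StatefulInspector()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]

SAMPLE = [  # constructed: one normal HTTPS handshake, then two unsolicited packets
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "SYN", True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SYN-ACK", False),
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "ACK", True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "ACK", False),
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, "ACK", False),
    Packet("203.0.113.10", 443, "10.0.0.6", 50001, "SYN-ACK", False),
]
```

Calling `compare(SAMPLE)` gives both verdicts per packet; the last two packets pass the header-only rule but are rejected once connection state is taken into account.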

Page 20

Dial-Up Lines

Modem lines create problems

use callback modems, terminal authentication devices (identify terminal as authentic before connecting), passwords, encryption, human hook-ups, warnings and look at communication bills

Page 21

Encryption

coding messages

rely on mathematical algorithms

private key system - receiver must know what key is used to encipher message. Such keys must be protected

public key system - use 2 keys; encipher key is made public, different key used to decipher

Page 22

Electronic Access Controls - first classify info

sensitivity - need to classify information as to confidentiality and access rights

access time requirements - classify according to range of tolerable access times - for example, many users may need to access certain files at a particular time

authorized users - on a need-to-know basis

Page 23

Access management

identification process - use userids

personal characteristic userids - name - easily transferred but easy to guess; also little privacy

functional characteristic id - based on job, no need for personal id, more privacy - however, if someone transfers, must give new id

no association ids - arbitrary - best privacy and can use if transferred

Page 24

Access management

authentication - obtaining proof that user is who he/she says he/she is

plastic magnetic-strip cards - ATM cards, carry fixed password (PIN), can be stolen/duplicated

smart cards - contain processor that allows card to interact with number of control devices and define boundary of each specific access

biometric devices - fingerprints, hand geometry, eye retina patterns

Page 25

Access management

passwords - traditional for log-on procedure

system-generated - randomly generated are harder to guess - problem is they are not really random and are meaningless to users, who therefore write them down, which makes them easier to find

user-selected - has meaning but often easier to guess

word association password - use cue lists that only user should know - too much computer space req'd, must be uniform

Page 26

Access management

Increased use of single sign-on - authenticate once across multiple platforms; must be very careful due to potential access hazard

Could also use profile management - allocate standard access privileges to users based on their group, rather than on an individual basis; reduces admin costs and allows easier access and rule setting

Page 27

Access management

access control software - allows controlled access - locks out illegitimate users