Information system security lecture 1.ppt

ranjan317165 10 views 35 slides Aug 22, 2024


Dr. Bhavani Thuraisingham
Introduction to
Information Systems Security
Lecture #1
May 27, 2011

08/22/24 07:22
Outline
• What is Cyber Security?
• What is C. I. A.?
• Ten Major Modules of Cyber Security
• Some Topics in Cyber Security

Cyber Security
• Security traditionally has been about CIA (Confidentiality, Integrity, Availability)
• Security now also includes areas like Trustworthiness, Quality, Privacy
• Dependability includes Security, Reliability and Fault Tolerance
• Initially the term used was Computer Security (Compusec); it then evolved into Infosec (Information Security) to include data and networks; now, with the web, it is called Cyber Security

C. I. A.
• Confidentiality: Preventing unauthorized disclosure
• Integrity: Preventing unauthorized modification
• Availability: Preventing denial of service

Ten Major Modules of Cyber Security
• Information Security and Risk Management
• Access Control
• Security Architecture and Design
• Physical and Environmental Security
• Telecommunications Security
• Cryptography
• Business Continuity Planning
• Legal Regulations, Compliance and Investigations
• Applications Security
• Operations Security

Information Security and Risk Management
• Security Management
• Security Administration
• Organizational Security Model
• Information Risk Management
• Risk Analysis
• Policies, Standards, Guidelines, Procedures
• Information Classification
• Layers of Responsibility
• Security Awareness Training

Access Control
• Security Principles
• Identification, Authentication, Authorization, Accountability
• Access Control Models
• Access Control techniques
• Access Control Administration
• Access Control Methods
• Access Control Types
• Accountability
• Access Control practices
• Access Control Monitoring
• Threats to Access Control

Security Architecture and Design
• Computer Architecture
• Systems Architecture
• Security Models
• Security Modes of Operation
• Systems Evaluation Methods
• Open vs. Closed Systems
• Enterprise Architecture
• Security Threats

Physical and Environmental Security
• What is Physical Security
• Planning Process
• Protecting assets
• Internal Support Systems
• Perimeter Security
• Other aspects

Telecommunications and Network Security
• Open Systems Interconnection Reference Model
• TCP/IP
• Types of Transmission
• LAN Networking
• Routing Protocols
• Networking Devices
• Networking services and protocols
• Intranets and Extranets
• Metropolitan Area networks
• Remote access
• Wireless technologies
• Rootkits

Cryptography
• History, Definitions and Concepts
• Types of Ciphers
• Methods of Encryption
• Type of Asymmetric Systems
• Message Integrity
• PKI
• Key Management
• Link / End-to-end Encryption
• Email standards
• Internet security
• Attacks

Legal Regulation and Compliance Investigation
• Cyber law and Cyber crime
• Intellectual property law
• Privacy
• Liability and Ramifications
• Digital Forensics and Investigations
• Ethics

Applications Security
• Software and applications security issues
• Database Security
• Secure systems development
• Application development and security
• Object-oriented systems and security
• Distributed computing and security
• Expert systems and security
• Web security
• Mobile code
• Patch management

Operations Security
• Role of the Operations Department
• Administrative Management
• Assurance Levels
• Configuration management
• Media Controls
• Data Leakage
• Network and Resource Availability
• Mainframes
• Email Security
• Vulnerability testing

Introduction to Cyber Security
• Operating Systems Security
• Network Security
• Designing and Evaluating Systems
• Web Security
• Data Mining for Malware Detection
• Other Security Technologies

Operating System Security
• Access Control
  - Subjects are Processes and Objects are Files
  - Subjects have Read/Write Access to Objects
  - E.g., Process P1 has read access to File F1 and write access to File F2
• Capabilities
  - Processes must possess certain Capabilities / Certificates to access certain files to execute certain programs
  - E.g., Process P1 must have capability C to read file F

Mandatory Security
• Bell and La Padula Security Policy
  - Subjects have clearance levels, Objects have sensitivity levels; clearance and sensitivity levels are also called security levels
  - Unclassified < Confidential < Secret < TopSecret
  - Compartments are also possible
  - Compartments and Security levels form a partially ordered lattice
• Security Properties
  - Simple Security Property: Subject has READ access to an object if the subject’s security level dominates that of the object
  - Star (*) Property: Subject has WRITE access to an object if the subject’s security level is dominated by that of the object
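
The dominance relation and the two properties on this slide, written out as an added Python example (not part of the original lecture). The compartment names, subjects and objects are constructed for illustration; labels whose compartments differ are incomparable, which is what makes the ordering partial.

```python
from dataclasses import dataclass

# Total order on levels, as given on the slide.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

@dataclass(frozen=True)
class Label:
    """A security level plus a (possibly empty) set of compartments."""
    level: str
    compartments: frozenset = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """a dominates b: a's level is >= b's AND a holds every compartment of b."""
    return (LEVELS[a.level] >= LEVELS[b.level]
            and a.compartments >= b.compartments)

def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property: READ only if the subject dominates the object."""
    return dominates(subject, obj)

def can_write(subject: Label, obj: Label) -> bool:
    """Star (*) Property: WRITE only if the object dominates the subject."""
    return dominates(obj, subject)

def access_matrix(subjects: dict, objects: dict) -> dict:
    """Map (subject name, object name) to 'rw', 'r-', '-w' or '--'."""
    return {
        (s, o): ("r" if can_read(sl, ol) else "-") + ("w" if can_write(sl, ol) else "-")
        for s, sl in subjects.items()
        for o, ol in objects.items()
    }

# Constructed sample labels (hypothetical names).
SUBJECTS = {
    "analyst": Label("Secret", frozenset({"NUCLEAR"})),
    "clerk": Label("Unclassified"),
}
OBJECTS = {
    "report": Label("Secret", frozenset({"NUCLEAR"})),
    "memo": Label("Confidential"),
    "crypto_file": Label("Confidential", frozenset({"CRYPTO"})),
}

if __name__ == "__main__":
    for pair, rights in access_matrix(SUBJECTS, OBJECTS).items():
        print(pair, rights)
```

The analyst gets no access at all to crypto_file even though Secret is above Confidential, because neither label dominates the other.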

Covert Channel Example
• Trojan horse at a higher level covertly passes data to a Trojan horse at a lower level
• Example:
  - File Lock/Unlock problem
  - Processes at Secret and Unclassified levels collude with one another
  - When the Secret process locks a file and the Unclassified process finds the file locked, a 1 bit is passed covertly
  - When the Secret process unlocks the file and the Unclassified process finds it unlocked, a 1 bit is passed covertly
  - Over time the bits could contain sensitive data

Steps to Designing a Secure System
• Requirements, Informal Policy and model
• Formal security policy and model
• Security architecture
  - Identify security critical components; these components must be trusted
• Design of the system
• Verification and Validation
• End to End Security?
• Building a Secure System with Untrusted Components

Product Evaluation
• Orange Book
  - Trusted Computer Systems Evaluation Criteria
• Classes C1, C2, B1, B2, B3, A1 and beyond
  - C1 is the lowest level and A1 the highest level of assurance
  - Formal methods are needed for A1 systems
• Interpretations of the Orange Book for Networks (Trusted Network Interpretation) and Databases (Trusted Database Interpretation)
• Several companion documents
  - Auditing, Inference and Aggregation, etc.
• Many products are now evaluated using the Federal Criteria

Network Security
• Security across all network layers
  - E.g., Data Link, Transport, Session, Presentation, Application
• Network protocol security
  - Verification and validation of network protocols
• Intrusion detection and prevention
  - Applying data mining techniques
• Encryption and Cryptography
• Access control and trust policies
• Other Measures
  - Prevention from denial of service, Secure routing, ...

Data Security: Access Control
• Access Control policies were developed initially for file systems
  - E.g., Read/write policies for files
• Access control in databases started with the work in System R and Ingres Projects
  - Access Control rules were defined for databases, relations, tuples, attributes and elements
  - SQL and QUEL languages were extended
    - GRANT and REVOKE Statements
    - Read access on EMP to User group A Where EMP.Salary < 30K and EMP.Dept <> Security
  - Query Modification:
    - Modify the query according to the access control rules
    - Retrieve all employee information where salary < 30K and Dept is not Security
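
Query modification for the EMP rule on this slide, as an added Python/SQLite example (not from the original lecture and not System R or Ingres code). The rule table, function names and employee rows are constructed; the user's column list and WHERE text are assumed to come from an already parsed and validated query, with values passed as parameters.

```python
import sqlite3

# Hypothetical rule table: (user group, relation) -> predicate limiting read access.
RULES = {("A", "EMP"): "Salary < 30000 AND Dept <> 'Security'"}

def modify_query(group, relation, columns="*", where=None):
    """Rewrite a read query by AND-ing the group's access rule onto it.

    Default deny: a group with no rule for the relation gets no query at all.
    The user's own condition is parenthesized so an OR inside it cannot
    widen the result beyond what the rule allows.
    """
    rule = RULES.get((group, relation))
    if rule is None:
        raise PermissionError(f"group {group} has no read access on {relation}")
    clauses = [f"({rule})"]
    if where:
        clauses.insert(0, f"({where})")
    return f"SELECT {columns} FROM {relation} WHERE " + " AND ".join(clauses)

def run_as(conn, group, relation, columns="*", where=None, params=()):
    """Execute the modified query on behalf of a user group."""
    sql = modify_query(group, relation, columns, where)
    return conn.execute(sql, params).fetchall()

def sample_db():
    """In-memory EMP relation with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMP (Name TEXT, Dept TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO EMP VALUES (?, ?, ?)", [
        ("Ann", "Sales", 25000),
        ("Bob", "Security", 20000),
        ("Cy", "Sales", 45000),
        ("Dee", "HR", 28000),
    ])
    return conn

if __name__ == "__main__":
    db = sample_db()
    print(modify_query("A", "EMP", "Name", "Dept = 'HR'"))
    print(run_as(db, "A", "EMP", "Name"))
```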

Multilevel Secure Data Management
• What is MLS/DBMS?
  - Users are cleared at different security levels
  - Data in the database is assigned different sensitivity levels: multilevel database
  - Users share the multilevel database
  - MLS/DBMS is the software that ensures that users only obtain information at or below their level
  - In general, a user reads at or below his level and writes at his level
• Need for MLS/DBMS
  - Operating systems control access to files; coarser grain of granularity
  - Database stores relationships between data
  - Content, Context, and Dynamic access control
  - Traditional operating systems access control to files is not sufficient
  - Need multilevel access control for DBMSs

Inference Problem
• Inference is the process of forming conclusions from premises
• If the conclusions are unauthorized, it becomes a problem
• Inference problem in a multilevel environment
• Aggregation problem is a special case of the inference problem: a collection of data elements is Secret but the individual elements are Unclassified
• Association problem: attributes A and B taken together are Secret; individually they are Unclassified

Security Threats to Web/E-commerce
[Diagram] Security Threats and Violations:
• Access Control Violations
• Integrity Violations
• Fraud
• Denial of Service / Infrastructure Attacks
• Sabotage
• Confidentiality, Authentication, Nonrepudiation Violations

Intrusion Detection / Malware Detection
• An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”.
• Attacks are: Host-based attacks; Network-based attacks
• Intrusion detection systems are split into two groups:
  - Anomaly detection systems; Misuse detection systems
• Use audit logs: Capture all activities in network and hosts.
• Mine the Audit Logs
• Malware: Virus, Worms, Trojan Horses, ...
• Malware changes patterns; need data mining techniques to detect novel classes

Some Security Technologies
• Digital Identity Management
• Digital Forensics
• Digital Watermarking
• Risk/Cost Analysis
• Biometrics
• Other Applications

Digital Identity Management
• Digital identity is the identity that a user has to access an electronic resource
• A person could have multiple identities
  - A physician could have an identity to access medical resources and another to access his bank accounts
• Digital identity management is about managing the multiple identities
  - Manage databases that store and retrieve identities
  - Resolve conflicts and heterogeneity
  - Make associations
  - Provide security
• Ontology management for identity management is an emerging research area

Digital Identity Management - II
• Federated Identity Management
  - Corporations work with each other across organizational boundaries with the concept of federated identity
  - Each corporation has its own identity and may belong to multiple federations
  - Individual identity management within an organization and federated identity management across organizations
• Technologies for identity management
  - Database management, data mining, ontology management, federated computing

Digital Forensics
• “Digital forensics, also known as computer forensics, involved the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca
• Digital evidence may be used to analyze cyber crime (e.g., worms and viruses), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)
• Objective of Computer Forensics: To recover, analyze and present computer based material in such a way that it is usable as evidence in a court of law

Steganography and Digital Watermarking
• Steganography is about hiding information within other information
  - E.g., hidden information is the message that terrorists may be sending to their peers in different parts of the world
  - Information may be hidden in valid texts, images, films etc.
  - Difficult to be detected by the unsuspecting human
• Steganalysis is about developing techniques that can analyze text, images, video and detect hidden messages
  - May use data mining techniques to detect hidden patterns
• Steganography makes the task of the Cyber crime expert difficult as he/she has to analyze for hidden information
  - Communication protocols are being developed

Steganography and Digital Watermarking - II
• Digital watermarking is about inserting information without being detected for valid purposes
  - It has applications in copyright protection
  - A manufacturer may use digital watermarking to copyright a particular music or video without being noticed
  - When music is copied and copyright is violated, one can detect who the real owner is by examining the copyright embedded in the music or video

Risk/Cost Analysis
• Analyzing risks
  - Before installing a secure system or a network one needs to conduct a risk analysis study
  - What are the threats? What are the risks?
  - Quantitative approach: Events are ranked in the order of risks and decisions are made based on the risks
  - Qualitative approach: estimates are used for risks
• Security vs Cost
  - If risks are high and damage is significant then it may be worth the cost of incorporating security; if risks and damage are not high, then security may be an additional cost burden
  - Develop cost models
  - Cost vs. Risk/Threat study

Biometrics: Overview
• Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic
• Features measured: Face, Fingerprints, Hand geometry, handwriting, Iris, Retinal, Vein and Voice
• Identification and personal certification solutions for highly secure applications
• Biometrics replaces Traditional Authentication Methods
  - Provides better security; More convenient; Better accountability
• Applications: Fraud detection and Fraud deterrence
• Dual purpose: Cyber Security and National Security
• Numerous applications: medical, financial, child care, computer access etc.

Biometrics: Process
• Three steps: Capture-Process-Verification
• Capture: A raw biometric is captured by a sensing device such as fingerprint scanner or video camera
• Process: The distinguishing characteristics are extracted from the raw biometrics sample and converted into a processed biometric identifier record
  - Called biometric sample or template
• Verification and Identification
  - Matching the enrolled biometric sample against a single record; is the person really what he claims to be?
  - Matching a biometric sample against a database of identifiers
• Study the attacks of biometrics systems
  - Modifying fingerprints; Modifying facial features