data security and cryptology, iii vulnerabilities of information assets. appliable safeguards...
TRANSCRIPT
![Page 1: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/1.jpg)
Data Security and Cryptology, III
Vulnerabilities of Information Assets. Appliable Safeguards
Data Security and Cryptology, III
Vulnerabilities of Information Assets. Appliable Safeguards
September 17th, 2014
Valdo Praust
Lecture Course in Estonian IT CollegeAutumn 2014
September 17th, 2014
Valdo Praust
Lecture Course in Estonian IT CollegeAutumn 2014
![Page 2: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/2.jpg)
Components of Information Security
Infortmation security (infoturve) or data security (andmeturve) is a complex concept consisting of following three properties (security goals):• information availability (käideldavus)• information integrity (terviklus)• information confidentiality (konfidentsiaalsus)
Infortmation security (infoturve) or data security (andmeturve) is a complex concept consisting of following three properties (security goals):• information availability (käideldavus)• information integrity (terviklus)• information confidentiality (konfidentsiaalsus)
These three properties – called branches or goals of secrity – must be maintained for all information/data items we possess
![Page 3: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/3.jpg)
Standard Model of Security Harming1. Threats (ohud) influence the data (via IT assets)
2. Threats use the vulnerabilities (nõrkused, turvaaugud) of IT assets or components of IT system
3. Threats with co-influence the vulnerabilites will determine the risk or security risk (risk, turvarisk)
4. When a certain risk realises, there will appear a security loss or security breach or security incident (turvakadu, turvarike, turvaintsident)
5. In order to minimize the risks there’s necessary to minimise vulnerabilities using safeguards of security measures (turvameetmeid)
![Page 4: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/4.jpg)
Harming of Security
![Page 5: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/5.jpg)
Influence of Safeguard(s)
![Page 6: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/6.jpg)
Security and Residual Risk
Instead of absolute security usually the concept acceptable residual risk by the business process ((äriprotsessi jaoks) aktsepteeritav jääkrisk) is used
NB! It does not matter how many safeguards we implement, we never achieve the absolute security. If we implement more safeguards we only minimise the probability that security (availability, integrity of confidentiality) will be harmed but it will never fall into zero
NB! It does not matter how many safeguards we implement, we never achieve the absolute security. If we implement more safeguards we only minimise the probability that security (availability, integrity of confidentiality) will be harmed but it will never fall into zero
An acceptable residual risk is a situation where the total price of all implemented safeguards is approximately equal to the forecasted total loss of security (measured by the amount of money)
![Page 7: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/7.jpg)
Economical View of Data Security
![Page 8: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/8.jpg)
Peculiarities of Securing Digital Data• Cryptography is a very essential tool for achieving
both confidentiality and integrity. The metods for archiving confidentiality and integrity are completly different from the methods used in the paper document practice
• The essential part is an authentication (in a front of computer or information system) – ensuring for a technical device/entity, who is using it (which is usually followed by granting appropriate right for executing, reading, writing etc. access)
• Availability is often ensured by the network (Intrenet). Several distributed client-server systems are very wide-spread
![Page 9: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/9.jpg)
The Role of Cryptography
This basic technique can be used:
• For ensuring the confidentiality – without the key it’s impossible to decipher the data, i.e. to get the information beared by the (encrypted) data
• For ensuring the integrity – without a special private key it’s impossible to change the data without the notice. It allows to associate the data with the certaing subjects (it also a basic principle of digital signature)
Encryption or enciphering (krüpteerimine, šifreerimine) is a technique where data are converted to the certain non-readable form. The converting process usually uses a special amount of data which are usually kept secret – a key (võti)
![Page 10: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/10.jpg)
1. Spontaneous or accidential threats (stiihilised ohud):• environmental threats (keskkonnaohud)• technical failures and defects (tehnilised
ohud ja defektid)• human threats and failures (inimohud)
2. Deliberate acts or attacks (ründed) which are characterized by a clear intentional (human) activity (selge tahtlik (inim)tegevus)
Threats Classification by the Source
![Page 11: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/11.jpg)
Spontaneous or Accidential Threats
Spontaneous (accidential) threats (stiihilised ohud) can be caused by:
• the force majeure (vääramatu (looduslik) jõud), which can be both occasional (lightning, flooding) or regular (wearing, material fatigue, contamination etc)
• human failures (inimvead) which can caused by inadequate skills, negligence, mis-management, environmental factors etc
![Page 12: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/12.jpg)
Attacks
Attacks or deliberate acts (ründed) are always based on humans who make a certain intended or deliberate action (sihilik tegevus) to harm the security goals (lead by a personal interest, private or state intelligence, hooliganism etc)
Attacks or deliberate acts (ründed) are always based on humans who make a certain intended or deliberate action (sihilik tegevus) to harm the security goals (lead by a personal interest, private or state intelligence, hooliganism etc)
Attacks are usually classified by the attack sources, attacking methods and attackable objects
![Page 13: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/13.jpg)
Sources of Attack1. Authorized users of IT systems
Available stastics show that they are the most important source. Main motives:• providing illegal (financial) profit• revenge of hired/harried people• political / ideological
2. Intelligence (economical, state-based, military etc) agents
3. Crackers, often also mis-called hackers (kräkkerid, häkkerid) an increasing factor
4. Other (in Estonia mainly criminal element)
![Page 14: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/14.jpg)
1. Instant contact with an attackable object (IT component/device, personal, infrastrcture etc)
2. Networks (mass-used for all client-server systems). The most common attacking way (channel)
3. Portable data carriers (memory sticks etc) – were historically important but during last years are again very actual
Attack Channels
![Page 15: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/15.jpg)
Vulnerabilities
Vulnerabilities (nõrkused ehk turvaaugud) are all such a properties of a protectable object through which (security) threats can be realised
Vulnerabilities (nõrkused ehk turvaaugud) are all such a properties of a protectable object through which (security) threats can be realised
Can be divied to:• infrastructure vulnerabilities• IT vulnerabilities• personal-related vulnerabilities• organisational vulnerabilities
![Page 16: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/16.jpg)
Infrastructure Vulnerabilites
1. Unfavorable (physical) location of a protectable object
Increases realisation probabilities of several threats
2. Primitive or depreciated infrastructure
Doesn’t allow to implement several sefaguards (mainly physical and IT-related sefaguards)
![Page 17: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/17.jpg)
IT(-related) Vulnerabilities• limited resources
• false installation of equipment or connection lines
• errors, defects and/or undocumented features of software (hardware)
• shortcomings of protocols (incl. communication protocols)
• shortcomings of data management
• inconvenience of safeguards (NB! Safeguards can’t heavily impair a normal work (normal availability)
![Page 18: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/18.jpg)
Personal-related Vulnerabilities
• incorrect procedures (often due to ignorance or convenience, often systematic)
• ignorance and lack of motivation (as a rule extends to all employees of the organization)
• ignoring the safeguards (both intentionally and negligently)
![Page 19: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/19.jpg)
Organisational Vulnerabilities• Deficiencies of work organization (rules, adapting to
new circumstances etc)• Shortcomings of resource management (computers,
communications, maintenance, testing, storage media, etc.)
• Incomplete documentation (of IT equipment, communicatimperfectnesses of safeguard selection ion lines, data storage, etc.)
• Incomplete inplementation (safeguards are implemented incorrectly, in the wrong place / configuration etc)
• Shortcomings of safeguards management (monitoring, audit etc)
![Page 20: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/20.jpg)
Interaction Between Threats and Vulnerabilities
Main rule: threats always exploit some vulnerabilities typical to them
Main rule: threats always exploit some vulnerabilities typical to them
Information system security as a whole is weaker so far:
• the probability of threats is bigger
• there are more vulnerabilities exploitable by the threats and these vulnerabilitires are more seroius
![Page 21: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/21.jpg)
Safeguards (Security Measures)
Safeguards (turvameetmed):
• enable to minimize vulnerabilities
• through minimizing of vulnerabilities enable to minimize the residual risk
![Page 22: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/22.jpg)
Classification of Safeguards
• by the purpose (prevents threat, frightens attask, repairs defect etc)
• by the influented security component/goal (availability, integrity, confidentiality)
• by the type of (harmable) IT asset
• mean of implementation or realisation (procedure, technical equipment, program, building construction etc)
• by the strength of security
Safeguards (turvameetmed) can by classified differently:
![Page 23: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/23.jpg)
Purpose of Safeguards
By porpore the safeguards are divided to:• preventive safeguards (profülaktilised
meetmed)• identifying safeguards (tuvastusmeetmed)• reconstructive safeguads (taastemeetmed)
Several safeguards are polyfunctional (for example error correcting code)
![Page 24: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/24.jpg)
Preventive SafeguardsPreventive safeguards (profülaktilised turvameetmed) enable to prevent security incidents: • to minimize vulnerabilities• to prevent attacks• to minimize security risk probabilities• to decrease the influence of security incidents to
IT assets• to facilitate site (object) restoration
Can be divided into three categories:• reinforcable safeguards (tugevdusmeetmed)• scaring safeguards (peletusmeetmed)• separative safeguards (eraldusmeetmed)
![Page 25: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/25.jpg)
Reinforcable Safeguards
Reinforcable safeguards (tugevdusmeetmed) will influence mainly the minimizing of security risk caused by the spontaneous threats
Reinforcable safeguards (tugevdusmeetmed) will influence mainly the minimizing of security risk caused by the spontaneous threats
Will consists of:• order or systematicness (kord)• working conditions
(töötingimused)• preventive check (ennetav
kontroll)• security awareness
(turvateadlikkus)
![Page 26: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/26.jpg)
Examples:• internal rules• accurate job descriptions• standards• regular maintenance of infrastructure and
facilities• established procurement procedures• documentation of equipment• labeling of date carries and cables • version management • resource management• security policies, security plans, security
guidelines etc
Reinforcable Safeguards: Order
![Page 27: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/27.jpg)
• micro-climate (temperature, humidity, air cleanliness)
• ergonomic design and layout of workplace
• corporartive social climate, positive human relations
• corporative promotion and career principles
Reinforcable Safeguards: Working Conditions
![Page 28: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/28.jpg)
Reinforcable Safeguards: Preventive Check
• verification and testing of IT products and security mechanisms
• regular monitoring of IT security-related information
• test-attacks of safeguards and security mechanisms
• auditing of IT systems (by standard methodics)
![Page 29: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/29.jpg)
Main branches: • suitable choosing of
employees• regular training of
employees• regular (and irrregular)
awaring events• test alarms
Reinforcable Safeguards: Sacurity Awareness
![Page 30: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/30.jpg)
Scaring SafeguardsScaring safeguards (peletusmeetmed) minimize the probability of attacking attempts. Scaring influence is often a useful additional feature of a safeguard - the mere knowledge about safeguards often reduces the risk (especially in the cases where the expected yield for an attacker can’t compensate the risk)
Scaring safeguards (peletusmeetmed) minimize the probability of attacking attempts. Scaring influence is often a useful additional feature of a safeguard - the mere knowledge about safeguards often reduces the risk (especially in the cases where the expected yield for an attacker can’t compensate the risk)
Examples:• different sanctions (legal etc)• warning signs on documents, data carriers, gates, walls,
doors, etc.visible safeguards - a guard, a camera, illumination of the territory, security doors, card locks etc
![Page 31: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/31.jpg)
Saparative SafeguardsSeparative safeguards (eraldusmeetmed) fend off mainly the attacks. They usually defend all aspects of security (availability, integrity, confidentiality)
Separative safeguards (eraldusmeetmed) fend off mainly the attacks. They usually defend all aspects of security (availability, integrity, confidentiality)
Can be divided into:• spatial isolation (ruumiline isoleerimine)• temporal isolation (ajaline isoleerimine)• logical isolation (loogiline isoleerimine)
![Page 32: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/32.jpg)
Spatial Isolation• using different computers for the
data of different security levels• using different data carriers to
store the data of different security levels (with different authorized users)
• using separate lines for a data of different security levels
• using separate rooms for storing the documents of different security levels
![Page 33: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/33.jpg)
Temporal Isolation• using a computer at different
times for a data of different level of security
• using different software at different times on the same computer
• using of (office) rooms at different times for the events of different sensitivity
![Page 34: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/34.jpg)
Logical IsolationLogical isolation (loogiline isoleerimine) is the dividing of IT assets (for example: data) into the small elements that can be treated separately and/or grouped together
Logical isolation (loogiline isoleerimine) is the dividing of IT assets (for example: data) into the small elements that can be treated separately and/or grouped together
Realisation:• access control (password protection,
card lock etc)• service broker (eg, firewall, database
query processor)• securing (encrypting, hiding,
destroying, erasing etc)
![Page 35: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/35.jpg)
Identifying SafeguardsBy the minimization of security loss we tend towards the following goals• avoiding the security incident• operative identifying the incident• registrating the incident (and identifying it later)• to proving the incident later
Identifying safeguards (avastavad turvameetmed) can be divided to:• operative identification (operatiivtuvastus)• post-identification (järeltuvastus)• evidence-based identification (tõendtuvastus)
![Page 36: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/36.jpg)
Operative IdentificationOperative identification (operatiivtuvastus) involves methods which are able to identify security incidents as soon as they occur, and respond to them immediately
Operative identification (operatiivtuvastus) involves methods which are able to identify security incidents as soon as they occur, and respond to them immediately
Examples:• guard, fire and security alarm, environmental
monitoring etc• warning message caused by the blocked
(prohibited) operations, false authentication attempt etc
• debugging of software
![Page 37: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/37.jpg)
Post-Identification
Post-identification (järeltuvastus) bases on registration of the events and proving the security incident later by them
Post-identification (järeltuvastus) bases on registration of the events and proving the security incident later by them
Examples: • logfiles of computers and lock systems• several testing and diagnostic tools• different methods of verification, auditing,
testing etc
![Page 38: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/38.jpg)
Evidence-Based Identification
Evidence-based identification (tõendtuvastus) bases on several security elements (which are added to IT assets and data) enabling to check the integrity and/or confidentiality
Evidence-based identification (tõendtuvastus) bases on several security elements (which are added to IT assets and data) enabling to check the integrity and/or confidentiality
Examples:• parity bit, checksum, cryptographic message
digest• digital signature and timestamp• steganographic watermark • physical security elements (visible or low-
noticeable threads, seals, labels etc)
![Page 39: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/39.jpg)
Reconstructive SafeguardsAfter a security incident there’s always necessary to restore the normal operability of a harmed object. It can be done as fast and to a greater extent as the more importance the object (IT asset) has for us
After a security incident there’s always necessary to restore the normal operability of a harmed object. It can be done as fast and to a greater extent as the more importance the object (IT asset) has for us
Main branches of reconstructive safeguards (taastavad turvameetmed) are:• backuping (varundamine)• renovation (ennistamine)• replacing (asendamine)
![Page 40: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/40.jpg)
Backuping
Backuping (varundamine) is the main and more important premise for an any restoring
Backuping (varundamine) is the main and more important premise for an any restoring
Examples:• regular backup of data (once in a day, week
etc)• parallel (backup) computer system• RAID hard disk system
![Page 41: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/41.jpg)
RenovationRenovation (ennistamine) involves the removing of faults, errors and defects
Renovation (ennistamine) involves the removing of faults, errors and defects
Examples:• repairing of IT equipment • repairing and modifying of software using version
management methods• repairing of infastructures (cables, power
supplies etc)• removing of malware (viruses) with anti-virus
software
![Page 42: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/42.jpg)
Replacing
Replacing (asendamine) must be prepared for the cases of non-repairable damages
Replacing (asendamine) must be prepared for the cases of non-repairable damages
Examples:• keeping some PCs and/or laptops in
company’s stock• rapid delivery agreements of IT equipment• substituting plans of employees (for a cases
of illness, vacation, death etc)• backup office rooms (or readiness for rooms)
![Page 43: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/43.jpg)
German BSI IT Baseline Security Method (2005, English version):
• generic aspects• infrastructure• IT systems• network• applications
Classification of Safeguards by IT Assets
![Page 44: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/44.jpg)
ISO and Estonian National Data Security Standard EVS- ISO/IEC 13335:
• physical assets• information / data• software• ability to produce some
product or provide a service• people• intangibles
Classification of Safeguards by IT Assets
![Page 45: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/45.jpg)
Classification of Safeguards by Realization
• organisational safeguards
• physical safeguards
• IT-related sefaguards
The most essential branch is organisational safeguards – without them any physical or IT-related sefaguards has no real influence
The most essential branch is organisational safeguards – without them any physical or IT-related sefaguards has no real influence
![Page 46: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/46.jpg)
Organisational Safeguards
Organisational safeguards (organisatsioonilised turvameetmed) include security administration, security system design, management and security incident handling activities and operations
Organisational safeguards (organisatsioonilised turvameetmed) include security administration, security system design, management and security incident handling activities and operations
Organisational safeguards should be implemented in the first order beginning from security policy formulating, risk analysis and the security plan composing
![Page 47: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/47.jpg)
Organisational Safeguards
... include four main components:
• activities that a certain person must do
• activities which are prohibited for a certain person
• things what happen when someone does something forbidden
• things what happen when someone doesn’t make necessary things
![Page 48: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/48.jpg)
Physical SafeguardsPhysical safeguards (füüsilised turvameetmed) involve:
1. Infrastructure of a protectable object: • structural barriers• communications• heating and air conditioning• security doors and windows, gates etc
2. Mechanical components: locks, signs, packaging, labels etc
Usually physical safeguards involve also guards, employees of entrance building etc
![Page 49: Data Security and Cryptology, III Vulnerabilities of Information Assets. Appliable Safeguards September 17th, 2014 Valdo Praust mois@mois.ee Lecture Course](https://reader036.vdocuments.net/reader036/viewer/2022062421/56649de65503460f94adfc44/html5/thumbnails/49.jpg)
IT-related SafeguardsIT-related Safeguards (infotehnilised turvameetmed) are mainly used for a performing a logical separation and an identification of a security incident
IT-related Safeguards (infotehnilised turvameetmed) are mainly used for a performing a logical separation and an identification of a security incident
Two main branches of practical tools:• software-based access control
to data and IT systems (incl. authentication techniques)
• cryptography means – for achieving of both confidentiality and integrity