lec 01-reviswed jan 2011
TRANSCRIPT
8/7/2019 Lec 01-Reviswed Jan 2011
http://slidepdf.com/reader/full/lec-01-reviswed-jan-2011 1/52
Data security is ...
• Security is about the protection of assets (for example, your private home):
  - prevention
  - detection
  - reaction
• Data Security is about the protection of the asset called data (for example, data regarding your credit card transactions).

Why Data Security?
• 'Sewage' Hacker jailed - 8th May 2002
• Analysts: Insiders may pose security threat - 15th Oct, 2001
• White House DoS attack - May 2001

Computer Emergency Reporting Team

DDOS Attack
[Diagram: Attacker's Controlling Console, Handlers, Agents, Victim Host; Control Traffic, Flood Traffic]

Hackers have hijacked the account details of 400,000 Optus Internet dial-up customers.

'Waterfall' Model for Secure System Development
Analyse Threat & Risk
Write Security Policy
Design protection mechanism

Data Security Goals
• Confidentiality
  - access to data & processes is restricted to authorised people
• Integrity
  - the "system" (hardware + software + facilities + network + people) hasn't been compromised
• Availability
  - continuous/uninterrupted service

Data Security Goals
• Non-Repudiation
  - You cannot deny that you have performed some action on the data
• Authentication
  - You can prove your identity or the origin of the data

Security Threats
• Interruption
  - When your assets become unavailable
• Interception
  - Some unauthorised party has gained access to your assets
• Modification
  - Some unauthorised party tampers with your assets
• Fabrication
  - Counterfeits of your assets are made

Normal Flow
[Diagram: Information Source -> Information Destination]

Interruption
[Diagram: Information Source, Information Destination]
Attack on availability

Interception
[Diagram: Information Source, Information Destination]
Attack on confidentiality

Modification
[Diagram: Information Source, Information Destination]
Attack on integrity

Fabrication
[Diagram: Information Source, Information Destination]
Attack on authenticity

Defence Mechanisms
[Diagram: People, Media, Computer, DATA]
• Involve 3 components in system

Defence Mechanisms
• Low Technology
  - Security Policy: A documented plan of action and principles for an organisation
  - Training against deception, blackmail, & "social engineering"
  - Secure disposal of paper & storage media
  - Employee vetting & reference checking
  - Change control + audit trails + follow-up
  - contingency planning + training + rehearsal

Defence Mechanisms
• High Technology
  - Ciphers and digital signatures
  - Access control systems
  - Firewalls
  - Tamper-resistant systems
  - Trusted systems

Threat & Risk Analysis
• A security policy must incorporate a realistic assessment of threats
  - What is to be protected?
  - What can go wrong?
  - If it goes wrong, how will it affect me?

Security Policy
business needs analysis
• asset valuation
• risk analysis
• impact analysis

Security Policy
• security policy is a statement of rules
• security is defined by a security policy
• goal of security is to enforce the policy
• "standards" in OSI 7498-2, RFC 2196 & BS 7799 & AS 4444

Security Policy
The Proportionality Principle:
• identifying and invoking a set of protective mechanisms and procedures (e.g. data encryption)
• which match the perceived risk to and
• the value of an organization's (information) assets

Cryptography
[Diagram: People, Media, Computer, DATA]

Ciphers
[Diagram: message (plaintext) -> encryption algorithm + encryption key -> encrypted message (ciphertext) -> decryption algorithm + decryption key -> original message]

A simple example...
plaintext: this message is highly secret
ASCII representation of 't', combined with the key by exclusive-OR:

0 1 1 1 0 1 0 0   plaintext ('t')
1 0 1 1 0 1 0 1   key
1 1 0 0 0 0 0 1   ciphertext
1 0 1 1 0 1 0 1   key
0 1 1 1 0 1 0 0   plaintext ('t')

Categories of ciphers...
• unbreakable ciphers, e.g. Vernam cipher
• computationally secure ciphers
• symmetric-key ciphers, e.g. DES
• asymmetric-key ciphers, e.g. RSA

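The exclusive-OR slide and the Vernam cipher named under unbreakable ciphers, as an added example that is not part of the original lecture: it reproduces the slide's byte ('t' with key 10110101), extends it to a whole message with a random key as long as the message, and shows that reusing such a key lets the key cancel out. The function names and the second message are constructed for illustration.

```python
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every data byte with the key byte at the same position."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def slide_example() -> tuple[int, int]:
    """The slide's single byte: 't' XOR key, then XOR the same key again."""
    plaintext = ord("t")          # 0 1 1 1 0 1 0 0
    key = 0b10110101              # key bits shown on the slide
    ciphertext = plaintext ^ key  # 1 1 0 0 0 0 0 1
    return ciphertext, ciphertext ^ key


def vernam_roundtrip(message: bytes) -> tuple[bytes, bytes]:
    """Encrypt with a fresh random key as long as the message, then decrypt."""
    key = secrets.token_bytes(len(message))
    ciphertext = xor_bytes(message, key)
    return ciphertext, xor_bytes(ciphertext, key)


def key_reuse_leak(m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper can compute when one key encrypts two messages."""
    n = min(len(m1), len(m2))
    key = secrets.token_bytes(n)
    c1, c2 = xor_bytes(m1[:n], key), xor_bytes(m2[:n], key)
    # The key cancels out: c1 XOR c2 equals m1 XOR m2, no key required.
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    msg = b"this message is highly secret"    # message from the slide
    other = b"a second constructed message."  # constructed sample input
    print(slide_example())
    print(vernam_roundtrip(msg)[1] == msg)
    print(key_reuse_leak(msg, other) == xor_bytes(msg, other))
```

The "unbreakable" property holds only while the key is random, at least as long as the message, and used once; `key_reuse_leak` shows what is exposed when the last condition is dropped.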
Symmetric-key cipher
[Diagram: Plaintext (message) -> Encryption (encryption algorithm + key) -> Ciphertext (text transmitted over network) -> Decryption (decryption algorithm + key) -> Plaintext (message); same key]
• key must be distributed first
Examples...
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)

Asymmetric-key cipher
[Diagram: Plaintext (message) -> Encryption (encryption algorithm + public key) -> Ciphertext (text transmitted over network) -> Decryption (decryption algorithm + private key) -> Plaintext (message); Receiver's Public Key, Receiver's Private Key, different keys]
Examples: RSA (Rivest, Shamir and Adleman), elliptic-curve cipher

Requirements
• E-commerce needs ciphers which are:
  - practical to implement and manage,
  - computationally efficient,
  - computationally secure (highly-effective),
• key management
  - scalability across networks,
  - cost of key distribution (security)
  - cost of key revocation (find and replace every key),

Access Control & Authentication

Access control and User Authentication
[Diagram: People, Media, Computer, DATA]

Basic Principles of Authentication
• something you...
  - know
    e.g. password, PIN
  - have
    e.g. magnetic-stripe card, smart card
  - can do
    e.g. signature, encrypt a message
  - are (i.e. distinguishing personal traits)
    e.g. biometrics
• more effective if used in combinations

Network Security

Network Security
[Diagram: People, Media, Computer, DATA]

A view of TCP/IP
[Diagram: client PC (Browser, TCP Software, IP Software, Ethernet LAN Software); router (IP Software, Ethernet LAN Software, WAN Software); server (Web server, TCP Software, IP Software, Ethernet LAN Software)]

The Secure Sockets Layer
[Diagram: client PC (Browser, SSL, TCP Software, IP Software); server (Web server, SSL, TCP Software, IP Software); SSL = Secure Sockets Layer]

Firewalls
[Diagram: Internal Network (trusted), internal router, bastion host, external router, External Network (untrusted); Firewall]
• filter packets based on IP address
• direct each application to a proxy on the firewall

Views on Data Security
• Data security is often inconvenient
• Data security is often not very secure
• Data security is a balance
• People issue more than a technology issue
• Reactive not proactive - sometimes the need for data security is not obvious until it is too late