lec 01-reviswed jan 2011


Upload: jason-guiton

Post on 08-Apr-2018


TRANSCRIPT

Page 1: Lec 01-Reviswed Jan 2011

8/7/2019 Lec 01-Reviswed Jan 2011

http://slidepdf.com/reader/full/lec-01-reviswed-jan-2011 1/52

Data security is ...

• Security is about the protection of assets (for example, your private home):
  – prevention
  – detection
  – reaction
• Data Security is about the protection of the asset called data (for example, data regarding your credit card transactions).

Page 2: Lec 01-Reviswed Jan 2011

Why Data Security?

• 'Sewage' Hacker jailed – 8th May 2002
• Analysts: Insiders may pose security threat – 15th Oct, 2001
• White House DoS attack - May 2001

Page 4: Lec 01-Reviswed Jan 2011

Computer Emergency Reporting Team

Page 5: Lec 01-Reviswed Jan 2011

DDOS Attack

[Figure: Attacker's Controlling Console, Handlers, Agents, Victim Host; traffic labelled Control Traffic and Flood Traffic]

Page 6: Lec 01-Reviswed Jan 2011

Hackers have hijacked the account details of 400,000 Optus Internet dial-up customers.

Page 7: Lec 01-Reviswed Jan 2011

'Waterfall' Model for Secure System Development

• Analyse Threat & Risk
• Write Security Policy
• Design protection mechanism

Page 8: Lec 01-Reviswed Jan 2011

Data Security Goals

• Confidentiality
  – access to data & processes is restricted to authorised people
• Integrity
  – the "system" (hardware + software + facilities + network + people) hasn't been compromised
• Availability
  – continuous/uninterrupted service

Page 9: Lec 01-Reviswed Jan 2011

Data Security Goals

• Non-Repudiation
  – You cannot deny that you have performed some action on the data
• Authentication
  – You can prove your identity or the origin of the data

Page 10: Lec 01-Reviswed Jan 2011

Security Threats

• Interruption
  – When your assets become unavailable
• Interception
  – Some unauthorised party has gained access to your assets
• Modification
  – Some unauthorised party tampers with your assets
• Fabrication
  – Counterfeits of your assets are made

Page 11: Lec 01-Reviswed Jan 2011

Normal Flow

[Figure: Information Source, Information Destination]

Page 12: Lec 01-Reviswed Jan 2011

Interruption

[Figure: Information Source, Information Destination]

Attack on availability

Page 13: Lec 01-Reviswed Jan 2011

Interception

[Figure: Information Source, Information Destination]

Attack on confidentiality

Page 14: Lec 01-Reviswed Jan 2011

Modification

[Figure: Information Source, Information Destination]

Attack on integrity

Page 15: Lec 01-Reviswed Jan 2011

Fabrication

[Figure: Information Source, Information Destination]

Attack on authenticity

Page 16: Lec 01-Reviswed Jan 2011

Defence Mechanisms

[Figure: People, Media, Computer, DATA]

• Involve 3 components in system

Page 17: Lec 01-Reviswed Jan 2011

Defence Mechanisms

• Low Technology
  – Security Policy: A documented plan of action and principles for an organisation
  – Training against deception, blackmail, & "social engineering"
  – Secure disposal of paper & storage media
  – Employee vetting & reference checking
  – Change control + audit trails + follow-up
  – contingency planning + training + rehearsal

Page 18: Lec 01-Reviswed Jan 2011

Defence Mechanisms

• High Technology
  – Ciphers and digital signatures
  – Access control systems
  – Firewalls
  – Tamper-resistant systems
  – Trusted systems

Page 21: Lec 01-Reviswed Jan 2011

Threat & Risk Analysis

• A security policy must incorporate a realistic assessment of threats
  – What is to be protected?
  – What can go wrong?
  – If it goes wrong, how will it affect me?

Page 22: Lec 01-Reviswed Jan 2011

Security Policy

[Figure labels: Security Policy; business needs analysis; asset valuation; risk analysis; impact analysis]

• security policy is a statement of rules
• security is defined by a security policy
• goal of security is to enforce the policy
• "standards" in OSI 7498-2 RFC 2196 & BS 7799 & AS 4444

Page 23: Lec 01-Reviswed Jan 2011

Security Policy

The Proportionality Principle:
• identifying and invoking a set of protective mechanisms and procedures (e.g. data encryption)
• which match the perceived risk to and
• the value of an organization's (information) assets

Page 25: Lec 01-Reviswed Jan 2011

Cryptography

[Figure: People, Media, Computer, DATA]

Page 26: Lec 01-Reviswed Jan 2011

Ciphers

[Figure: the message (plaintext) passes through the encryption algorithm with the encryption key to give the encrypted message (ciphertext); the decryption algorithm with the decryption key returns the original message]

Page 27: Lec 01-Reviswed Jan 2011

A simple example...

plaintext: this message is highly secret

ASCII representation of "t":

0 1 1 1 0 1 0 0   plaintext
1 0 1 1 0 1 0 1   key          (exclusive-OR)
1 1 0 0 0 0 0 1   ciphertext
1 0 1 1 0 1 0 1   key          (exclusive-OR)
0 1 1 1 0 1 0 0   plaintext

Page 28: Lec 01-Reviswed Jan 2011

Categories of ciphers...

• unbreakable ciphers, e.g. Vernam cipher
• computationally secure ciphers
  – symmetric-key ciphers, e.g. DES
  – asymmetric-key ciphers, e.g. RSA
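
The exclusive-OR example from the "A simple example..." slide, worked through in Python as an added example that is not part of the original lecture. It reproduces the slide's bit pattern, shows that a repeated one-byte key maps equal plaintext letters to equal ciphertext bytes, and contrasts that with the unbreakable category's key usage; the function names and the use of `secrets` for key generation are assumptions made for illustration.

```python
import secrets

MESSAGE = b"this message is highly secret"  # plaintext shown on the slide
SLIDE_KEY = bytes([0b10110101])             # 8-bit key shown on the slide


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every data byte with the key, repeating the key when it is shorter."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bits(byte: int) -> str:
    """Render one byte the way the slide does: eight space-separated bits."""
    return " ".join(format(byte, "08b"))


def slide_round_trip():
    """Encrypt with the slide's key, then apply the same key again to decrypt."""
    ciphertext = xor_bytes(MESSAGE, SLIDE_KEY)
    return ciphertext, xor_bytes(ciphertext, SLIDE_KEY)


def repeated_key_leaks_pattern() -> bool:
    """With a one-byte key, equal plaintext letters give equal ciphertext bytes."""
    ciphertext = xor_bytes(MESSAGE, SLIDE_KEY)
    s_positions = [i for i, b in enumerate(MESSAGE) if b == ord("s")]
    return len({ciphertext[i] for i in s_positions}) == 1


def vernam_encrypt(message: bytes):
    """Vernam-style use of XOR: a fresh random key as long as the message."""
    key = secrets.token_bytes(len(message))  # must never be reused
    return key, xor_bytes(message, key)


if __name__ == "__main__":
    ct, pt = slide_round_trip()
    print(bits(MESSAGE[0]), "  plaintext 't'")
    print(bits(SLIDE_KEY[0]), "  key")
    print(bits(ct[0]), "  ciphertext")
    print(pt.decode())
    print("equal letters give equal bytes:", repeated_key_leaks_pattern())
    key, otp_ct = vernam_encrypt(MESSAGE)
    print("one-time key round trip:", xor_bytes(otp_ct, key) == MESSAGE)
```

The same XOR operation is only unbreakable when the key is random, as long as the message, and used once; the slide's single repeated byte is a teaching device, not a usable cipher.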

Page 29: Lec 01-Reviswed Jan 2011

Symmetric-key cipher

[Figure: Plaintext (message) → Encryption (encryption algorithm + key) → Ciphertext (text transmitted over network) → Decryption (decryption algorithm + key) → Plaintext (message); same key; key must be distributed first]

Examples...
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)

Page 30: Lec 01-Reviswed Jan 2011

Asymmetric-key cipher

[Figure: Plaintext (message) → Encryption (encryption algorithm + public key) → Ciphertext (text transmitted over network) → Decryption (decryption algorithm + private key) → Plaintext (message); Receiver's Public Key and Receiver's Private Key are different keys]

Examples: RSA (Rivest, Shamir and Adleman), elliptic-curve cipher

Page 31: Lec 01-Reviswed Jan 2011

Requirements

• E-commerce needs ciphers which are:
  – practical to implement and manage,
  – computationally efficient,
  – computationally secure (highly-effective),
• key management
  – scalability across networks,
  – cost of key distribution (security)
  – cost of key revocation (find and replace every key),

Page 32: Lec 01-Reviswed Jan 2011

Access Control & Authentication

Page 33: Lec 01-Reviswed Jan 2011

Access control and User Authentication

[Figure: People, Media, Computer, DATA]

Page 34: Lec 01-Reviswed Jan 2011

Basic Principles of Authentication

• something you...
  – know
    • e.g. password, PIN
  – have
    • e.g. magnetic-stripe card, smart card
  – can do
    • e.g. signature, encrypt a message
  – are (i.e. distinguishing personal traits)
    • e.g. biometrics
• more effective if used in combinations

Page 36: Lec 01-Reviswed Jan 2011

Network Security

Page 37: Lec 01-Reviswed Jan 2011

Network Security

[Figure: People, Media, Computer, DATA]

Page 38: Lec 01-Reviswed Jan 2011

A view of TCP/IP

[Figure: client PC (Browser, TCP Software, IP Software, Ethernet LAN Software); router (IP Software, Ethernet LAN Software, WAN Software); server (Web server, TCP Software, IP Software, Ethernet LAN Software)]

Page 39: Lec 01-Reviswed Jan 2011

The Secure Sockets Layer

[Figure: client PC (Browser, SSL, TCP Software, IP Software); server (Web server, SSL, TCP Software, IP Software); SSL = Secure Sockets Layer]

Page 40: Lec 01-Reviswed Jan 2011

Firewalls

[Figure: Internal Network (trusted); External Network (untrusted); Firewall; internal router; external router; bastion host]

• filter packets based on IP address
• direct each application to a proxy on the firewall

Page 41: Lec 01-Reviswed Jan 2011

Views on Data Security

• Data security is often inconvenient
• Data security is often not very secure
• Data security is a balance
• People issue more than a technology issue
• Reactive not proactive - sometimes the need for data security is not obvious until it is too late
