mis jaiswal-chapter-11
TRANSCRIPT
CHAPTER 11 INFORMATION SECURITY MANAGEMENT
Information Security: the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Alternatively: the result of any system of administrative policies and procedures for identifying, controlling, and protecting from unauthorized disclosure information whose protection is authorized by executive order.
Information Security Management
Information Security Management provides:
- a systematic approach to achieving effective information security within an organization;
- a realistic understanding of information security risks and issues facing organizations; and
- effective techniques for matching information security requirements with business requirements.
It consists of various facets: security policy, risk analysis, risk management, contingency planning, and disaster recovery.
Software agents and malicious code
Virus: a program which gets executed whenever a program is run on the computer.
Trojan Horse: a program which does its supposed job but also includes unsuspected and undesirable functions, e.g. deletion of desirable items.
Worm: a self-replicating program; it creates its own copies and executes them, and works in networks.
Information Security Threats
Hackers can use electronic eavesdropping to capture user names and unencrypted passwords.
Hackers can spoof or configure a system to mimic some other system.
Hackers use popular UNIX programs to discover account names and guess passwords.
Hackers have potential access to large systems with prospects of security holes.
Threats to Servers on Networks
Information Security Threats contd
Security Architecture (diagram): a layered view of Information Security with the labels Network Security, Procedural Security, Physical Security, Authentication and Authorization, and Data and application security, placed between the Business at the centre and the External World outside.
Information Security Architecture: A sends a message to B
Authentication: the message received by B has actually come from A.
Confidentiality: the message is secured and not seen by any snooper.
Integrity: the message has not been distorted by accident or design.
Non-repudiation: B can make A legally responsible for the message.
Encryption and Decryption Technology (diagram): the plaintext "Transfer Rs. 10,000 to the account of X" is encrypted into ciphertext such as "bjqhiudiiodo", sent, received, and decrypted back to "Transfer Rs. 10,000 to the account of X".
Information Security contd
Symmetric Encryption: the sender encrypts a message by using a secret key and the receiver uses the same key for decryption. Useful where the two parties are well known to each other; there are difficulties in sharing the keys, especially in large networks.
DATA ENCRYPTION STANDARD (DES)
• Secret key, symmetric encryption
• 56-bit secret key, which means 2^56 possibilities (56-bit DES recently broken in a few hours; 128-bit okay)
• Triple DES uses a 112-bit key
• The bigger the key size, the longer decryption takes
Information Security contd
Public and Private Key encryption
Both parties have one public key and one private key each. The public keys are known to each other; the private key is not. The message is encrypted using B's public key, and it can be opened only when B uses its private key.
CONFIDENTIALITY IS ENSURED
RSA (Rivest Shamir Adleman) algorithm for public key; 768-bit RSA is considered safe presently.
(Diagram, A to B: the message is encrypted with B's public key and decrypted with B's private key.)
Information Security contd
Public and Private Key encryption
The message is encrypted using B's public key. The packet of the message encrypted with B's public key is further encrypted by A using A's private key. It can be opened only when B uses the public key of A and its own private key.
CONFIDENTIALITY AND AUTHENTICITY ARE ENSURED
(Diagram, A to B: the message is encrypted with B's public key, then encrypted with A's private key; B decrypts with A's public key and B's private key.)
Information Security contd
Digital signature and public key encryption
(Diagram: the message carries a digital signature made using A's private key, is encrypted with A's private key, and is then encrypted with B's public key.)
CONFIDENTIALITY, INTEGRITY AND AUTHENTICITY ENSURED BUT REPUDIATION POSSIBLE
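The A-to-B exchange described in the last three slides (B's public key for confidentiality, A's private key for authenticity and integrity), as an added Go example that is not part of the chapter: A signs the SHA-256 fingerprint of the message with A's private key and encrypts the message with B's public key; B decrypts with B's private key and verifies the signature with A's public key. It uses RSA-OAEP and RSA-PSS from Go's standard library rather than the slides' literal "encrypt with A's private key" step, sends the signature alongside the ciphertext, and the function names and sample message are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal is A's side: sign the message's SHA-256 fingerprint with A's private key
// (integrity, authenticity), then encrypt the message with B's public key (confidentiality).
func Seal(msg []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) (ciphertext, sig []byte, err error) {
	digest := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, aPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, msg, nil)
	return ciphertext, sig, err
}

// Open is B's side: only B's private key recovers the message, and only A's public key
// verifies the signature; any change to the ciphertext or the signature fails here.
func Open(ciphertext, sig []byte, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bPriv, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(aPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("verify: %w", err)
	}
	return msg, nil
}

func main() {
	aKey, _ := rsa.GenerateKey(rand.Reader, 2048) // A's key pair (constructed for the demo)
	bKey, _ := rsa.GenerateKey(rand.Reader, 2048) // B's key pair
	ct, sig, _ := Seal([]byte("Transfer Rs. 10,000 to the account of X"), aKey, &bKey.PublicKey)
	got, err := Open(ct, sig, bKey, &aKey.PublicKey)
	fmt.Printf("B reads %q (err=%v)\n", got, err)
	sig[0] ^= 0xff // a modified signature (or ciphertext) is rejected by B
	_, err = Open(ct, sig, bKey, &aKey.PublicKey)
	fmt.Println("tampered:", err)
}
```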
Information Security contd
Digital Signature: a checksum number called a fingerprint (like the Message Authentication Code (MAC) used in the banking industry) which is included in the message to ensure INTEGRITY.
(X.509 certificate structure diagram) Fields: Version; Certificate Serial No.; Signature Algorithm ID; Issuer; Validity Period; Subject; Subject Public Key Info; Issuer Unique Identifier; Subject Unique Identifier; Extensions; C.A. Digital Signature. The C.A. private key is used to generate the digital signature.
Information Security contd
Digital Certificate: issued by a Certifying Authority; links the person with his public and private key. Standard: X.509.
Public Key Infrastructure: a set of agreed-upon standards, certification authorities, structure between multiple authorities, methods to discover and validate certification paths, operational protocols, management protocols, interoperable tools and supporting legislation.
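The certificate fields and the "validate certification paths" step above, as an added Go example that is not part of the chapter: a self-signed Certifying Authority issues an X.509 certificate to B (serial number, subject, validity period, extensions and the CA signature), and a relying party validates the path from B's certificate back to the trusted CA, which also rejects the certificate once its validity period has passed. The names, serial numbers and function names are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for public key pub with the signer's private key; parent == tmpl means self-signed.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// BuildChain makes a self-signed CA and the certificate it issues to B (constructed names and serials).
func BuildChain(now time.Time) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // CA key pair; caKey never leaves the CA
	bPub, _, _ := ed25519.GenerateKey(rand.Reader)      // B's key pair; B keeps the private half
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "B"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf = issue(leafTmpl, ca, bPub, caKey) // CA signs B's certificate; Issuer becomes the CA's Subject
	return ca, leaf
}

// ValidatePath is the relying party's check: CA signature, validity at time "at", and a path to a trusted root.
func ValidatePath(ca, leaf *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, leaf := BuildChain(time.Now())
	fmt.Println(leaf.Issuer.CommonName, "issued", leaf.Subject.CommonName, "| valid now:", ValidatePath(ca, leaf, time.Now()))
}
```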
PKI Issues: Regulation
• Governments are producing legislation to govern e-commerce
• Who regulates Certification Authorities
• CA liability
• Revocation of certificates
Information Security contd
Internet Security
• The Internet provides global reach at very low cost and high speed but is not secure due to the inherent weakness in TCP/IP
• Exponential growth of the Internet results in a rise of security incidents
• Most ISPs and user organisations use public-domain software such as LINUX and Apache for the Internet, which are more prone to security threats
• Default network OS settings and access to FTP and Telnet facilities become vulnerable
Types of Attack
• Password-based attack: cracking, FTP, Telnet, /etc/passwd
• IP Spoofing: TCP/IP allows anyone to generate a message claiming to be from another machine
• Session Hijacking: a special type of IP spoofing in which an intruder is able to determine the sequence numbers used between two parties
• Network Snooping / Packet sniffing: packets can easily be intercepted at any point in the network
Security Threats to Internet (diagram): External Users on the Internet reach a Web server, an FTP server and a Gopher server; a firewall between the Internet and the Inside separates inbound traffic from the Internet to the internal network, outbound traffic from the internal network, and inbound traffic from the Internet to public services.
Internet Security: Network level - Firewall
Internet Security Technology
Operational Technology
• One-time passwords
• Network monitoring tools
• Network security analysis tools
• Firewalls
Cryptography / Policy-based Technology
• Digital signature
• PKI policy
(Diagrams: Network Security - Firewall; Security Architecture)