The University of Akron
Summit College
Business Technology Dept.
2440: 141 Web Site Administration
Introduction to Security
Instructor: Enoch E. Damson

Information Security
- Consists of the procedures and measures taken to protect each component of information systems
  - Protecting data, hardware, software, networks, procedures and people
- The concept of information security is based on the C.I.A triangle (according to the National Security Telecommunications and Information Security Committee – NSTISSC)
  - C – Confidentiality
  - I – Integrity
  - A – Availability

Confidentiality
- Addresses two aspects of security with subtle differences
  - Prevents unauthorized individuals from knowing or accessing information
  - Safeguards confidential information and discloses secret information only to authorized individuals by means of classifying information

Integrity
- Ensures data consistency and accuracy
- The integrity of the information system is measured by the integrity of its data
- Data can be degraded into the following categories:
  - Invalid data – not all data is valid
  - Redundant data – the same data is recorded and stored in several places
  - Inconsistent data – redundant data is not identical
  - Data anomalies – one occurrence of repeated data is changed and the other occurrences are not
  - Data read inconsistency – a user does not always read the last committed data
  - Data non-concurrency – multiple users can access and read data at the same time but lose read consistency

Availability
- Ensures that data is accessible to authorized individuals
- An organization’s information system can be unavailable because of the following security issues:
  - External attacks and lack of system protection
  - Occurrence of system failure with no disaster recovery strategy
  - Overly stringent and obscure security procedures and policies
  - Faulty implementation of authentication processes, causing failure to authenticate customers properly

Information Security Architecture
- The model for protecting logical and physical assets
- The overall design of a company’s implementation of the C.I.A triangle
- Components range from physical equipment to logical security tools and utilities

Components of Information Security Architecture
- The components of information security architecture are:
  - Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out
  - Security personnel and administrators – people who enforce and keep security in order
  - Detection equipment – devices to authenticate users and detect equipment prohibited by the company

Components of Information Security Architecture…
- Other components of information security architecture include:
  - Security programs – tools to protect a computer system’s servers from malicious code such as viruses
  - Monitoring equipment – devices to monitor physical properties, users, and important assets
  - Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
  - Auditing procedures and tools – checks and controls to ensure that security measures are working

Levels of Security
- The levels of security include:
  - highly restrictive
  - moderately restrictive
  - open

Levels of Security…
- Before deciding on a level of security, answer these questions:
  - What must be protected?
  - From whom should data be protected?
  - What costs are associated with security being breached and data being lost or stolen?
  - How likely is it that a threat will actually occur?
  - Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?

Highly Restrictive Security Policies
- Include features such as:
  - Data encryption
  - Complex password requirements
  - Detailed auditing and monitoring of computer/network access
  - Intricate authentication methods
  - Policies that govern use of the Internet/e-mail
- Might require third-party hardware and software
- Implementation cost is high
- Cost of a security breach is high

Moderately Restrictive Security Policies
- Most organizations can opt for this type of policy
- Requires passwords, but not overly complex ones
- Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
- Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
- Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc)
- Costs are primarily in initial configuration and support

Open Security Policies
- Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
- May be implemented by a small company with the primary goal of making access to basic data resources
- Internet access should probably not be possible via the company LAN
- Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

Types of Attacks & Vulnerabilities
- Some of the numerous methods to attack systems are as follows:
  - Virus – code that compromises the integrity and state of a system
  - Worm – code that disrupts the operation of a system
  - Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code
  - Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
  - Spoofing – malicious code that looks like legitimate code
  - Bugs – software code that is faulty due to bad design, logic, or both

Types of Attacks & Vulnerabilities…
- Other methods to attack systems include:
  - Email spamming – E-mail that is sent to many recipients without their permission
  - Boot sector virus – code that compromises the segment in the hard disk containing the program used to start the computer
  - Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
  - Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems

Security Resources
- Computer Security Resources
  - http://www.sans.org
  - http://www.cert.org
  - http://www.first.org
  - http://csrc.nist.gov
  - http://www.securityfocus.com

Security Basics
- Some of the basic security rules are as follows:
  - Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa
  - No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
  - The weakest link in security is human beings

Security Methods
- People
  - Physical limits on access to hardware and documents
  - Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices, such as ID card, eye scans, passwords
  - Training courses on the importance of security and how to guard assets
  - Establishment of security policies and procedures

Security Methods…
- Applications
  - Authentication of users who access applications
  - Business rules
  - Single sign-on (a method for signing on once for different applications and Web sites)

Security Methods…
- Network
  - Firewalls – to block network intruders
  - Virtual private network (VPN) – a remote computer securely connected to a corporate network
  - Authentication

Security Methods…
- Operating System
  - Authentication
  - Intrusion detection
  - Password policy
  - User accounts

Security Methods…
- Database Management Systems
  - Authentication
  - Audit mechanism
  - Database resource limits
  - Password policy

Security Methods…
- Data Files
  - File permissions
  - Access monitoring

Securing Access to Data
- Securing data on a network has many facets:
  - Authentication and authorization – identifying who is permitted to access which network resources
  - Encryption/decryption – making data unusable to anyone except authorized users
  - Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet
  - Firewalls – installing a software/hardware device to protect a computer or network from unauthorized access and attacks
  - Virus and worm protection – securing data from software designed to destroy data or make a computer or network operate inefficiently
  - Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits
  - Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network

Implementing Secure Authentication and Authorization
- Administrators must control who has access to the network (authentication) and what logged on users can do to the network (authorization)
  - Network operating systems have tools to specify options and restrictions on how/when users can log on to the network
  - File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform

Securing Data Transmission
- Encryption is used to safeguard data as it travels across a network
- Tools such as Telnet and FTP are very vulnerable since they send data in clear text
- Secure Sockets Layer (SSL) is the most common method of encrypting data transmissions
  - Most Web sites that encrypt sensitive data such as credit card information, etc use SSL

Encryption
- The act of encoding readable data into a format that is unreadable without a decoding key
  - Decryption – the act of decoding encoded data back into the original readable format
- Encryption provides privacy (confidentiality)
- Encryption and decryption are the two major processes that make up the science of cryptography

Cryptography
- The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
  - Allows encryption of data from its original form into a form that can only be read with a correct decryption key
- Some of the security functions addressed by cryptography methods are:
  - Authentication
  - Privacy
  - Message integrity
  - Provision of data signatures

Vocabulary of Cryptography
- Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws
- Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms
- Cryptographer – a person trained in the science of cryptography
- Alphabet – set of symbols used in cryptography to either input or output messages
- Plaintext (cleartext) – the original data in its raw form
- Cipher – a cryptographic encryption algorithm for transforming data from one form to another
- Ciphertext – the encrypted data

Encryption Methodology
- There are two elements in encryption:
  - Encryption method – specifies the mathematical process used in encryption
  - Key – the special string of bits used in encryption

Encryption Example
- Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Plaintext: Meet me on the corner
- Cipher (algorithm): C = P + K
  - C – the ciphertext character
  - P – the plaintext character
  - K – the value of the key
- Key: 3
- The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext (C), add the value of the key (K) to the plaintext character
  - Shift the plaintext character to the right of the alphabet by three characters
  - D replaces A, E replaces B, F replaces C, etc
- The following message is generated:
  - Ciphertext: Phhw ph rq wkh fruqhu
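
Added example (not part of the original slides): the shift cipher C = P + K from the Encryption Example slide, written in Python. It reproduces the slide's ciphertext and counts how few distinct keys the scheme has, next to the 2^56 key count the DES slide quotes. All function names are illustrative choices.

```python
# Added illustration of the slide's shift cipher, C = P + K, taken modulo
# the 26-letter alphabet so that X, Y, Z wrap around to A, B, C.
import string

ALPHABET = string.ascii_uppercase   # the slide's alphabet, A..Z
DES_KEY_BITS = 56                   # key size quoted on the DES slide


def shift_char(ch: str, key: int) -> str:
    """Apply C = P + K (mod 26) to one character, preserving its case."""
    if ch not in string.ascii_letters:
        return ch                   # spaces, digits, punctuation pass through
    position = ALPHABET.index(ch.upper())
    shifted = ALPHABET[(position + key) % len(ALPHABET)]
    return shifted if ch.isupper() else shifted.lower()


def encrypt(plaintext: str, key: int) -> str:
    """Encrypt a message by shifting every letter K places to the right."""
    return "".join(shift_char(ch, key) for ch in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    """Decrypt with P = C - K, i.e. shift K places back to the left."""
    return encrypt(ciphertext, -key)


def effective_keys(tried: int = 1000) -> int:
    """Count keys that give distinct ciphertexts; K and K + 26 are the same key."""
    return len({encrypt(ALPHABET, key) for key in range(tried)})


def candidate_plaintexts(ciphertext: str) -> dict[int, str]:
    """Every possible decryption; the entire key space is a 26-row table."""
    return {key: decrypt(ciphertext, key) for key in range(len(ALPHABET))}


if __name__ == "__main__":
    message = "Meet me on the corner"          # plaintext from the slide
    secret = encrypt(message, 3)               # key from the slide
    print("ciphertext :", secret)
    print("round trip :", decrypt(secret, 3))
    print("shift keys :", effective_keys())
    print("DES keys   :", 2 ** DES_KEY_BITS)
    for key, text in candidate_plaintexts(secret).items():
        print(f"  K={key:2d}  {text}")
```

Because the encryption method itself is public, all of the secrecy rests on the key, and a 26-entry key space gives none; this is the size argument behind the slides' remark that a larger key is more secure.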

Types of Cryptographic Ciphers
- Ciphers fall into one of two major categories:
  - Symmetric (single-key) ciphers – the same key is used for both encryption and decryption
  - Asymmetric (public-key) ciphers – different keys are used for encryption and decryption

Symmetric (Single) Key Encryption
- The most common and simplest form of encryption
- Both parties in the encryption process must keep the key secret
- There are several specific symmetric key encryption algorithms
  - The most widely used is the data encryption standard (DES)
  - Other more secure encryption algorithms include: Triple-DES, DESX, RDES, Blowfish, AES, and IDEA

Symmetric Key Encryption…
- Data Encryption Standard (DES) –
  - Developed by IBM for the US National Institute of Standards and Technology (NIST) in the 1970s
  - The original algorithm is based on a 56-bit key that yields 2^56 possible keys (72 quadrillion keys)
  - Breaks the plaintext into chunks of 64-bits (8 of the key bits are redundant) and encrypts each chunk
  - In general, the larger the key the more secure the encryption is
- Widely used today but with some drawbacks
  - Both the sender and receiver of the encrypted message must know the key before they can communicate
  - Susceptible to attack especially in networked environments

Asymmetric (Public) Key Encryption
- There are two keys for each party
  - The sender and receiver each has a private and public key
  - Public key – senders will encrypt data using nonsecure connections with the receivers’ public key
  - Private key – the receivers use their private keys to decrypt data
- The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption

Authentication
- One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
  - It brings authorization (confidentiality) – only authorized users can use data
- In contrast, authentication proves the sender’s identity

Forms of Authentication
- There are many forms of authentication:
  - Passwords
  - Authentication cards – ATMs use these with coded information
  - Biometrics – measures body dimensions like finger-print analyzers
  - Public key authorization – uses digital signatures
    - Digital signature – the electronic version of a physical signature