
Lecture 1

Introduction
CS4394/CS5294 ISM/ISTM - Introduction 2
Information Security staff
Lecturer:
Dr. L. F. KWOK, Y6417, 34428625
cslfkwok@cityu.edu.hk
Teaching Assistant:
Mr. LI Chen, 34425945
richard.li@my.cityu.edu.hk
Teaching Pattern
Lecture (2 hours):
Information sessions
Tutorial (1 hour):
Discussion focusing on a weekly question sheet
based on the lecture materials/readings, but flexible
Assessment
30% assignments due:
3 October 2014 A1 Week 5
6 November 2014 A2 Week 10
20 November 2014 test Week 12
Late assignments are penalised
70% final examination
Plagiarism will not be tolerated
Course Content
Not just facts
Need to
understand concepts
apply those concepts
think about implications
understand limitations
Text Books
A single textbook cannot help
Something good to read:
Merkow and Breithaupt, Information Security: Principles
and Practices, Pearson 2005 (ISBN 0-13-154729-1)
Greene, Security Policies and Procedures: Principles
and Practices, Pearson 2006 (ISBN 0-13-186691-5)
Whitman and Mattord, Management of Information
Security, 4e, Cengage Learning 2010
Some other references:
Information Security Management Standard, ISO/IEC
27002:2005
Pfleeger & Pfleeger, Security in Computing, 3e, Prentice
Hall 2003 (QA76.9.A25 P45 2003)
Some Basic Concepts
Learning
An exercise of constructing personal
knowledge that requires a learner to be
mentally active rather than passive;
interpreting rather than recording
information.
Information security is ...
Security is about the protection of assets
(for example, your private home):
prevention
detection
reaction
Information Security is about the
protection of the information asset (for
example, data regarding your credit card
transactions).
Information Security Goals
Confidentiality
access to data & processes is restricted to
authorized people
Integrity
the system (hardware + software +
facilities + network + people) has not been
compromised
Availability
continuous/ uninterrupted service
Information Security Goals
Non-Repudiation
You cannot deny that you have performed
some action on the data
Authentication
You can prove your identity or the origin of
the data
Information Security
We do:
Examine the risks/threats of security in
computing
Consider available countermeasures
or controls
Stimulate thought about uncovered
vulnerabilities
Identify areas where more work is
needed
Information Security
We talk about:
What kinds of vulnerabilities
Why these vulnerabilities are exploited
Who is involved
How to prevent possible attacks
Threats, Vulnerabilities, Controls
Threat a set of circumstances that has
the potential to cause loss or harm
Vulnerability a weakness in the security
system
Control a protective measure
A threat is blocked by control of a
vulnerability
Security Threats
Interruption
When your assets become unavailable
Interception
Some unauthorised party has gained access to
your assets
Modification
Some unauthorised party tampers with your assets
Fabrication
Counterfeits of your assets are made
Attack examples
Viruses/Worms: a continuous source of challenges; protection
software and its signature patterns need regular updating
Denial-of-Service-Attacks: different ways of attack
(load or vulnerability), intended to overload a service
DNS-Attacks: various levels of the Domain Name
Service is attacked and link-information manipulated
Spam: unwanted emails, annoying and/or threatening
(transport mechanism for other attacks)
Spyware: unwanted monitoring of user behavior or
transmission of user data
More Attack examples
Attacks on Embedded Systems: intelligent devices are
increasingly targets of attacks
WLAN-Attacks: unconfigured (default-setting) access points are
targets for war drivers
Zero-day threats: attacks on vulnerabilities before the vendor
has been able to react with a fix
Shared Code in Service-oriented Architectures:
distributed systems inherit function and weaknesses of
code
Voice over IP: Telecommunication faces a whole set of
new/additional threats
Non-technical Attacks
Social Engineering: Avoiding technical hurdles by
exploiting human error/weakness/vulnerability
Phishing: deceptive presentation of fake input pages/
forms in order to gather valuable personal information
Over-regulation: Overloading Security professional with
formal/legal requirements and compliance requests
System Intrusion
Any part of an information system can be
the target of a crime
System components : hardware, software,
data, network, personnel
Principle of Easiest Penetration: an intruder must be
expected to use any available means of penetration, not
necessarily the most obvious one, nor the one against which
the most solid defence has been installed
Vulnerabilities
Hardware Vulnerabilities
Software Vulnerabilities
Data Vulnerabilities
Network Vulnerabilities
Personnel Vulnerabilities
Hardware Vulnerabilities
Mainly physical attack
Protect by installing physical security
systems
Software Vulnerabilities
Software Deletion
Software Modification
Logic bomb, Trojan horse, virus,
trapdoor, information leaks
Software Theft
Software Fault
Data Vulnerabilities
Data Confidentiality
Data Integrity
Network Vulnerabilities
Intercept data in transit
Modify data in transit
Gain unauthorized access to programs or data in
remote hosts
Modify programs or data in remote hosts
Insert communications
Replay previous communication
Block selected/all traffic
Run a program at a remote host
Personnel Vulnerabilities
Employees, contractors and third-party users of
information processing facilities may commit theft,
fraud or misuse of those facilities
Methods of Defense
We seek to:
Prevent
Deter
Deflect
Detect
Recover
Methods of Defence (Controls)
Encryption
Software Controls
Hardware Controls
Policies and Procedures
Physical Controls
Encryption
Deals with data
Data are scrambled so that they cannot be read by
anyone without the key
Encryption alone ensures data confidentiality;
integrity is a separate property
Many ciphers are malleable: a change to the ciphertext
produces a predictable change to the plaintext, so a
message authentication code or an authenticated
encryption mode is needed to detect tampering
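The last bullets of this slide are where practitioners most often get burned, and the "modify data in transit" item in the network vulnerabilities list above is the case in which it matters. The following is an added example, not from the lecture or its textbooks: it builds a toy stream cipher from HMAC-SHA256 in counter mode (my construction, for illustration only; a real system would use an AEAD mode such as AES-GCM), shows that an attacker who knows the message layout can change an encrypted amount without knowing the key, and then shows encrypt-then-MAC rejecting the same change. The function names (`keystream`, `seal`, `unseal`, `tamper`) and the sample message are mine.

```python
import hashlib
import hmac
import os

# Toy stream cipher: HMAC-SHA256 in counter mode as the keystream generator.
# Constructed for illustration only; real systems use an AEAD mode such as
# AES-GCM or ChaCha20-Poly1305, which bundle the integrity check in.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream: confidentiality only."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker step, no key needed: flipping ciphertext bits flips the same
    bits of the plaintext, so a known byte 'old' becomes 'new' on decryption."""
    c = bytearray(ciphertext)
    c[offset] ^= old ^ new
    return bytes(c)


NONCE_LEN, TAG_LEN = 16, 32


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, giving integrity."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(enc_key, nonce, ct)


def demo() -> tuple[bytes, bool]:
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    msg = b"transfer amount=0100 to=alice"   # constructed sample message
    pos = msg.index(b"0100")                  # attacker knows the message layout

    # 1. Encryption alone: the forged ciphertext decrypts to a different amount.
    forged_ct = tamper(encrypt(enc_key, nonce, msg), pos, ord("0"), ord("9"))
    forged_plain = decrypt(enc_key, nonce, forged_ct)

    # 2. Encrypt-then-MAC: the same bit flip is caught before decryption.
    forged_sealed = tamper(seal(enc_key, mac_key, nonce, msg),
                           NONCE_LEN + pos, ord("0"), ord("9"))
    try:
        unseal(enc_key, mac_key, forged_sealed)
        detected = False
    except ValueError:
        detected = True
    return forged_plain, detected


if __name__ == "__main__":
    plain, caught = demo()
    print(plain, caught)   # b'transfer amount=9100 to=alice' True
```

The attacker never learns the key and never sees the plaintext; knowing where the amount sits in the message is enough. The MAC is computed over the ciphertext and checked before decryption, so a forged message is rejected without the receiver ever acting on it.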
Software Controls
Internal program controls
Operating system and network
system controls
Independent control programs
Development controls
Hardware Controls
Hardware or smart card
implementations of encryption
Devices to verify users identities
Firewalls
Intrusion detection systems
Circuit boards that control access to
storage media
Policies and Procedures
security policy- a documented plan of
action and principles for an organisation
training against deception, blackmail, &
social engineering
secure disposal of paper & storage media
employee vetting & reference checking
change control + audit trails + follow-up
contingency planning + training + rehearsal
Security Policy
business needs analysis
asset valuation
risk analysis
impact analysis
Security Policy
security policy is a statement of rules
security is defined by a security policy
goal of security is to enforce the policy
standards in OSI 7498-2/ RFC 2196/ ISO/IEC 27002
Physical Controls
Easiest, most effective and least
expensive
Locks on doors, guards at entry
points, backup copies of important
software and data
Physical site planning that reduces
the risk of natural disasters
Views on Information Security
often inconvenient
often not very secure
a balance
people issue > technology issue
reactive not proactive
sometimes the need for information
security is not obvious until it is too late
a technology problem or a
management problem
Given enough time, tools, skills, and
inclination, a hacker can break
through any security measure
Information Security Principles:
#1 There Is No Such Thing as Absolute Security
Protect the confidentiality of data
Confidentiality models are primarily intended to
assure that no unauthorized access to information is
permitted and that accidental disclosure of sensitive
information is not possible
Preserve the integrity of data
Integrity models keep data pure and trustworthy by
protecting system data from intentional and
accidental changes
Promote the availability of data for authorized
use
Availability models keep data and resources
available for authorized use
Information Security Principles:
#2 Three Security Goals
Defense in depth
Security implemented in overlapping
layers that provide the three elements
needed to secure assets: prevention,
detection, and response
The weaknesses of one security layer
are offset by the strengths of two or
more layers
Information Security Principles:
#3 Defense in Depth as Strategy
Takes little to convince someone to give up their
credentials in exchange for trivial or worthless
goods
Many people are easily convinced to double-
click on the attachment
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
Information Security Principles:
#4 When left on their own, people tend to make
the worst security decisions
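A mail gateway can catch the double-extension trick above mechanically rather than relying on the user. The check below is an added example, not from the lecture: it screens attachment names for an executable type hidden behind a document or image extension, for the trailing spaces and dots that Windows silently strips when saving, and for Unicode bidi override characters that reverse how the end of a name is displayed. The extension lists, function names and sample file names are constructed for the example and are not exhaustive.

```python
# Attachment-name screening for a mail gateway. Constructed example;
# the extension lists are illustrative, not exhaustive.

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".msi"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt",
              ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tar"}
# Bidi embeddings/overrides/isolates: U+202E makes "evil\u202egpj.exe" render as "evilexe.jpg"
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def extensions(name: str) -> list[str]:
    """All dotted suffixes of a filename, lower-cased, with padding spaces removed.
    Windows drops trailing dots/spaces when saving, so 'evil.exe.  ' becomes evil.exe."""
    clean = name.strip().rstrip(". ").lower()
    parts = clean.split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def classify_attachment(name: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    if any(ch in name for ch in BIDI_CONTROLS):
        return "block", "bidi control character can reverse how the extension is displayed"
    exts = extensions(name)
    if not exts:
        return "review", "no extension"
    last = exts[-1]          # the extension the OS actually acts on
    if last in EXECUTABLE_EXTS:
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        if decoys:
            return "block", f"executable {last} disguised with decoy extension {decoys[-1]}"
        return "block", f"executable attachment type {last}"
    if last in ARCHIVE_EXTS:
        return "review", f"archive {last}: inspect contents"
    if last in DECOY_EXTS:
        return "allow", f"data file type {last}"
    return "review", f"unrecognised extension {last}"


def screen(names):
    """Run the check over a batch and return only the non-allowed entries."""
    return [(n, *classify_attachment(n)) for n in names
            if classify_attachment(n)[0] != "allow"]


if __name__ == "__main__":
    sample = ["AnnaKournikova.jpg.vbs", "holiday.jpg", "invoice.pdf                .exe",
              "Q3-report.docx", "setup.msi", "photos.zip", "notes"]
    for row in screen(sample):
        print(row)
```

The verdict is driven by the last extension because that is the one the operating system acts on; everything before it is only ever camouflage. A gateway would normally pair this with content-type sniffing, since the name alone is attacker-controlled.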
Functional requirements
Describe what a system should do
Assurance requirements
Describe how functional requirements should be
implemented and tested
Does the system do the right things in the right way?
Verification: the process of confirming that one or
more predetermined requirements or specifications are
met
Validation: a determination of the correctness or
quality of the mechanisms used in meeting the needs
Information Security Principles:
#5 Functional and Assurance Requirements
Many people believe that if hackers do not
know how software is secured, security is
better
Although this seems logical, it is actually not true
Obscuring security leads to a false sense of
security, which is often more dangerous than
not addressing security at all
Information Security Principles:
#6 Security through obscurity is NOT an answer
Security is not concerned with eliminating all threats
within a system or facility but with eliminating known
threats and minimizing losses if an attacker
succeeds in exploiting a vulnerability
Risk analysis and risk management are central
themes to securing information systems
Risk assessment and risk analysis are concerned with
placing an economic value on assets to best
determine appropriate countermeasures that protect
them from losses
Information Security Principles:
#7 Security = Risk Management
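The slide says countermeasures are chosen by putting an economic value on assets but does not show how. The code below is an added worked example, not from the lecture: it uses the standard annualised loss expectancy method (SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence) to compare candidate controls by net benefit, which is also the "solid business rationale" that principle #10 below asks for. The asset figures, the controls and their costs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Quantitative risk analysis with annualised loss expectancy (ALE).
# Standard method; all figures below are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # economic value of the asset
    exposure_factor: float  # fraction of the value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year with no control."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                        # cost spread per year
    annual_rate: Optional[float] = None       # ARO after the control, if it changes
    exposure_factor: Optional[float] = None   # EF after the control, if it changes


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    ef = risk.exposure_factor if control.exposure_factor is None else control.exposure_factor
    aro = risk.annual_rate if control.annual_rate is None else control.annual_rate
    return risk.asset_value * ef * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Money saved per year after paying for the control; negative means
    the control costs more than the loss it prevents."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, controls: list[Control]) -> Optional[Control]:
    """Pick the control with the largest positive net benefit, or None (accept the risk)."""
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return None
    return best


# Constructed scenario: customer database, threat = theft of backup media.
DB_RISK = Risk("customer database", "backup media theft",
               asset_value=500_000, exposure_factor=0.40, annual_rate=0.20)
CANDIDATES = [
    Control("encrypt backups at rest", annual_cost=15_000, exposure_factor=0.05),
    Control("24x7 monitoring contract", annual_cost=60_000, annual_rate=0.05),
    Control("armoured courier for tapes", annual_cost=45_000, annual_rate=0.10),
]

if __name__ == "__main__":
    print(f"ALE without controls: {DB_RISK.ale:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:<28} residual {residual_ale(DB_RISK, c):>8,.0f}"
              f"  net {net_benefit(DB_RISK, c):>8,.0f}")
    chosen = recommend(DB_RISK, CANDIDATES)
    print("recommended:", chosen.name if chosen else "accept the risk")
```

Note that the most expensive control loses: its residual loss plus its cost exceeds the unprotected ALE, so the analysis rejects it even though it "reduces risk". A control may lower the rate of incidents, the loss per incident, or both; the model keeps the two separate so that each claim can be challenged on its own.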
A security mechanism serves a purpose by
preventing a compromise, detecting that a
compromise or compromise attempt is
underway, or responding to a compromise
while it is happening or after it has been
discovered
Information Security Principles:
#8 Security Controls: Preventative, Detective,
and Responsive
The more complex a system gets, the
harder it is to secure
Information Security Principles:
#9 Complexity Is The Enemy of Security
Information security managers must justify all
investments in security using techniques of the
trade
When spending resources can be justified with
good, solid business rationale, security requests
are rarely denied
Information Security Principles:
#10 Fear, Uncertainty, and Doubt (FUD) Do Not
Work in Selling Security
People, process, and technology controls are
essential elements of security practices
including operations security, applications
development security, physical
security, and cryptography
Information Security Principles:
#11 People, Process and Technology are all
Needed
(Diagram: People, Process and Technology drawn as three overlapping circles)
Keeping a given vulnerability secret from users
and from the software developer can only lead
to a false sense of security
The need to know trumps the need to keep
secrets in order to give users the right to protect
themselves
Information Security Principles:
#12 Open Disclosure of Vulnerabilities Is Good
for Security
Growing IT Security Importance
Increased services to both vendors and
employees create worlds of possibilities
in satisfying customer needs, but
they also create risks to the
confidentiality, integrity, and
availability of confidential or sensitive
data
Becoming an InfoSec Specialist
Get the right certification
Certified Information Systems Security
Professional (CISSP)
Global Information Assurance Certification
(GIAC)
Consider earning a graduate degree in
INFOSEC
Increase your disaster recovery and risk
management skills
Contextualizing Information Security
Information security draws upon the best
practices and experiences from multiple domains:
Antivirus; Software Development; Security Administration;
Permission Controls; Physical Security; Incident Response;
Compliance Auditing; Key Management; Access Controls;
Security Testing; Training and Awareness; Disaster Recovery;
Public Key Infrastructure; Intrusion Detection and Prevention;
Policies; Standards; Operations Controls
Information Security Careers
common positions and career opportunities
Security administrators
Access coordinators
Security architects and network engineers
Security consultants
Security testers
Policymakers and standards developers
Compliance officers
Incident response team members
Governance and vendor managers
Current Situation
Networked systems remain vulnerable to attacks
from within and outside an organization
The explosive growth of e-commerce and
the pervasive personal and business
uses of the Internet have created a
growing demand for INFOSEC
specialists
International Information Systems Security
Certification Consortium, (ISC)²
Maintaining a CBK for information security
Certifying industry professionals and practitioners
Administering training and certification examinations
Ensuring credentials are maintained
Two primary certifications
Certified Information Systems Security Professional
(CISSP)
System Security Certified Practitioner (SSCP)
Certification for People
Information Security CBK
The CBK is a compilation and
distillation of all security information
collected that is relevant to
information security professionals
CISSP certification includes a working
knowledge of all 10 domains
(www.isc2.org)
InfoSecurity CBK 10 Domains
Security Management Practices (4)
Security Architecture and Models (5)
Business Continuity Planning (6)
Law, Investigations, and Ethics (7)
Physical Security (8)
Operations Security (9)
Access Control Systems and Methodology (10)
Cryptography (11)
Telecommunications, Network, and Internet Security (12)
Applications Development Security (13)
(Chapter number in) Merkow and Breithaupt, Information Security:
Principles and Practices, Pearson 2005 (ISBN 0-13-154729-1)
Course Overview
Intended Learning Outcomes
Upon completion of the course, students
should be able to:
Describe threats in IT environment; and recognize the
relationship of threat, vulnerability, countermeasure, and
impact in organizational information security;
Write simple information security policy for an
organization and produce appropriate guidelines in
implementing the policy;
Recognize the information security management
framework and the roles of Information Security
Management Standards in this framework;
Recognize the legal issues in information security.
Course Overview
1. Introduction
2. Abstract Security Model
3. Access control
4. Cryptography and PKI
5. Network security
6-9. Info Sec management and Standards
10-11. Info Sec Risk Management
12. Legal Aspects
13. Revision
Lecture Overview
Lecture 1
Introduction:
Basic introduction to information security
Lecture 2
Abstract Security models:
Overview of security models
Security evaluation
Bell-LaPadula model
Clark-Wilson model
Brewer-Nash Chinese Wall model
Lecture 3
Access Control Mechanisms:
Management of privileges
Monitoring access
Identification and authentication of
users
Lecture 4
Cryptography and PKI:
What is cryptography ?
Ciphers
Cryptographic Applications
Public Key Infrastructure
Lecture 5
Network security:
Common Network attacks
Network security solutions
IPSec
VPNs
Firewalls
TLS and SSL
Lectures 6-9
Security management:
Introduction to information security
management
Security policies
Security management standards
Lectures 10-11
Information Security Risk
Management:
Approach
Process
Audit
Lecture 12
Legal Aspects:
Cyber Crime
Personal Data (Privacy) Ordinance
Electronic Transactions Ordinance
Lecture 13
Review
Readings
Merkow and Breithaupt,
Information Security:
Principles and Practices,
Pearson 2005
Chapters 1, 2 and 3
Readings
Whitman and Mattord,
Management of
Information Security
(4e), Cengage 2013
Chapter 1
