Paul Bryant
Introduction
What is security
Models for Discussing Security Issues
Attacks
Defence in depth
What is Security?
The term security is used in a variety of contexts: personal, corporate, personnel, national, energy, operational, communications, system, financial, etc.
What is Security?
In the most general terms, security seems
to mean something like
protection of assets against threats.
What assets?
What kinds of threats?
What does protection mean?
Does the nature of protection vary depending on the threat?
Definition: Information Security
Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction (p.2)
Information Security
1.1.14. Information security is considered a higher level of abstraction
than cyber security relating to the protection of information regardless of
its form (electronic or physical). The accepted definition of information
security within government is: measures relating to the confidentiality,
availability and integrity of information.
1.1.15. This is sometimes described as cyber security. A number of
specialised security areas contribute to information security within
government; these include: physical security, personnel security,
communications security and information and communications
technology (ICT) security along with their associated governance
measures. (NZISMv2, 2014)
CIA Triad
Confidentiality
The protection of information within systems
so that unauthorised people, programs, and
processes cannot access that information.
Sensitive information is protected against
unauthorised disclosure.
Encryption is a primary tool to ensure
confidentiality.
Integrity
The protection of information or processes
from intentional or accidental unauthorised
changes.
Integrity also covers the business accuracy, logic, relevance, ethicality, etc. of information
Integrity = no unauthorised alteration
Protecting Integrity
Need to protect the process or program used to manipulate
information, e.g.,
Air traffic control systems
Welfare systems
Payroll systems
Availability
The assurance that information and systems are
accessible by authorised users whenever needed.
Protected against denial-of-service (DoS) attacks and
vandalism
Protected against losses stemming from natural disasters or human errors and actions (this type is probably more common)
DAD Triad
Disclosure
Unauthorised individuals gain access to confidential information
Alteration
Data is modified through some unauthorised mechanism
Denial
Authorized users cannot gain access to a system for
legitimate purposes
Parkerian Hexad
Encompasses the traditional C-I-A concepts
Variance in integrity: Parker doesn't account for authorised, but incorrect, modification of data; rather, he focuses on the state of the data itself
Example: loss of encrypted data is a possession (control) problem, but not a confidentiality problem
Non-Repudiation
Prevents the parties to a transaction from
subsequently denying involvement in the
transaction.
Someone cannot deny that she did send a
message, sign an electronic contract, etc.
Public-key cryptography (a digital signature, to be exact) is instrumental to achieving non-repudiation.
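The integrity slides above and this non-repudiation slide are easiest to tell apart in running code. The following is an added example, not from the slides: an HMAC over a constructed payment message detects alteration (the DAD "Alteration" case) but cannot prove who sent the message, because both parties hold the shared key, so either could have produced the tag; an Ed25519 signature, verifiable with only the sender's public key, is what gives non-repudiation. The message contents, the shared key and the party names (Alice, Bob) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed sample message (not taken from the slides):
// a payment instruction that Alice sends to Bob.
var Transaction = []byte(`{"from":"alice","to":"bob","amount":250.00,"ref":"INV-1042"}`)

// Altered is the same message with the amount changed in transit
// (by an outsider, or by Bob himself); also constructed for this example.
var Altered = []byte(`{"from":"alice","to":"bob","amount":2500.00,"ref":"INV-1042"}`)

// SharedKey is a constructed secret that Alice and Bob both hold.
var SharedKey = []byte("constructed-shared-secret-alice-bob")

// Tag computes an HMAC-SHA256 tag over msg. Anyone holding key can
// produce it, so it protects integrity but gives no non-repudiation.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckIntegrity reports whether msg is unaltered relative to tag,
// using a constant-time comparison to avoid a timing side channel.
func CheckIntegrity(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// NewSigner generates an Ed25519 key pair for one party.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature that only the holder of priv can create.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks msg against sig using only the signer's public key, so a
// third party (Bob, or an arbiter) can check it without being able to forge it.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Integrity with a MAC: alteration of the message is detected...
	tag := Tag(SharedKey, Transaction)
	fmt.Println("HMAC, original message valid:", CheckIntegrity(SharedKey, Transaction, tag))
	fmt.Println("HMAC, altered message valid: ", CheckIntegrity(SharedKey, Altered, tag))
	// ...but Bob holds SharedKey too, so he can produce a valid tag over any
	// message, and Alice can later deny having sent it: no non-repudiation.
	forged := Tag(SharedKey, Altered)
	fmt.Println("HMAC forged by Bob valid:     ", CheckIntegrity(SharedKey, Altered, forged))

	// Non-repudiation with a digital signature: only Alice's private key
	// can produce a signature that verifies under Alice's public key.
	alicePub, alicePriv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	_, bobPriv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := Sign(alicePriv, Transaction)
	fmt.Println("Signature, original message valid:", Verify(alicePub, Transaction, sig))
	fmt.Println("Signature, altered message valid: ", Verify(alicePub, Altered, sig))
	fmt.Println("Signature forged by Bob valid:     ", Verify(alicePub, Transaction, Sign(bobPriv, Transaction)))
}
```

In practice the public key must itself be bound to Alice (a certificate, a key published out of band, or a trusted directory); the signature proves that the holder of the private key signed, and the binding is what turns that into "Alice cannot deny it".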
Attacks
More terminology
Assets: Things we want to protect (stored
data / data in transit)
Threats: Something that has the potential
to cause harm
Attacks: Attempts to make threats happen
Vulnerabilities: Weaknesses that can be
used to harm us
More terminology
Risk: The chance that something bad will
happen
Impact: A measure of how serious an
attack would be
Controls
Help mitigate risk
Three categories of controls
Physical
Protect physical environment
Access, HVAC, fire, fences, locks, gates, etc
Controls (cont.)
Administrative
Based on rules, laws, policies, procedures,
guidelines
Example: the AUP governing use of the REDNet and Production networks at WelTec.
Incident Response
If risk management efforts fail, incident
response exists to react to such events
Incident response process at high level:
Preparation
Detection and analysis
Containment
Eradication
Recovery
Post-incident activity
McCumber Model
Desired Goals
Information States
Safeguards
http://en.wikipedia.org/wiki/McCumber_cube
NSTISSC Model
Source: it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf
[Figure: Vauban fortifications, a historical illustration of defence in depth. Source: P. Griffith, The Vauban Fortifications of France, Osprey.]
Layered Protection
Advocated by the SANS Institute.
An organisation must have a layered defence at the perimeter, network, equipment, and data layers.
Because there are so many potential attackers taking advantage of numerous attack vectors, there is no single method for successfully protecting a network. Instead, a network should be protected with a variety of defensive mechanisms, so that if one mechanism fails, another is already in place to thwart the attack.
Layered Protection
[Figure: layered protection model. Based on Carr et al., The Management of Network Security.]