Post on 30-Mar-2021
Welcome to Information Systems Security
(503009)
Nguyen Thi Ai Thao
Faculty of Computer Science & Engineering
HCMC University of Technology
thaonguyen@cse.hcmut.edu.vn
Ho Chi Minh City University of Technology
Faculty of Computer Science and Engineering
© 2011
Information Systems Security
Chapter 1: Introduction to Information Systems Security
Course Outline
Week Lectures
1 Information systems security: basic concepts
2,3 Basic cryptography & key exchange protocols
4 Identification & Authentication
5,6 Discretionary Access Controls
7,8 Mandatory Access Controls
9 Auditing & Accountability
10, 11, 12, 13, 14 Presentations
15 Revision
References
[1] M. Gertz, S. Jajodia (2008). Handbook of Database Security: Applications and Trends, Springer Verlag, ISBN 978-0-387-48532-4.
[2] S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison-Wesley, ISBN 0-201-59375-0.
[3] D.C. Knox (2004). Effective Oracle Database 10g Security by Design, Oracle Press, ISBN 0-07-223130-0.
[4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information Security Fundamentals, Auerbach Publications, ISBN 0-8493-1957-9.
[5] W. Mao (2003). Modern Cryptography: Theory and Practice, 3rd Ed., Prentice Hall, ISBN 0-13-066943-1.
Course Outline - Details
Week 1 (References: [1,2,3,4,5])
1. Introduction
1.1 Basic concepts
1.2 Picture of DB security
1.3 Framework for DB & Applications security
Week 2 (References: [4,5])
2. Basic cryptography & key exchange protocols
2.1 Cryptography-related concepts
2.2 Key channel
2.3 Perfect encryption
Week 3 (References: [4,5])
2. Basic cryptography & key exchange protocols
2.4 Dolev-Yao threat model
2.5 Protocols
Course Outline - Details
Week 4 (References: [2,3,4])
3. Identification & Authentication
3.1 Introduction
3.2 Identification techniques
3.3 Authentication techniques
3.2 Authentication protocols
Week 5 (References: [2,3,4])
3. Discretionary Access Controls
3.1 Introduction to DAC
3.2 Models for DAC
Week 6 (References: [2,3,4])
3. Discretionary Access Controls
3.3 SQL for Data Control
3.4 DAC & Information Flow Controls
Course Outline - Details
Week 7 (References: [2,3,4])
4. Mandatory Access Control
4.1 Introduction to MAC
4.2 Models for MAC
Week 8 (References: [2,3,4])
4. Mandatory Access Control
4.3 Case study: Oracle Label Security
Week 9 (References: [2,3])
5. Auditing & Accountability
5.1 Introduction to Auditing & Accountability
5.2 Techniques to Auditing
5.3 Case study: Auditing in Oracle
Weeks 10, 11, 12, 13, 14 (References: Tbc.)
Presentation
Assessments
Credits: 3
No mid-term test
Open-book exams
Assessment Pattern %
Presentation 1 15
Presentation 2 15
Assignment 20
Final Examination 50
Presentation
Group of 2-3 students
Presentation topics:
http://cse.hcmut.edu.vn/~thaonguyen >> Teaching
Register for the presentations:
Send to thaonguyen@cse.hcmut.edu.vn
Deadline: February 3rd, 2015
Chapter 1: Introduction to Information Systems Security
Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security
Basic Concepts
Data and Information
Information System
Information Security
Information System Security Requirements
Countermeasures
Basic Steps in Information Security Process
Basic Concepts - Information Systems Security
Data are plain facts. When data are processed, organized,
structured or presented in a given context so as to make them
useful, they are called Information.
Basic Concepts - Information Systems Security
Information System refers to a system of people, data
records and activities that process the data and information
in an organization.
Data
Process
People
Basic Concepts - Information Systems Security
Information Security means protecting information and
information systems from unauthorized access, use,
disclosure, disruption, modification or destruction.
Basic Concepts - Security Requirements
Information System Security Requirements:
Confidentiality
Non-repudiation
Availability
Integrity
Basic Concepts - Security Requirements
Information System Security Requirements:
Confidentiality: Protection of data from unauthorized
disclosure
Example: In a bank system, preventing a client from finding
out the information of another client, such as balance.
Integrity: Only authorized users should be allowed to modify
data.
Example: In a bank system, preventing a client from changing
his or her balance.
Basic Concepts - Security Requirements
Information System Security Requirements:
Availability: Making data available to the authorized users
and application programs
Example: In a bank system, ensuring that the invoices are
printed on time as required by law.
Non-repudiation: The ability to prevent the effective denial
of an act.
Example: In a bank system, providing proof of the origin and
delivery of transactions from a client.
Basic Concepts - Countermeasures
Countermeasures ensure these security requirements for
information systems. Some countermeasures are:
Access control
Inference control
Flow control
Encryption
Basic Concepts - Access Control
Access Control: The security mechanism for restricting
access to the database as a whole.
It is handled by creating user accounts and passwords so that the
Database Management System (DBMS) controls the login process.
Two types of access control system:
Closed system
Open system
Basic Concepts – Closed System
[Flowchart: Closed system. Access request -> Is there a rule authorizing the access? (Rules: authorized accesses) -> Yes: Access permitted; No: Access denied]
Basic Concepts – Open System
[Flowchart: Open system. Access request -> Is there a rule denying the access? (Rules: denied accesses) -> Yes: Access denied; No: Access permitted]
Basic Concepts - Inference control
Inference control: The security problem associated with
databases is that of controlling access to a statistical
database, which is used to provide statistical information or
summaries of values based on various criteria.
The countermeasures to the statistical database security problem
are called inference control measures.
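One inference control measure, shown as an added example that is not part of the original slides: query-set-size restriction, a standard technique the slide does not name. The class name StatisticalDB, the threshold k and the sample records are assumptions constructed for illustration.

```python
# Constructed sample records (name, department, salary); not from the slides.
RECORDS = [
    ("An", "sales", 50), ("Binh", "sales", 60), ("Chi", "sales", 55),
    ("Dung", "hr", 40), ("Giang", "hr", 45),
    ("Hoa", "it", 70), ("Khoa", "it", 80), ("Lan", "it", 75),
]

class StatisticalDB:
    """Answers only aggregate queries; StatisticalDB and k are hypothetical names."""

    def __init__(self, records, k):
        self.records = records
        self.k = k  # assumed policy: minimum query-set size

    def sum_salary(self, predicate):
        """Return SUM(salary) over matching records, or None if the query is refused."""
        matched = [r for r in self.records if predicate(r)]
        n, size = len(self.records), len(matched)
        # Too few rows: the "statistic" is close to one person's value.
        # Too many rows: the complement is small and could be isolated by
        # comparing this answer with other permitted answers.
        if size < self.k or size > n - self.k:
            return None
        return sum(salary for _, _, salary in matched)

def demo():
    db = StatisticalDB(RECORDS, k=2)
    return {
        "sales": db.sum_salary(lambda r: r[1] == "sales"),
        "hr": db.sum_salary(lambda r: r[1] == "hr"),
        "only Hoa": db.sum_salary(lambda r: r[0] == "Hoa"),
        "all but Hoa": db.sum_salary(lambda r: r[0] != "Hoa"),
        "everyone": db.sum_salary(lambda r: True),
    }

if __name__ == "__main__":
    for label, answer in demo().items():
        print(f"{label:12} -> {'REFUSED' if answer is None else answer}")
```

Size restriction alone is known to be insufficient against combinations of permitted queries, so it is normally paired with other measures such as auditing overlapping queries.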
Inference attack
[Figure: Inference attack. Labels: Access control, Meta data, Non-sensitive database, Sensitive database, Access denied, Access permitted, Infer]
Inference control
[Figure: Inference control. Labels: Access control, Meta data, Non-sensitive database, Sensitive database, Access denied, Access permitted, INFERENCE CONTROL]
Basic Concepts - Flow control
Flow control prevents information from flowing in such a
way that it reaches unauthorized users.
Channels that are pathways for information to flow
implicitly in ways that violate the security policy of an
organization are called Covert Channels.
Storage channel
Timing channel
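Covert channel – Timing channel
In Python:
def validate_password(actual_pw, typed_pw):
    # A length mismatch returns immediately.
    if len(actual_pw) != len(typed_pw):
        return 0
    # Character-by-character comparison that stops at the first mismatch,
    # so the running time depends on how many leading characters match.
    for i in range(len(actual_pw)):
        if actual_pw[i] != typed_pw[i]:
            return 0
    return 1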
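The timing channel in the slide's function, made measurable, next to a hardened comparison. This is an added example, not code from the original slides: the instrumented copy counts character comparisons instead of measuring wall-clock time so the result is deterministic, and the function names, SECRET and GUESSES are constructed for illustration.

```python
import hmac

def validate_password_leaky(actual_pw, typed_pw):
    """The slide's comparison, instrumented: returns (result, characters compared)."""
    if len(actual_pw) != len(typed_pw):
        return 0, 0
    compared = 0
    for a, t in zip(actual_pw, typed_pw):
        compared += 1
        if a != t:
            return 0, compared  # early exit: work done depends on the secret
    return 1, compared

def validate_password_constant_time(actual_pw, typed_pw):
    """Hardened form: hmac.compare_digest does not stop at the first mismatch.
    (It may still reveal that the lengths differ.)"""
    return 1 if hmac.compare_digest(actual_pw.encode(), typed_pw.encode()) else 0

def work_profile(actual_pw, guesses):
    """Map each guess to the number of comparisons the leaky check performed."""
    return {g: validate_password_leaky(actual_pw, g)[1] for g in guesses}

# Constructed sample values (assumptions, not from the slides)
SECRET = "s3cret!"
GUESSES = ["xxxxxxx", "s3xxxxx", "s3crxxx", "s3cret!"]

if __name__ == "__main__":
    for guess, steps in work_profile(SECRET, GUESSES).items():
        ok = validate_password_constant_time(SECRET, guess)
        print(f"{guess}: leaky check did {steps} comparisons, constant-time result {ok}")
```

In a real system passwords are stored as salted hashes and the digests are compared with a constant-time function, so the comparison never runs over the plaintext secret.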
Basic Concepts - Encryption
Data encryption refers to mathematical calculations and
algorithmic schemes that transform plaintext into cyphertext,
a form that is non-readable to unauthorized parties.
Only the user having a correct key can decrypt the
cyphertext, transforming it to the original plaintext version.
Data encryption is used to protect sensitive data (such as
credit card numbers).
Basic Concepts
Basic Steps in Access control Process:
Identification:
A user presents an identity to the database
Authentication:
The user proves that the identity is valid
Authorization:
What privileges and authorizations the user has
Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security
Components that need protection in an information system
Identify & Authenticate
Access control
Auditing & Accountability
Encryption
Design
Security in OBDS
Components that need protection in an information system
Encryption
Key exchange protocols
Physical security
Components that need protection in an information system
Physical security
Components that need protection in an information system
Training
Auditing & Accountability
Outline
1. Basic concepts
2. Picture of DB Security
3. Framework for DB & Applications Security
Framework for DB & Applications Security
Privacy, Dependable Information Management, Secure Information Management Technologies, Data Mining and Security, Digital Forensics, Secure Knowledge Management Technologies, Secure Semantic Web, Biometrics
Relational DB Security, Distributed/Federated DB Security, Web DB Security, Object/Multimedia DB Security, Data Warehouse Security, Inference Problem, Sensor DB and Stream Data Processing Security
Database Systems, Information Retrieval, Knowledge Management, Information Management, Information & Computer Security