Welcome to Information Systems Security (503009) · 2015. 1. 1. · Information Systems Security...

transcript

Welcome to Information Systems Security

(503009)

Nguyen Thi Ai Thao

Faculty of Computer Science & Engineering

HCMC University of Technology

thaonguyen@cse.hcmut.edu.vn

Ho Chi Minh City University of Technology

Faculty of Computer Science and Engineering

Information Systems Security

Chapter 1: Introduction to Information Systems Security

Course Outline

Week Lectures

1 Information systems security: basic concepts

2,3 Basic cryptography & key exchange protocols

4 Identification & Authentication

5,6 Discretionary Access Controls

7,8 Mandatory Access Controls

9 Auditing & Accountability

10, 11,

12, 13,

Presentations

15 Revision

References

[1] M. Gertz, S. Jajodia (2008). Handbook of Database Security: Applications and Trends, Springer Verlag, ISBN 978-0-387-48532-4.

[2] S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison-Wesley, ISBN 0-201-59375-0.

[3] D.C. Knox (2004). Effective Oracle Database 10g Security by Design, Oracle Press, ISBN 0-07-223130-0.

[4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information Security Fundamentals, Auerbach Publications, ISBN 0-8493-1957-9.

[5] W. Mao (2003). Modern Cryptography: Theory and Practice, 3rd Ed., Prentice Hall, ISBN 0-13-066943-1.

Course Outline - Details

Week Lectures References

1. Introduction

1.1 Basic concepts

1.2 Picture of DB security

1.3 Framework for DB & Applications security

[1,2,3,4,5]

2. Basic cryptography & key exchange protocols

2.1 Cryptography-related concepts

2.2 Key channel

2.3 Perfect encryption

2. Basic cryptography & key exchange protocols

2.4 Dolev-Yao threat model

2.5 Protocols

3. Identification & Authentication

3.1 Introduction

3.2 Identification techniques

3.3 Authentication techniques

3.2 Authentication protocols

[2,3,4]

3. Discretionary Access Controls

3.1 Introduction to DAC

3.2 Models for DAC

[2,3,4]

3. Discretionary Access Controls

3.3 SQL for Data Control

3.4 DAC & Information Flow Controls

[2,3,4]

4. Mandatory Access Control

4.1 Introduction to MAC

4.2 Models for MAC

[2,3,4]

8 4. Mandatory Access Control

4.3 Case study: Oracle Label Security [2,3,4]

5. Auditing & Accountability

5.1 Introduction to Auditing & Accountability

5.2 Techniques to Auditing

5.3 Case study: Auditing in Oracle

Presentation Tbc.

Assessments

Credits: 3

No mid-term test

Open-book exams

Assessment Pattern %

Presentation 1 15

Presentation 2 15

Assignment 20

Final Examination 50

Presentation

Group of 2-3 students

Presentation topics:

http://cse.hcmut.edu.vn/~thaonguyen >> Teaching

Register for the presentations:

Send to thaonguyen@cse.hcmut.edu.vn

Deadline: February 3rd , 2015

Chapter 1: Introduction to

Nguyen Thi Ai Thao

Faculty of Computer Science & Engineering

HCMC University of Technology

thaonguyen@cse.hcmut.edu.vn

Outline

Picture of DB Security 2

Framework for DB & Applications Security 3

Basic concepts 1 Basic concepts 1

Basic Concepts

Data and Information

Information System

Information Security

Information System Security Requirements

Countermeasures

Basic Steps in Information Security Process

Basic Concepts - Information Systems Security

Data are plain facts. When data are processed, organized,

structured or presented in a given context so as to make them

useful, they are called Information.

Information System refers to a system of people, data

records and activities that process the data and information

in an organization.

Process

People

Information Security means protecting information and

information systems from unauthorized access, use,

disclosure, disruption, modification or destruction.

Basic Concepts - Security Requirements

Information System Security Requirements :

Confidentiality

Non-repudiation

Availability

Integrity

Information System Security Requirements:

Confidentiality: Protection of data from unauthorized

disclosure

Example: In a bank system, preventing a client from finding

out the information of another client, such as balance.

Integrity: Only authorized users should be allowed to modify

Example: In a bank system, preventing a client from changing

his or her balance.

Information System Security Requirements:

Availability: Making data available to the authorized users

and application programs

Example: In a bank system, ensuring that the invoices are

printed on time as required by law.

Non-repudiation: The ability to prevent the effective denial

of an act.

Example: In a bank system, providing proof of the origin and

delivery of transactions from a client.

Basic Concepts - Countermeasures

Countermeasures ensures these security requirements for

information systems. There are some countermeasures:

Access control

Inference control

Flow control

Encryption

Basic Concepts - Access Control

Access Control: The security mechanism for restricting

access to the database as a whole

Handled by creating user accounts and passwords to control

login process by the Database Management System (DBMS).

Two types of access control system

Closed system

Open system

Basic Concepts – Closed System

Is there a rule

authorizing the

access?

Access request

Access permitted Access denied

Rules:

authorized

accesses

Closed system

Basic Concepts – Opened System

Access permitted Access denied

Is there a rule

denying the

access?

Access request

Rules:

denied

accesses

Opened system

Basic Concepts - Inference control

Inference control: The security problem associated with

databases is that of controlling the access to a statistical

database, which is used to provide statistical information or

summaries of values based on various criteria.

The countermeasures to statistical database security problem

is called inference control measures.

Inference attack

Access control

Meta data

Non-sensitive database

Sensitive database

Access denied Access permitted

Inference control

Access control

Meta data

Non-sensitive database

Sensitive database

Access denied Access permitted

INFERENCE CONTROL

Basic Concepts - Flow control

Flow control prevents information from flowing in such a

way that it reaches unauthorized users.

Channels that are pathways for information to flow

implicitly in ways that violate the security policy of an

organization are called Covert Channels.

Storage channel

Timing channel

Convert chanel – Timing Chanel

In Python:

def validate_password(actual_pw,

typed_pw):

if len(actual_pw) <> len(typed_pw):

return 0

for i in len(actual_pw):

if actual_pw[i] <> typed_pw[i]:

return 0

return 1

Basic Concepts - Encryption

Data encryption refers to mathematical calculations and

algorithmic schemes that transform plaintext into cyphertext,

a form that is non-readable to unauthorized parties.

Only the user having a correct key can decrypt the

cyphertext, transforming it to the original plaintext version.

Data encryption is used to protect sensitive data (such as

credit card numbers).

Basic Concepts

Basic Steps in Access control Process:

Identification

A user presents an identity to the database

Authentication:

The user proves that the identity is valid

Authorization:

What privileges and authorizations the user has

Outline

Basic concepts 1

Các thành phần cần bảo vệ trong một HTTT

Identify &Authenticate

Access control

Auditing & Accountability

Encryption

Design

Security in OBDS

Encryption

Key exchange protocols

Physical security

Training

Auditing & Accountability

Outline

Basic concepts 1

Framework for DB & Applications Security

Privacy, Dependable Information Management, Secure Information Management Technologies, Data Mining and Security, Digital Forensics, Secure Knowledge Management Technologies, Secure Semantic Web, Biometrics

Relational DB Security, Distributed/Federated DB Security, Web DB Security, Object/Multimedia DB Security, Data Warehouse Security, Inference Problem, Sensor DB and Stream Data Processing Security

Database Systems, Information Retrieval, Knowledge Management, Information Management, Information & Computer Security

Welcome to Information Systems Security (503009) · 2015. 1. 1. · Information Systems Security...

Documents