INF3510 Information Security
Lecture 01: - Course info - Basic concepts in information security
University of Oslo, spring 2016
UiO Spring 2016, L01 - INF3510 Information Security

Course information
• Course organization
• Prerequisites
• Syllabus and text book
• Lecture plan
• Home exam
• Assessment and exams
• Security education
• AFSecurity

Course organisation
• Course activities
  – Attend 2 hours of lectures per week
    • Lecture notes available at least one day prior to lecture
  – Work on the workshop questions
    • Will be discussed during the following week's workshop, which follows immediately after the 2-hour lecture
  – Work on the home exam
    • Topic for the assignment can be freely chosen.
• Not just about facts, you also need to
  – understand concepts
  – apply those concepts
  – think about implications
  – understand limitations

Course Resources
• Learning material is available at:
  – http://www.uio.no/studier/emner/matnat/ifi/INF3510/v16/
  – lecture presentations, workshop questions, etc.
  – List of English security terms translated to Norwegian
• Assignment topic for home exam on:
  – https://wiki.uio.no/mn/ifi/INF3510-2016
• Various online resources
  – E.g. NIST special computer security publications http://csrc.nist.gov/publications/PubsSPs.html

Lecturer
• Prof. Audun Jøsang
• Education
  – CISSP 2005, CISM 2010
  – PhD Information Security, NTNU, 1998
  – MSc Information Security, Royal Holloway College, London, 1993
  – BSc Telematics, NTH 1987
  – Baccalaureat, Lycée Corneille, France, 1981
• Work
  – Professor, UiO, 2008
  – Associate Professor, QUT, Australia, 2005-2007
  – Research Leader, DSTC, Australia 2000-2004
  – Associate Professor, NTNU, 1998-1999
  – System design engineer, Alcatel, Belgium 1988-1992

Prerequisites
• Prerequisites
  – Basic computer and network technology
  – Basic mathematics
• Theoretic focus on a basic level
  – Discrete mathematics, number theory, modular arithmetic
  – Information theory
  – Probability calculus
  – Computer and network architecture

Syllabus and text book
• The syllabus for this course consists of the material presented during the lectures, as described in the lecture notes.
• Adequate comprehension of the material requires that you also
  – read parts of the text book and other documents
  – work out answers to the workshop questions
  – follow the lectures.
• Text book: CISSP All-in-One Exam Guide, 6th Edition, 2013. Author: Shon Harris (7th edition in May 2016)
• The book covers the 10 CBK domains (Common Body of Knowledge) for the CISSP Exam (Certified Information Systems Security Professional).
• Easy to order book from amazon.com, price: US$50 http://www.amazon.com/CISSP-All-One-Guide-Edition/dp/0071781749

How to use Harris' CISSP book (6th ed.)
(Picture: Shon Harris)
• 1430 pages in total
  – But exclude
    • Ch.1 (Becoming a CISSP)
    • 50 pages of appendix, glossary and index
    • 300 pages of tips, Q&A
    • Parts of chapters
  – Around 800 pages of readable material
  – The book is very easy to read
  – Sometimes long explanations and examples
• Each chapter has Main Sections (big font) and Subsections (small font), but no numbering, a bit confusing.
• Don't read distracting comments in italics under section titles

Draft Lecture Plan

Week  Date        #   Topic
W04   25.01.2016  1   Course Information. Basic Concepts in IS
W05   01.02.2016  2   IS Management, Human Factors for IS
W06   08.02.2016  3   Risk Management and Business Continuity Planning
W07   15.02.2016  4   Computer Security
W08   22.02.2016  5   Cryptography
W09   29.02.2016  6   Key Management and PKI
W10   07.03.2016  7   Digital Forensics
W11   14.03.2016  8   User Authentication
W12                   Easter break
W13                   Easter break
W14   04.04.2016  9   Identity Management and Access Control
W15   11.03.2016  10  Network Security
W16   18.04.2016  11  Network Perimeter Security
W17                   No lecture
W18   02.05.2016  12  Development and Application Security
W19                   No lecture
W20                   No lecture
W21   23.05.2016      Review
W22                   No lecture
W23   08.06.2016      Digital exam, time: 09:00h-13:00h (4 hours)

Home Exam
• Write an essay on a security topic chosen by you
• Work individually, or in a group of 2 or 3 students
• Select topic and specify group on wiki https://wiki.uio.no/mn/ifi/INF3510-2016/
• Length: 5000-10000 words (approx. 10–15 pages)
• Due date: 13.05.2016
• Assessment criteria:
  – Structure and presentation: weight ¼
  – Scope and depth of content: weight ¼
  – Evidence of independent research and analysis: weight ¼
  – Proper use of references: weight ¼

Assessment and Marking
• Course weight: 10 study points
• Assessment items:
  – Home exam: weight 0.4
  – Digital exam: weight 0.6
• Required to get a pass score on both assessment items
  – At least 40% on home exam and 40% on written exam
  – Relatively easy to get a high score on home exam
  – Relatively difficult to get a high score on written exam
• Academic dishonesty (including plagiarism and cheating) is actively discouraged
  • See: http://www.uio.no/english/studies/admin/examinations/cheating/
  • Should be no problem

Exam statistics from previous years

Year  # students  # A (%)   # B (%)    # C (%)    # D (%)     # E (%)    # F (%)
2015  121         10 (9%)   30 (25%)   45 (37%)   9 (7%)      9 (7%)     18 (15%)
2014  103         4 (4%)    8 (7.5%)   45 (44%)   14 (13.5%)  9 (4.5%)   23 (22.5%)
2013  0           For the 2013 spring semester the course was cancelled due to faculty politics.
2012  34          2 (6%)    6 (18%)    14 (41%)   0 (0.0%)    6 (17.5%)  6 (17.5%)
2011  70          1 (2%)    10 (14%)   33 (47%)   9 (13%)     10 (14%)   7 (10%)
2010  58          1 (2%)    15 (26%)   25 (43%)   7 (12%)     3 (5%)     7 (12%)

Other security courses at IFI
• UNIK4220: Introduction to Cryptography
  – Leif Nilsen (autumn, taught at IFI)
• UNIK4250: Security in Distributed Systems
  – Nils Agne Nordbotten (spring)
• UNIK4270: Security in OS and Software
  – Audun Jøsang (autumn, taught at IFI)
• UNIK4740: InfoSec in Industrial Sensor and Mobile Systems
  – Judith Rossebø (autumn)
• INF5150 - Unassailable IT-systems
  – Ketil Stølen (autumn)
• ITLED4230 Ledelse av informasjonssikkerhet
  – Audun Jøsang (autumn)
  – For professionals (fee NOK 25K)

Why study information security?
• Being an IT expert requires knowledge about IT security
  – Imagine building architects without knowledge about fire safety
• Building IT systems without considering security will lead to vulnerable IT systems
• Global IT infrastructure is vulnerable to cyber attacks
• IT experts without security skills are part of the problem!
• Learn about IT security to become part of the solution
• Information security is a political issue
  – Often seen as a cost, but saves costs in the long term
  – Often given low priority in IT industry and IT education

Certifications for IS Professionals
• Many different types of certifications available
  – vendor neutral or vendor specific
  – from non-profit organisations or commercial for-profit organisations
• Certification gives assurance of knowledge and skills
  – needed in job functions
  – gives credibility for consultants, applying for jobs, for promotion
• Sometimes required
  – US Government IT Security jobs
• Knowledge domains reflect current topics in IT Security
  – Generally kept up-to-date

ISACA Certifications (Information Systems Audit and Control Association)
• ISACA promotes IT governance framework COBIT (Control Objectives for Information and Related Technologies)
• ISACA provides certification for IT professionals
  – CISM - Certified Information Security Manager
  – CISA - Certified Information System Auditor
  – CGEIT - Certified in the Governance of Enterprise IT
  – CRISC - Certified in Risk and Information Systems Control
• CISM is the most popular ISACA security certification

CISM: Certified Information Security Manager
• Focuses on 4 domains of IS management
  1. Information Security Governance
  2. Information Risk Management
  3. Information Security Program Development and Management
  4. Information Security Incident Management
• Official prep manual published by ISACA
  – 14th edition 2016
  – https://www.isaca.org/bookstore/ Price: US$135 ($105 for ISACA members)
  – https://www.isaca.org/bookstore/Pages/CISM-Exam-Resources.aspx

CISM Exam
• Exams normally twice per year worldwide
• Next exam in Oslo (and worldwide): June 2016
  – Deadline for registering: April 2015
  – Register for exam at www.isaca.org
  – Exam fee approx. US $500
  – Multiple choice exam
  – Requires 5 years professional experience
  – Yearly CISM maintenance fee approx. US $100
  – Requires 120 hours "practice time" per 3 years

(ISC)2 Certifications: International Information Systems Security Certification Consortium
• (ISC)2 provides certification for information security professionals
  – CISSP - Certified Information Systems Security Professional
  – ISSAP - Information Systems Security Architecture Professional
  – ISSMP - Information Systems Security Management Professional
  – ISSEP - Information Systems Security Engineering Professional
  – CAP - Certification and Accreditation Professional
  – SSCP - Systems Security Certified Practitioner
  – CSSLP - Certified Secure Software Lifecycle Professional
• CISSP is the most common IT security certification
  – Most IT Security Consultants are CISSP

CISSP Exam: Certified Information System Security Professional
• Many different books to prepare for CISSP exam
  • e.g. text book used for INF3510 course: CISSP All-in-One Exam Guide, 6th Edition, 2013. Author: Shon Harris (7th edition to appear in May 2016)
• €560 fee to sit CISSP exam
• Exam through http://www.pearsonvue.com/isc2/
• Test Centre in Oslo: http://www.glasspaper.no/ Brynsveien 12, Bryn, Oslo
• Most of the material presented in the INF3510 course is taken from the syllabus of the CISSP CBK (Common Body of Knowledge).

CISSP CBK (Common Body of Knowledge): 8 domains (until 2015 there were 10 domains)
1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communication and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Security Surveys
• Useful for knowing the trend and current state of information security threats and attacks
  – CSI Computer Crime & Security Survey (http://gocsi.com/survey)
  – Verizon Data Breach Report: http://www.verizonenterprise.com/DBIR/
  – PWC: http://www.pwc.com/gx/en/consulting-services/information-security-survey/
  – US IC3 (The Internet Crime Complaint Center): http://www.ic3.gov/media/annualreports.aspx
  – Mørketallsundersøkelsen; http://www.nsr-org.no/moerketall/
  + many others

Security Advisories
• Useful for learning about new threats and vulnerabilities
  – NorCERT: For government sector: https://www.nsm.stat.no/
  – NorSIS: For private sector: http://www.norsis.no/
  – US CERT: http://www.cert.org/
  – Australia AusCERT: http://www.auscert.org.au/
  + many others

AFSecurity: Academic Forum on Security
• Monthly seminar on information security
• https://wiki.uio.no/mn/ifi/AFSecurity/
• Guest speakers
• Next AFSecurity:
  – Wednesday 27 January 2016, 14:00h
  – Topic: Bluetooth Beacon Privacy
  – Speaker: Atle Årnes (Datatilsynet)
• All interested are welcome!

Information Security: Basic Concepts

Good and bad translation
(Diagram) English: Security, Safety, Certainty. Norwegian: Sikkerhet, Trygghet, Visshet, as against the single term Sikkerhet for all three. The slide marks one of the two mappings "Bad" and the other "Good".

What is security in general
• Security is about protecting assets from damage or harm
• Focuses on all types of assets
  – Example: your body, possessions, the environment, the nation
• Security and related concepts
  – National security (political stability)
  – Safety (health)
  – Environmental security (clean environment)
  – Information security
  – etc.

What is Information Security
• Information Security focuses on protecting information assets from damage or harm
• What are the assets to be protected?
  – Example: data files, software, IT equipment and infrastructure
• Covers both intentional and accidental events
  – Threat agents can be people or acts of nature
  – People can cause harm by accident or by intent
• Information Security defined:
  – The preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. (ISO 27001)

Scope of information security
• IS management has as goal to avoid damage and to control risk of damage to information assets
• IS management focuses on:
  – Understanding threats and vulnerabilities
  – Managing threats by reducing vulnerabilities or threat exposures
  – Detection of attacks and recovery from attacks
  – Investigate and collect evidence about incidents (forensics)

The Need for Information Security
• Why not simply solve all security problems once and for all?
• Reasons why that's impossible:
  – Rapid innovation constantly generates new technology with new vulnerabilities
  – More activities go online
  – Crime follows the money
  – Information security is a second thought when developing IT
  – New and changing threats
  – More effective and efficient attack techniques and tools are being developed
• Conclusion: Information security doesn't have a final goal, it's a continuing process

Internet Storm Survival Time Measure
(Chart) The survival time is calculated as the average time between attacks against an average target IP address. http://isc.sans.org/survivaltime.html

Malware Trend
(Chart only)

Security control categories
(Diagram: three categories of controls making up Information Security)
Physical controls: • Facility protection • Security guards • Locks • Monitoring • Environmental controls • Intrusion detection
Technical controls: • Logical access control • Cryptographic controls • Security devices • User authentication • Intrusion detection • Forensics
Administrative controls: • Policies • Standards • Procedures & practice • Personnel screening • Awareness training

Security control functional types
• Preventive controls:
  – prevent attempts to exploit vulnerabilities
  • Example: encryption of files
• Detective controls:
  – warn of attempts to exploit vulnerabilities
  • Example: Intrusion detection systems (IDS)
• Corrective controls:
  – correct errors or irregularities that have been detected.
  • Example: Restoring all applications from the last known good image to bring a corrupted system back online
• Use a combination of controls to help ensure that the organisational processes, people, and technology operate within prescribed bounds.

Controls by Information States
• Information security involves protecting information assets from harm or damage.
• Information is considered in one of three possible states:
  – During storage
    • Information storage containers
    • Electronic, physical, human
  – During transmission
    • Physical or electronic
  – During processing (use)
    • Physical or electronic
• Security controls for all information states are needed

Security Services and Properties
• A security service is a high level security property
• The traditional definition of information security is to preserve the three CIA properties for data and services:
  – Confidentiality
  – Integrity
  – Availability
• The CIA properties are the three main security services
(Diagram: Confidentiality, Integrity and Availability of Data and Services)

Security services and controls
• Security services (aka. goals or properties)
  – implementation independent
  – supported by specific controls
• Security controls (aka. mechanisms)
  – Practical mechanisms, actions, tools or procedures that are used to provide security services
(Diagram: Security controls, e.g. Encryption, Firewalls, Awareness, support Security services, e.g. Confidentiality, Integrity, Availability)

Confidentiality
• The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. (ISO 27001)
• Can be divided into:
  – Secrecy: Protecting business data
  – Privacy: Protecting personal data
  – Anonymity: Hide who is engaging in what actions
• Main threat: Information theft, unintentional disclosure
• Controls: Encryption, Access Control, Perimeter defence

Integrity
• Data Integrity: The property that data has not been altered or destroyed in an unauthorized manner. (X.800)
• System Integrity: The property of safeguarding the accuracy and completeness of assets (ISO 27001)
• Main threat: Data and system corruption
• Controls:
  – Cryptographic integrity check
  – Encryption
  – Access Control
  – Perimeter defence
  – Audit
  – Verification of systems and applications

Availability
• The property of being accessible and usable upon demand by an authorized entity. (ISO 27001)
• Main threat: Denial of Service (DoS)
  – The prevention of authorized access to resources or the delaying of time critical operations
• Controls: Redundancy of resources, traffic filtering, incident recovery, international collaboration and policing

Page 11: Course information Course Resources - Forsiden · Draft Lecture Plan Week Date # Topic W04 25.01.2016 1 Course Information. Basic Concepts in IS W05 01.02.2016 2 IS Management, Human

Auth

entic

ity

(Sec

urity

Ser

vice

)

•U

ser a

uthe

ntic

atio

n:–

The

proc

ess

of v

erify

ing

a cl

aim

ed id

entit

y of

a (l

egal

) use

r w

hen

acce

ssin

g a

syst

em o

r an

appl

icat

ion.

•O

rgan

isat

ion

auth

entic

atio

n:–

The

proc

ess

of v

erify

ing

a cl

aim

ed id

entit

y of

a (l

egal

) or

gani

satio

n in

an

onlin

e in

tera

ctio

n/se

ssio

n•

Syst

em a

uthe

ntic

atio

n (p

eer e

ntity

aut

hent

icat

ion)

: –

The

corro

bora

tion

(ver

ifica

tion)

that

a p

eer e

ntity

(sys

tem

) in

an

asso

ciat

ion

(con

nect

ion,

ses

sion

) is

the

one

clai

med

(X.8

00).

•D

ata

orig

in a

uthe

ntic

atio

n (m

essa

ge a

uthe

ntic

atio

n):

–Th

e co

rrobo

ratio

n (v

erifi

catio

n) th

at th

e so

urce

of d

ata

rece

ived

is

as

clai

med

(X.8

00).

UiO

Spr

ing

2016

L01

-IN

F351

0 In

form

atio

n Se

curit

y41

The

CIA

pro

perti

es a

re q

uite

gen

eral

sec

urity

ser

vice

s.

Oth

er s

ecur

ity s

ervi

ces

are

ofte

n m

entio

ned.

Au

then

ticat

ion

is v

ery

impo

rtant

, with

var

ious

type

s:

Taxo

nom

y of

Aut

hent

icat

ion

UiO

Spr

ing

2016

L01

-IN

F351

0 In

form

atio

n Se

curit

y42

Auth

entic

atio

n

Entit

y Au

then

ticat

ion

Use

r Au

then

ticat

ion

Org

anis

atio

n Au

then

ticat

ion

Dat

a Au

then

ticat

ion

Syst

em

Auth

entic

atio

n

MAC

, D

igSi

g&PK

I

pass

wor

ds, t

oken

s,

OTP

, bio

met

rics,

PKI

cryp

to p

roto

cols

,e.

g. IP

Sec,

PKI

cryp

to p

roto

cols

, e.

g. T

LS, P

KI

User Identification and Authentication
• Identification
  – Who you claim to be
  – Method: (user)name, biometrics
• User authentication
  – Prove that you are the one you claim to be
• Main threat: Unauthorized access
• Controls:
  – Passwords
  – Personal cryptographic tokens
    • OTP generators, etc.
  – Biometrics
    • Id cards
  – Cryptographic security/authentication protocols
[Figure: example authentication token (student card): Alice Wonderland, D.O.B. 31.12.1985, Cheshire, England, Student nr. 33033, University of Oxford]

System Authentication
• Goal
  – Establish the correct identity of remote hosts
• Main threats:
  – Network intrusion
  – Masquerading attacks
  – Replay attacks
  – (D)DoS attacks
• Controls:
  – Cryptographic authentication protocols based on hashing and encryption algorithms
  – Examples: TLS, VPN, IPsec
[Figure: Host A authenticating Host B]
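The slide names masquerading and replay as the main threats to system authentication and keyed-hash protocols as the control. The following added example (written for this page, not code from the INF3510 course) shows the smallest such protocol: a nonce-based challenge-response between two hosts sharing a key K_AB, with a replayed response and a response from a host without the key both rejected. The host names, the pre-shared key and the message layout are constructed assumptions for the demonstration.

```python
"""Nonce-based challenge-response authentication between two hosts.

Host A (the verifier) must establish that the peer claiming to be Host B
holds the key K_AB it shares with B.  A fresh random challenge is issued
for every run and consumed on verification, so a response recorded from
an earlier run is useless to a masquerading host (replay resistance).
"""
import hashlib
import hmac
import secrets


class Host:
    def __init__(self, name, keys):
        self.name = name
        self.keys = keys            # peer name -> pre-shared key (bytes)
        self.outstanding = {}       # peer name -> challenge still awaiting a response

    def issue_challenge(self, peer):
        """Verifier side: generate a fresh 128-bit nonce for this peer."""
        nonce = secrets.token_bytes(16)
        self.outstanding[peer] = nonce
        return nonce

    def respond(self, verifier, nonce):
        """Claimant side: prove possession of the shared key by MACing the
        challenge together with both identities (claimant first)."""
        msg = b"|".join([self.name.encode(), verifier.encode(), nonce])
        return hmac.new(self.keys[verifier], msg, hashlib.sha256).digest()

    def verify(self, peer, response):
        """Verifier side: recompute the expected MAC for the challenge we
        issued to `peer`.  The challenge is discarded whether or not the
        response matches, so it can only ever be answered once."""
        nonce = self.outstanding.pop(peer, None)
        if nonce is None:
            return False            # nothing outstanding: nothing to answer
        msg = b"|".join([peer.encode(), self.name.encode(), nonce])
        expected = hmac.new(self.keys[peer], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """Return (genuine_ok, replay_ok, masquerade_ok) for three runs."""
    k_ab = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)  # constructed demo key
    host_a = Host("A", {"B": k_ab})
    host_b = Host("B", {"A": k_ab})

    # 1. Genuine run: B answers A's challenge with the shared key.
    n1 = host_a.issue_challenge("B")
    r1 = host_b.respond("A", n1)
    genuine_ok = host_a.verify("B", r1)

    # 2. Replay: an eavesdropper M recorded (n1, r1) and later replays r1
    #    against a new challenge while claiming to be B.
    host_a.issue_challenge("B")
    replay_ok = host_a.verify("B", r1)

    # 3. Masquerade: M answers a fresh challenge without knowing K_AB.
    n3 = host_a.issue_challenge("B")
    guess = hmac.new(b"not the real key", n3, hashlib.sha256).digest()
    masquerade_ok = host_a.verify("B", guess)

    return genuine_ok, replay_ok, masquerade_ok


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, False)
```

Two details carry the security argument. The nonce is random and single-use, which is what defeats replay; a counter or timestamp would also work but needs state or clock synchronisation. Both identities are included in the MAC input, in a fixed order, so that an attacker cannot reflect A's own challenge back at A and have A answer it for him. The protocol as written authenticates B to A only; mutual authentication needs a second run in the other direction, which is what the handshakes of TLS and IPsec (IKE) do with nonces and keyed hashes or signatures.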

Data Origin Authentication (Message authentication)
• Goal: Recipient of a message (i.e. data) can verify the correctness of the claimed sender identity
  – But a 3rd party may not be able to verify it
• Main threats:
  – False transactions
  – False messages and data
• Controls:
  – Encryption with shared secret key
  – MAC (Message Authentication Code)
  – Security protocols
  – Digital signature with private key
  – Electronic signature
    • i.e. any digital evidence

Non-Repudiation (Security Service)
• Goal: Making sending and receiving messages undeniable through unforgeable evidence.
  – Non-repudiation of origin: proof that data was sent.
  – Non-repudiation of delivery: proof that data was received.
  – NB: imprecise interpretation: Has a message been received and read just because it has been delivered to your mailbox?
• Main threats:
  – Sender falsely denying having sent a message
  – Recipient falsely denying having received a message
• Control: digital signature
  – Cryptographic evidence that can be confirmed by a third party
• Data origin authentication and non-repudiation are similar
  – Data origin authentication only provides proof to the recipient party
  – Non-repudiation also provides proof to third parties

Accountability (Security Service)
• Goal: Trace an action to a specific user and hold them responsible
  – Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party (TCSEC/Orange Book)
• Main threats:
  – Inability to identify the source of an incident
  – Inability to make the attacker responsible
• Controls:
  – Identify and authenticate users
  – Log all system events (audit)
  – Electronic signature
  – Non-repudiation based on digital signature
  – Forensics

Authorization
• Authorization is to specify access and usage permissions for entities, roles or processes
  – Authorization policy normally defined by humans
  – Issued by an authority within the domain/organisation
    • Authority can be delegated
  – Implemented in IT systems as configuration/policy
• Beware of confusion (also in Harris textbook):
  – Correct: Harris 6th ed. p.161: "A user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach."
  – Wrong: Harris 6th ed. p.161: "If the system determines that the subject may access the resource, it authorizes the subject".

Identity and Access Management (IAM) Phases
• Configuration phase: Registration → Provisioning → Authorization
• Operation phase: Identification (claim identity) → Authentication (prove claimed identity) → Access control (are you authorized?)
• Termination phase: De-registration → Deactivate credentials → Revoke authorization

Confusion about Authorization
• The term "authorization" is often wrongly used in the sense of "access control"
  – e.g. "If the system determines that the subject may access the resource, it authorizes the subject" (e.g. Harris 6th ed. p.161)
  – Common in text books and technical specifications (RFC 2196 …)
  – Cisco AAA Server (Authentication, Authorization and Accounting)
• Wrong usage of "authorization" leads to absurd situations:
  1. You get somebody's password, and use it to access the account
  2. Login screen gives warning: "Only authorized users may access this system"
  3. You are caught and taken to court
  4. You say: "The textbook at university said I was authorized if the system granted access, which it did, so I was authorized"

Identity and Access Management Concepts
[Figure: System Owner Domain. Components: Identity Provider (IdP) with a registration function and a user authentication function; System Owner with PAP (Policy Administration Point) issuing the operations policy; access control function consisting of PDP (Policy Decision Point) and PEP (Policy Enforcement Point); System resource. Arrows labelled registration, provisioning, log-on (Id + Cr, i.e. identifier plus credential), access request (resource & access type), authorization request, request, decision; the steps are numbered 1 to 8 in the original figure.]
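The last four slides (authorization, the IAM phases, the confusion between authorization and access control, and the PAP/PDP/PEP figure) describe one system. The following added example, written for this page and not code from the course, wires those components together: an identity provider that registers and authenticates users, a PAP where the authority records authorizations, a PDP that evaluates them, and a PEP that enforces the decision and keeps the audit trail the accountability slide asks for. The scenario replays the "absurd situation" of the confusion slide: a log-on with Alice's stolen password yields a Permit decision from the access-control function while the authorization table shows nobody but Alice was ever authorized, and the audit log can only attribute the action to the identity that was authenticated. All identities, passwords, resource names and the PBKDF2 iteration count are constructed assumptions.

```python
"""The IAM components of the figure as one small system.

`authorize()` is the act of a human authority in the configuration phase;
the PDP's run-time verdict is access control, not authorization.  Someone
who logs on with a stolen password can obtain Permit and still be
unauthorized.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000   # constructed for the demo; tune upward in production


class IdentityProvider:
    """Registration, credential storage and the user authentication function."""

    def __init__(self):
        self.users = {}     # user id -> (salt, pbkdf2 digest)

    def register(self, user_id, password):           # configuration phase
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, self._derive(password, salt))

    def authenticate(self, user_id, password):       # operation phase: log-on
        record = self.users.get(user_id)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._derive(password, salt))

    def deactivate(self, user_id):                   # termination phase
        self.users.pop(user_id, None)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PolicyAdministrationPoint:
    """Where the system owner's authority records who may do what."""

    def __init__(self):
        self.policy = set()  # (user id, resource, access type)

    def authorize(self, user_id, resource, access):
        self.policy.add((user_id, resource, access))

    def revoke(self, user_id):
        self.policy = {p for p in self.policy if p[0] != user_id}

    def is_authorized(self, user_id, resource, access):
        return (user_id, resource, access) in self.policy


class PolicyDecisionPoint:
    def __init__(self, pap):
        self.pap = pap

    def decide(self, user_id, resource, access):
        return "Permit" if self.pap.is_authorized(user_id, resource, access) else "Deny"


class PolicyEnforcementPoint:
    """Front door of the resource: authenticates, asks the PDP, logs, enforces."""

    def __init__(self, idp, pdp):
        self.idp, self.pdp = idp, pdp
        self.audit_log = []  # (claimed user id, resource, access, outcome)

    def access(self, user_id, password, resource, access):
        if not self.idp.authenticate(user_id, password):
            outcome = "Deny (authentication failed)"
        else:
            outcome = self.pdp.decide(user_id, resource, access)
        self.audit_log.append((user_id, resource, access, outcome))
        return outcome


def run_scenario():
    idp, pap = IdentityProvider(), PolicyAdministrationPoint()
    pep = PolicyEnforcementPoint(idp, PolicyDecisionPoint(pap))
    pw = "correct horse battery staple"                 # constructed credential
    results = {}

    # Configuration phase: registration, provisioning of a credential, authorization.
    idp.register("alice", pw)
    pap.authorize("alice", "payroll.db", "read")

    # Operation phase: identification + authentication + access control.
    results["alice_read"] = pep.access("alice", pw, "payroll.db", "read")
    results["alice_write"] = pep.access("alice", pw, "payroll.db", "write")
    results["bad_password"] = pep.access("alice", "wrong", "payroll.db", "read")

    # Mallory logs on with Alice's stolen password.  Access control says
    # Permit, yet Mallory holds no authorization, and the audit trail can
    # only name the identity that was authenticated.
    results["mallory_decision"] = pep.access("alice", pw, "payroll.db", "read")
    results["mallory_authorized"] = pap.is_authorized("mallory", "payroll.db", "read")
    results["audit_attributes_to"] = pep.audit_log[-1][0]

    # Termination phase: revoke authorization, then deactivate credentials.
    pap.revoke("alice")
    results["after_revoke"] = pep.access("alice", pw, "payroll.db", "read")
    idp.deactivate("alice")
    results["after_deactivate"] = pep.access("alice", pw, "payroll.db", "read")
    return results
```

Note where each phase lives: authorization is a write to the PAP's table, made before any log-on happens, and revocation is its inverse; the PEP never authorizes anything, it only enforces what the PDP reads back from that table. Keeping the PDP separate from the PEP is what lets one policy govern many enforcement points, and it is the structure that the XACML and Cisco AAA vocabularies share even where the latter calls the decision "authorization".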

End of lecture

