Class Organization One class Weekly
One Tutorial Weekly
• Most probably taught by myself
3-4 theoretical assignments
3-4 practical assignments (Labs)
Term paper / project
2
Textbooks
Michael G. Solomon and Mike chapple, Information Security Illuminated, 2005
William Stallings, Cryptography and Network Security, fourth Edition
Behrouz A. Forouzan, “Cryptography and Network
Security,” 2008 Edition
Some other research materials
3
Tentative Grading
40% Final – comprehensive 20% Mid-term exam 5% Assignments 5% Lecture participation 20% Project / Term paper 10% Quizzes 2 out of 3
4
Lets have fun before we start
5
Game No. 1
Study the circles below.Work out what number should replace the question mark.
7
Hit
4 * 5 + 3* 6 = 38
8 * 4 + 3 * 5 = 47
Game No. 2 Draw a square made up of dots like this one on your
piece of paper
Now, without lifting the pencil from the page, draw no more than four straight lines which will cross through all nine dots
Hint
One line can go out of the paper
Solution Solution
• Lessons Learned • Do not discard small details
• Ask questions
• You might think that things are
very complicated but with
little guide it becomes very easy
Video Part
11
Play
What does it tell you?
Be Smart and Think Smartly
The Role of Security
Security is like adding brakes to cars. The Security is like adding brakes to cars. The purpose of brakes is not to stop you; it is to purpose of brakes is not to stop you; it is to enable you to go faster. Brakes help avoid enable you to go faster. Brakes help avoid accidents caused by mechanical failures in accidents caused by mechanical failures in other cars, rude drivers, and road hazards.other cars, rude drivers, and road hazards.
Better security is an enabler for greater freedom Better security is an enabler for greater freedom and confidence in the Cyber world.and confidence in the Cyber world.
12
Why Information Security?
Play
Play
13
Historical Aspects of InfoSec In old days , to be secure,
• Information maintained physically on a secure place
• Few authorized persons have access to it (confidentiality)
• Protected from unauthorized change (integrity)
• Available to authorized entity when is needed (availability)
Nowadays, • Information are stored on computers
• Confidentiality are achieved few authorized persons can access the files.
• Integrity is achieved few are allowed to make change
• Availability is achieved at least one person has access to the files all the time
14
Historical Aspects of InfoSec In the 1970s, Federal Information Processing Standards (FIPS)
examines DES (Data Encryption Standard) for information protection
DARPA creates a report on vulnerabilities on military information systems in 1978
In 1979 two papers were published dealing with password security and UNIX security in remotely shared systems
In the 1980s the security focus was concentrated on operating systems as they provided remote connectivity
15
16
Historical Aspects of InfoSec
In the 1990s, the growth of the Internet and the growth of the LANs contributed to new threats to information stored in remote systems
IEEE, ISO, ITU-T, NIST and other organizations started developing many standards for secure systems
Information security is the protection of information ,the systems, and hardware that use, store, and transmit information
17
CNSS Model
CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]).
CNSS has developed a National Security Telecommunications and Information Systems Security (NSTISSI) standards.
NSTISSI standards are 4011, 4012, 4013, 4014, 4015, 4016.
18
CNSS Security Model
Storage Processing Transmission
Confidentiality
Integrity
Availability
Technology
Education
Policy
19
CNSS Security Model The model identifies a 3 x 3 x 3 cube with 27 cells
Security applies to each of the 27 cells
These cells deal with people, hardware, software, data, and procedures
A hacker uses a computer (hardware) to attack another computer (hardware). Procedures describe steps to follow in preventing an attack.
An attack could be either direct or indirect
In a direct attack one computer attacks another. In an indirect attack one computer causes another computer to launch an attack.
20
Systems Development Life Cycle for InfoSec (SDLC)
SDLC for InfoSec is very similar to SDLC for any project The Waterfall model would apply to InfoSec as well
Investigate
Analyze
Logical Design
Physical Design
Implement
Maintain
21
Systems Development Life Cycle for InfoSec
Investigation phase involves feasibility study based on a security program idea for the organization
Analysis phase involves risk assessment Logical design phase involves continuity planning, disaster
recovery, and incident response
Investigate
Analyze
Logical Design
Physical Design
Implement
Maintain
Systems Development Life Cycle for InfoSec
Physical design phase involves considering alternative options possible to construct the idea of the physical design
Maintenance phase involves implementing the design, evaluating the functioning of the system, and making changes as needed
22
Investigate
Analyze
Logical Design
Physical Design
Implement
Maintain
23
What is a Computer Security?
Different answers
• It is the password that I use to enter the system or required set of rules (lock the computer before you leave) – End User
• It is the proper combination of firewall technologies with encryption systems and access controls – Administrator
• Keeping the bad guys out of my computer– Manager
23
What is a computer security?
A computer is secure if you can depend on it and its software to behave as you expect– Simson and Gene in “Practical Unix and Internet Security “ book
Which definition is correct ?
• All of them. However,
• We need to keep all of these prospective in mind
24
CIA Triad
Security Goals• Confidentiality,
• Integrity , and
• Availability
25
Confidentiality The property of preventing disclosure of information
to unauthorized individuals or systems. Real Scenario
• a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
• The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.
• If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
26
To ensure confidentiality
To ensure confidentiality
To ensure confidentiality
To ensure confidentiality
Integrity
Data cannot be modified without authorization. Real scenarios:
• Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files,
• when a computer virus infects a computer,
• when an employee is able to modify his own salary in a payroll database,
• when an unauthorized user vandalizes a web site,
• when someone is able to cast a very large number of votes in an online poll, and so on.
Preventing by Access Control and Encryption
27
Availability
The information must be available when it is needed. High availability systems aim to remain available at
all times. Real Scenarios
• Power outages,
• hardware failures,
• DoS attacks (denial-of-service attacks).
Preventions by fault tolerance , access control, and attack prevention mechanisms.
28
Security Goals (Summary)
29
Confidentiality• Ensures that computer-related assets are accessed only by
authorized parties.
• Sometimes called secrecy or privacy.
Integrity• Assets can be modified only by authorized parties or only in
authorized ways.
Availability • assets are accessible to authorized parties at appropriate times.
• The opposite is denial of service.
Security Goals
30
Strong protection is based on Goals relations