Information System Security(lecture 1)

Date post: 29-May-2015
Upload: ali-habeeb
Transcript
Page 1: Information System Security(lecture 1)

Information System Security

Lecture 1

Introduction to Information System Security

Page 2: Information System Security(lecture 1)

Outline

1. What is Security?
2. What is Information Security?
3. Why Information System Security?
4. Vulnerability, Threat and Attack
5. Security Policies
6. Security Measures
7. Security Requirements
8. Security Services
9. Security Mechanisms

Page 3: Information System Security(lecture 1)

1. What is security?

Security: protecting general assets. Security can be realized through:

1. Prevention: take measures that prevent your assets from being damaged.

2. Detection: take measures so that you can detect when, how, and by whom an asset has been damaged.

3. Reaction: take measures so that you can recover your assets, or recover from damage to your assets.

Examples: next slide

There are many branches of security: national security, economic security, information security, etc.

Page 4: Information System Security(lecture 1)

Examples

Ex. 1 - Private property

– Prevention: locks on doors, window bars, walls around the property.

– Detection: stolen items are no longer there, burglar alarms, CCTV, ...

– Reaction: call the police, ...

Page 5: Information System Security(lecture 1)

Examples

Ex. 2 - eCommerce

– Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, ...

– Detection: an unauthorized transaction appears on your credit card statement.

– Reaction: complain, ask for a new credit card number, ...

Page 6: Information System Security(lecture 1)

2. What is Information Security?

Information security: is concerned with protecting information and information resources such as books, faxes, computer data, voice communications, etc.

Information security is determining:

– what needs to be protected, i.e., the assets, and why (the security requirements, which include CIA);

– what it needs to be protected from (threats, vulnerabilities, risks);

– and how to protect it (security measures) for as long as it exists.

– Security measures are implemented according to a security policy.

Page 7: Information System Security(lecture 1)

3. What is Information System Security (ISS)?

[Diagram showing the relationship between Information Systems (assets), Security Measures, Attackers and Policies. Taken from K. Martin's lecture, RHUL.]

Page 8: Information System Security(lecture 1)

Information System Security

ISS is concerned with protecting information system assets such as PCs, software, applications, etc.

In order to ensure the security of information systems, we need to determine:

1. Assets (i.e., information systems) to be protected

2. Security requirements: CIA

3. Threats, vulnerabilities, risks

4. Security policies

5. Security measures

Page 9: Information System Security(lecture 1)

4. Vulnerability, Threat and Attack

A vulnerability: is a weakness in system design or implementation, and can be in hardware or software.

– Example: a software bug exists in the OS, or no password rules are set.

A threat:

– is a set of circumstances that has the potential to cause loss or harm;

– is an indication of a potential undesirable event;

– refers to a situation in which a person could do something undesirable (an attacker initiating a denial-of-service attack against an organization's email server), or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware).

Page 10: Information System Security(lecture 1)

4. Vulnerability, Threat and Attack

A risk is the possibility of suffering harm or loss, i.e., the chance that a threat actually exploits a vulnerability, together with the impact if it does.

An attack: is the realization of a threat.

An attacker: is a person who exploits a vulnerability.

An attacker must have means, opportunity, and motive.

– Synonyms: enemy, adversary, opponent, eavesdropper, intruder

Page 11: Information System Security(lecture 1)

Vulnerability, Attack and Threat

A hacker:

– A person who has advanced knowledge of operating systems and programming languages

– Might discover holes within systems and the reasons for such holes

– Shares what they discover but never intentionally damages data

A cracker:

– One who breaks into or violates the system integrity of remote machines with malicious intent, i.e., gaining unauthorized access

– Might destroy vital data or deny legitimate users service

A passive adversary is an adversary who is capable only of reading from an unsecured channel.

An active adversary is an adversary who may also transmit, alter, or delete information on an unsecured channel.

Page 12: Information System Security(lecture 1)

Common security attacks

Interruption, delay, denial of receipt or denial of service

– System assets or information become unavailable or are rendered unavailable.

Interception or snooping

– An unauthorized party gains access to information by browsing through files or reading communications.

Modification or alteration

– An unauthorized party changes information in transit or information stored for subsequent access.

Masquerade or spoofing

– Spurious information is inserted into the system or network by making it appear as if it is from a legitimate entity.

Repudiation of origin

– A false denial that an entity created something.
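The passive and active adversary models from the previous slide, and the interception and modification attacks listed above, shown in working code. This is an added example, not part of the lecture: it uses a toy stream cipher built from HMAC-SHA256 (illustrative only; a real system would use an authenticated cipher such as AES-GCM from a vetted library), constructed fixed keys, a constructed sample order message, and an attacker who guesses the message layout. A passive adversary who only reads the channel sees ciphertext, but an active adversary can flip ciphertext bits so that the receiver decrypts a different amount without ever learning the key; a message authentication tag over the ciphertext is what lets the receiver detect the alteration.

```python
import hashlib
import hmac

# Constructed demo keys, fixed so the example is reproducible. A real system
# would generate them with a CSPRNG (e.g. secrets.token_bytes(32)).
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = b"\x00" * 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator: HMAC-SHA256 over (nonce || counter).
    Illustrative only; production code should use AES-GCM or
    ChaCha20-Poly1305 from a vetted library, not a hand-rolled cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream. Decryption is the
    same operation because XOR is its own inverse."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Message authentication tag over nonce || ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the check itself does not leak
    # how many tag bytes matched.
    return hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag)


def active_tamper(ciphertext: bytes, guessed_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """What an active adversary does without the key: if it can guess the
    plaintext layout (an order with a known field), XORing the ciphertext
    with (guessed XOR wanted) flips exactly the bits needed to make the
    receiver decrypt 'wanted' instead. Plain stream ciphers are malleable."""
    return xor_bytes(ciphertext, xor_bytes(guessed_plaintext, wanted_plaintext))


def run_demo() -> dict:
    """Walk both adversary models over one constructed message."""
    message = b"amount=100"  # constructed sample order
    ct = encrypt(ENC_KEY, NONCE, message)
    tag = mac_tag(MAC_KEY, NONCE, ct)

    # Passive adversary (interception / snooping): reads the channel only.
    passive_learns_plaintext = ct == message

    # Active adversary (modification / alteration): rewrites ct in transit.
    tampered = active_tamper(ct, b"amount=100", b"amount=900")

    return {
        "passive_learns_plaintext": passive_learns_plaintext,
        "original_decrypts_to": decrypt(ENC_KEY, NONCE, ct),
        "tampered_decrypts_to": decrypt(ENC_KEY, NONCE, tampered),
        "original_tag_valid": verify_tag(MAC_KEY, NONCE, ct, tag),
        "tampered_tag_valid": verify_tag(MAC_KEY, NONCE, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The point of the demo is the pairing: encryption alone defeats the passive adversary but not the active one, because the tampered ciphertext still decrypts cleanly to the attacker's amount. Only the tag check, which the receiver must perform before acting on the decrypted data, turns the modification into a detected event.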

Page 13: Information System Security(lecture 1)

5. Security Policy

A security policy states what is, and is not, allowed. It is a document describing a company's security controls and activities. It does not specify technologies. Examples:

– Policy: Password construction. Account names must not be used in passwords.

– Policy: Confidentiality of personal information. All personal information must be treated as confidential.

A security policy is a guideline for implementing security measures.
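One way the password-construction policy above becomes a concrete mechanism, as an added example that is not from the lecture. The policy only says that account names must not appear in passwords; the check below is an assumed implementation that also normalizes case and separators, catches reversed names, and adds a minimum-length rule, all of which go beyond the literal policy wording and are marked as such in the code. The sample account names and passwords are constructed.

```python
import re

# Separators commonly found in account names ("j.smith", "j_smith", "j-smith").
SEPARATORS = re.compile(r"[\s._\-@]+")


def _normalize(s: str) -> str:
    """Lower-case and drop common separators, so 'J.Smith' and 'jsmith'
    compare equal. Normalizing is an assumption about what 'account name
    used in a password' should catch, beyond the literal policy wording."""
    return SEPARATORS.sub("", s.lower())


def account_name_tokens(account: str) -> set[str]:
    """The account name as a whole plus its separator-split parts
    (e.g. 'j.smith' -> {'jsmith', 'smith'}), ignoring parts shorter than
    3 characters so a single initial does not trigger a match."""
    whole = _normalize(account)
    parts = {p.lower() for p in SEPARATORS.split(account) if len(p) >= 3}
    return {whole} | parts


def violates_account_name_rule(account: str, password: str) -> bool:
    """Mechanism for the policy line 'account names must not be used in
    passwords'. Returns True when the password contains the account name,
    any of its parts, or their reversal (reversal is an added hardening
    assumption, not stated in the policy)."""
    pw = _normalize(password)
    for token in account_name_tokens(account):
        if len(token) < 3:
            continue
        if token in pw or token[::-1] in pw:
            return True
    return False


def check_password(account: str, password: str, min_length: int = 12) -> list[str]:
    """Evaluate a candidate password against the policy and return the names
    of the rules it breaks (an empty list means it is acceptable). The length
    rule is an assumed extra; the lecture's example policy only gives the
    account-name rule."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    if violates_account_name_rule(account, password):
        failures.append("contains_account_name")
    return failures


if __name__ == "__main__":
    # Constructed samples, not real accounts.
    samples = [
        ("j.smith", "JSmith2024!!!"),       # account name with case changed
        ("j.smith", "htims-rocks-1234"),    # part of the name, reversed
        ("j.smith", "correct horse battery"),
    ]
    for acct, pw in samples:
        print(acct, repr(pw), check_password(acct, pw) or "OK")
```

Note the division of labour the slide describes: the policy document owns the rule ("account names must not be used"), while the mechanism owns the technology choices (how names are normalized, which variants count as "used"). Changing a threshold such as `min_length` is a mechanism decision that should still trace back to a policy statement.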

Page 14: Information System Security(lecture 1)

6. Security measures

Security measures include techniques for ensuring:

– Prevention: such as encryption, user authentication, one-time passwords, anti-virus, firewalls, etc.

– Detection: such as IDS (Intrusion Detection Systems), monitoring tools, firewall logs, digital signatures, etc.

– Reaction (or recovery): such as backup systems, OS recovery points, etc.

Covered in later lectures:

– Encryption (lectures 2 & 3)
– Digital signature (lecture 4)
– User authentication (lecture 5)
– Database security (lecture 6)
– Antivirus (lecture 7)
– IDS and firewalls (lectures 8 & 9)
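A minimal example of the detection category above, the kind of rule an IDS or log-monitoring tool applies to an authentication or firewall log. This is added here and is not part of the lecture. It parses constructed sshd-style log lines (made up for the example), raises an alert when one source address produces five failed logins within a minute, and flags a later successful login from that same address, which is the point at which the reaction measures are needed. The threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the style of an OpenSSH auth log; they are
# made up for this example and do not come from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
2024-03-01T10:00:03 sshd[411]: Failed password for root from 203.0.113.9 port 51123 ssh2
2024-03-01T10:00:04 sshd[411]: Failed password for root from 203.0.113.9 port 51124 ssh2
2024-03-01T10:00:06 sshd[411]: Failed password for root from 203.0.113.9 port 51125 ssh2
2024-03-01T10:00:07 sshd[411]: Failed password for root from 203.0.113.9 port 51126 ssh2
2024-03-01T10:00:09 sshd[412]: Accepted password for root from 203.0.113.9 port 51127 ssh2
2024-03-01T10:00:30 sshd[413]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:05:00 sshd[414]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Extract timestamp, outcome, user and source IP; None for lines that
    are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window detection rule: alert once when a source IP reaches
    `threshold` failed logins inside `window`, and separately flag any
    successful login from an IP that has already been alerted on, since
    that is the case where the attacker may actually have got in."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "at": ev["ts"], "failures": len(q)})
        elif ip in alerted:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

This is detection in the lecture's sense: it records when (the timestamp), how (password guessing) and by whom (the source address) an asset was attacked, but it stops nothing by itself. Blocking the address at the firewall would be a prevention measure; disabling the compromised account and restoring from backup would be reaction.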

Page 15: Information System Security(lecture 1)

7. Security Requirements

The most important security requirements are:

– Confidentiality: keeping information secret from all but those who are authorized to see it. Also called secrecy or privacy.

– Integrity: ensuring information has not been altered by unauthorized or unknown means.

– Availability: keeping information accessible to authorized users when required.

Page 16: Information System Security(lecture 1)

Security Requirements

Other requirements:

– Entity authentication: corroboration of the identity of an entity (e.g., a person, a credit card, etc.). Also called identification or identity verification.

– Message authentication: corroborating the source of information; also known as data origin authentication. Message authentication implicitly provides data integrity.

– Digital signature: a means to bind information to an entity.

– Non-repudiation: preventing the denial of previous commitments or actions.

Page 17: Information System Security(lecture 1)

Security Requirements

– Authorization: conveyance, to another party, of official sanction to do or to be something.

– Access control: restricting access to resources to privileged entities.

– Validation: a means to provide timeliness of authorization to use or manipulate information or resources.

These requirements are referred to as ISS objectives (another definition of ISS).

Page 18: Information System Security(lecture 1)

8. Security services

An information security service is a method to provide some specific aspect of security.

– Examples:

Confidentiality is a security objective (requirement); encryption is an information security service.

Integrity is another security objective (requirement); a method to ensure integrity is a security service.

Breaking a security service implies defeating the objective of the intended service.

Page 19: Information System Security(lecture 1)

9. Security mechanisms

A security mechanism encompasses protocols, algorithms, and non-cryptographic techniques (hardware protection) used to achieve specific security objectives (confidentiality, integrity, ...).
