Date post: | 02-Jan-2016 |
Category: |
Documents |
Upload: | benjamin-miller |
View: | 215 times |
Download: | 0 times |
John Carpenter 2008 702904 & 711908 lecture - 01 1
702904 & 711908 Information Security
2008
Lecture 1: Subject Introduction and
Security Fundamentals
John Carpenter 2008 702904 & 711908 lecture - 01 2
Lecturer
• Mr John Carpenter
B Eng (Electrical)
M Eng Sc (Systems Theory, Pattern Recognition)
M Arts (Philosophy – Theory of Mind)
• Work experience: Embedded Systems
Pathology Instrumentation and Databases
Project manager
Lecturer in Computer Technology,Project Management, and Security
John Carpenter 2008 702904 & 711908 lecture - 01 3
702904 & 711908 Information Security Lecture Introduction
• Welcome • Student Handout:• Subject Introduction • Assessment• Texts• Tutorials
• Lecture 1 Objectives
John Carpenter 2008 702904 & 711908 lecture - 01 4
702904 & 711908 Information Security
• Principles of Security
• Securing individual computer systems
• Models for securing information systems
• Securing local networks
• Cryptography as a basis for securing transactions passing across open networks
• Maybe: Introduction to securing websites
• Maybe: Securing databases
John Carpenter 2008 702904 & 711908 lecture - 01 5
Objectives of Lecture 1
• Subject Administration
• Define the objectives of information security
• Some definitions
• The four Threats
• Controls
• The layers of technology and hence the layers of controls
• A different point of view
• Physical security
John Carpenter 2008 702904 & 711908 lecture - 01 6
References
• Pfleeger & Pleeger Ch 1, Section 8.4
Gollman Computer Security Ch 1
John Carpenter 2008 702904 & 711908 lecture - 01 7
There are Problems
• Theft - of equipment, of proprietary software
• Theft - Copying of confidential material
• Fabrication - for gain - Adding false names to company payroll
• Modification - malicious - Virus infections
• Access - easy for ‘us’
• Access - difficult for ‘them’
John Carpenter 2008 702904 & 711908 lecture - 01 8
What is Security ?
• Protection of assets - can take several forms:
• Prevention
• Detection
• Reaction
• What does this mean for computer assets ?
John Carpenter 2008 702904 & 711908 lecture - 01 9
What is Information Security ?
• The objectives of information security are:
• Confidentiality
• Integrity
• Availability
• to give us: Secure Data
John Carpenter 2008 702904 & 711908 lecture - 01 10
Confidentiality
• Only accessible by authorised parties
• Not revealed
• More than not reading• Confidentiality is distinct from secrecy and
privacy ( for you to think about)
John Carpenter 2008 702904 & 711908 lecture - 01 11
Integrity
• Associated with loss and corruption
• Data Integrity: Computerised data to be the same as the external,
source data
Data not exposed to alteration or destruction
• No inappropriate modification
John Carpenter 2008 702904 & 711908 lecture - 01 12
Availability
• The property of being accessible and useable (without delay) upon demand by an authorised entity
• We want there to be
• no denial of service
John Carpenter 2008 702904 & 711908 lecture - 01 13
Other security issues
• Accountability
• Reliability
• Safety
• Dependability
John Carpenter 2008 702904 & 711908 lecture - 01 14
• Computer security deals with the prevention
and detection of unauthorised actions by users of a computer system
• security deals with the ready availability of valuable assets by authorised agents, and the denial of that access to all others
John Carpenter 2008 702904 & 711908 lecture - 01 15
Some Definitions• Vulnerability
A weakness of some sort
• AttackWhen a weakness is exploited
• ThreatA circumstance with a potential for loss
• ExposureWhen a vulnerability is visible
• ControlA protective measure
• NOTE the CLOSED nature of these definitions, the concept of PERIMETER CONTROL.
John Carpenter 2008 702904 & 711908 lecture - 01 16
Breaches of Security The Four Threats
• Interruption
• Interception
• Modification
• Fabrication
John Carpenter 2008 702904 & 711908 lecture - 01 17
Some Principles of Security
• Principle of Easiest PenetrationAn intruder will use any means of penetration
• Principle of TimelinessItems only need to be protected until they lose their value
(Only protect valuable items)
• Principle of EffectivenessControls must work, and they should be efficient, easy to
use, and appropriate
John Carpenter 2008 702904 & 711908 lecture - 01 18
Costs
• The costs of additional resources to implement security mechanisms can be quantified (measured)
• Security mechanisms interfere with users, and can lead to loss of productivity
• Managing security also costs
• (Risk Analysis will be covered)
John Carpenter 2008 702904 & 711908 lecture - 01 19
Controls
• A control is a protective mechanismA lock with a key
An ATM card is a PIN number
A login with a password
An e-mail message that is encrypted
• What should be the focus of controls ?
• Should protection mechanisms focus on data,
• or operations on that data,
• or should we focus on the users ?
John Carpenter 2008 702904 & 711908 lecture - 01 20
There are layers of information systems technology
• Applications
• Services
• Operating system
• Kernel
• Hardware
• In which layer (or layers) should security mechanisms be placed ?
• Should controls be placed in more that one layer ?
John Carpenter 2008 702904 & 711908 lecture - 01 21
Layers
• The presence of layers is a feature of technology
• Separate layers often perform very different functions
• Similar functions are combined in one layer
• The boundary between two layers is usually easily defined
• Layers can often be independently implemented
John Carpenter 2008 702904 & 711908 lecture - 01 22
One Architecture of Controls
• Administrative Policies
• Physical
• Computer and Network Hardware
• Software
• Encryption (concealing)
John Carpenter 2008 702904 & 711908 lecture - 01 23
Controls: The Onion Model
•
• Simple mechanisms, or lots of features ?
• Should defining and enforcing security be a centralised function ?
• How to prevent access to the layer below the security mechanism ?
John Carpenter 2008 702904 & 711908 lecture - 01 24
Attack on the layer below
• An important concept
• Needs an understanding of the layers that are used to gain access to an asset
• When an intruder finds they are blocked at one layer, this intruder may attempt to attack the next layer closer to the asset
• Circumventing the protection Smashing a door
Posing as an employee
Posing as a programmer
An email pretending to be from your bank
John Carpenter 2008 702904 & 711908 lecture - 01 25
A Different View:Security as a Person problem
• Roles of individuals in an organisationDirectors
Managers
Professionals
Clerks
IT staff
• Personality types Adventurous
Anti-social
Gregarious
John Carpenter 2008 702904 & 711908 lecture - 01 26
Physical Security
• Control ACCESS
• Control PORTABILITY
• Detect EXIT VIOLATIONS
John Carpenter 2008 702904 & 711908 lecture - 01 27
Site Security
• The concern is with physical things
• Fire
• Flood
• Electric Power
• Access
John Carpenter 2008 702904 & 711908 lecture - 01 28
Securing ‘Closed’ Computer systems
• Media
• Equipment
• SiteCold Site
Warm Site
Hot Site
John Carpenter 2008 702904 & 711908 lecture - 01 29
Next week
• Identity and Authentication
• References:Pfleeger and Pfleeger section 4.5
• Gollman Chapter 2
• (Anderson Security Engineering )