
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE

Date posted: 31-Dec-2015
Page 1: Security Policy Issues

Saad Haj Bakry, PhD, CEng, FIEE

Page 2: Definition (1), ISO Information Processing Vocabulary

Data: The representation of facts, concepts and instructions in a formalized manner suitable for communication, interpretation, or processing.

Information: The meaning that is currently assigned to data by means of conventions applied to that data.

Page 3: Definition (1), ISO Information Processing Vocabulary

Data Integrity: The data quality that exists as long as accidental or malicious destruction, alteration, or loss of data does not occur.

Data Corruption / Contamination: The violation of data integrity.

Page 4: Definition (1), ISO Information Processing Vocabulary

Functional Unit: The entity of hardware, or software, or both, capable of accomplishing a specific purpose.

Data Source: The functional unit that originates data for transmission.

Data Sink: The functional unit that accepts transmitted data.

Page 5: Definition (1), Signal Processing of Voice / Data / Video

Source Encoding: Coding a signal in digital form: Telephone Voice (64 kbps) / Video (135 Mbps)

Compression: Reduction of transmission bandwidth: Telephone Voice (32 kbps) / Video (45 Mbps)

Encryption: Using encoding (encryption / enciphering) as a means for protecting data from interception by unauthorized parties

Page 6: Definition (1), A Cipher / An Encryption Method

Definition: A procedure / an algorithm / a process, and a transformation key.

Procedure / Algorithm / Process: A designed sequence of steps for transforming a plain text into a cipher text using a transformation key.

Transformation Key: The key (a digital string) determines a particular transformation from a set of possible transformations.

Page 7: Definition (1), ISO Information Processing Vocabulary

Security: The condition of being secure, or the condition of being protected from, or not exposed to, danger.

Privacy: The state or quality of being private.

Page 8: Definition (1), ISO Information Processing Vocabulary

Cryptography: A discipline involving principles, means, and methods for changing data so that it is not readable.

Cryptanalysis: An attack on one of the principles, means, or methods (to recover readability).

Page 9: Definition (1), ISO Information Processing Vocabulary

Encryption / Enciphering: The process of changing data (plain text) so that it becomes unreadable (cipher text).

Decryption / Deciphering: The process of transforming cipher text back into plain text.

Page 10: Definition (2), ISO Information Processing Vocabulary

Computer System Security: The technological and the administrative safeguards established and applied to data processing to protect hardware, software, and data from accidental or malicious destruction or disclosure.

Page 11: Analysis of Definition (2)

Object (to be protected): Hardware / Software / Data

Challenges (source): Accidental / Malicious

Effect (protection from): Destruction / Disclosure

Means (of protection): Technological / Administrative

Page 12: Definition (3), ISO Information Processing Vocabulary

Privacy Protection: The implementation of appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of data records, and to protect both security and confidentiality against any threat or hazard that could result in substantial harm, embarrassment, inconvenience or unfairness to any individual about whom such information is maintained.

Page 13: Analysis of Definition (3)

Object (to be protected): Information / Data: Records (associated with individuals, or organizations: privacy)

Challenge (to object): Security / Privacy

Effect (protection from): Threat and hazard that could result in harm, embarrassment, inconvenience, or unfairness

Means (of protection): Physical / Administrative / Technical

Page 14: Definition (2), ISO-OSI Special Interest Group on Security

Network Security Goals: protection of data against
- undetected loss and repetition: data is Sequenced
- unauthorized modification: data is Sealed
- unauthorized disclosure: data is Private

Ensuring correct identity of sender and receiver: Signed by Sender, Stamped by Receiver.
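The goals above (and the data-integrity definition of page 3) become concrete when written as the checks a receiver performs on each message. The following is an added example, not code from the slides or their author. It assumes a message format of the author's own choosing for this illustration: a sequence number, a payload, and an HMAC-SHA256 tag over both computed with a key shared by sender and receiver. The tag seals the data (modification is detected) and serves as the sender's signature in the shared-key sense; the sequence number exposes loss and repetition. The "private" goal (encryption) is deliberately left out so the example stays focused on sequencing and sealing.

```python
"""Added example (not from the slides): a receiver enforcing the
sequenced / sealed / signed goals on a constructed message stream."""
import hashlib
import hmac


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # Fixed-width sequence number so "1" + "23" cannot be confused with "12" + "3".
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def send(self, payload: bytes) -> dict:
        """Number the message and seal it with the shared key."""
        msg = {"seq": self.next_seq, "payload": payload}
        msg["tag"] = _tag(self.key, msg["seq"], payload)
        self.next_seq += 1
        return msg


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def receive(self, msg: dict) -> str:
        """Return 'ok', or the name of the goal that was violated."""
        expected = _tag(self.key, msg["seq"], msg["payload"])
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, msg["tag"]):
            return "modified-or-unsigned"      # sealed / signed goals violated
        if msg["seq"] < self.expected_seq:
            return "repetition"                # replay of an already accepted message
        if msg["seq"] > self.expected_seq:
            gap = msg["seq"] - self.expected_seq
            self.expected_seq = msg["seq"] + 1  # resynchronise after the gap
            return f"loss-detected:{gap}"      # earlier messages never arrived
        self.expected_seq += 1
        return "ok"


def run_scenario() -> list:
    """Constructed exchange: a normal message, a tampered copy, a replay
    and a gap. Returns the receiver's verdict for each delivery."""
    key = b"shared-demo-key"                   # constructed key, illustration only
    sender, receiver = Sender(key), Receiver(key)
    verdicts = []
    m0 = sender.send(b"balance=100")
    verdicts.append(receiver.receive(m0))                       # ok
    m1 = sender.send(b"transfer=10")
    tampered = dict(m1, payload=b"transfer=90")                 # payload altered in transit
    verdicts.append(receiver.receive(tampered))                 # modified-or-unsigned
    verdicts.append(receiver.receive(m1))                       # ok (the genuine copy)
    verdicts.append(receiver.receive(m0))                       # repetition
    sender.send(b"logout")                                      # seq 2, never delivered
    m3 = sender.send(b"login")
    verdicts.append(receiver.receive(m3))                       # loss-detected:1
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

A real protocol would also bind the direction and session to the tag and would encrypt the payload for the "private" goal; the point here is that each of the slide's goals maps to one explicit check.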

Page 15: Definition (3), Intranet-Internet Flow / Flooding

Security of Network Flow:
- Protection from undesired data streams entering the Intranet (Private / National Networks): Firewalls
- Protection of private data streams from leaking out of the Intranet
- Protection from denial of service: Flooding, the undesired generation of data: Anti-Virus
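Flooding, as defined above, is visible to a defender as a burst of traffic from one source that far exceeds the normal rate. The following added example (not code from the slides) shows the simplest form of that detection: a per-source sliding window over a connection log. The log format ("unix-seconds source-ip destination-port"), the sample lines, the window and the threshold are all constructed for this illustration; the lines are assumed to be in time order, as a log written by one collector would be.

```python
"""Added example (not from the slides): flagging a flooding source from a
constructed connection log with a per-source sliding time window."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # how far back events still count (constructed)
THRESHOLD = 5         # more than this many in a window is treated as a flood

# Constructed sample log: 10.0.0.9 bursts six connections in three seconds,
# 10.0.0.5 opens three connections spread over thirty seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.5 443
1700000001 10.0.0.9 80
1700000001 10.0.0.9 80
1700000002 10.0.0.9 80
1700000002 10.0.0.9 80
1700000003 10.0.0.9 80
1700000003 10.0.0.9 80
1700000015 10.0.0.5 443
1700000030 10.0.0.5 22
"""


def parse_line(line: str):
    """Split one '<ts> <src> <port>' record into typed fields."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def detect_floods(log_text: str, window: int = WINDOW_SECONDS,
                  threshold: int = THRESHOLD) -> dict:
    """Return {source: timestamp at which it first exceeded the threshold}.
    Events older than `window` seconds are dropped from each source's
    queue, so a steady low rate never accumulates into an alert."""
    recent = defaultdict(deque)
    first_alert = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _port = parse_line(line)
        queue = recent[src]
        queue.append(ts)
        while queue and ts - queue[0] >= window:   # expire events outside the window
            queue.popleft()
        if len(queue) > threshold and src not in first_alert:
            first_alert[src] = ts
    return first_alert


if __name__ == "__main__":
    for src, ts in detect_floods(SAMPLE_LOG).items():
        print(f"flood from {src} detected at t={ts}")
```

The threshold and window are policy choices, which is exactly where the slides' "Risk v. Cost" balance applies: a low threshold catches floods early but flags busy legitimate clients; a high one does the reverse.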

Page 16: Basic Data Security Terms

Plaintext: Source text / Unencrypted data

Cryptography: Transforming “plaintext” to “cipher text” (encrypted text) using a “cipher” and a “key”

Cipher text: Encrypted text / Incomprehensible data

Cipher / Cryptosystem: A technique / A procedure / An algorithm (a computer science term) for encrypting data / messages

A Key: A string of digits used to encrypt data (like a password) / Longer keys lead to stronger encryption

Cryptanalysis: Breaking / cracking encryption
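Pages 6, 8, 9 and 16 together describe a cipher as a public algorithm plus a key that selects one transformation out of a set, with cryptanalysis as the recovery of readability and key length as the lever on strength. The following added example (not code from the slides or their author) makes that split visible with a deliberately tiny teaching cipher of the editor's own construction: byte-wise addition of a repeating key modulo 256. It is not a secure cipher; it exists only so that the algorithm, the key, the key space and an exhaustive key search can each be seen as separate things.

```python
"""Added example (not from the slides): a cipher as algorithm + key,
the size of the key space, and why a short key can be searched outright.
The cipher is a toy teaching construction, not a usable cryptosystem."""
from itertools import product


# --- The algorithm: a fixed, public sequence of steps -------------------
def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Transform plaintext into cipher text. The key selects which of the
    256 ** len(key) possible transformations is applied."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes((p + key[i % len(key)]) % 256 for i, p in enumerate(plaintext))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse transformation: same algorithm, same key, subtraction."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes((c - key[i % len(key)]) % 256 for i, c in enumerate(ciphertext))


# --- The key: one digital string chosen from a set -----------------------
def key_space_size(key_len_bytes: int) -> int:
    """Number of distinct transformations a key of this length can select."""
    return 256 ** key_len_bytes


# --- Cryptanalysis as "recovering readability" ---------------------------
def exhaustive_key_search(ciphertext: bytes, known_plaintext: bytes, key_len: int):
    """Try every key of the given length against one known
    plaintext / cipher text pair. Returns (matching keys, keys tried).
    Feasible only while 256 ** key_len is tiny, which is page 16's point
    that longer keys lead to stronger encryption."""
    matches = []
    tried = 0
    for candidate in product(range(256), repeat=key_len):
        tried += 1
        key = bytes(candidate)
        if encrypt(known_plaintext, key) == ciphertext:
            matches.append(key)
    return matches, tried


if __name__ == "__main__":
    message = b"SECURITY POLICY"          # constructed sample plaintext
    short_key = b"\x07"                    # a one-byte key: 256 possibilities
    ct = encrypt(message, short_key)
    assert decrypt(ct, short_key) == message
    found, tried = exhaustive_key_search(ct, message, 1)
    print(f"one-byte key recovered as {found} after {tried} candidates")
    print(f"key space for a 16-byte key: {key_space_size(16)} candidates")
```

The search succeeds after at most 256 trials for a one-byte key, whereas a 16-byte key gives 2^128 candidates under the same algorithm; the algorithm never changed, only the size of the set the key is drawn from.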

Page 17: Risk v. Cost

(diagram) Cost / Risk / Balance

Page 18: Profile Benefits

Current State: A Security Map of Broad Scope: “A Base for Investigations”

Future Policy: “Reengineering”

Management: “TQM”

Risk / Cost: “Balance”

Page 19: Profile Principles: Scope

(diagram: TOPE) Technology / Organization / People / Environment

Challenges: Technology / Organization / People / Environment; Accidental / Malicious

Protection: Technical / Administrative; Awareness / Practices / Legal / Management

Access / Identity / Integrity / Confidentiality / Flow / Contingency

Page 20: Profile Principles: Levels / Modules

The Internet Level (Module): Potential world-wide business activities

The Extranet Level (Module): Partners / Suppliers / Customers, “Business Activities”

The Intranet Level (Module): Intra-organization activities

Security (spans all three levels in the diagram)

Page 21: Challenges: Organization / People

Levels: Organization (Intranet) / Business (Extranet) / Public (Internet)

Non-Malicious: Management “Environment” / Misbehaviour / Misuse

Malicious: Conflicting Objectives / Hostility / Hackers (Internal / External)

Page 22: Challenges: Technology

Levels: Organization (Intranet) / Business (Extranet) / Public (Internet)

Non-Malicious: Design / Implementation Vulnerability: System Failure / Logical Deficiencies / Protocol Un-robustness

Malicious: Computer Viruses: undesired (harmful) technology components; spreading the disease (network)

Page 23: Challenges: Environment

Levels: Organization (Intranet) / Business (Extranet) / Public (Internet)

Accidental / Malicious / Non-Malicious:

Noise / Power Failure / Disasters: Flood / Fire / Earthquake / …

Rules: Regulations / Practices / Legal Issues

Management: Policy / Practices

Page 24: Challenges: Effect / Results

Denial of Service / Performance Degradation / Loss of Privacy / Data Corruption / System Failures / Loss of Data / Flooding / Problems of Identity

Page 25: Protection: Technical (See Paper)

Firewalls / Reliable Technology / Traffic Padding / Access Control / Authentication of Identities / Cryptography / Error Detection & Correction / Anti-Virus Measures

Page 26: Protection: Administrative (Issues)

Awareness: for whom: Users / IT Staff; subject: understanding network security

Legal Issues: National / International Rules (IT Security / Punishment)

Job Practices & Management: people’s interaction with other people and with machines

Page 27: Protection: Administrative (Organizations)

Organizations: International / Government / Professional / Private / Intranet / Extranets

Standards: Management / Technical

Laws

Page 28: Cost Effectiveness

Scope / Objectives / Requirements; Cost / Benefits; Priorities; Internet / Extranet / Intranet

Page 29: Profile: Generic Architecture

(Level / Description diagram)

Computer Tools: User Interface / Computer / Database

Security Components; Elements (Products); Economy (Cost / Benefit); Positions / Functions

Profile levels: Base; Security: Tools; Security: Challenges / Protection

Scope: Intranet / Extranet / Internet

Page 30: Profile: Use / Benefits

Current State: Mapping / understanding current state

Policy Development: Assessing / diagnosing (problems); Evaluation criteria (requirements); The problem of choice.

Target State: Developing / mapping target state

Implementation / Testing: Monitoring / follow-up of progress; Testing performance

Management / Improvement: Gradual improvement (TQM); Incremental improvement (Reengineering)

Page 31: Development: Profile / Policy / Application

(flow diagram) Building Profile / Architecture -> Mapping Current State -> Policy Development -> Mapping Target State -> Implementation / Testing -> Management / Improvement: TQM (Gradual) / Reengineering (Incremental)

Page 32: Security Policies

Key to the security of the Organization / Network / Information.

Vulnerability: Possible Attackers / Possible Threats / Possible Damage / Data Theft

Response: Security Needs / Security v. Performance

Web sites: www.cerias.com / www.baselinesoft.com / www.sans.org

Page 33: Cyber-Crimes

National Security Policy: USA National Infrastructure Protection Act: Denial of Service Attack / Distribution of Viruses (Federal Crimes: Fines & Jail Time).

Web Sites: www.usdoj.gov/criminal/cybercrime/compcrime.html / www.cybertime.gov

Page 34: Reference

H.M. Deitel, P.J. Deitel, K. Steinbuhler, e-Business and e-Commerce for Managers, Prentice-Hall, Upper Saddle River, New Jersey, 2001
