IT Security From an Organizational Perspective


Slide 1: IT Security From an Organizational Perspective
Ulrika Norman, Jeffy Mwakalinga
This presentation contains some slides about data security.
References: 1) Enterprise Security. Robert C. Newman. ISBN: 0-13-047458-4. 2) Corporate Computer and Network Security. Raymond R. Panko. ISBN: 0-13-101774-8.

Slide 2: Outline
PART I: Security Overview
1) Introduction
2) Security Services and Implementation
3) Overview of Existing Security Systems
4) Implementing Security in a System
PART II: Organizational Security
1) Introduction
2) Securing Information Systems of an Organization
3) Corporate Security Planning
4) Adding a Security Department

Slide 3: Introduction
Diagram of the areas of information security: Security Management, Security Technology, Information Technology Security, Physical Security, Applications Security, Communication Security, Computer Security, Wired Security, Mobile (wireless) Security.

Slide 4: Introduction
Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities.

Slide 5: Generic Security Principles
Deterrence (scare away), Protection, Detection, Response, Recovery.
Diagram of a generic security system: the elements shown are information while in transmission, information while in storage, the hardware, and the hacker.

Slide 6: PART I: Security Overview
Introduction; Security Services and Implementation; Overview of Existing Security Systems; Implementing security in a system.

Slide 7: Security Services and Implementation: Confidentiality
Security services: Confidentiality, Authentication, Access Control, Integrity, Non-repudiation, Availability.
Confidentiality: to keep a message secret from those that are not authorized to read it.

Slide 8: Security Services: Authentication
Authentication: to verify the identity of the user / computer.

Slide 9: Security Services: Access Control
Access control: to be able to tell who can do what with which resource.

Slide 10: Security Services: Integrity
Integrity: to make sure that a message has not been changed while in transfer, storage, etc.

Slide 11: Security Services: Non-repudiation
Non-repudiation: to make sure that a user/server can't later deny having participated in a transaction.

Slide 12: Security Services: Availability
Availability: to make sure that the services are always available to users.

Slide 13: Providing Security Services: Confidentiality
We use cryptography, the science of transforming information so it is secure during transmission or storage.
Encryption: changing original text into a secret, encoded message.
Decryption: reversing the encryption process to change the text back to its original, readable form.

Slide 14: Encryption
Diagram: some confidential text (message) in clear (readable) form goes through encryption and comes out as a scrambled, unreadable message.

Slide 15: Decryption
Diagram: the scrambled message goes through decryption and comes out again as some confidential text (message) in clear (readable) form.

Slide 16: Example
Plaintext: STOCKHOLM. Ciphertext: VWRFNKROP.
Substitution table shown on the slide: plain alphabet A B C D E F G . . . . X Y Z; cipher alphabet L G T U W O M . . . . I A C.
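The STOCKHOLM to VWRFNKROP pair on this slide is a shift cipher with key 3 (every letter moved three places forward in the alphabet). The following is an added example, not code from the slides; it implements the general shift cipher, shows that the same key works in both directions, and enumerates the 25 possible keys to make the point that a secret key is only worth something when the key space cannot be exhausted.

```python
# Added example, not from the slides: the slide's pair STOCKHOLM -> VWRFNKROP is a
# shift cipher with key 3 (every letter moved three places forward in the alphabet).
# The functions below implement the general shift cipher, the same key working in
# both directions, and enumerate all candidate keys to show why the key space matters.
import string

ALPHABET = string.ascii_uppercase  # A..Z, the plain alphabet row on the slide


def shift_encrypt(plaintext: str, key: int) -> str:
    """Move every letter `key` positions forward (wrapping at Z); other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated key: one shared secret, both directions."""
    return shift_encrypt(ciphertext, -key)


def candidate_plaintexts(ciphertext: str) -> dict:
    """Every non-trivial key (1..25) tried against the ciphertext, keyed by shift value.
    Only 25 candidates exist, so confidentiality rests on a key an observer can
    exhaust by hand; modern ciphers fix this with key spaces that cannot be enumerated."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = shift_encrypt("STOCKHOLM", 3)
    print(ct, "->", shift_decrypt(ct, 3))
    print(len(candidate_plaintexts(ct)), "possible keys")
```

The substitution table drawn on the slide is a general monoalphabetic mapping; the shift cipher above is the special case of that table where the cipher row is the plain row rotated by the key.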

Slide 17: Symmetric Key Encryption – One Key System
Note: a single key is used to encrypt and decrypt in both directions.
Diagram: Anders encrypts the plaintext "Hello" with the encryption method and the symmetric key, producing the ciphertext "11011101". The ciphertext crosses the Internet, where an interceptor may see it. Karin applies the decryption method with the same symmetric key and recovers the plaintext "Hello".

Slide 18: Single Key System: Symmetric System
The same secret key is used to encrypt and decrypt messages. The secret key must remain secret.
Diagram: clear message -> encryption with the crypto key -> scrambled message -> decryption with the same crypto key -> clear message.

Slide 19: Advanced Encryption Algorithm (AES)
Diagram: a key of 128, 192 or 256 bits and a message of 128 bits enter the algorithm; round keys K-1, K-2, ..., K-Rounds are derived from the key, and the output is the encrypted message (shown on the slide as bits 1 ... 64).
If key = 128, rounds = 9. If key = 192, rounds = 11. If key = 256, rounds = 13.

Slide 20: Two Keys System: Asymmetric System
A system with two keys: a private key and a public key. Example: the Rivest Shamir Adleman system (RSA).
Diagram: clear message -> encryption with Key 1 -> scrambled message -> decryption with Key 2 -> clear message.

Slide 21: Providing Security Services: Authentication
Authentication factors: something you are, something you have, something you know, and where you are (the terminal).
Diagram: User -> WWW Server.

Slide 22: Authentication (continued)
Passwords, smart cards, certificates, biometrics (fingerprint scanners). Biometrics used for door locks can also be used for access control to personal computers.

Slide 23: Providing Security Services: Access Control
Access control: who can do what with which resource? (Diagram: subjects with Read and Copy rights on File A and File B.)

Slide 24: Access Control Matrix
Rows: Subject1 ... Subject6. Columns: File1 ... File6. Each cell holds the rights that subject has on that file; the slide shows example entries "read, write" and "delete".
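The matrix on this slide is sparse: most cells are empty, and an empty cell must mean "no access". The following is an added example, not code from the slides; it stores the matrix as a dictionary keyed by (subject, object), answers the "who can do what with which resource" question with default deny, and shows that a row of the matrix is a capability list while a column is an access control list. The subject and file entries are constructed sample data.

```python
# Added example, not from the slides: an access control matrix stored sparsely as a
# dictionary keyed by (subject, object) -> set of rights. A missing cell means no
# rights at all (default deny), which is the safe reading of an empty matrix cell.
from typing import Dict, Set, Tuple

Matrix = Dict[Tuple[str, str], Set[str]]

# Constructed sample entries in the spirit of slide 24's Subject1..6 x File1..6 grid.
SAMPLE_MATRIX: Matrix = {
    ("Subject1", "File1"): {"read", "write"},
    ("Subject1", "File2"): {"read"},
    ("Subject2", "File2"): {"delete"},
    ("Subject3", "File6"): {"read", "write", "delete"},
}


def is_permitted(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Answer 'can this subject do this right on this object?'; empty cell -> False."""
    return right in matrix.get((subject, obj), set())


def grant(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    """Add one right to a cell, creating the cell if needed."""
    matrix.setdefault((subject, obj), set()).add(right)


def revoke(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    """Remove one right; drop the cell once it is empty so the matrix stays sparse."""
    cell = matrix.get((subject, obj))
    if cell is None:
        return
    cell.discard(right)
    if not cell:
        del matrix[(subject, obj)]


def capabilities(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """One row of the matrix: everything this subject may do (a capability list)."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """One column of the matrix: who may do what to this object (an access control list)."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}


if __name__ == "__main__":
    print(is_permitted(SAMPLE_MATRIX, "Subject1", "File1", "write"))  # True
    print(is_permitted(SAMPLE_MATRIX, "Subject2", "File2", "read"))   # False
    print(acl(SAMPLE_MATRIX, "File2"))
```

Real systems rarely store the whole matrix; file systems keep the columns (ACLs on each object) and token or ticket based systems keep the rows (capabilities held by each subject). Both views are derived from the same matrix, which is why the check function above needs no change whichever one is persisted.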

Slide 25: Providing Security Services: Integrity
Diagram: some confidential text (message) in clear (readable) form is changed to binary form (1011100011001101010101010011101 ...) and then compressed by hashing into a short value, 1101 0011 1010 1001, which is called the message digest.

Slide 26: Providing Integrity
Diagram: message -> hashing system -> message digest. Message digest ~ Message Authentication Code (MAC).
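Slides 25 and 26 describe hashing a message down to a short digest. The following is an added example, not code from the slides, using only the Python standard library; it computes a SHA-256 digest, shows that flipping a single bit of the message changes it, and then does the same with a keyed HMAC. The distinction matters for the "digest ~ MAC" remark on the slide: a plain digest detects changes, but anyone who can change the message can also recompute the digest, whereas a MAC can only be recomputed by someone holding the shared key. The message and key values are constructed samples.

```python
# Added example, not from the slides: a message digest (SHA-256) versus a keyed MAC
# (HMAC-SHA256) over the same message, using only the Python standard library.
# The digest detects accidental or opportunistic change; the MAC additionally needs
# a secret key, so a party who alters the message cannot simply recompute the tag.
import hashlib
import hmac


def message_digest(message: bytes) -> str:
    """Hash the message down to a fixed-size digest (64 hex characters for SHA-256)."""
    return hashlib.sha256(message).hexdigest()


def digest_matches(message: bytes, expected_hex: str) -> bool:
    """Integrity check without a key: recompute and compare in constant time."""
    return hmac.compare_digest(message_digest(message), expected_hex)


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed message authentication code: same message, different key -> different tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag_hex: str) -> bool:
    """Recipient side: recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(mac_tag(key, message), tag_hex)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with a single bit inverted, to simulate corruption in transit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    msg = b"Some confidential text (message)"  # constructed sample, as on slide 25
    key = b"shared-secret-key-example"         # constructed; a real key is random and secret
    print(message_digest(msg))
    print(digest_matches(flip_one_bit(msg, 5), message_digest(msg)))  # False
    print(mac_verify(key, msg, mac_tag(key, msg)))                    # True
```

`hmac.compare_digest` is used for both comparisons so that the time taken does not depend on how many leading characters match; a plain `==` on hex strings leaks that information.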

Slide 27: Providing Security Services: Non-repudiation - Signatures
Diagram: message -> hashing system -> MAC; the MAC is signed with RSA (PKCS#1) using the sender's private RSA key, giving the signature; the message and the signature are sent together.
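Slide 20 introduced the two-key system and this slide applies it to signatures. The following is an added example, not code from the slides: textbook RSA with deliberately tiny primes so that every value fits on one line. It derives the key pair, encrypts with one key and decrypts with the other, then signs a SHA-256 digest of a message with the private key and verifies it with the public key. Reducing the digest modulo n is a toy shortcut standing in for the PKCS#1 encoding the slide names; the primes, exponent and messages are constructed sample values and nothing here is secure at this size.

```python
# Added example, not from the slides: textbook RSA with deliberately tiny primes so
# every number fits on one line. It serves slide 20 (two keys: encrypt with one,
# decrypt with the other) and slide 27 (sign a hash of the message with the sender's
# private key, verify with the public key). Real deployments use 2048-bit moduli and
# the PKCS#1 encoding the slide names; the toy values here are NOT secure.
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive the key pair from two primes: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub: PublicKey, m: int) -> int:
    """Anyone with the public key can encrypt; m must be smaller than the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message integer out of range for this modulus")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the private-key holder can decrypt."""
    d, n = priv
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message (the slide's hashing system) and reduce it into the RSA range.
    Reducing mod n is a toy shortcut; PKCS#1 instead pads the full digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signature = digest raised to the private exponent, as on slide 27."""
    d, n = priv
    return pow(digest_mod_n(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Receiver recomputes the digest and checks it against the signature under the public key."""
    e, n = pub
    return pow(signature, e, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = keygen(61, 53)  # classic textbook primes; n = 3233
    c = encrypt(pub, 65)
    print(c, decrypt(priv, c))  # 2790 65
    s = sign(priv, b"transfer 100 SEK to Karin")
    print(verify(pub, b"transfer 100 SEK to Karin", s),
          verify(pub, b"transfer 900 SEK to Karin", s))
```

Non-repudiation follows from the key split: only the holder of d could have produced a value that verifies under e, so the sender cannot later claim the signature came from someone else, provided the private key was never shared.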

Slide 28: PART I: Security Overview
Introduction; Security Services; Overview of Existing Security Systems; Implementing security in a system.

Slide 29: Overview of Existing Security Systems: Firewalls
Firewalls are used even for deterring (scaring attackers). They are designed to prevent malicious packets from entering.
Software based: runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network.
Hardware based: separate devices that protect the entire network (network firewalls).

Slide 30: Overview of Existing Security Systems: Detection - Intrusion Detection Systems
An Intrusion Detection System (IDS) examines the activity on a network. The goal is to detect intrusions and take action.
Two types of IDS:
Host-based IDS: installed on a server or other computers (sometimes all); monitors traffic to and from that particular computer.
Network-based IDS: located behind the firewall and monitors all network traffic.
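The slide describes the IDS loop of examining activity, detecting an intrusion and taking action. The following is an added example, not code from the slides: a minimal host-based detector that reads authentication log lines, counts failed logins per source address in a sliding window, and raises an alert when a burst crosses a threshold. The log lines, timestamps and addresses are constructed samples (the addresses are from the RFC 5737 documentation ranges); the threshold and window are assumptions a deployment would tune.

```python
# Added example, not from the slides: a minimal host-based detector that scans
# authentication log lines for a burst of failed logins from one source address and
# raises an alert, the "examine activity, detect, take action" loop of an IDS.
# Log lines and addresses are constructed samples (RFC 5737 documentation ranges).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<msg>.*)$")
FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

THRESHOLD = 4                   # this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window -> alert (assumed tuning values)

SAMPLE_LOGS = [  # constructed sample records
    "2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:09 sshd: Accepted password for alice from 198.51.100.7",
    "2024-05-01T10:00:12 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:20 sshd: Failed password for oracle from 203.0.113.5",
    "2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.7",
    "2024-05-01T10:30:00 sshd: Failed password for root from 203.0.113.5",
    "malformed line that the parser must skip",
]

Alert = Tuple[str, str, int]  # (timestamp, source address, failures in window)


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW) -> List[Alert]:
    """Sliding-window count of failed logins per source; one alert per burst."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # not a timestamped record; skip rather than crash the detector
        f = FAILED_LOGIN.search(m["msg"])
        if not f:
            continue  # successful logins and other events are not counted
        q = recent[f["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            alerts.append((ts.isoformat(), f["src"], len(q)))
            q.clear()  # reset so one burst produces one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print("ALERT possible brute force:", alert)
```

The "take action" step here is just returning the alert; in the host-based deployment the slide describes it would feed a response such as notifying an operator or tightening the host firewall. The same sliding-window logic applies to a network-based IDS reading flow records instead of host logs.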

Slide 31: Overview of Existing Security Systems: Network Address Translation (NAT)
Network Address Translation (NAT) systems hide the IP address of network devices. Located just behind the firewall. The NAT device uses an alias IP address in place of the sending machine's real one. "You cannot attack what you can't see."

Slide 32: Overview of Existing Security Systems: Proxy Servers
A proxy server operates similarly to NAT, but also examines packets to look for malicious content. It replaces the protected computer's IP address with the proxy server's address. Protected computers never have a direct connection outside the network: the proxy server intercepts requests and acts "on behalf of" the requesting client.

Slide 33: Adding a Special Network called Demilitarized Zone (DMZ)
A Demilitarized Zone (DMZ) is another network that sits outside the secure network perimeter. Outside users can access the DMZ, but not the secure network. Some DMZs use two firewalls; this prevents outside users from even accessing the internal firewall and provides an additional layer of security.

Slide 34: Overview of Existing Security Systems: Virtual Private Networks (VPN)
A Virtual Private Network (VPN) is a secure network connection over a public network. It allows mobile users to securely access information and sets up a unique connection called a tunnel.

Slide 35: Overview of Existing Security Systems: Virtual Private Networks (VPN)

Slide 36: Overview of Existing Security Systems: Honeypots
A honeypot is a computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations. It is intentionally configured with security holes. Goals: direct the attacker's attention away from real targets; examine the techniques used by hackers.

Slide 37: Overview of Existing Security Systems: Secure Socket Layer (SSL)
SSL is used for securing communication between clients and servers. It provides mainly confidentiality, integrity and authentication.
Diagram: the Client and the WWW Server establish an SSL connection, after which the communication is protected.

Slide 38: PART I: Security Overview
Introduction; Security Services and Implementation; Overview of Existing Security Systems; Implementing security in a system.

Slide 39: Implementing Security in a System
Implementing security in a system involves:
Patching software: getting the latest versions.
Hardening systems: by using the different security systems available.
Blocking attacks: by having different security tools to prevent attacks.
Testing defenses: regularly testing from outside and inside the network of an organization.

Slide 40: Protecting one Computer
Operating system hardening is the process of making a PC operating system more secure:
Patch management
Antivirus software, to protect your PC from viruses
Antispyware software
Firewalls, to deter (scare) and protect
Setting correct permissions for shares
Intrusion detection systems, to detect intrusions
Cryptographic systems

Slide 41: Protecting a Wired Network
Use firewalls, intrusion detection systems, network address translation, virtual private networks, honeypots, cryptographic systems, etc.

Slide 42: Protecting a Wireless Local Area Network (WLAN)

Slide 43: Security in a Wireless LAN
WLANs include a different set of security issues. Steps to secure:
Turn off broadcast information
MAC address filtering
Encryption
Password protect the access point
Physically secure the access point
Use enhanced WLAN security standards whenever possible
Use cryptographic systems

Slide 44: PART II: Organizational Security
Introduction; Securing Information Systems of an Organization; Corporate Security Planning; Adding a Security Department.

Slide 45: Introduction - Traditional Organization
Diagram of a traditional organization: Production, Marketing, Customers, Research, Supply, Services, Management, Sales. Outside the organization: Web Clients and Business to Business Partners (Outsource).

Slide 46: Introduction: Adding Information System
Diagram: an Information System (IS) is added for each function (IS for Production, Marketing, Customers, Research, Supply, Services, Management and Sales), giving Organization + IS. Web Clients connect to it, and there is an IS for Business to Business and an IS for Partners (Outsource).
How do we secure the IS of the organization?

Slide 47: PART II: Organizational Security
Introduction; Securing Information Systems of an Organization; Corporate Security Planning; Adding a Security Department.

Slide 48: Securing Information Systems of an Organization
Diagram: the organization's information systems (IS for Production, Marketing, Customers, Research, Supply, Services, the Information System for Management, Sales, the IS for B2B and the IS for Partners (Outsource)), with Web Clients and the Internet outside, are surrounded by a security layer (SECURITY).

Slide 49: Holistic (Generic) Security Approach
Diagram: security covers the Organization, Technology (servers, ...), People and Information, through Protection, Detection, Response, Recovery and Deterrence (scare away).

Slide 50: Analysis
For each of Deterrence (scare away), Protection, Detection, Response and Recovery:
How much to spend on it? (The slide suggests splits such as 10%, 50%, 20%, 10%, 10%.)
How much responsibility on employees?
How much responsibility on the organization?
How much responsibility on the government?

Slide 51: Analysis continued
For each of Deterrence (scare away), Protection, Detection, Response and Recovery: how is it implemented, by software (n%, m%, f%, x%, k%), by people (s%, p%, g%, y%, d%) and by hardware (t%, h%, r%, z%, c%)?
Which standards to use for deterring, protection, detection, response and recovery?
To do this analysis we need corporate security planning.

Slide 52: PART II: Organizational Security
Introduction; Securing Information Systems of an Organization; Corporate Security Planning; Adding a Security Department.

Slide 53: Corporate Security Planning
Security requirements assessment; business continuity planning; how to perform network management; administration; how to test and troubleshoot.

Slide 54: Security requirements Assessment: Continuous process
Cycle: Identify -> Analyze -> Design -> Implement -> Audit -> Evaluate; finish one round and start again.
Identify the organization's security issues and assets.
Analyze security risks, threats and vulnerabilities.
Design the security architecture and the associated processes.
Audit the impact of the security technology and processes.
Evaluate the effectiveness of the current architecture and policies.

Slide 55: Business Continuity Planning (1)
A business continuity plan specifies how a company plans to restore core business operations when disasters occur.
Business process analysis: identification of business processes and their interrelationships; prioritization of business processes.
Communicating, testing, and updating the plan: testing (usually through walkthroughs) is needed to find weaknesses; the plan is updated frequently because business conditions change and businesses reorganize constantly.

Slide 56: Business Continuity Planning - continued
Disaster recovery looks specifically at the technical aspects of how a company can get back into operation using backup facilities.
Backup facilities:
Hot sites: ready to run (with power, computers); just add data.
Cold sites: building facilities, power and communication to the outside world only; no computer equipment; might take too long to get operating.
Restoration of data and programs.
Testing the disaster recovery plan.

Slide 57: Network management Functions (ISO)
Fault management: ability to detect, isolate, and correct abnormal conditions that occur in a network.
Configuration management: ability to identify components and configure them according to the security policy.
Performance management: ability to evaluate activities of the network and improve network performance.
Security management: ability to monitor, control access, securely store information, examine audit records, etc.
Accounting management: the ability to track the use of network resources; identify costs and charges related to the use of network resources.

Slide 58: Some Network management Standards
Simple Network Management Protocol (SNMP).
Common Management Information Protocol (CMIP). The main functions provided by this protocol are: alarm reporting, access control, accounting, event report management, log control, object management, state management, security audit, test management, summarization, relation management.
Diagram: a Network Management Station running an application program talks SNMP to each network element; every network element (no. 1 in the research section through no. N in the services section) runs a management agent with a Management Information Base (MIB).

Slide 59: Administration
Computer and network administration section. Duties: software installation and upgrade; database access approval and maintenance; user identities and password management; backup and restore processes; training employees about security awareness.

Slide 60: How to test and troubleshoot?
Test whether the systems and components are behaving in accordance with the security plans. Test from inside the organization and from outside the organization.
Troubleshooting: define the situation, prioritize the problem, develop information about the problem, identify possible causes, eliminate the possibilities one at a time, ensure the fix does not cause additional problems, document the solution.

Slide 61: PART II: Organizational Security
Introduction; Securing Information Systems of an Organization; Corporate Security Planning; Adding a Security Department.

Slide 62: Adding a security Department
Security management section: security planning, security requirements assessment, business continuity planning.
Security technology section: computer and network administration, network management, testing and troubleshooting.

Slide 63: Organization with a Security Department
Diagram: the organization's information systems (IS for Production, Marketing, Customers, Research, Supply, Services, the Information System for Management, Sales, the IS for B2B and the IS for Partners (Outsource)), with Web Clients and the Internet outside, surrounded by the security layer (SECURITY) that the security department provides.

Slide 64: PART II: Organizational Security
Introduction; Securing Information Systems of an Organization; Corporate Security Planning; Adding a Security Department.

Slide 65: Summary
PART I: Security Overview
1) Introduction
2) Security Services and Implementation
3) Overview of Existing Security Systems
4) Implementing Security in a System
PART II: Organizational Security
1) Introduction
2) Securing Information Systems of an Organization
3) Corporate Security Planning
4) Adding a Security Department

Slide 66: Questions?