LM 2. Information Security Essentials Dr. Lei Li Wireless Security

Road Map Introduction WLAN Security Mobile Security Overview WLAN Threats & Vulnerabilities Mobile Security Security Auditing & Risk Analysis Evolution of Wireless Network Mobile Network Overview Infor. Security Essentials Cellular Network Security WLAN Security Mobile Security Threats WLAN Security Tools Mobile Devices Security

Learning Outcomes After this module, a student will be able to: Define Information Security and Wireless Security Describe the five pillars of information security. Discuss defense in depth in information security Define the AAA of information security Describe the five principles Information security: CIA triad, Non-repudiation and Accountability. Explain the difference between symmetric key cryptography (SKC) and public key cryptography (PKC). Describe how integrity is achieved through hash function. Describe how digital signature works Discuss the threats category to wireless network/device Discuss inf0rmation security standards and regulatory compliances Discuss different types of attackers

Information Security “Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved." (ISO/IEC 27000:2009) Wireless Security Specific to wireless networks and mobile devices Balanced approach among security, implementation efficiency, & employee productivity.

5 Security Principles Confidentiality Integrity Availability Non-repudiation Authentication

Cryptography For confidentiality Symmetric-key cryptography Same key for encryption and decryption Simple and fast Two parties must exchange the key in a secure way beforehand

Public Key Cryptography A pair of keys Public key – available for public and other user may use it for encryption Private key – only known to owner. Decrypt the message encoded using public key Solved the key exchange problem of SKC Strong security More computationally intensive

Hybrid Cryptosystem Combine the benefit of SKC and PKC Use PKC for the key exchange Use SKC for the communication afterward

Digital Signature Using PKC Applications Private key for signing Public key for verification Applications Authentication Integrity Non-repudiation

Integrity Threats to integrity Hash function Passive and active Mathematical function that converts a numerical input value into another compressed numerical value Minor changes in hash input will cause significant change in hash value

5 Pillars of Information Security Protection Detection Reaction Documentation Prevention

Access Control - AAA Authentication Authorization Accounting

Defense in Depth Physical controls Technical controls Administrative controls

https://www. slideshare https://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds

Threats to Wireless Network System access Device control Data theft

Information Security Standards ISO 27001, 27002 NIST ETSI CISQ

Regulatory Compliance Sarbanes-Oxley Act GLBA HIPPA PCI-DSS.

General Profiles of A Cyber Attacker Attacker Example Motive Action Script Kiddie/Skid People interested in or only partially engaged in understanding offensive tools Curious, Mischievous, Street Cred Since they don’t know the tools they may be very noisy when attacking and perform a lot of attempts, may have the most harmful consequences Expert Attackers @th3j35t3r, Ed Skodus, Kevin Mitnick, Various motives, curiosity, money, patriotism, etc. Only limited by their imagination, can steal, spy, and sell exploits on the unethical market Activist/Hack tivists Manning, Snowden, Anonymous Further a Cause Reveal Information, further a cause, deface websites, or disrupt progress of opposition Nation States Stuxnet Espionage: Stealing, Disrupting Services Logic Bombs, support law enforcement & military Gain a greater understanding of allies and enemies Terrorists ISIS Defacement of US disabled Veteran websites, DDoS of power grids, Chemical Changes in Water Infiltrate, destroy data, cause political upheaval, death, manipulate data in order to promote a cause Cybercrime Mafia Money DOS against financial institutions, steal credentials, sell illegal goods, anything for money, Crime as a Service (CaaS), Ransomware variants, credit card theft, etc. Insider Attacker Current or Former Employee Revenge, could be clueless employees too Destruction of data, altering data, or stealing information

Reference Praphul Chandra, Bulletproof Wireless Security: GSM, UMTS, 802.11, and Ad Hoc Security, ELSEVIER, 2005. Jim Doherty, Wireless and Mobile Device Security, Jones & Bartlett Learning, 2016. https://en.wikipedia.org/wiki/Information_security https://en.wikipedia.org/wiki/Wireless_security http://cf.rims.org/Magazine/PrintTemplate.cfm?AID=2409 https://en.wikipedia.org/wiki/Defense_in_depth_(computing) http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting https://www.usna.edu/CyberDept/sy110/lec/pillarsCybSec/lec.html SKC:http://www.webopedia.com/TERM/S/symmetric_key_cryptography.html AKC: https://en.wikipedia.org/wiki/Public-key_cryptography Hybrid cryptograph: https://en.wikipedia.org/wiki/Hybrid_cryptosystem https://www.tutorialspoint.com/cryptography/data_integrity_in_cryptography.htm https://en.wikipedia.org/wiki/Digital_signature https://en.wikipedia.org/wiki/Cyber_security_standards https://www.tcdi.com/information-security-compliance-which-regulations/