Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security, Theory and Practice.

Published byTheodora Newton Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Security, Theory and Practice."— Presentation transcript:

1 Information Security, Theory and Practice.
ISA 562 Information Security, Theory and Practice.

2 What is computer security?
At it’s essence, it is an arms race! Adversaries find vulnerabilities, and attack them. Security experts find vulnerabilities and develop countermeasures. Security managers try to deploy countermeasures, trace attacks, and recover from them. Efforts to formalize the field Build theoretical models and formal analysis of systems. Efforts to at least organize the field Categorize attack types, countermeasure types, etc.

3 C.I.A. Confidentiality Integrity Availability

4 C.I.A. Confidentiality: Preventing unauthorized access to the information. Encryption Access Control User Authentication / identification Physical security Integrity Availability

5 C.I.A. Confidentiality Integrity: ensuring that data is unaltered
Backups Checksums Error correcting codes Message authentication and digital signatures Availability Integrity: mention metadata, e.g. timestamps

6 C.I.A. Confidentiality Integrity
Availability: accessible when needed by those that are authorized Physical protection from attacks and nature. Redundancy of storage, servers, etc. Give example of credit card blacklists

7 A.A.A.A. Assurance Authenticity Anonymity Accountability

8 A.A.A.A. Assurance: guarantee that the system provides the properties it has been trusted to provide. Policies about how the system can be used by various users Permissions of various users Protection of the system through some security mechanism. Might include legal means, reputation, … Not just about data, but also resources. Authenticity Anonymity Accountability

9 A.A.A.A. Assurance Authenticity: a method for verifying that policies and permissions are genuine. In other words: non-repudiation. People can’t go back on their word. Solved by using digital signatures, which also provide integrity. Anonymity Accountability

10 A.A.A.A. Assurance Authenticity
Anonymity: certain records or actions cannot be attributed to a particular individual. Aggregation and noise. (Differential privacy) Mixing Proxies, such as ToR Accountability To provide authenticity and confidentiality, we need mechanism for proving our identity. These open us to attack as well, as our identity become linked across the Internet.

11 A.A.A.A. Assurance Authenticity Anonymity
Accountability: actions of an entity are traceable. Non-repudiation of actions. Supports after-action recovery and legal action.

12 C.I.A. Examples Not all attacks have the same impact.
Both student grades, and student enrollment are regulated by FERPA. An attack revealing either would be an attack on confidentiality, but, clearly grade information is more sensitive than enrollment. Medical data is an asset with a high requirement for integrity. Lives could be at stake if someone changes the information. Bus schedules have a medium requirement. Availability: a system for tracking the current location of police officers in a large city would have high need for availability. My course website has a low need.

13 Terminology Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

14 Attacks and consequences
Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

15 Assets Hardware Software Data Communication lines and networks

16 Countermeasures Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

17 Countermeasures Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

18 Overall strategy Security Policy Value of assets
Vulnerabilities of the system Potential threats and likelihood of attacks Ease of use vs. security gains. Cost of security vs. cost of failure and recovery. Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

19 Overall strategy Security Implementation Prevention Detection Response
Recovery Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

20 Overall strategy Assurance and Evaluation
How sure are we that the system meets the policy requirements? Assurance is a degree of confidence. Quantifying and evaluating it formally is nearly impossible. Evaluation through testing, possibly using some formal or technical means, and also through human attempts at penetration. Source: Computer Security, Principles and Practice. William Stallings, Lawrie Brown

Download ppt "Information Security, Theory and Practice."

Similar presentations

Operating System Security

Operating System Security
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”.
Thomas Levy. Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security.

Thomas Levy. Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security.
Cryptography and Network Security

Cryptography and Network Security
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 1 – Overview.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 1 – Overview.

Similar presentations

Ads by Google