Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY in IT ~Shikhar Agarwal.

Published byDinah Horton Modified over 6 years ago

Similar presentations

Presentation on theme: "SECURITY in IT ~Shikhar Agarwal."— Presentation transcript:

1 SECURITY in IT ~Shikhar Agarwal

2 DEFINITION Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers. The definition of 'secure' varies by application, and is typically defined implicitly or explicitly by a security policy that addresses confidentiality, integrity and availability of electronic information that is processed by or stored on computer systems.

3 Security in IT context Physical Security Computing Security
Information Security Secure computer and networks from malicious use. Prevent users from accessing facility, resource or information stored on physical media Prevent unauthorized and unwarranted access of data or information in any form

4 Information Security

5 Compliance/Regulations
What Information Security means Availability Confidentiality Non-repudiation Integrity Digital Credentials Authentication Auditing Risk assessment Compliance/Regulations Administration Governance

6 Common Fraudulent Practices

7 Online Fraud Common types of fraud Phishing Identity theft
Man-In-the-Middle Attacks Denial of Service (Dos) Password Attack Data Theft

8 Securing Systems

9 To Secure Systems we need
Physical Security Technological Security Policies and Procedures

10 Securing Systems (cont’d)
Technological security is just one part of security problem Physical security of systems is important Only right people (authorized users) have access to the systems First priority is to make systems physically secure Technological Security Network security: To secure systems over network Only valid packets delivered to web server Application security: Web servers, Apps are secure Operating system security Policies and Procedures Ensure systems are secure overall Every employee should be asked not to give out passwords To anybody within or outside organization For example n-strikes policies for passwords Document Shredding Sensitive papers to be shredded

11 Key Security Concepts

12 Key Security Concepts Authentication Authorization Confidentiality
Data/Message Integrity Accountability Availability Non-Repudiation

13 Key Concepts 1. Authentication

14 Authentication Authentication Three general ways of authentication:
Verifies identity is a process by which an entity proves that it is who it claims to be Three general ways of authentication: Something we know (i.e., Passwords) Something we have (i.e., Tokens) Something we are (i.e., Biometrics)

15 Something we KNOW Something we know Example: Pros Cons
Passwords, Pass phrase, PIN Pros Simple to implement Simple for us to understand Cons Easy to crack (unless we choose strong ones) Hacker can try common login names, concatenations of words etc. We need to be forced to choose strong passwords for example, by setting password policies Passwords are reused many times Each time we enter a password to access the system, the attacker listens-in every time

16 Something we HAVE – A Token
Smart Cards ATM Cards SecurID USB Tokens

17 Something we ARE Biometrics Techniques used: Pros
Palm scan Retinal scan Iris scan Fingerprint Voice Id Facial Recognition Signature Dynamics Pros Provides a strong authentication solution Raise the bar for authentication Cons Difficulty in terms of deployment and management Social acceptance Key management If a bad guy is able to copy a fingerprint – then how are the secret pieces of info actually managed?

18 Two Factor Authentication
Two Factor Authentication (T-FA) requires two independent ways to establish identity and privileges Combination of “what we know” and “what we have” factors Example: ATM Cards + What we have What we know

19 Types of Authentication
Person to computer Computer to Computer There are three types of authentication Server Authentication – who is the client Client Authentication – who is the server Mutual Authentication (Client and Server) Authenticated user is the “Principal”

20 Server Authentication
Server authentication is the process in which the server authenticates to the client, thus helping the client to verify the server Server authentication is very important in Financial Institutions and Home Banking systems Example, Personal Assurance Message (PAM) which identifies the server to the user, and helps prevent phishing attacks

21 Client Authentication
Client authentication involves proving the identity of the client to a server on the web Client generally communicates with the server using Hypertext Transfer Protocol (HTTP) HTTP being a stateless, sessionless protocol, the client must provide an authentication token

22 Mutual Authentication
Mutual authentication refers to a client/user authenticating themselves to the server and that server authenticating itself to the user in such a way that both parties are assured of the other’s identity This is done for a client process and a server process without user interaction

23 Key Concepts 2. Authorization

24 Authorization Authorization is the process of granting or denying user’s access to a resource Authorization is a step next to authentication, in which the users access to various system is based on the permissions granted to them

25 Key Concepts 3. Confidentiality

26 Confidentiality Protecting the communication/data from the unintended recipients Keep the contents of the communication secret by using a shared secret between the communicating parties Confidentiality can be achieved through Cryptography Access Controls Database views Shared key access

27 Key Concepts 4. Message/Data Integrity

28 Message/Data Integrity
Data integrity is the process of ensuring non-alteration of data during the transit Techniques used to check the data integrity are Hashing algorithms Checksums Message Authentication Codes (MAC)

29 Key Concepts 5. Accountability

30 Accountability Logging & Audit Trials
Logging all the activities carried out by the system user Auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database Requirements to implement Logging and Audit Trails Secure Time stamping (OS vs. Network) Data integrity in logs / audit trials

31 Key Concepts 6. Availability

32 Availability The period for which the system / network is available to the user Example Dial tone availability, System Downtime limit, Web server response time Solutions Add redundancy to eliminate single point of failure Impose limits that legitimate users can use

33 Key Concepts 7. Non-Repudiation

34 Non-Repudiation Non-repudiation provides evidence of the message source, so that the sender cannot refuse its origin. Generate evidence / receipts (digitally signed documents)

35 Privileges

36 Privileges A privilege in a computer system is a permission to perform an action. Privileges can be Automatic Granted Applied for Examples of various privileges include the ability to create a file in a directory to read or delete a file access a device have read or write permission to a socket for communicating over the Internet

37 Principle of least privilege
A user/computer program is given the least amount of privileges necessary to accomplish his/its task. Example: Use of Valet keys in the car Allows the valet only to start the car and drive down to the parking lot, these keys do not allow the valet to access the store part in the car where the valuables are kept. The idea of the valet key is to provide access only to the required resources

38 Secure Defaults Only enable 20% features of the product that will be used by 80% of the users Harden systems – switch of all unnecessary services by default

39 Cryptography

40 What is Cryptography? The conversion of data into a secret code for protection of privacy using a specific algorithm and a secret key The original text, or “plaintext”, is converted into a coded equivalent called “ciphertext” via an encryption algorithm Cryptography is used in many software security systems to achieve high level of security The ciphertext can only be decoded (decrypted) using a predefined secret key Cryptography: The study of how to encode and decode messages BAD guys should not be able to decode messages Based on mathematics and number theory Applied Cryptography Focuses on how to use cryptography to achieve security goals Part of lower end of solution, to help achieve higher end security goals

Download ppt "SECURITY in IT ~Shikhar Agarwal."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
C HAPTER 1 Security Goals Slides adapted from Foundations of Security: What Every Programmer Needs To Know by Neil Daswani, Christoph Kern, and Anita.

C HAPTER 1 Security Goals Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.

Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.

Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.
OV 11 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.

OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
C HAPTER 1 Security Goals Ahmed Khademzadeh Imam Reza University of Mashhad

C HAPTER 1 Security Goals Ahmed Khademzadeh Imam Reza University of Mashhad
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures

Similar presentations

Ads by Google