Published by Cory Carter. Modified over 9 years ago.
1
Chapter 9 Security
2
Copyright © 2003, Addison-Wesley
Security
- The quality or state of being secure
- Freedom from danger
- Freedom from fear or anxiety
- Measures taken to guard against
  - Espionage or sabotage
  - Crime or attack
  - Escape
3
Information Technology Security
- Protect resources…
  - Hardware
  - Software
  - Data
- …from unauthorized
  - Use
  - Modification
  - Theft
- Technology infrastructure is strategic resource
- Mission critical applications
4
Security Tradeoffs
- Conflicting objectives
  - Convenience vs. security
  - Ease of use vs. security
- Perfect security is impossible
  - Lock computer in safe and don’t use it
  - Or, accept some risk
5
The Attacker’s Viewpoint
- Attack pointless if cost exceeds value
- Cost of breaking security
  - Major cost is risk of getting caught
  - Training, equipment, time
- Value of secured resources
  - Difficult to estimate
  - What is the value of information?
    - Enemy’s attack plans
    - Competitor’s pricing strategy
- Hackers do not value things conventionally
6
The Defender’s Viewpoint
- Cost of implementing security
  - Hardware, software, and other IT resources
  - Security management
  - User efficiency implications
- Cost of not implementing security
  - Theft, destruction, or modification of information
  - Denial of service attacks
  - Viruses, worms, and packet sniffers
  - Loss of a mission critical application
7
Risk Assessment
- Problem resembles insurance underwriting
- Estimate value of resources
- Identify and estimate risks
  - How might you be attacked?
  - What would a successful attack cost?
- Estimate probabilities for several security options
- Consider social/political issues
  - Powerful managers
  - Non-believers
  - Customers – risk assumption
8
Security Threats
- Traditional physical countermeasures
  - Locks, doors, vaults
  - Security guards and security cameras
- Internet issues
  - Difficult to trace electronic access paths
  - Steal, alter, destroy, copy information
  - Denial of service
  - Viruses and worms
  - Packet sniffers
9
Figure 9.1 The Objectives of Security.
- Access
  - Each user can access all authorized resources
- Authentication
  - Sender of message is who he or she claims to be
- Integrity
  - Contents not modified during transmission
- Privacy protection
  - Contents known only to sender and receiver
10
Objectives, continued
- Non-repudiation
  - Sender cannot deny he or she sent message
- Recovery
  - Procedures in place to get the system back on line
- Auditability
  - Procedures can be audited
11
Physical Access Control
- Foundation of security
- Ensure physically secure location
  - The system itself
  - All system access points
- Tools
  - Doors, locks, guards
  - User authentication
  - Biometrics
  - Fingerprints and smart cards
  - Mantraps
12
Figure 9.3 A smart card.
- Embedded chip
  - ID number
  - Digital photo
  - Digital fingerprint
  - Other biometrics
  - Financial data
- Likely applications
  - Credit cards
  - Cash cards
  - National ID card
13
Figure 9.4 Biometrics authentication.
- Scan smart card
- Scan fingerprint
- Compare values
  - Match – approve
  - No match – reject
14
Figure 11.5 Biometrics using a database.
- Scan employee ID
- Read fingerprint from disk
- Scan fingerprint
- Compare results
  - Match – approve
  - No match – reject
- More secure
15
Biometrics Risks
- Invalid if database compromised
- Digitized biometrics value
  - Resembles a long password
  - Subject to forgery
  - Subject to hacking
- False negatives and false positives
- Excessive confidence in biometrics
16
Network Vulnerabilities
- Public access can compromise physical security
- E-mail is a major security hole
  - Attachments
  - Trojan horses, backdoors, sniffers
- Instant messaging is an emerging problem
  - Efficiency gains
    - No telephone tag
    - No crossing e-mail messages
  - Public domain software – inability to control
  - Solution – integrate into corporate IT strategy
17
Intrusion Detection
- Objectives
  - Gather evidence for possible prosecution
  - Identify cause to aid in recovery
- Logging
  - Record all logins and changes to database
  - Write-only medium
- Honey pots and tar pits
  - Reverse Trojan horse
  - Lure attacker into confined space
  - Monitor activities
18
The Principle of Confinement
- Limit a given user’s access
  - Need to know
  - Privilege levels
  - Permissions
- Before gaining access
  - Authorization
- After gaining access
  - Privilege levels and permissions
19
Firewalls (access control doors/interlocks)
- Consist of:
  - Hardware/software
  - Software only
- Monitor incoming and outgoing packets
  - Packet filtering
  - Content filtering
- Isolate private network from public network
- Protect integrity and privacy
20
Cryptography (for Privacy)
- Encrypting/concealing meaning of message
- Plain text
  - An unencrypted message
  - Readable by anyone
- Encryption
  - Convert to ciphered or encoded form
  - Code – substitute word or phrase
  - Cipher – substitute letter or digit
- Decryption
  - Convert back into plain text
21
Asymmetric Public Key Encryption
- Two keys
  - Related pair
  - Public key is published
  - Private key is secret
- Sender encrypts with recipient’s public key
- Recipient decrypts with his/her private key
- More secure than secret key encryption
  - No need to exchange keys
- Much slower than secret key encryption
22
Digital Envelopes and Signatures
- Solution to the security/speed tradeoff
- Use secret key encryption for the message
  - The lengthy part
- Use public key encryption for the secret key
  - Solves the key exchange problem
  - Key is relatively small, so speed is not an issue
  - This is the digital envelope
- Transmit message and digital envelope
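The digital envelope described on the two slides above, as an added example that is not part of the original presentation. The names `seal`, `open_envelope` and `keystream_xor` are hypothetical; the key pair is a toy textbook-RSA pair built from two fixed Mersenne primes with no padding, and a SHA-256 keystream stands in for a real secret-key cipher such as AES.

```python
import hashlib
import secrets

# Toy RSA key pair for the recipient, built from two known Mersenne primes.
# Constructed for illustration only: real keys use random primes and padding.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key (published)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (kept secret)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy secret-key cipher: XOR data with a SHA-256 counter keystream.
    The same call encrypts and decrypts. A key must never be reused."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes, pub_n: int, pub_e: int):
    """Sender: encrypt the lengthy message with a fresh secret key, then
    wrap that small key with the recipient's public key (the envelope)."""
    session_key = secrets.token_bytes(16)          # random, per message
    ciphertext = keystream_xor(session_key, message)
    envelope = pow(int.from_bytes(session_key, "big"), pub_e, pub_n)
    return ciphertext, envelope


def open_envelope(ciphertext: bytes, envelope: int, priv_d: int, pub_n: int) -> bytes:
    """Recipient: unwrap the secret key with the private key, then decrypt."""
    session_key = pow(envelope, priv_d, pub_n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    # Constructed sample message; only the 16-byte key goes through RSA.
    msg = b"Card number 0000-0000-0000-0000 (constructed sample) " * 20
    ct, env = seal(msg, N, E)
    print(len(msg), "byte message,", env.bit_length(), "bit envelope")
    print("recovered:", open_envelope(ct, env, D, N) == msg)
```

Only the 16-byte session key passes through the slow public-key operation, however long the message is; that is the security/speed tradeoff the slide refers to.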
23
Digital Signature Flaws
- Compromised system
  - Trojan horse
  - Virus
  - Backdoor
  - Steal keys from hard drive
- User signs wrong document
  - Display document A
  - Apply signature to document B
24
Digital Certificate
- Registration authority (RA)
  - Authenticates applicant’s identity
- Certificate authority (CA)
  - Trusted third party
  - Attests to binding between public key and user name
  - Assign key pair and digital certificate
- The public key infrastructure (PKI)
25
Figure 9.18 The contents of a digital certificate.
Source: http://rr.sans.org/encryption/certificate.php
26
Figure 9.23 A steganographic watermark.
- A visible watermark proves ownership and makes the image unusable
- The image with the watermark removed or hidden
Source: http://www15.brinkster.com/kfrank/projects/water/water.htm
27
Secure Sockets Layer (SSL)
- Operates in TCP/IP context
- Public key encryption
- Digital envelope
- Digital signature
- Randomly generates keys by transaction
- Encrypts browser/server communication
  - e.g., credit card number
- Supports several encryption algorithms and authentication methods
- The closed lock icon