ITEC 4100, Fall 2007, D Chan
Slide 1: Session 1 – Introduction to Information Security

Slide 2: Security Objectives
- Confidentiality (includes privacy)
- Integrity
- Availability

Slide 3: Security Processes
- Identification
- Authentication
- Authorization
- Logging
- Monitoring

Slide 4: Common Security Measures
- Password
- Two-factor authentication
- Biometrics
- Access control lists for granting authorization to information
- Locks
- Encryption
- Anti-virus
- Usage and rejection reports

Slide 5: Passwords
- Should not be shared
- Should be changed by the user
- Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Slide 6: Passwords
- Long, at least 8 characters
- Alphanumeric
- Hashed (one-way scrambling)
- The system should allow only a few attempts before locking out the account

Slide 7: Passwords
- An 8-letter password is 676 times stronger than a 6-letter password.
- A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
- Strength should depend on the user's privilege and the location of the system.

Slide 8: Two-factor Authentication
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
- Uses what the user has and what the user knows.
- Examples: a token with a dynamic (one-time) password; an ATM card used with a PIN.

Slide 9: Biometrics
- Can include fingerprint, hand geometry, voice, etc.
- Held back by privacy concerns.
- Not recognised legally in place of a signature.

Slide 10: Operating System Security
- Use a standard checklist for configuration.
- Implement vendor updates.
- Use scanning software to detect vulnerabilities before implementation and periodically thereafter.

Slide 11: Firewall
- Can be hardware based only, e.g., a router.
- Can be a server with sophisticated software: more granular and reliable than a router, and provides better logs.
- Can use artificial intelligence to check for patterns.

Slide 12: Firewall
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall blocks traffic that is definitely unacceptable.

Slide 13: Firewall
- A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
- A data packet header typically carries a source Internet Protocol (IP) address, a destination IP address and a port number; the firewall rules match on these fields.

Slide 14: Firewall
- A port is a logical connection point in a network device, including a computer.
- Ports standardize Internet traffic, e.g., web browsing uses port 80 and e-commerce (HTTPS) uses port 443.

Slide 15: Virus Protection
- Companies around the world spend about US $20 billion a year to clean up viruses.
- All critical servers are protected.
- All Internet email is scanned.
- Automated identification of workstations that do not have up-to-date signature files.
- Organizations should block common virus file types to be proactive.

Slide 16: Virtual Private Network
- Secures remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Because the traffic is encrypted it bypasses firewall inspection, so the secure tunnel should terminate at another firewall, where the traffic is decrypted and can be inspected.

Slide 17: Intrusion Detection System
- Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
- Alerts systems administrators to take pre-emptive or corrective actions.

Slide 18: Intrusion Prevention System
- Combines firewall and intrusion detection technologies.
- Rejects highly questionable or unacceptable traffic.
- More effective than firewalls, but may produce false positives (legitimate traffic rejected).

Slide 19: Encryption
- Uses mathematics to scramble data.
- Uses a key and an algorithm. Commercial algorithms are public knowledge.
- Symmetric key.
- Asymmetric keys (private/public key pair).

Slide 20: Symmetric Key Encryption
- The same key is used to encrypt and decrypt.
- Simple to encrypt and decrypt.
- A large number of keys is required for one-on-one secret communication.
- Number of keys for N people is N(N-1)/2.
- The key itself must be kept secure.

Slide 21: Asymmetric Encryption
- A pair of keys is generated by a user: a private key and a corresponding public key.
- The public key can be disclosed. The private key is kept secured.
- Anyone can use the public key to encrypt material.

Slide 22: Asymmetric Encryption
- The corresponding private key is needed to decrypt.
- The two keys cannot be reverse-engineered from each other, i.e., the public key cannot be used to derive the private key.
- Keys are longer than symmetric keys, so encryption and decryption take longer.

Slide 23: Asymmetric Encryption
- Needed for email encryption.
- Used for e-commerce, digital certificates and digital signatures.
- Number of keys for N users is 2N.

Slide 24: Digital Signature
- A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Slide 25: Digital Signature
- The sender uses a hash algorithm to compute a hash (a one-way, fixed-length digest) of the document.
- The sender uses its private key to encrypt the hash; the result is the digital signature.
- The recipient uses the same hash algorithm to hash the plain-text document when it is received.
- The recipient uses the sender's public key to decrypt the digital signature and compares the result with the hash it computed itself; a match confirms integrity.

Slide 26: Digital Certificate
An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, an expiration date, the certificate authority's name and public key, and your public key. Anyone can use the certificate authority's public key to verify the signature on the certificate.

Slide 27: Certificate Authority
- An organization that issues digital certificates to companies and individuals.
- An organization can issue digital certificates to its own customers or employees to authenticate local transactions.
- The certificate authority performs due diligence to confirm the existence and authenticity of the party before issuing a certificate.

Slide 28: E-commerce Encryption
- Uses both symmetric keys and asymmetric keys.
- Enforced by the merchant.
- The merchant sends its certificate and public key to the browser.

Slide 29: E-commerce Encryption
- The browser generates a symmetric key.
- The browser encrypts the symmetric key with the merchant's public key.
- The browser authenticates the digital certificate.
- The encrypted symmetric key is sent to the merchant.

Slide 30: E-commerce Encryption
- The merchant decrypts the symmetric key with its private key.
- The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.

Slide 31: Email Encryption
- The sender uses the recipient's public key to encrypt the message.
- The sender signs the message with its own private key.
- The recipient uses its own private key to decrypt the message.
- The recipient uses the sender's public key to authenticate the digital signature.
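
As an added example (not part of the original slides), the signature procedure of slide 25 and the browser-to-merchant key exchange of slides 28-30, which are also the primitives the email flow on slide 31 relies on, carried out end to end in Python with a constructed toy RSA key pair. The tiny primes, the SHA-256-based stand-in for a symmetric cipher and all function names are assumptions for illustration only, not real cryptography.

```python
import hashlib
import secrets

# Constructed toy RSA key pair: tiny primes for illustration only, NOT secure.
P, Q, E = 61, 53, 17                  # E is the public exponent
N = P * Q                             # modulus (3233); (E, N) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (2753); kept secret

def digest(doc: bytes) -> int:
    """Slide 25: hash the document; reduced mod N only because the toy key is tiny."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N

def sign(doc: bytes, priv: int = D) -> int:
    """Sender encrypts the hash with its private key; that value is the signature."""
    return pow(digest(doc), priv, N)

def verify(doc: bytes, sig: int, pub: int = E) -> bool:
    """Recipient decrypts the signature with the public key and compares hashes."""
    return pow(sig, pub, N) == digest(doc)

def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher (constructed stand-in): XOR data with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def browser_new_session(merchant_pub):
    """Slides 28-30, browser side: random symmetric key, encrypted with the merchant's public key."""
    e, n = merchant_pub
    session_key = secrets.randbelow(n - 2) + 2      # random value in [2, n-1]
    return session_key, pow(session_key, e, n)

def merchant_recover_key(enc_key: int, priv: int = D) -> int:
    """Merchant side: decrypt the symmetric key with its private key."""
    return pow(enc_key, priv, N)

def demo():
    """Runs both flows and returns the checks each party makes."""
    order = b"Pay 100 to account 42"                 # constructed sample document
    sig = sign(order)
    genuine = verify(order, sig)                     # True: content and signature match
    forged = verify(order, (sig + 1) % N)            # False: altered signature is rejected
    k_browser, enc = browser_new_session((E, N))
    k_merchant = merchant_recover_key(enc)
    ciphertext = keystream_xor(k_browser, b"card=4111")   # browser -> merchant
    recovered = keystream_xor(k_merchant, ciphertext)     # merchant decrypts with same key
    return genuine, forged, k_merchant == k_browser, recovered
```

With a real key size the hash would not need reducing and a standard cipher such as AES would replace the XOR keystream; the sequence of operations is the one the slides describe.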

Slide 32: Conclusion
- Security is increasingly important because of e-commerce.
- Security is the responsibility of every employee.
- Organizations should designate a chief information security officer to coordinate.