Module 2 Security Methodology

Module 2 Security Methodology. Modified by: Ahmad Al Ghoul, Philadelphia University, Faculty of Administrative & Financial Sciences, Business Networking & System Management Department, Room Number 32406, E-mail Address: ahmad4_2_69@hotmail.com.

Presentation Transcript


  1. Module 2 Security Methodology • Modified by: Ahmad Al Ghoul • Philadelphia University • Faculty of Administrative & Financial Sciences • Business Networking & System Management Department • Room Number 32406 • E-mail Address: ahmad4_2_69@hotmail.com Ahmad Al-Ghoul 2010-2011

  2. Some standards bodies • IETF (the Internet Engineering Task Force) • AES (the Advanced Encryption Standard) • ETSI (the European Telecommunications Standards Institute) • IEEE (the Institute of Electrical and Electronics Engineers) • ISO (the International Standard Organization)

  3. The 10 Major Headings • Security Policy • Security Organisation • Asset Classification and Control • Personnel Security • Physical and Environmental Security • Operational Management • Access Control • Systems Development and Maintenance • Business Continuity Management • Compliance

  4. International Standards • International Standards in Information Security are developed by Security Techniques Committee ISO/IEC JTC 1 SC 27 • Three Areas • WG 1 - Security Management • WG 2 - Security Algorithms/Techniques • WG 3 - Security Assessment/Evaluation

  5. Participating Members • SAI Australia • IBN Belgium • ABNT Brazil • SCC Canada • CSBTS/CESI China • CSNI Czech Rep • DS Denmark • SFS Finland • AFNOR France • DIN Germany • MSZT Hungary • BIS India • UNINFO Italy • JISC Japan • KATS Korea, Rep of • DSM Malaysia • NEN Netherlands • NTS/IT Norway • PKN Poland • GOST R Russian Fed • SABS South Africa • AENOR Spain • SIS Sweden • SNV Switzerland • BSI UK • DSTU Ukraine • ANSI USA

  6. WG 1 Security Management • Two key standards: • Guidelines for Information Security Management (GMITS) (TR 13335) • Code of Practice for Information Security Management (IS 17799) • Other standards: • Guidelines on the use and management of trusted third parties (TR 14516) • Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043) • Guidelines for security incident management (WD 18044)

  7. WG 2 Security Techniques • There are International Standards for: • Encryption (WD 18033) • Modes of Operation (IS 8372) • Message Authentication Codes (IS 9797) • Entity Authentication (IS 9798) • Non-repudiation Techniques (IS 13888) • Digital Signatures (IS 9796, IS 14888) • Hash Functions (IS 10118) • Key Management (IS 11770) • Elliptic Curve Cryptography (WD 15946) • Time Stamping Services (WD 18014)

  8. WG 3 Security Evaluation • Third Party Evaluation • Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality • “Common Criteria” (CC) (IS 15408)

  9. Common Criteria • Produced by a consortium of Government bodies in North America / European Union • Mainly National Security Agencies • Influenced by International Standardisation committee • Adopted as International Standard 15408 • Adopted and recognised by other major Governments • All EU, Australia, Japan, Russia

  10. Security Architecture • For end-to-end communications

  11. Security Architecture for End-to-End Communications

  12. Authentication is the process of confirming a user's identity. • Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol • Authorization determines what services and access a user is authorized for.

  13. Authentication • 3 types of authentication: • Something you know - Password, PIN, mother’s maiden name, passcode • Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport • Something you are - Fingerprint, voice scan, DNA

  14. Authentication is a process in which a system identifies a user. Access control determines what is permitted after authentication. Authentication is often closely tied to the concept of accounts, which are, generically, a set of information tied to a unique identifier. This information usually comprises the data needed to let someone use system resources. For example, it provides the location of the user's personal files or the user's real name.

  15. Models: Access Control • What is access control? • Limiting who is allowed to do what • What is an access control model? • Specifying who is allowed to do what

  16. What is access control? • Access control is the heart of security • Definitions: • The ability to allow only authorized users, programs or processes to access a system or resource • The granting or denying, according to a particular security model, of certain permissions to access a resource • An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.

  17. How can AC be implemented? • Hardware • Software • Application • Protocol (Kerberos, IPSec) • Physical • Logical (policies)

  18. What does AC hope to protect? • Data - Unauthorized viewing, modification or copying • System - Unauthorized use, modification or denial of service • It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

  19. Access control lists (ACL) • A file used by the access control system to determine who may access what programs and files, in what method and at what time • Different operating systems have different ACL terms • Types of access: • Read/Write/Create/Execute/Modify/Delete/Rename

  20. Defending Against Threats • When talking about information security, a vulnerability is a weakness in your information system (network, systems, processes, and so on) that has the greatest potential of being compromised. There might be a single vulnerability, but typically there are a number of them. For instance, if you have five servers that have the latest security updates for the operating system and applications running, but have a sixth system that is not current, the sixth system would be considered a vulnerability. Although this would be a vulnerability, it would most likely not be the only one. To defend against threats, you must identify the threats to your C-I-A triad, determine what your vulnerabilities are, and minimize them.

  21. Building a Defense • When building a defense, you should use a layered approach that includes securing the network infrastructure, the communications protocols, servers, applications that run on the server, and the file system, and you should require some form of user authentication. • When you configure a strong, layered defense, an intruder has to break through several layers to reach his or her objective. For instance, to compromise a file on a server that is part of your internal network, a hacker would have to breach your network security, break the server's security, break an application's security, and break the local file system's security. The hacker has a better chance of breaking one defense than of breaking four layers of defense.

  22. Methods of Defense • Having controls does no good unless they are used properly. The following are some factors that affect the effectiveness of controls. • Effectiveness of Controls • Awareness of Problem • Likelihood of Use: the suitable and effective use • Overlapping Controls: combinations of controls could be provided to one exposure. • Periodic Review: few controls are permanently effective. When we find a way to secure assets, the opposition doubles its efforts to defeat the security mechanism. Thus, judging the effectiveness of a control is an ongoing task.

  23. Principle of Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.

  24. Methods of Defense • Controls • In this section we will study some security control tools that attempt to prevent exploitation of the vulnerabilities of a computing system. • Encryption • Software Controls • internal program controls (database): parts of the program that enforce security restrictions, such as access limitations in a database management program. • operating system controls: limitations enforced by the system to protect each user from all other users. • development controls: quality standards under which a program is designed, coded, tested, and maintained.

  25. Methods of Defense • Hardware Controls • use the devices which have been invented to assist in computer security (e.g. smart card) • Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.) • These operations include: • Random number generation • Key generation (asymmetric and symmetric) • Private key hiding (security) from attack (no unencrypted private keys in software or memory) • Private keys used for signing and decryption • Private keys used in PKI for storing Root Keys

  26. Methods of Defense • Policies • operation policy: some of the simplest controls, such as changing the password frequently, can be achieved at essentially no cost but with tremendous effect. • legal and ethical control: the law is slow to evolve, and the technology involving computers has emerged suddenly, although legal protection is necessary and desirable. • The area of computer ethics is unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals. • Physical Controls • Some of the easiest, most effective, and least expensive controls are physical controls: locks on doors, a guard at the entry point, backups, etc.

  27. Basic Encryption and Decryption • Encryption and Decryption • encryption: a process of encoding a message so that its meaning is not obvious • decryption: the reverse process • encode (encipher) vs. decode (decipher) • encoding: the process of translating entire words or phrases to other words or phrases • enciphering: translating letters or symbols individually • encryption: the group term that covers both encoding and enciphering

  28. What is Encryption? This is confidential.

  29. What is Encryption? This is confidential. CJIN Network This is Confidential.

  30. Plaintext vs. Ciphertext • P (plaintext): the original form of a message • C (ciphertext): the encrypted form • Basic operations • plaintext to ciphertext: encryption: C = E(P) • ciphertext to plaintext: decryption: P = D(C) • requirement: P = D(E(P))

  31. Encryption Strategy • Provide confidentiality of communications • Ensure integrity of information • Enhance Authentication • Provide for non-repudiation of sender or receiver

  32. Encryption with key • encryption key: KE • decryption key: KD • C = E(KE, P) • P = D(KD, E(KE, P))

  33. Encryption with key • Symmetric Cryptosystem: KE = KD • Asymmetric Cryptosystem: KE ≠ KD

  34. Secret Key Encryption • Not a secure line • Message: This is a secret message • 1. Bob types message to Jane and encrypts the message with secret key and sends it. 3. Somehow he lets her know what his secret key is. • 1. Jane receives Bob's secret message and is later told by Bob the secret key to unlock the message 2. She decrypts and reads the message

  35. Public Key Encryption • Bob • Jane • Message: Jane, This is a secret message - Bob • Not a secure line • Jane’s public key • Jane’s private key • 1. Bob writes the message and encrypts it using Jane’s public key which is known to everyone 2. Bob sends the message over the internet to Jane • 1. Jane receives the message and decodes it with her private key, which only she knows. 2. The secrecy of the private key is crucial

  36. Uses of Encryption • Digital Certificates use Public Key • Web Access with SSL • Virtual Private Networks (VPNs) • Desktop Encryption

  37. Digital signature • A digital signature is a sort of protocol that provides authenticity and identification of the user. • It is similar to the signature of a person on a paper or check. • It is used for many purposes in the provision of network security.

  38. Physical security • Network security should begin by first emphasizing the necessity for physical security. Most organizations limit physical access to hosts and servers, but they must also take into consideration networking devices, such as routers, switches, and the like, and even such simple elements as cabling and wiring.
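
Slides 16 and 19 above describe an access control list as the pre-established rules that decide who may access what, in what method and at what time, with every attempt recorded. The following Python sketch is an added example, not part of the original presentation; the `AclEntry` and `check_access` names, the users and the file path are hypothetical, and the sample ACL is constructed.

```python
from dataclasses import dataclass
from datetime import time

# Access types listed on the ACL slide.
ACCESS_TYPES = frozenset(
    {"read", "write", "create", "execute", "modify", "delete", "rename"})

@dataclass(frozen=True)
class AclEntry:
    subject: str                    # who
    resource: str                   # what program or file
    allowed: frozenset              # in what method
    start: time = time(0, 0)        # at what time: window start
    end: time = time(23, 59, 59)    # window end (inclusive)

def check_access(acl, audit_log, subject, resource, access, at):
    """Grant only if some entry matches; otherwise deny. Record every attempt."""
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access}")
    granted = any(
        e.subject == subject and e.resource == resource
        and access in e.allowed and e.start <= at <= e.end
        for e in acl)
    audit_log.append((at.isoformat(), subject, resource, access,
                      "GRANT" if granted else "DENY"))
    return granted

# Constructed sample ACL (hypothetical users and path).
DOC = "/payroll/2011.xls"
SAMPLE_ACL = [
    AclEntry("alice", DOC, frozenset({"read", "modify"}), time(8, 0), time(18, 0)),
    AclEntry("backup", DOC, frozenset({"read"})),
]

def demo():
    log = []
    results = [
        check_access(SAMPLE_ACL, log, "alice", DOC, "read", time(9, 30)),    # allowed
        check_access(SAMPLE_ACL, log, "alice", DOC, "delete", time(9, 30)),  # wrong method
        check_access(SAMPLE_ACL, log, "alice", DOC, "read", time(23, 0)),    # wrong time
        check_access(SAMPLE_ACL, log, "mallory", DOC, "read", time(9, 30)),  # no entry
    ]
    return results, log

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

Anything without a matching entry is denied, and denied attempts are logged alongside granted ones so they can be reviewed later.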
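
Slides 30 to 33 above state the requirement P = D(KD, E(KE, P)) and distinguish symmetric (KE = KD) from asymmetric (KE ≠ KD) cryptosystems. The following Python sketch is an added example, not part of the original presentation: the symmetric side is a toy SHA-256 keystream cipher and the asymmetric side is textbook RSA with tiny constructed primes, both chosen only to make the key relationship visible and neither suitable for protecting real data.

```python
import hashlib

# Symmetric cryptosystem: KE == KD.
# Toy stream cipher (SHA-256 over key || counter), for illustration only.
def keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def sym_E(ke: bytes, p: bytes) -> bytes:
    """C = E(KE, P): XOR the plaintext with the key-derived stream."""
    return bytes(a ^ b for a, b in zip(p, keystream(ke, len(p))))

def sym_D(kd: bytes, c: bytes) -> bytes:
    """P = D(KD, C): XOR is its own inverse, so the same key must be used."""
    return sym_E(kd, c)

# Asymmetric cryptosystem: KE != KD.
# Textbook RSA on small integers with constructed primes (no padding).
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (KE = public key, KD = private key)

def rsa_E(ke, m: int) -> int:
    e, n = ke
    return pow(m, e, n)

def rsa_D(kd, c: int) -> int:
    d, n = kd
    return pow(c, d, n)

def demo():
    P = b"This is confidential."
    k = b"shared secret key"                 # constructed sample key
    sym_ok = sym_D(k, sym_E(k, P)) == P      # KE == KD recovers P
    sym_wrong = sym_D(b"other key", sym_E(k, P)) == P
    ke, kd = rsa_keypair()
    c = rsa_E(ke, 65)                        # constructed sample message
    return sym_ok, sym_wrong, ke != kd, c, rsa_D(kd, c), rsa_D(ke, c)

if __name__ == "__main__":
    print(demo())
```

In the symmetric case the sender must get the same key to the receiver over some other channel, which is the "somehow he lets her know" step on slide 34; in the asymmetric case only KE is published and decrypting with it does not return the message.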
