380 likes | 398 Views
Module 2 Security Methodology. MModified by :Ahmad Al Ghoul PPhiladelphia University FFaculty Of Administrative & Financial Sciences BBusiness Networking & System Management Department RRoom Number 32406 EE-mail Address: ahmad4_2_69@hotmail.com. Some standards bodies.
E N D
Module 2 Security Methodology • MModified by :Ahmad Al Ghoul • PPhiladelphia University • FFaculty Of Administrative & Financial Sciences • BBusiness Networking & System Management Department • RRoom Number 32406 • EE-mail Address: ahmad4_2_69@hotmail.com Ahmad Al-Ghoul 2010-2011
Some standards bodies • the IETF (the Internet Engineering Task Force). • AES the Advanced Encryption Standard • ETSI (the European Telecommunications Standards Institute) • IEEE the Institute of Electrical and Electronics Engineers • ISO international standard organization Ahmad Al-Ghoul 2010-2011
The 10 Major Headings • Security Policy • Security Organisation • Asset Classification and Control • Personnel Security • Physical and Environmental Security • Operational Management • Access Control • Systems Development and Maintenance • Business Continuity Management • Compliance Ahmad Al-Ghoul 2010-2011
International Standards • International Standards in Information Security are developed by Security Techniques Committee ISO/IEC JTC 1 SC 27 • Three Areas • WG 1 - Security Management • WG 2 - Security Algorithms/Techniques • WG 3 - Security Assessment/Evaluation Ahmad Al-Ghoul 2010-2011
SAI Australia IBN Belgium ABNT Brazil SCC Canada CSBTS/CESI China CSNI Czech Rep DS Denmark SFS Finland AFNOR France DIN Germany MSZT Hungary BIS India UNINFO Italy JISC Japan KATS Korea, Rep of DSM Malaysia NEN Netherlands NTS/IT Norway PKN Poland GOST R Russian Fed SABS South Africa AENOR Spain SIS Sweden SNV Switzerland BSI UK DSTU Ukraine ANSI USA Participating Members Ahmad Al-Ghoul 2010-2011
WG 1 Security Management • Two key standards: • Guidelines for Information Security Management (GMITS) (TR 13335) • Code of Practice for Information Security Management (IS 17799) • Other standards: • Guidelines on the use and management of trusted third parties (TR 14516) • Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043) • Guidelines for security incident management (WD 18044) Ahmad Al-Ghoul 2010-2011
WG 2 Security Techniques • There are International Standards for: • Encryption (WD 18033) • Modes of Operation (IS 8372) • Message Authentication Codes (IS 9797) • Entity Authentication (IS 9798) • Non-repudiation Techniques (IS 13888) • Digital Signatures (IS 9796, IS 14888)) • Hash Functions (IS 10118) • Key Management (IS 11770) • Elliptic Curve Cryptography (WD 15946) • Time Stamping Services (WD 18014) Ahmad Al-Ghoul 2010-2011
WG 3 Security Evaluation • Third Party Evaluation • Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality • “Common Criteria” (CC) (IS 15408 Ahmad Al-Ghoul 2010-2011
Common Criteria • Produced by a consortium of Government bodies in North America / European Union • Mainly National Security Agencies • Influenced by International Standardisation committee • Adopted as International Standard 15408 • Adopted and recognised by other major Governments • All EU, Australia, Japan, Russia Ahmad Al-Ghoul 2010-2011
Security Architecture • For end-to-end communications Ahmad Al-Ghoul 2010-2011
Security Architecturefor End-to-End Communications Ahmad Al-Ghoul 2010-2011
Authentication is the process of confirming a user's identity. • Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol • Authorization determines what services and access a user is authorized for. Ahmad Al-Ghoul 2010-2011
Authentication 3 types of authentication: • Something you know - Password, PIN, mother’s maiden name, passcode. Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport • Something you are - Fingerprint, voice scan, DNA Ahmad Al-Ghoul 2010-2011
Authentication is a process in which a system identifies a user. Access control determines what is permitted after authentication. Authentication is often closely tied to the concept of accounts, which are, generically, a set of information tied to a unique identifier. This information usually comprises the data needed to let someone use system resources. For example, it provides the location of the user's personal files or the user's real name. Ahmad Al-Ghoul 2010-2011
Models: Access Control • What is access control? • Limiting who is allowed to do what • What is an access control model? • Specifying who is allowed to do what Ahmad Al-Ghoul 2010-2011
What is access control? • Access control is the heart of security • Definitions: • The ability to allow only authorized users, programs or processes system or resource access • The granting or denying, according to a particular security model, of certain permissions to access a resource • An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on reestablished rules. Ahmad Al-Ghoul 2010-2011
How can AC be implemented? • Hardware • Software • Application • Protocol (Kerberos, IPSec) • Physical • Logical (policies) Ahmad Al-Ghoul 2010-2011
What does AC hope to protect? • Data - Unauthorized viewing, modification or copying • System - Unauthorized use, modification or denial of service • It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure Ahmad Al-Ghoul 2010-2011
Access control lists (ACL) • A file used by the access control system to determine who may access what programs and files, in what method and at what time • Different operating systems have different ACL terms • Types of access: • Read/Write/Create/Execute/Modify/Delete/Rename Ahmad Al-Ghoul 2010-2011
Defending Against Threats • When talking about information security, vulnerability is a weakness in your information system (network, systems, processes, and so on) that has the greatest potential of being compromised. There might be a single vulnerability, but typically there are a number of them. For instance, if you have five servers that have the latest security updates for the operating system and applications running, but have a sixth system that is not current, the sixth system would be considered a vulnerability. Although this would be a vulnerability, it would most likely not be the only one. To defend against threats, you must identify the threats to your C-I-A triad, determine what your vulnerabilities are, and minimize them. Ahmad Al-Ghoul 2010-2011
Building a Defense • When building a defense, you should use a layered approach that includes securing the network infrastructure, the communications protocols, servers, applications that run on the server, and the file system, and you should require some form of user authentication. • When you configure a strong, layered defense , an intruder has to break through several layers to reach his or her objective. For instance, to compromise a file on a server that is part of your internal network, a hacker would have to breach your network security, break the server's security, break an application's security, and break the local file system's security. The hacker has a better chance of breaking one defense than of breaking four layers of defense. Ahmad Al-Ghoul 2010-2011
Methods of Defense • Having controls does no good unless they are used properly, the next are some factors that affect the effectiveness of controls. • Effectiveness of Controls • Awareness of Problem • Likelihood of Use: the suitable and effective use • Overlapping Controls: combinations of controls could be provided to one exposure. • Periodic Review: few controls are permanently effective. When we finds a way to secure assets, the opposition doubles its efforts in an effort to defeat the the security mechanism. Thus, judging the effectiveness of a control is an ongoing task. Ahmad Al-Ghoul 2010-2011
Principle of Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate. Ahmad Al-Ghoul 2010-2011
Methods of Defense • Controls • In this section we will study some security control tools that attempt to prevent exploitation of the vulnerabilities of computing system. • Encryption • Software Controls • internal program controls(data base): parts of the program that enforce security restrictions, such as access limitations in a data base management program. • operating system controls: limitations enforced by the system to protect each user from all other users. • development controls: quality standards under which a program is designed, coded, tested, and maintained. Ahmad Al-Ghoul 2010-2011
Methods of Defense • Hardware Controls • use the devices which have been invented to assist in computer security (e.g. smart card) • Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.) • These operations include: • Random number generation • Key generation (asymmetric and symmetric) • Private key hiding (security) from attack (no unencrypted private keys in software or memory) • Private keys used for signing and decryption • Private keys used in PKI for storing Root Keys Ahmad Al-Ghoul 2010-2011
Methods of Defense • Policies • operation policy: some of the simplest controls could do by change the password frequently, and that can be achieved essentially no cost but with tremendous effect. • legal and ethical control:the law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable. • The area of computer ethics is unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals. • Physical Controls • Some of the easiest, most effective, and least expensive controls are physical controls. locks on door, guard at entry point, backup, etc. Ahmad Al-Ghoul 2010-2011
Basic Encryption and Decryption • Encryption and Decryption • encryption: a process of encoding a message so that its meaning is not obvious • decryption: the reverse process • encode(encipher) vs. decode(decipher) • encoding: the process of translating entire words or phrases to other words or phrases • enciphering: translating letters or symbols individually • encryption: the group term that covers both encoding and enciphering Ahmad Al-Ghoul 2010-2011
What is Encryption? This is confidential. Ahmad Al-Ghoul 2010-2011
What is Encryption? This is confidential. CJIN Network This is Confidential. Ahmad Al-Ghoul 2010-2011
Plaintext vs. Ciphertext • Plaintext vs. Ciphertext • P(plaintext): the original form of a message • C(ciphertext): the encrypted form • Basic operations • plaintext to ciphertext: encryption: C = E(P) • ciphertext to plaintext: decryption: P = D(C) • requirement: P = D(E(P)) Ahmad Al-Ghoul 2010-2011
Encryption Strategy • Provide confidentiality of communications • Ensure integrity of information • Enhance Authentication • Provide for non-repudiation of sender or receiver Ahmad Al-Ghoul 2010-2011
Encryption with key • encryption key: KE • daecryption key: KD • C = E(KE, P) • P = D(KD, E(KE, P)) Ahmad Al-Ghoul 2010-2011
Encryption with key • Symmetric Cryptosystem: KE =KD • Asymmetric Cryptosystem: KEKD Ahmad Al-Ghoul 2010-2011
Secret Key Encryption Not a secure line This is a secret message This is a secret message 1. Jane receives Bobs secret message and is later told by Bob the secret key to unlock the message 2. She decrypts and reads the message 1. Bob types message to Jane and encrypts the message with secret key and sends it. 3. Somehow he lets her know what his secret key is. Ahmad Al-Ghoul 2010-2011
Bob Jane Jane, This is a secret message - Bob Jane, This is a secret message - Bob Not a secure line Jane’s public key Jane’s private key 1. Bob writes the message and encrypts it using Jane’s public key which is known to everyone 2. Bob sends the message over the internet to Jane 1. Jane receives the message and decodes it with her private key, which only she knows. 2. The secrecy of the private key is crucial Public Key Encryption Ahmad Al-Ghoul 2010-2011
Uses of Encryption • Digital Certificates use Public Key • Web Access with SSL • Virtual Private Networks (VPNs) • Desktop Encryption Ahmad Al-Ghoul 2010-2011
Digital signature Digital signature is a sort of protocol that provides authenticity and identification of the user. It is similar to the signature of a person on a paper or check It is used for many purposes in the network security provision Ahmad Al-Ghoul 2010-2011
Physical security • Network security should begin by first emphasizing the necessity for physical security. Most organizations limit physical access to hosts and servers, but it must talk into consideration networking devices, such as routers, switches, and the like. Even such simple elements as cabling and wiring. Ahmad Al-Ghoul 2010-2011