1 / 40

SECURITY in IT

SECURITY in IT. ~Shikhar Agarwal. DEFINITION. Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers.

jonas-sanford
Download Presentation

SECURITY in IT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SECURITY in IT ~Shikhar Agarwal

  2. DEFINITION • Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers. • The definition of 'secure' varies by application, and is typically defined implicitly or explicitly by a security policy that addresses confidentiality, integrity and availability of electronic information that is processed by or stored on computer systems.

  3. Security in IT context Computing Security Physical Security Information Security Secure computer and networks from malicious use. Prevent users from accessing facility, resource or information stored on physical media Prevent unauthorized and unwarranted access of data or information in any form

  4. Information Security

  5. What Information Security means Availability Confidentiality Non-repudiation Integrity Digital Credentials Authentication Auditing Risk assessment Compliance/Regulations Administration Governance

  6. Common Fraudulent Practices

  7. Online Fraud • Common types of fraud • Phishing • Identity theft • Man-In-the-Middle Attacks • Denial of Service (Dos) • Password Attack • Data Theft

  8. Securing Systems

  9. To Secure Systems we need • Physical Security • Technological Security • Policies and Procedures

  10. Securing Systems (cont’d) • Technological security is just one part of security problem • Physical security of systems is important • Only right people (authorized users) have access to the systems • First priority is to make systems physically secure • Technological Security • Network security: • To secure systems over network • Only valid packets delivered to web server • Application security: Web servers, Apps are secure • Operating system security • Policies and Procedures • Ensure systems are secure overall • Every employee should be asked not to give out passwords • To anybody within or outside organization • For example n-strikes policies for passwords • Document Shredding • Sensitive papers to be shredded

  11. KeySecurityConcepts

  12. Key Security Concepts • Authentication • Authorization • Confidentiality • Data/Message Integrity • Accountability • Availability • Non-Repudiation

  13. Key Concepts 1.Authentication

  14. Authentication • Authentication • Verifies identity • is a process by which an entity proves that it is who it claims to be • Three general ways of authentication: • Something we know (i.e., Passwords) • Something we have (i.e., Tokens) • Something we are (i.e., Biometrics)

  15. Something weKNOW • Something we know • Example: • Passwords, Pass phrase, PIN • Pros • Simple to implement • Simple for us to understand • Cons • Easy to crack (unless we choose strong ones) • Hacker can try common login names, concatenations of words etc. • We need to be forced to choose strong passwords for example, by setting password policies • Passwords are reused many times • Each time we enter a password to access the system, the attacker listens-in every time

  16. Something we HAVE – A Token • Smart Cards • ATM Cards • SecurID • USB Tokens

  17. Something we ARE • Biometrics • Techniques used: • Palm scan • Retinal scan • Iris scan • Fingerprint • Voice Id • Facial Recognition • Signature Dynamics • Pros • Provides a strong authentication solution • Raise the bar for authentication • Cons • Difficulty in terms of deployment and management • Social acceptance • Key management • If a bad guy is able to copy a fingerprint – then how are the secret pieces of info actually managed?

  18. Two Factor Authentication • Two Factor Authentication (T-FA) requires two independent ways to establish identity and privileges • Combination of “what we know” and “what we have” factors • Example: ATM Cards + What we have What we know

  19. Types of Authentication • Person to computer • Computer to Computer • There are three types of authentication • Server Authentication – who is the client • Client Authentication – who is the server • Mutual Authentication (Client and Server) • Authenticated user is the “Principal”

  20. Server Authentication • Server authentication is the process in which the server authenticates to the client, thus helping the client to verify the server • Server authentication is very important in Financial Institutions and Home Banking systems • Example, Personal Assurance Message (PAM) which identifies the server to the user, and helps prevent phishing attacks

  21. Client Authentication • Client authentication involves proving the identity of the client to a server on the web • Client generally communicates with the server using Hypertext Transfer Protocol (HTTP) • HTTP being a stateless, sessionless protocol, the client must provide an authentication token

  22. Mutual Authentication • Mutual authentication refers to a client/user authenticating themselves to the server and that server authenticating itself to the user in such a way that both parties are assured of the other’s identity • This is done for a client process and a server process without user interaction

  23. Key Concepts 2. Authorization

  24. Authorization • Authorization is the process of granting or denying user’s access to a resource • Authorization is a step next to authentication, in which the users access to various system is based on the permissions granted to them

  25. Key Concepts 3. Confidentiality

  26. Shared key access Confidentiality • Protecting the communication/data from the unintended recipients • Keep the contents of the communication secret by using a shared secret between the communicating parties • Confidentiality can be achieved through • Cryptography • Access Controls • Database views

  27. KeyConcepts 4. Message/Data Integrity

  28. Message/Data Integrity • Data integrity is the process of ensuring non-alteration of data during the transit • Techniques used to check the data integrity are • Hashing algorithms • Checksums • Message Authentication Codes (MAC)

  29. Key Concepts 5. Accountability

  30. Accountability • Logging & Audit Trials • Logging all the activities carried out by the system user • Auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database • Requirements to implement Logging and Audit Trails • Secure Time stamping (OS vs. Network) • Data integrity in logs / audit trials

  31. Key Concepts 6. Availability

  32. Availability • The period for which the system / network is available to the user • Example • Dial tone availability, System Downtime limit, Web server response time • Solutions • Add redundancy to eliminate single point of failure • Impose limits that legitimate users can use

  33. KeyConcepts 7. Non-Repudiation

  34. Non-Repudiation • Non-repudiation provides evidence of the message source, so that the sender cannot refuse its origin. • Generate evidence / receipts (digitally signed documents)

  35. Privileges

  36. Privileges • A privilege in a computer system is a permission to perform an action. • Privileges can be • Automatic • Granted • Applied for • Examples of various privileges include • the ability to create a file in a directory • to read or delete a file • access a device • have read or write permission to a socket for communicating over the Internet

  37. Principle of least privilege • A user/computer program is given the least amount of privileges necessary to accomplish his/its task. • Example: • Use of Valet keys in the car • Allows the valet only to start the car and drive down to the parking lot, these keys do not allow the valet to access the store part in the car where the valuables are kept. • The idea of the valet key is to provide access only to the required resources

  38. Secure Defaults • Only enable 20% features of the product that will be used by 80% of the users • Harden systems – switch of all unnecessary services by default

  39. Cryptography

  40. What is Cryptography? • The conversion of data into a secret code for protection of privacy using a specific algorithm and a secret key • The original text, or “plaintext”, is converted into a coded equivalent called “ciphertext” via an encryption algorithm • Cryptography is used in many software security systems to achieve high level of security • The ciphertext can only be decoded (decrypted) using a predefined secret key

More Related