General Security Concepts Chapter 2
Objective
• CIA Model
• Host Security vs. Network Security
• Least Privilege
• Layered Security
• Access Controls
Prepared by Mohammed Saher
Security Basics
• Computer security means the methods used to ensure that a system is secure.
• In the modern organization, multiple computers are interconnected, forming a complex network of computers. Securing that network is referred to as network security.
Security Basics
• Information Assurance means that all the information systems and information are available when needed.
• Information Security encompasses a broad range of concepts, principles and methodologies to make sure that the organization's information systems operate in a safe environment.
The “CIA” of Security
• Information Security is based on three basic principles:
  • Confidentiality
  • Integrity
  • Availability
Confidentiality, Integrity, Availability
• Confidentiality means ensuring that only those individuals who have the authority to view a piece of information may do so.
• Integrity means only authorized users can create and change the information.
• Availability means ensuring that the data and the system are available for use when an authorized user wants them.
Authentication, Non-repudiation
• Authentication means the ability to ensure an individual is who they claim to be.
• Non-repudiation means the ability to verify that a message has been sent and received and that the sender can be identified and verified.
The Operational Model of Security
• Traditional Approach
  • Protection = Prevention
• New Approach
  • Protection = Prevention + (Detection + Response)
Security Levels
• Three ways, or levels, in which an organization can protect its information assets:
  • Ignore security issues (minimum security)
  • Provide host security
  • Provide network security
Host Security
• Host security takes a granular view of security by focusing on protecting each computer and device individually instead of addressing protection of the network as a whole.
• Basically, each computer is responsible for its own security.
Host Security – Problems
• Less secure, as some threats and vulnerabilities can be overlooked.
• Difficult to implement if the information system is heterogeneous, as each system, software, operating system and application has a different security configuration.
Host Security
Each computer and the server(s) are responsible for their own security.
Network Security
• In Network Security, emphasis is placed on controlling access to internal computers from external entities.
• Network Security can be implemented via:
  • Routers
  • Firewalls
  • Intrusion Detection Systems (IDSs)
  • Authentication hardware and software
Network Security
Access to the computer network is controlled via firewalls, routers, IDSs and other authentication systems.
Least Privilege
• Least Privilege means that a subject (user, application, process) should have only the rights and privileges necessary to perform its tasks, with no additional permissions.
• Limiting access to sensitive information can limit the consequences of any damage.
Least Privilege - Issues
• Can the two departments be trusted to share information with each other?
• On what basis is the trust relationship established?
• Can all the users from these departments be trusted?
Least Privilege
TRUST?
Layered Security
• The basis of layered security: instead of relying on one single protection mechanism, we must design a mechanism made up of multiple protections.
• Layered security provides a better solution, as the intruder has to bypass all the layers of security.
• The layered security approach eliminates the “single point of failure”.
Layered Security
• All the layers in an architecture should work together in a coordinated manner to achieve the best results.
• The complexity should increase from one layer to another, thus providing a very complex security mechanism.
Layered Security
• Authentication Systems
• IDSs
Diversity of Defense
• Diversity of Defense is an extension of layered security.
• The idea is to provide multiple layers of security, thus diversifying the defense mechanism.
• Having computers, servers, applications, operating systems, routers, firewalls and IDSs from multiple vendors will provide a better solution, as different vendors have different security mechanisms.
Diversity of Defense - Issues
• Difficult to implement – implementing an IT infrastructure with multi-vendor systems can be operationally complex.
• Requires multiple skill sets – IT professionals must have experience working with systems from multiple vendors.
• Not cost effective – requires IT professionals with multiple skill sets and procuring systems from multiple vendors.
Security Through Obscurity
• Security through obscurity uses the approach of protecting something by hiding it.
• Security through obscurity may make someone work a little harder to accomplish the task, but does not prevent anyone from eventually succeeding.
• Security through obscurity is a very poor security mechanism and should not be the only security mechanism in place.
Keep it Simple
• Security systems should be simple enough for the IT professionals to understand them.
• The more complex the security systems are, the harder it is to troubleshoot the system.
• There must be a balance between security and complexity.
Access Controls
• Access is the ability of a subject to interact with an object.
• Controlling who can access a specific object is called access control.
• Access controls are widely used in network and computer security.
Access Control Matrix
• An Access Control Matrix is the simplest way of implementing access control.
• Not used anymore, as it is difficult to store a big matrix.
Legend: R – Read, W – Write, E – Execute
Access Control List
• An Access Control List is a list that contains the subjects that have access rights to a particular object.
• Three common types of access control lists are:
  • Discretionary Access Control
  • Mandatory Access Control
  • Role-Based Control
Discretionary Access Control
• Discretionary Access Controls are a means of restricting access to objects based on the identity of the subjects and/or the groups to which they belong.
• The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject.
Discretionary Access Control
• In systems that employ discretionary access controls, the owner of an object can decide which other subjects may have access to the object and what specific access they may have.
Discretionary Access Control
• Owner of the Payroll file is Employee 5
• Employee 5 has given R, W, E access to the payroll file for Employee 1
• Employee 5 has given R, W access to the payroll file for Employee 2
• Employee 5 has given R access to the payroll file for Employee 3
• Employee 5 has given W access to the payroll file for Employee 4
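The payroll grants above, as an added example that is not part of the original slides: it models the owner's grants, lets a permission holder pass on only what it holds, and lists grants the owner never made. The class and function names and "Employee 6" are hypothetical.

```python
# Added example: discretionary access control for the slides' payroll file.
class DacObject:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: set("RWE")}   # R/W/E as in the slides' legend
        self.audit = []                  # (grantor, grantee, rights) records

    def grant(self, grantor, grantee, rights):
        """The owner may grant any right; others may pass on only what they hold."""
        rights = set(rights)
        held = self.acl.get(grantor, set())
        if grantor != self.owner and not rights <= held:
            missing = "".join(sorted(rights - held))
            raise PermissionError(f"{grantor} does not hold {missing} on {self.name}")
        self.acl.setdefault(grantee, set()).update(rights)
        self.audit.append((grantor, grantee, "".join(sorted(rights))))

    def check(self, subject, right):
        return right in self.acl.get(subject, set())

    def grants_not_by_owner(self):
        """Audit view: access that exists without the owner having granted it."""
        return [entry for entry in self.audit if entry[0] != self.owner]


def build_payroll():
    payroll = DacObject("payroll", owner="Employee 5")
    for grantee, rights in [("Employee 1", "RWE"), ("Employee 2", "RW"),
                            ("Employee 3", "R"), ("Employee 4", "W")]:
        payroll.grant("Employee 5", grantee, rights)
    return payroll


if __name__ == "__main__":
    payroll = build_payroll()
    print(payroll.check("Employee 4", "R"))           # write-only subject
    payroll.grant("Employee 3", "Employee 6", "R")    # Employee 6 is hypothetical
    try:
        payroll.grant("Employee 3", "Employee 6", "W")
    except PermissionError as err:
        print("refused:", err)
    print(payroll.grants_not_by_owner())
```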
Mandatory Access Control
• Mandatory Access Control is a means of restricting access to objects based on the sensitivity of the information contained in the object and the formal authorization of subjects to access information of such sensitivity.
• The crux of mandatory access control is the label attached to the object and the subject.
• These labels and classifications cannot be changed by the subject.
Mandatory Access Control
• A file that has been labeled as “Top Secret” can only be accessed by an employee with a “Top Secret” clearance.
• An employee with a “Top Secret” clearance will not be allowed to pass on this file to an employee with a “Secret” level clearance.
Role-Based Access Control
• In role-based access control, instead of each user being assigned specific access permissions for an object, that user is assigned a set of roles that the user may perform.
• The roles are in turn assigned the access permissions necessary to perform the tasks associated with the role.
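An added example (not from the original slides) that resolves permissions through roles as described above and applies the chapter's Least Privilege principle as an audit: it reports permissions a user holds but never used, and roles that could be removed without losing anything used. All user, role and permission names and the usage data are constructed.

```python
# Constructed sample data; every name below is hypothetical.
ROLE_PERMS = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "auditor": {"payroll:read", "ledger:read"},
    "backup_operator": {"payroll:read", "backup:run"},
}
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob": {"auditor", "backup_operator"},
    "carol": {"payroll_clerk", "auditor"},
}
# Permissions each user actually exercised, e.g. taken from access logs.
USED = {
    "alice": {"payroll:read", "payroll:write"},
    "bob": {"ledger:read", "payroll:read"},
    "carol": {"payroll:read", "payroll:write"},
}


def permissions_of(roles):
    """Union of the permissions assigned to a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMS[role]
    return perms


def is_allowed(user, permission):
    """Access decision: the user holds the permission through some role."""
    return permission in permissions_of(USER_ROLES.get(user, set()))


def unused_permissions(user):
    """Permissions granted through roles but never exercised."""
    return permissions_of(USER_ROLES.get(user, set())) - USED.get(user, set())


def excess_roles(user):
    """Roles whose removal would not take away any permission the user used."""
    roles = USER_ROLES.get(user, set())
    used = USED.get(user, set())
    return [r for r in sorted(roles) if used <= permissions_of(roles - {r})]


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, sorted(unused_permissions(user)), excess_roles(user))
```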
Authentication
• Authentication is the process of verifying that the individual is who he claims to be.
Authentication - Methods
• The most common form of authentication is the use of a user name/password (Something you know)
• Another form of authentication is the use of a personal identification number (PIN) (Something you have)
• The last form of authentication is the use of DNA & biometrics (Something about you)
Kerberos
• Kerberos is a network authentication protocol designed for a client/server architecture.
• Kerberos uses strong encryption so that a client can prove its identity to a server and the server can in turn authenticate the client.
• Kerberos uses tickets to provide this authentication.
Kerberos
• Tickets are issued by an authentication server.
• The authentication server is trusted by both the server and the client.
• The whole session can be encrypted, thus eliminating the inherent threats of a networking environment.
• Tickets are time-stamped, so they cannot be reused.
CHAP
• CHAP – Challenge Handshake Authentication Protocol.
• CHAP is used to provide point-to-point authentication.
• CHAP uses a three-way handshake to provide authentication.
CHAP
• Initially, a challenge is sent to the client.
• The client uses a one-way hashing function to calculate the response, and sends that response back to the server.
• The server compares the response from the client with what it calculated the response should be. If the two responses are the same, the communication continues.
CHAP
• Three-way handshake model.
Figure (Client and Server): send the challenge; calculate the response, and send it back to the server; communication continues if the responses match.
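The handshake described above, as an added example that is not part of the original slides. It computes the response the way RFC 1994 defines it for CHAP (MD5 over the identifier octet, the shared secret and the challenge) and shows why a response captured from one exchange fails against the next challenge. The client name, secret and class layout are assumptions.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Server:
    def __init__(self, secrets):
        self.secrets = secrets   # client name -> shared secret (bytes)
        self.pending = {}        # client name -> (identifier, challenge)
        self.next_id = 0

    def send_challenge(self, client):
        """Step 1: a fresh random challenge for every authentication attempt."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[client] = (ident, os.urandom(16))
        return self.pending[client]

    def verify(self, client, ident, response):
        """Step 3: recompute the expected response and compare in constant time."""
        outstanding = self.pending.pop(client, None)   # one try per challenge
        if outstanding is None or outstanding[0] != ident:
            return False
        secret = self.secrets.get(client)
        if secret is None:
            return False
        expected = chap_response(ident, secret, outstanding[1])
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed run: good client, wrong secret, replayed response, no challenge."""
    server = Server({"client1": b"shared-secret"})   # hypothetical name and secret
    ident, chal = server.send_challenge("client1")
    captured = chap_response(ident, b"shared-secret", chal)   # step 2, at the client
    good = server.verify("client1", ident, captured)
    ident2, chal2 = server.send_challenge("client1")
    wrong = server.verify("client1", ident2, chap_response(ident2, b"guess", chal2))
    ident3, _ = server.send_challenge("client1")
    replay = server.verify("client1", ident3, captured)   # old response, new challenge
    unsolicited = server.verify("client1", ident3, captured)  # nothing outstanding
    return good, wrong, replay, unsolicited
```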
Certificates
• Certificates are a method to establish authenticity of a specific object such as an individual’s public key or downloaded software.
• A digital certificate is generally seen as an attachment to a message and is used to verify that the message came from a genuine source.
Multifactor Authentication
• Multifactor is a term used to describe the use of more than one authentication mechanism.
• Common example: ATM cards. In order to use ATM services, the user must have a unique ATM card and the corresponding PIN.
Mutual Authentication
• Mutual authentication is a term used to describe a process in which each side of an electronic communication verifies the authenticity of the other.
Security Models
• The security within your organization depends on the security model that is being used.
• Security models are classified into two types:
  • Confidentiality Models
  • Integrity Models
Confidentiality Model
• An example of a confidentiality model is the Bell-LaPadula security model.
• Used in the US military, or in any organization where security models are hierarchical and use levels of classification.
Bell-LaPadula Model
• This model uses both mandatory and discretionary access control mechanisms.
• This model uses two important security rules:
  • Simple Security Rule
  • *-Property
Bell-LaPadula Model
• The Simple Security Rule states that no subject can read information from an object with a security classification higher than that possessed by the subject itself.
• A user with only a “Secret” level of clearance cannot read a file labeled as “Top Secret”.
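An added example (not from the original slides) covering both the Mandatory Access Control slides and the Simple Security Rule: labels are set only by an administrator, reads are checked against the subject's clearance, and passing a file on is refused when the recipient could not read it. The two lower levels, the subjects and the file names are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    # "Secret" and "Top Secret" appear on the slides; the lower two are assumed.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class MacStore:
    """Labels are set only through admin_* calls; subjects get read() and share()."""

    def __init__(self):
        self._clearance, self._label, self._data = {}, {}, {}
        self.denied = []   # (action, subject, object) for every refused request

    def admin_set_clearance(self, subject, level):
        self._clearance[subject] = Level(level)

    def admin_store(self, obj, level, data):
        self._label[obj], self._data[obj] = Level(level), data

    def can_read(self, subject, obj):
        """Simple Security Rule: no read of an object labeled above the subject."""
        return self._clearance.get(subject, Level.UNCLASSIFIED) >= self._label[obj]

    def read(self, subject, obj):
        if not self.can_read(subject, obj):
            self.denied.append(("read", subject, obj))
            raise PermissionError(f"{subject} is not cleared for {obj}")
        return self._data[obj]

    def share(self, sender, recipient, obj):
        """Passing a file on is still a read by the recipient, so the rule applies."""
        if not (self.can_read(sender, obj) and self.can_read(recipient, obj)):
            self.denied.append(("share", sender, obj))
            return False
        return True


def demo():
    store = MacStore()   # subjects and file names below are constructed
    store.admin_set_clearance("officer", Level.TOP_SECRET)
    store.admin_set_clearance("analyst", Level.SECRET)
    store.admin_store("plan.txt", Level.TOP_SECRET, "top secret plan")
    store.admin_store("memo.txt", Level.SECRET, "secret memo")
    return store
```

The `denied` list doubles as a detection source: repeated refused reads by one subject are worth reviewing.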