1 / 71

Securing an Information Resource Management System

Securing an Information Resource Management System. Overview. Security issues of an information resource management system Secure physical network Standards and protocols used in information security Management tools used to implement that system. Information Security in Society.

primo
Download Presentation

Securing an Information Resource Management System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing an Information Resource Management System

  2. Overview • Security issues of an information resource management system • Secure physical network • Standards and protocols used in information security • Management tools used to implement that system

  3. Information Security in Society • Homeland Defense • Homeland Defense as an information security system • Need to communicate sensitive information efficiently in a crisis

  4. Information Security in Society • HD Secretary Tom Ridge and Strategic Communications Resources (SECURE) Initiative • Five new HD officers per state • Secure telephones and video conferencing for the Governors office

  5. Information Security in Society • Information based industry • Potential loss • New information technology = New vulnerabilities

  6. The First Step

  7. Secure Information Network Physical Architectures • Homeland example • Telephony equipment • Emergency Operations Center

  8. FIPS 140-2 • FIPS 140-2(Federal Information Processing Standard) • Crypto-modules • tests hardware, software, firmware • crypto algorithms • key-generation

  9. Secure Environments • Secure Environments: • authorized personnel • placing servers locally • disconnected information networks

  10. Smart Cards • Used in combination with other id-securing methods • Portable • Secure • Difficult to replicate, useless to steal • Appearance; gold-contacts • Microprocessor • Also can be used to facilitate secure communications

  11. Smart Cards • Little interoperability between software and hardware of different vendors • Difficult implementation and maintenance • NIST (National Institute of Standards and Technology) • NIST is working on guidlines/specifications (as we’ll see in the next section)

  12. Firewalls • Located on routers or servers • Blocks specific communications and allows specific communication

  13. FIREWALL Telnet SSH Web Browsing FTP SFTP

  14. Firewalls • Located on routers or servers • Blocks specific communications and allows specific communication • useful in preventing viruses

  15. Connected Networks • Can be physically isolated to provide security • Controlled communication access points

  16. VLANS • By remote login, a server can make it appear as though the user is on a network • Secure tunneling

  17. WIFI • Wi-Fi (short for "wireless fidelity") • Ever-growing WiFI networks

  18. WIFI • Wi-Fi (short for "wireless fidelity") • Ever-growing WiFI networks • Unsecured

  19. WIFI • Current business trends Demand Robust Security Networks (RSNs) on WiFi: • RSN • Dependable • Secure • Versatile

  20. WIFI • WIFI products need to • Provide security • Multi-vendor interoperability • Long security lifecycle to lengthen usability • Support hotspots connectivity

  21. WIFI and FIPS 140-2 • 802.11b IEE standard • Minimal security • FIPS 140-2 and 802.11 and Bluetooth standard (for WiFi) • IEEE, IETF, NIST working to create effective standards • Theory: higher level crypto protocols, like IPSec (next section)

  22. WIFI • Interim methods to minimizing WIFI losses: • Detailed wireless topology • Inventory of devices • Frequent back-ups • Random security audits of WiFi infrastructure • Monitor WIFI technology changes

  23. Oregano Break!

  24. Universals Standards/Protocols • Different technology vendors and universals standards/protocols

  25. Standards and Protocols • Information security standards/protocols are also policy

  26. Standards and Protocols • Congress and the Gramm Leach-Bliley Act • Bank security policies • Information security standards • Protect customer info • Protect other nonpublic info • Safe, secure, and reliable transactions

  27. Standards and Protocols • ISO 17799, ISF, NIST: • Guidelines that have standards for information security • Security communication protocols • Cryptographic standards • What are common cryptographic standards?

  28. Cryptographic Standards • Common cryptographic standards • Integrity • Authenticity • Authorization/access control model • Non-repudation

  29. Cryptographic Standards • Definition: block cipher • Definition: cipher text • Definition: stream cipher • Definition: symmetric block cipher • algorithm to encrypt and decrypt block text

  30. Cryptographic Standards • Digital Signature Standard (DSS) • Authentication and Integrity • Digital Signature Algorithm (DSA): public-private keys schemes (discussed later)

  31. DSA • Hashing • Definition: message digest • Digest encrypted with DSA

  32. DSA • FIPS 180-1 (FIPS Hashing standard) • SHA-1, SHA-256 blocks <2^64 bits • SHA-384, SHA-512 blocks <2^128 bits • changes to a message results in a different digest (high probability) • also used with stored data

  33. Keys • Secret keys

  34. Secret Key Original Key Copy Key

  35. Keys • Public-Private Keys

  36. Public Key Secret Key Private Key

  37. Public Key Private Key Message Encrypted Message Decrypted Message

  38. Keys • Key certificates • Key lifecycle

  39. Keys • Key-substitution vulnerability

  40. Keys • Key-destruction vulnerability

  41. Keys • Controlling the key lifecycle • Crypto-periods

  42. PKI • Public Key Infrastructure (PKI) • Certificate Authorities • Electronic transport • Manual key transport • Trust

  43. Lets look at some examples

  44. IPSEC • IPSEC uses keys • Works on the Transport Layer

More Related