1 / 37

Business Data Communications

Business Data Communications. Chapter Ten Securing the Enterprise. Primary Learning Objectives. Understand the importance of security Identify four components of security Define cryptography Differentiate between symmetric and asymmetric ciphers Describe four types of firewalls

wendie
Télécharger la présentation

Business Data Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Data Communications Chapter Ten Securing the Enterprise Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  2. Primary Learning Objectives • Understand the importance of security • Identify four components of security • Define cryptography • Differentiate between symmetric and asymmetric ciphers • Describe four types of firewalls • Identify elements of physical security • Explain the benefits of a disaster recovery plan • Define an integrated security plan Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  3. The Importance of Security • Securing the enterprise is a necessary cost • Security involves both internal and external threats • Security should address, among other things: • Unauthorized access • Protection against data tampering • Recovery in the event of a disaster • Evaluating vulnerabilities • Defining policies Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  4. Types of Security Policies Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  5. Access Confidentiality Integrity Non-repudiation Four Components of Security • Referred to as the “CAIN” principles: • Confidentiality • Access • Integrity • Non-repudiation • A technology designed to secure the enterprise will touch on one or more of these four components Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  6. Confidentiality • Requires that only those authorized be able to observe a communication • May vary in degree, depending on the sensitivity of the data, information, or resource being secured • Can be enforced several ways: • File and object level controls • Transmission confidentiality via encryption • Digital certificates Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  7. Access • Must address two factors: • Availability: • Requires that when a resource is needed by a user (whether staff, customer, or business partner) that the resource is, in fact, available • Is often attained by duplicating the needed resource • Authentication: • Confirms that the user attempting to obtain a resource has appropriate rights and privileges to that resource • Frequently requires that a user have a verifiable login ID composed of a userid and password Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  8. Access Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  9. At least eight characters long Uses a combination of letters, numbers, and special symbols Not be a word found in a dictionary Is changed frequently Easy to remember Not written down Uses UPPER and lower case Cannot be reused by the same user Not the name of a family member, friend, or pet Not a common date, such as birthday or holiday Be comfortable to enter A Password Checklist  Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  10. Integrity • Means that only those who have the right to do so can modify data and information: • Integrity constraints limit who can do what, and when they can do it • The intent of integrity constraints is to assure that resources are not tampered with • Being able to access a resource must be balanced with what a user can do with that resource • As an example, implemented integrity constraints should prevent your bank from allowing just anyone to withdraw funds from your account Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  11. Non-repudiation • Assures us that who we are communicating with is, in fact, who they claim to be • In addition confirms that someone who has received your communication can be verified as having done so • As an example, permits a bank to establish whether or not a customer did or did not make a deposit or a withdrawal • Assuming the customer has claimed one or the other Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  12. Cryptography • Touches on each of the CAIN principles • Is the science of ensuring that data and information cannot be easily understood or modified by unauthorized individuals • Has its own vocabulary: • Alphabet, the set of symbols used in either an input or output message • Cleartext, the data in its raw or unencrypted form • Ciphertext, the encrypted form of the raw data • Cipher, a cryptographic encryption algorithm: • An algorithm is a mathematical formula • Has two major forms: symmetric and asymmetric Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  13. Cryptography Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  14. Symmetric Ciphers • Require that the sender and receiver share information on one key used for encrypting and decrypting data • Are generally faster than asymmetric ciphers • Speed may be a critical factor in deciding the type of cipher to use as certain applications are time-dependent • Are inherently less secure than asymmetric ciphers in that the encryption/decryption key must be shared Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  15. Symmetric Ciphers • Sun Tzu said that a secret shared by two, no longer is a secret: • Sharing a symmetric cipher across a network or infrastructure exposes that cipher to potential hacker discovery • A weakness of the symmetric cipher is that only one key is used, making that key more vulnerable to discovery or theft Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  16. Asymmetric Ciphers • Use two separate keys, called a key pair: • Private key • Public key • Allow for the private key to be managed and known only to its owner • Allow the owner of the private key to publish a public key that anyone can access • Knowing the public key does not grant the user knowledge of the private key Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  17. Asymmetric Ciphers Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  18. Asymmetric Ciphers • Frequently utilize digital signatures and certificate authorities: • Digital signatures are a means of encrypting data using a specific user’s private key • Certificate authorities: • Manage digital certificates and the ability to use them • Bind private keys to public keys • Guarantee between sender and receiver that the digital signature used in a communication is valid Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  19. Asymmetric Ciphers Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  20. Firewalls • Primarily serve as a barrier between the internal networks of the enterprise and the outside world • Are configured as a barrier between internal networks of the enterprise • Can be based on hardware, software, or a combination of the two • As a first line of defense, are themselves hacker targets Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  21. Firewalls Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  22. Firewalls • Have terms particularly associated with them: • The trusted portion of the enterprise or network is on the inner side the firewall • The untrusted network is on the outer side of the firewall • The demilitarizedzone refers to portions of the untrusted network that are on the outer boundary, or periphery, and that connect to the enterprise • The demilitarized zone is necessary in that it allows clients, business partners, and roaming staff to access enterprise resources • Filtering is a technique that firewalls use to determine whether or not to pass traffic through to the trusted network Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  23. FIREWALL Firewalls Routers Internet Untrusted Demilitarized Zone Internal Networks Trusted Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  24. Firewalls • Can be configured a variety of ways, but two broad approaches are: • Anything not specifically permitted is denied • This more restrictive approach places security before ease of access • Anything not specifically denied is permitted • This less restrictive approach places ease of access before tightened security • A business can incorporate both approaches, based on how certain networks within the enterprise are utilized Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  25. FIREWALL FIREWALL Firewalls – Internal and External Internal Networks Internet Research Dept. Network Projects Database Server Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  26. Firewalls • Have four common ways in which they filter traffic: • Packet filtering: • The easiest to implement, but also the least sophisticated • Susceptible to address spoofing • Application filtering: • Also called Proxy Firewalls • Susceptible to SYN and PING packet flooding attacks • Circuit filtering: • Evaluates the circuits that have been established • Useful for connection-oriented TCP communications • Stateful packet inspection filtering: • Combines elements of Application and Circuit Filtering • Capable of closing logical ports not currently being used to prevent hacker port scanning Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  27. Firewalls – Packet Filtering Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  28. Firewalls – Application Filtering Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  29. Elements of Physical Security • Address the day-to-day operations of a business: • Specialized devices should be housed in secure rooms or wiring closets • Policies should define who has access to what, by what means, when access was granted, for what purpose, and by whom • Physical keys, badges, or biometric measures can restrict access to rooms and buildings • Intruder detection systems alert of unauthorized access • Expensive equipment should be physically secured in place • Security documentation must be kept current and comprehensive Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  30. Disaster Recovery Plans • Must be thought out and designed well in advance of a disaster • Address major, unexpected events that could potentially devastate a business • Once defined and in place, must be periodically tested • Need to identify key personnel and their responsibilities in the event of a disaster • Should identify business-critical processes and applications, and how they can be recovered or restored should they be destroyed, lost, or damaged Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  31. Disaster Recovery Plans • Often rely on a degree of redundancy: • Businesses make use of “hot spots” where they can temporarily replace all or a portion of their information-processing infrastructure • A hot spot is a redundant facility • Backup policies guide how data, information, and applications can be recovered using redundant resources • Two common methods of backup include full and incremental: • Full backups take longer to create, but less time to restore; they may, however, result in greater data loss • Incremental backups are faster to create, but take more time to restore; but potentially, they recover more data Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  32. Disaster Recovery Plans Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  33. Full Backup Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  34. Incremental Backup Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  35. Integrated Security Plans • Are not disaster recovery plans, but incorporate them, as well as day-to-day physical security, into a total business security solution • Should provide for preventive, detective, and reactive security measures that are internal and external to the business • Must be adaptive, changing as security threats change • If too detailed, may get in the way of doing business • If too general, may not adequately protect the business Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  36. Integrated Security Plans Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

  37. In Summary • Businesses have both internal and external threats to their security • Four components of security are: confidentiality, access, integrity, and non-repudiation • Symmetric and asymmetric cryptographic methods are critical security technologies • Firewalls use a variety of methods to filter traffic before it enters the enterprise • Integrated security plans incorporate physical security as well as disaster recovery plans Business Data Communications, by Allen Dooley, (c) 2005 Pearson Prentice Hall

More Related