Information Security



Presentation Transcript


  1. Information Security

    Protecting your data. http://www.flickr.com/photos/photobunny_earl/2625899895/sizes/z/in/photostream/
  2. Terms
     - security system: a set of actions taken, or put in place, to prevent adverse consequences
     - asset: an entity the security system is designed to protect
     - attacker: someone who intentionally attempts to violate security
     - threat: the possibility of a successful attack
     - vulnerability: a weakness in the security system
     - mitigation: something that corrects vulnerabilities
  3. Foundations of Security
     - Confidentiality
     - Integrity
     - Availability
  4. Integrity
     Two kinds of integrity:
     - Data integrity: data has not been corrupted
     - Owner integrity: data owner (source) is correct
     Identity (owner)
     - Without the notion of "identity" there can be no owner
     - Security systems are dependent upon identity management
     - Every user, process, and device has a unique identity
     Ownership
     - Some data is anonymous (nobody claims ownership)
     - Some data is owned by multiple identities (joint bank accounts)
  5. Confidentiality and Availability
     - Confidentiality: information is not disclosed to unauthorized persons, processes or devices.
     - Availability: information must be available in a timely fashion to authorized users.
     Consider a file that you upload to Google Docs. Suppose the file is transferred correctly and correctly tags you as the only one with authorized access, but Google Docs doesn't give you a link to the document.
     - data integrity is established (the file is not corrupted)
     - owner integrity is established (you are the owner)
     - confidentiality is established (no unauthorized access)
     - availability is not established (the document is not available)
  6. Attack: Malware
     Malware is a program that has been changed/corrupted by a hacker. Users typically download a program and install it. The program is malware if the program either
     - does what it claims AND MORE, or
     - doesn't do what it claims
  7. Attack: Virus
     A computer virus is a form of malware. Named virus because:
     - The program typically harms the infected system or the user of the infected system
       - Erase files
       - Collect sensitive information and send it to someone
     - The program replicates itself
       - Collects emails / contacts / IPs
       - Attempts to install itself on these other systems
  8. Example: MyDoom
     - Mydoom was a virus that affected Microsoft Windows. It was first detected on January 26, 2004.
     - It became the fastest-spreading e-mail worm ever (as of January 2004).
     - Mydoom spread via email. The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry"
     - The virus was designed to launch an attack against SCO.com, a controversial tech company at the time.
     - The virus opened a 'backdoor' that allowed a hacker to take over any infected computer.
  9. Example: ILOVEYOU
     - ILOVEYOU was a computer virus that attacked tens of millions of Windows personal computers on and after 5 May 2000.
     - The virus was spread via email. The subject line was "ILOVEYOU" and contained an attachment named "LOVE-LETTER-FOR-YOU.txt.vbs". Opening the attachment installed the virus.
     - The worm did damage on the infected machine, overwriting files, and emailing a copy of itself to all addresses in the Windows Address Book.
     Results
     - The worm originated in Manila and spread, moving to Hong Kong, then to Europe, and finally the United States.
     - Within ten days, over fifty million infections had been reported, and it is estimated that 10% of internet-connected computers in the world had been affected.
     - To protect themselves, the Pentagon, the CIA, the British Parliament and most large corporations decided to completely shut down their mail systems.
  10. Attack: Network sniffing
     Background
     - Your computer is attached to a 'local network'. Any information that you send or receive can be 'seen' by any computer on this network.
     - The local network is connected to a larger network. Any 'router' on this larger network can see the same information.
     Network sniffer (packet sniffer): a program that reads and saves information that has been directed to another user.
  11. Attacks: Non-technical
     - Shoulder surfing: when someone observes confidential information
       - Looking at the PIN at an ATM machine
       - Looking at the keyboard when typing a password
       - NSA has devices that record keystroke sound/cadence and identify the keys.
     - Dumpster diving: obtaining confidential information that was meant to be discarded
       - Oracle hired a private firm to purchase garbage from Microsoft Corp. in 2000.
  12. Attacks: DoS
     (diagram: many computers sending "Please send data" to one server)
     Denial of Service (DoS): when a large number of computers work together to deny access to an internet service, usually by flooding a server with requests for information.
  13. Example: Spamhaus
     - Spamhaus.org maintains a database of email spammers and is used by many firms to keep spam out of their mail systems.
     - The attack started on March 18th 2013 and continued for weeks.
     - Peak bandwidth was around 310 Gbps (310 giga-bits every second).
  14. Example: MafiaBoy
     - MafiaBoy: a series of highly publicized denial-of-service attacks
     - MafiaBoy was the nickname of Michael Calce, a high school student from West Island, Quebec.
     - Launched in February 2000 against large commercial websites including Yahoo!, Fifa, Amazon, Dell, E*TRADE, eBay, and CNN.
     - Shut each of these systems down (except Amazon) for a 'short' period of time.
  15. Authentication
     - Security requires confidentiality. Must be able to identify 'things'.
     - You can say something confidential to your friend. How do you know if it is really your friend on the other end of the 'chat' or phone or text message?
     - Authentication is the process of validating identity.
  16. Authentication Methods
     Authentication can be done by:
     - passwords
     - smart cards or tokens
     - biometrics
       - retinal scan
       - fingerprint
       - voice recognition
       - facial recognition
       - palm print
       - DNA
       - typing rhythm
       - gait
  17. Authentication Factors
     Four factors can be used to authenticate:
     - Something you know
     - Something you possess
     - Something you are
     - Somewhere you are
     2-Factor authentication: any system that involves 2 of the four factors.
     Which factors are involved for the following systems?
     - passwords
     - using an ATM
     - smart cards or tokens
     - biometrics
     - credit card
  18. Authorization
     Authentication leads to authorization. Authorization grants certain rights:
     - Right to read a file
     - Right to create a file
     - Right to execute a program
     - Right to withdraw money from an account
     - Right to borrow money
     - …
     In a computing system the rights are classified as either read, write, own or execute.
  19. Encryption
     Encryption mitigates threats against:
     - owner integrity
     - confidentiality
     Consider the case where a hacker gains access to a file that you own.
     - The hacker can see all the bits in the file.
     - The hacker can understand the bits if the bits are 'plaintext' (plaintext files are understandable by anyone).
     - The hacker cannot understand the bits if the bits are encrypted.
     Encryption: the process of encoding messages in such a way that hackers cannot understand them, but authorized parties can.
  20. One-way encryption
     (diagram: plain text -> encryption algorithm -> cipher text)
     - The cipher text cannot be understood by anyone!
     - Given the plain-text, it is easy to generate the cipher text.
     - Given the cipher-text, it is impossible to generate the plain-text.
     - The cipher-text is often called a 'digest'.
     Is one-way encryption useful?
  21. One-way encryption
     (diagram, Sally, Create/Update password: password -> encryption algorithm -> stored record "sally | zy#!(kdbh")
     (diagram, Sally, Authenticate: password -> encryption algorithm -> compare with the stored record)
     Is one-way encryption useful?
  22. Two-way encryption
     (diagram: plain text -> encryption algorithm -> cipher text -> decryption algorithm -> plain text)
     - A key is required to allow the algorithm to generate the output.
     - The decryption key is dependent on the encryption key. They might even be the same.
     - Given the plain-text and a key, it is easy to generate the cipher text.
     - Given the cipher-text and the right key, it is easy to generate the plain-text.
     - Given the cipher-text (but no key), it is impossible to generate the plain-text.
  23. Using two-way encryption for confidential (secure) communication
     Public-key encryption is a two-way encryption system that uses two matched keys:
     - Every user has a private key (only they know).
     - Every user has a public key (everyone knows this key).
     - Encryption can only be undone with the "other" key of the "pair".
     (diagram: plain text -> encryption algorithm [Dana's public key] -> cipher text -> decryption algorithm [Dana's private key] -> plain text)
     - Jason creates and encrypts a message on his computer. He encrypts the message with Dana's public key.
     - The cipher text can only be decrypted with Dana's private key. She receives the encrypted message and decrypts it on her computer.
  24. Confidential and Secure Public Key Encryption
     Message is created and sent from Jason's computer:
     - Jason creates the plaintext message.
     - A program creates a digest of the plaintext message.
     - Jason encrypts the digest using his own private key. This is the digital signature.
     - The plaintext message with signature is then encrypted with Dana's public key.
     Message is received, decrypted and authenticated by Dana's computer:
     - Dana decrypts the message with her private key.
     - A digest of the plaintext of the message is generated (using the same program that Jason used).
     - The signature of the message is decrypted with Jason's public key.
     - This signature is compared to the digest created above.
  25. Recommendations
     - use virus protection software and update frequently
     - keep software patched (both O.S. and apps)
     - open email attachments reluctantly
     - backup critical data regularly
     - use strong passwords
       - long passwords (12 characters or more)
       - include capital & small letters, digits and special symbols
       - don't use the same password on every system
     - be wary about running untrusted programs
     - use file access controls and encryption
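The Create/Update and Authenticate flows of slides 20 and 21 as an added example (not part of the original slides): the "one-way encryption algorithm" is the password hash PBKDF2-HMAC-SHA256, and it goes beyond the slide by adding a per-user random salt so that two users with the same password get different digests. The user name sally follows the slide; the iteration count and password text are constructed values.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example (a high count slows
# down guessing of the digest).
ITERATIONS = 600_000


def create_record(password: str) -> dict:
    """Create/Update password: run the one-way function and store only
    the random salt and the resulting digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def authenticate(record: dict, attempt: str) -> bool:
    """Authenticate: the stored digest is never 'decrypted'. The attempt is
    pushed through the same one-way function with the same salt and the two
    digests are compared in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


# Constructed user table: Sally's record is the analogue of "sally | zy#!(kdbh".
USERS = {"sally": create_record("correct horse battery staple")}

if __name__ == "__main__":
    print(authenticate(USERS["sally"], "correct horse battery staple"))  # True
    print(authenticate(USERS["sally"], "wrong"))                         # False
```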
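The sign-then-encrypt exchange of slides 23 and 24 carried out end to end, as an added example that is not part of the original slides: textbook RSA over four known Mersenne primes stands in for the two-way algorithm and a truncated SHA-256 digest for "the same program that Jason used". The names Jason and Dana follow the slides; the key sizes and message are constructed, and unpadded RSA of this kind is a teaching toy, not a usable cipher.

```python
import hashlib

E = 65537  # public exponent shared by both key pairs


def keypair(p: int, q: int):
    """Return ((n, e) public key, (n, d) private key) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return (n, E), (n, d)


def digest(message: bytes) -> int:
    """One-way digest of the message; SHA-256 truncated to 128 bits so the
    value is smaller than the toy modulus it will be signed under."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def rsa(value: int, key) -> int:
    """Textbook RSA: value ** exponent mod n. The same function serves for
    encrypt/decrypt and sign/verify, depending on which key is passed."""
    n, exponent = key
    return pow(value, exponent, n)


def send(message: bytes, sender_priv, recipient_pub):
    """Jason's side: digest, sign with his own private key, then encrypt
    both message and signature with Dana's public key."""
    signature = rsa(digest(message), sender_priv)
    msg_int = int.from_bytes(message, "big")
    return rsa(msg_int, recipient_pub), rsa(signature, recipient_pub)


def receive(envelope, recipient_priv, sender_pub):
    """Dana's side: decrypt with her private key, recompute the digest,
    decrypt the signature with Jason's public key and compare the two."""
    enc_msg, enc_sig = envelope
    msg_int = rsa(enc_msg, recipient_priv)
    message = msg_int.to_bytes((msg_int.bit_length() + 7) // 8, "big")
    recovered = rsa(rsa(enc_sig, recipient_priv), sender_pub)
    return message, recovered == digest(message)


# Constructed keys: Jason's modulus is ~150 bits and Dana's ~234 bits, so a
# signature under Jason's key is always small enough to encrypt under Dana's.
JASON_PUB, JASON_PRIV = keypair(2**61 - 1, 2**89 - 1)
DANA_PUB, DANA_PRIV = keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    env = send(b"Meet at noon", JASON_PRIV, DANA_PUB)
    print(receive(env, DANA_PRIV, JASON_PUB))  # (b'Meet at noon', True)
```

A message signed with any key other than Jason's private key decrypts fine for Dana but fails the digest comparison, which is what makes the signature an authentication check and not only a confidentiality one.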