1 / 17

Principles of Information Security: Unit -I

Principles of Information Security: Unit -I. Sanjay Rawat Sanjay_r@vnrvjiet.in. Introduction. Text book: Principles of Information Security : Michael E. Whitman, Herbert J. Mattord , CENGAGE Learning, 4th Ed. History of IS: ARPANET -> ETHENET -> INTERNET

shino
Télécharger la présentation

Principles of Information Security: Unit -I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Principles of Information Security:Unit -I Sanjay Rawat Sanjay_r@vnrvjiet.in

  2. Introduction • Text book: • Principles of Information Security : Michael E. Whitman, Herbert J. Mattord, CENGAGE Learning, 4th Ed. • History of IS: ARPANET -> ETHENET -> INTERNET • To read (optional): Protection Analysis: Final Report, Richard Biswey & Dennis Hollingworth

  3. What is Security? • State of being secure, protected. • Elusion? • Being safe until someone finds a vulnerability to exploit.. • CIA – ONLY intended actors can: • Know -> confidentiality • Modify -> integrity • Have access ->availability • Too coarse.. Access, Assets, Risk, Threat….

  4. High-level View All alone in the world -> no security? Access control, network security etc. Physical security software security etc.

  5. Contemporary whole picture Access control outbound Internet LAN AV Routing tables simple ACL Crypto router ID/PS AV Access control inbound DMZ HTTP, SMTP, FTP WAN

  6. Definitions • CONTROL SPHERE: a set of resources and behaviors that are accessible to a single actor, or a group of actors. • SECURITY POLICY: a specification by the product or user that defines one or more control spheres for one or more actors • PROTECTION MECHANISM: a behavior or set of behaviors that helps to enforce an intended security policy for the product

  7. Definitions conti… • ATTACK: an attempt by an actor to violate the intended security policy. • ATTACKER: an actor who attempts an attack. • WEAKNESS: a type of behavior that has the potential for allowing an attack. • VULNERABILITY: a set of one or more related weaknesses within a specific software product or protocol that allows an actor to access resources or behaviors that are outside of that actor's control sphere.

  8. CNSS Model • CNSS = Committee on National Security Systems • McCumberCube – Cubes-inside-cube detailed model for planning and implementing security across organization. • It emphasizes issues beyond CIA); • Context dependent security risk evaluation; • Context dependent measurements to address those issues.

  9. CNSS Model conti…

  10. Components of IS • Software: ever changing -> difficult to secure . Low-level bugs etc. • Hardware: Relates to physical security aspect • Data: ultimate target • People: unpredictable • Procedures/Policies • Networks: Eluding physical security?

  11. Balancing Security and Access (usability) • No security -> complete access • Complete security -> no access • Optimal Security AND required access

  12. Few more terms (~ CIA connection) • Accuracy: Property of being unmodified? • Authenticity: is it genuine? • Utility: Is data/information remained useful? • Possession: Information is in safe hands?

  13. Security Implementation Approaches • Bottom-Up approach: low-level to top • Top-Down approach: higher management to low-level (people who really work  ) Project!!

  14. Software Development Life Cycle • Investigation : What problem is being solved? • Analysis: Step 1 vs. current status of the organization’s environment. • Logical Design: blue print of the desired solution. Emphasis is on “how the proposed system will solve the problem at hand”. • Physical Design: Proof of concept. • Implementation: Real product is created and tested along with supporting doc etc. • Maintenance and Change: support and patch.

  15. SecSDLCPrevention is better than cure • Investigation: outlines the implementation of a security program within the organization. • Analysis: Risk analysis, security and privacy issues (legal, e.g. HIPAA). • Logical Design: develops the blueprints for information security e.g. BCP & DR. • Physical Design: evaluates the information security technology needed to support the blueprint. • Implementation: security solutions are acquired, tested, implemented. • Maintenance: keep evaluating after the deployment and do remediation.

  16. SecSDLCconti… “… computer security is more than mechanisms and mathematics. It includes being able to analyze a situation to figure out what constitutes security, being able to specify those requirements, being able to design a system or program to meet those requirements, being able to implement the system or program correctly, and being able to make configuration and maintenance simple.” – Matt Bishop, UC, Davis, US.

  17. SecSDCLPrevention is better than cure • To read: Security Considerations in the System Development Life Cycle - NIST http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf • Microsoft SDL:

More Related