
Information Security

Information Security. Dr. Rabie A. Ramadan GUC, Cairo Rabie.ramadan@guc.edu.eg Room C7 -310 Lecture 1. Class Organization. One class Weekly One Tutorial Weekly Most probably taught by myself 3-4 theoretical assignments 3-4 practical assignments (Labs) Term paper / project.





Presentation Transcript


  1. Information Security Dr. Rabie A. Ramadan GUC, Cairo Rabie.ramadan@guc.edu.eg Room C7 -310 Lecture 1

  2. Class Organization • One class Weekly • One Tutorial Weekly • Most probably taught by myself • 3-4 theoretical assignments • 3-4 practical assignments (Labs) • Term paper / project

  3. Textbooks • Michael G. Solomon and Mike Chapple, Information Security Illuminated, 2005 • William Stallings, Cryptography and Network Security, Fourth Edition • Behrouz A. Forouzan, “Cryptography and Network Security,” 2008 Edition • Some other research materials

  4. Tentative Grading • 40% Final (comprehensive) • 20% Mid-term exam • 5% Assignments • 5% Lecture participation • 20% Project / Term paper • 10% Quizzes (2 out of 3)

  5. Let's have fun before we start

  6. Game No. 1: Study the circles below. Work out what number should replace the question mark.

  7. Hint: 4 * 5 + 3 * 6 = 38; 8 * 4 + 3 * 5 = 47

  8. Game No. 2: Draw a square made up of dots like this one on your piece of paper. Now, without lifting the pencil from the page, draw no more than four straight lines that cross through all nine dots.

  9. Hint: One line can go outside the square.

  10. Solution • Lessons Learned • Do not discard small details • Ask questions • You might think that things are very complicated, but with a little guidance they become very easy

  11. Video: What does it tell you? Be smart and think smartly.

  12. The Role of Security Security is like adding brakes to cars. The purpose of brakes is not to stop you; it is to enable you to go faster. Brakes help avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. Better security is an enabler for greater freedom and confidence in the Cyber world.

  13. Why Information Security? (videos)

  14. Historical Aspects of InfoSec • In the old days, to be secure: • Information was maintained physically in a secure place • Few authorized persons had access to it (confidentiality) • It was protected from unauthorized change (integrity) • It was available to authorized entities when needed (availability) • Nowadays: • Information is stored on computers • Confidentiality is achieved → only a few authorized persons can access the files • Integrity is achieved → only a few are allowed to make changes • Availability is achieved → at least one person has access to the files at all times

  15. Historical Aspects of InfoSec • In the 1970s, Federal Information Processing Standards (FIPS) examined DES (Data Encryption Standard) for information protection • DARPA created a report on vulnerabilities in military information systems in 1978 • In 1979 two papers were published dealing with password security and UNIX security in remotely shared systems • In the 1980s the security focus was concentrated on operating systems, as they provided remote connectivity

  16. Historical Aspects of InfoSec • In the 1990s, the growth of the Internet and of LANs contributed to new threats to information stored in remote systems • IEEE, ISO, ITU-T, NIST and other organizations started developing many standards for secure systems • Information security is the protection of information, and of the systems and hardware that use, store, and transmit that information

  17. CNSS Model • CNSS stands for Committee on National Security Systems (a group belonging to the National Security Agency [NSA]). • CNSS has developed the National Security Telecommunications and Information Systems Security (NSTISSI) standards. • The NSTISSI standards are 4011, 4012, 4013, 4014, 4015, and 4016.

  18. CNSS Security Model [Figure: the 3 x 3 x 3 cube, with axes Technology / Education / Policy, Confidentiality / Integrity / Availability, and Storage / Processing / Transmission]

  19. CNSS Security Model • The model identifies a 3 x 3 x 3 cube with 27 cells • Security applies to each of the 27 cells • These cells deal with people, hardware, software, data, and procedures • A hacker uses a computer (hardware) to attack another computer (hardware); procedures describe the steps to follow in preventing an attack • An attack can be either direct or indirect • In a direct attack one computer attacks another; in an indirect attack one computer causes another computer to launch an attack

  20. Systems Development Life Cycle for InfoSec (SDLC) [Figure: Investigate → Analyze → Logical Design → Physical Design → Implement → Maintain] • SDLC for InfoSec is very similar to SDLC for any project • The Waterfall model would apply to InfoSec as well

  21. Systems Development Life Cycle for InfoSec [Figure: Investigate → Analyze → Logical Design → Physical Design → Implement → Maintain] • The Investigation phase involves a feasibility study based on a security program idea for the organization • The Analysis phase involves risk assessment • The Logical Design phase involves continuity planning, disaster recovery, and incident response

  22. Systems Development Life Cycle for InfoSec [Figure: Investigate → Analyze → Logical Design → Physical Design → Implement → Maintain] • The Physical Design phase involves considering the alternative options available to realize the logical design • The Maintenance phase involves implementing the design, evaluating the functioning of the system, and making changes as needed

  23. What is Computer Security? • Different answers: • It is the password that I use to enter the system, or a required set of rules (lock the computer before you leave) – End User • It is the proper combination of firewall technologies with encryption systems and access controls – Administrator • Keeping the bad guys out of my computer – Manager

  24. What is Computer Security? • A computer is secure if you can depend on it and its software to behave as you expect – Simson and Gene in the book “Practical Unix and Internet Security” • Which definition is correct? • All of them. However, we need to keep all of these perspectives in mind.

  25. CIA Triad • Security Goals: • Confidentiality, • Integrity, and • Availability

  26. Confidentiality • The property of preventing disclosure of information to unauthorized individuals or systems. • Real scenario: • A credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. • The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. • If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

  27. Integrity • Data cannot be modified without authorization. • Real scenarios: • Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files, • when a computer virus infects a computer, • when an employee is able to modify his own salary in a payroll database, • when an unauthorized user vandalizes a web site, • when someone is able to cast a very large number of votes in an online poll, and so on. • Prevented by access control and encryption.
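The confidentiality and integrity scenarios on slides 26 and 27, worked as an added Python example (not code from the lecture): card numbers are masked before they reach a log line or receipt, salary changes go through an authorization check that stops an employee editing their own record, and an HMAC over each record lets a reader detect edits made outside that path. The payroll table, the card number and the signing key are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample data for the illustration; not from the lecture.
PAYROLL = {
    "alice": {"role": "employee", "salary": 5000},
    "bob": {"role": "payroll", "salary": 6000},
}
SIGNING_KEY = b"demo-key-not-for-production"  # assumption: a server-side secret

# Runs of 13-19 digits, optionally separated by spaces or dashes (card number shapes).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pan(text: str) -> str:
    """Confidentiality: keep only the last four digits of any card number
    before the text is written to a log file, receipt or backup."""
    def mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)


def authorize_salary_change(actor: str, target: str) -> bool:
    """Integrity: only the payroll role may change salaries, and nobody may
    change their own record (separation of duties)."""
    role = PAYROLL.get(actor, {}).get("role")
    return role == "payroll" and actor != target


def change_salary(actor: str, target: str, new_salary: int) -> bool:
    """The authorized path for modifying a salary; refused changes leave data untouched."""
    if not authorize_salary_change(actor, target):
        return False
    PAYROLL[target]["salary"] = new_salary
    return True


def sign_record(name: str) -> str:
    """Integrity: an HMAC over the stored salary, so a later reader can tell
    whether the record was altered outside change_salary()."""
    msg = f"{name}:{PAYROLL[name]['salary']}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_record(name: str, tag: str) -> bool:
    """Recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(sign_record(name), tag)
```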

  28. Availability • The information must be available when it is needed. • High availability systems aim to remain available at all times. • Real scenarios: • Power outages, • hardware failures, • DoS attacks (denial-of-service attacks). • Prevented by fault tolerance, access control, and attack prevention mechanisms.

  29. Security Goals (Summary) • Confidentiality: ensures that computer-related assets are accessed only by authorized parties. Sometimes called secrecy or privacy. • Integrity: assets can be modified only by authorized parties or only in authorized ways. • Availability: assets are accessible to authorized parties at appropriate times. The opposite is denial of service.

  30. Security Goals • Strong protection is based on the relations between the goals.
