The University of Akron Summit College

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

    Presentation Transcript

    • The University of Akron Summit College
      • Business Technology Dept.
      • 2440: 141 Web Site Administration
      • Introduction to Security
      • Instructor: Enoch E. Damson
    • Information Security
      • Consists of the procedures and measures taken to protect each component of information systems
        • Protecting data, hardware, software, networks, procedures and people
      • The concept of information security is based on the C.I.A triangle (according to the National Security Telecommunications and Information Security Committee – NSTISSC)
        • C – Confidentiality
        • I – Integrity
        • A – Availability
    • Confidentiality
      • Addresses two aspects of security with subtle differences
        • Prevents unauthorized individuals from knowing or accessing information
        • Safeguards confidential information and discloses secret information only to authorized individuals by means of classifying information
    • Integrity
      • Ensures data consistency and accuracy
      • The integrity of the information system is measured by the integrity of its data
      • Data can be degraded into the following categories:
        • Invalid data – not all data is valid
        • Redundant data – the same data is recorded and stored in several places
        • Inconsistent data – redundant data is not identical
        • Data anomalies – one occurrence of repeated data is changed and the other occurrences are not
        • Data read inconsistency – a user does not always read the last committed data
        • Data non-concurrency – multiple users can access and read data at the same time but lose read consistency
    • Availability
      • Ensures that information is accessible to authorized individuals
      • An organization’s information system can be unavailable because of the following security issues
        • External attacks and lack of system protection
        • Occurrence of system failure with no disaster recovery strategy
        • Overly stringent and obscure security procedures and policies
        • Faulty implementation of authentication processes, causing failure to authenticate customers properly
    • Information Security Architecture
      • The model for protecting logical and physical assets
      • The overall design of a company’s implementation of the C.I.A triangle
      • Components range from physical equipment to logical security tools and utilities
    • Components of Information Security Architecture
      • The components of information security architecture are:
        • Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out
        • Security personnel and administrators – people who enforce and keep security in order
        • Detection equipment – devices to authenticate users and detect equipment prohibited by the company
    • Components of Information Security Architecture…
      • Other components of information security architecture include:
        • Security programs – tools to protect computer system’s servers from malicious code such as viruses
        • Monitoring equipment – devices to monitor physical properties, users, and important assets
        • Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
        • Auditing procedures and tools – checks and controls to ensure that security measures are working
    • Levels of Security
      • The levels of security include:
        • highly restrictive
        • moderately restrictive
        • open
    • Levels of Security…
      • Before deciding on a level of security, answer these questions:
        • What must be protected?
        • From whom should data be protected?
        • What costs are associated with security being breached and data being lost or stolen?
        • How likely is it that a threat will actually occur?
        • Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?
    • Highly Restrictive Security Policies
      • Include features such as:
        • Data encryption
        • Complex password requirements
        • Detailed auditing and monitoring of computer/network access
        • Intricate authentication methods
        • Policies that govern use of the Internet/e-mail
      • Might require third-party hardware and software
      • Implementation cost is high
      • Cost of a security breach is high
    • Moderately Restrictive Security Policies
      • Most organizations can opt for this type of policy
      • Requires passwords, but not overly complex ones
      • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
        • Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
      • Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc.)
      • Costs are primarily in initial configuration and support
    • Open Security Policies
      • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
      • May be implemented by a small company with the primary goal of making access to basic data resources
      • Internet access should probably not be possible via the company LAN
      • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees
    • Types of Attacks & Vulnerabilities
      • Some of the numerous methods to attack systems are as follows:
        • Virus – code that compromises the integrity and state of a system
        • Worm – code that disrupts the operation of a system
        • Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code
        • Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
        • Spoofing – malicious code that looks like legitimate code
        • Bugs – software code that is faulty due to bad design, logic, or both
    • Types of Attacks & Vulnerabilities…
      • Other methods to attack systems include:
        • Email spamming – E-mail that is sent to many recipients without their permission
        • Boot sector virus – code that compromises the segment in the hard disk containing the program used to start the computer
        • Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
        • Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems
    • Security Resources
      • Computer Security Resources
        • http://www.sans.org
        • http://www.cert.org
        • http://www.first.org
        • http://csrc.nist.gov
        • http://www.securityfocus.com
    • Security Basics
      • Some of the basic security rules are as follows:
        • Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa
        • No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
        • The weakest link in security is human beings
    • Security Methods
      • People
        • Physical limits on access to hardware and documents
        • Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices such as ID cards, eye scans, and passwords
        • Training courses on the importance of security and how to guard assets
        • Establishment of security policies and procedures
    • Security Methods…
      • Applications
        • Authentication of users who access applications
        • Business rules
        • Single sign-on (a method for signing on once for different applications and Web sites)
    • Security Methods…
      • Network
        • Firewalls – to block network intruders
        • Virtual private network (VPN) – a remote computer securely connected to a corporate network
        • Authentication
    • Security Methods…
      • Operating System
        • Authentication
        • Intrusion detection
        • Password policy
        • User accounts
    • Security Methods…
      • Database Management Systems
        • Authentication
        • Audit mechanism
        • Database resource limits
        • Password policy
    • Security Methods…
      • Data Files
        • File permissions
        • Access monitoring
    • Securing Access to Data
      • Securing data on a network has many facets:
        • Authentication and authorization – identifying who is permitted to access which network resources
        • Encryption/decryption – making data unusable to anyone except authorized users
        • Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet
        • Firewalls – installing a software/hardware device to protect a computer or network from unauthorized access and attacks
        • Virus and worm protection – securing data from software designed to destroy data or make a computer or network operate inefficiently
        • Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits
        • Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network
    • Implementing Secure Authentication and Authorization
      • Administrators must control who has access to the network (authentication) and what logged-on users can do on the network (authorization)
        • Network operating systems have tools to specify options and restrictions on how/when users can log on to the network
        • File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform
    • Securing Data Transmission
      • Encryption is used to safeguard data as it travels across a network
      • Tools such as Telnet and FTP are very vulnerable since they send data in clear text
        • Secure Sockets Layer (SSL) is the most common method of encrypting data transmissions
          • Most Web sites that encrypt sensitive data, such as credit card information, use SSL
    • Encryption
      • The act of encoding readable data into a format that is unreadable without a decoding key
        • Decryption – the act of decoding encoded data back into the original readable format
      • Encryption provides privacy (confidentiality)
      • Encryption and decryption are the two major processes that make up the science of cryptography
    • Cryptography
      • The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
        • Allows encryption of data from its original form into a form that can only be read with a correct decryption key
      • Some of the security functions addressed by cryptographic methods are:
        • Authentication
        • Privacy
        • Message integrity
        • Provisions of data signatures
    • Vocabulary of Cryptography
      • Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws
      • Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms
      • Cryptographer – a person trained in the science of cryptography
      • Alphabet – the set of symbols used in cryptography to either input or output messages
      • Plaintext (cleartext) – the original data in its raw form
      • Cipher – a cryptographic encryption algorithm for transforming data from one form to another
      • Ciphertext – the encrypted data
    • Encryption Methodology
      • There are two elements in encryption:
        • Encryption method – specifies the mathematical process used in encryption
        • Key – the special string of bits used in encryption
    • Encryption Example
      • Plaintext : Meet me on the corner
      • Cipher (algorithm): C = P + K
        • C – the ciphertext character
        • P – the plaintext character
        • K – the value of the key
      • Key : 3
      • The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext (C), add the value of the key (K) to the plaintext character
        • Shift the plaintext character to the right of the alphabet by three characters
          • D replaces A, E replaces B, F replaces C, etc
      • The following message is generated:
        • Ciphertext: Phhw ph rq wkh fruqhu
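
The shift cipher from the slide above, as an added example that is not part of the original presentation. It goes beyond the slide by wrapping around the end of the alphabet (C = (P + K) mod 26), adding decryption, and trying every key to show that a 25-key space gives no real protection; the function names and the small word list are assumptions made for illustration.

```python
def shift_char(ch, key):
    """Apply C = (P + K) mod 26 to one letter; anything else passes through."""
    if not (ch.isascii() and ch.isalpha()):
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + key) % 26 + base)


def encrypt(plaintext, key):
    """Shift every letter right by `key` positions, keeping case and spacing."""
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext, key):
    """Invert the cipher: P = (C - K) mod 26."""
    return "".join(shift_char(c, -key) for c in ciphertext)


# Constructed word list, used only to score candidate plaintexts.
COMMON_WORDS = {"the", "on", "me", "and", "to", "of", "in", "is"}


def exhaustive_search(ciphertext):
    """Try all 25 non-zero keys and return the (key, plaintext) pair whose
    plaintext contains the most common English words."""
    def score(text):
        return sum(word in COMMON_WORDS for word in text.lower().split())

    candidates = [(k, decrypt(ciphertext, k)) for k in range(1, 26)]
    return max(candidates, key=lambda pair: score(pair[1]))


if __name__ == "__main__":
    message = "Meet me on the corner"      # plaintext from the slide
    ciphertext = encrypt(message, 3)       # key from the slide
    print(ciphertext)
    print(decrypt(ciphertext, 3))
    # Without knowing the key, 25 trials are enough to recover it.
    print(exhaustive_search(ciphertext))
```

The search succeeds instantly because the key space holds only 25 usable values, which is the reason practical ciphers rely on very large keys rather than on keeping the method secret.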
    • Types of Cryptographic Ciphers
      • Ciphers fall into one of two major categories:
        • Symmetric (single-key) ciphers – the same key is used for both encryption and decryption
        • Asymmetric (public-key) ciphers – different keys are used for encryption and decryption
    • Symmetric (Single) Key Encryption
      • The most common and simplest form of encryption
      • Both parties in the encryption process must keep the key secret
      • There are several specific symmetric key encryption algorithms
        • The most widely used is the data encryption standard (DES)
        • Other, more secure encryption algorithms include: Triple-DES, DESX, RDES, Blowfish, AES, and IDEA
    • Symmetric Key Encryption…
      • Data Encryption Standard (DES) –
        • Developed by IBM for the US National Institute for Standards and Technology (NIST) in the 1970s
        • The original algorithm is based on a 56-bit key that yields 2^56 possible keys (72 quadrillion keys)
        • Breaks the plaintext into chunks of 64-bits (8 of the key bits are redundant) and encrypts each chunk
        • In general, the larger the key the more secure the encryption is
        • Widely used today but with some drawbacks
          • Both the sender and receiver of the encrypted message must know the key before they can communicate
          • Susceptible to attack especially in networked environments
    • Asymmetric (Public) Key Encryption
      • There are two keys for each party
        • The sender and receiver each have a private and a public key
        • Public key – senders encrypt data with the receiver's public key, even over nonsecure connections
        • Private key – the receivers use their private keys to decrypt data
      • The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption
    • Authentication
      • One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
        • It brings authorization (confidentiality) – only authorized users can use data
      • In contrast, authentication proves the sender’s identity
    • Forms of Authentication
      • There are many forms of authentication:
        • Passwords
        • Authentication cards – ATMs use these with coded information
        • Biometrics – measures body dimensions like finger-print analyzers
        • Public key authorization – uses digital signatures
          • Digital signature – the electronic version of a physical signature