1. The University of Akron Summit College, Business Technology Dept. 2440: 141 Web Site Administration. Introduction to Security. Instructor: Enoch E. Damson

2. Information Security
  • Consists of the procedures and measures taken to protect each component of information systems
    • Protecting data, hardware, software, networks, procedures and people
  • The concept of information security is based on the C.I.A. triangle (according to the National Security Telecommunications and Information Systems Security Committee – NSTISSC)
    • C – Confidentiality
    • I – Integrity
    • A – Availability

3. Confidentiality
  • Addresses two aspects of security with subtle differences
    • Prevents unauthorized individuals from knowing or accessing information
    • Safeguards confidential information, disclosing secret information only to authorized individuals by classifying information

4. Integrity
  • Ensures data consistency and accuracy
  • The integrity of the information system is measured by the integrity of its data
  • Data can be degraded into the following categories:
    • Invalid data – not all data is valid
    • Redundant data – the same data is recorded and stored in several places
    • Inconsistent data – redundant data is not identical
    • Data anomalies – one occurrence of repeated data is changed and the other occurrences are not
    • Data read inconsistency – a user does not always read the last committed data
    • Data non-concurrency – multiple users can access and read data at the same time but lose read consistency

5. Availability
  • Ensures that data is accessible to authorized individuals
  • An organization’s information system can be unavailable because of the following security issues:
    • External attacks and lack of system protection
    • Occurrence of system failure with no disaster recovery strategy
    • Overly stringent and obscure security procedures and policies
    • Faulty implementation of authentication processes, causing failure to authenticate customers properly

6. Information Security Architecture
  • The model for protecting logical and physical assets
  • The overall design of a company’s implementation of the C.I.A. triangle
  • Components range from physical equipment to logical security tools and utilities

7. Components of Information Security Architecture
  • The components of information security architecture are:
    • Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out
    • Security personnel and administrators – people who enforce and keep security in order
    • Detection equipment – devices to authenticate users and to detect equipment prohibited by the company

8. Components of Information Security Architecture…
  • Other components of information security architecture include:
    • Security programs – tools to protect a computer system’s servers from malicious code such as viruses
    • Monitoring equipment – devices to monitor physical properties, users, and important assets
    • Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
    • Auditing procedures and tools – checks and controls to ensure that security measures are working

9. Levels of Security
  • The levels of security include:
    • highly restrictive
    • moderately restrictive
    • open

10. Levels of Security…
  • Before deciding on a level of security, answer these questions:
    • What must be protected?
    • From whom should data be protected?
    • What costs are associated with security being breached and data being lost or stolen?
    • How likely is it that a threat will actually occur?
    • Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?

11. Highly Restrictive Security Policies
  • Include features such as:
    • Data encryption
    • Complex password requirements
    • Detailed auditing and monitoring of computer/network access
    • Intricate authentication methods
    • Policies that govern use of the Internet/e-mail
  • Might require third-party hardware and software
  • Implementation cost is high
  • Cost of a security breach is high

12. Moderately Restrictive Security Policies
  • Most organizations can opt for this type of policy
  • Requires passwords, but not overly complex ones
  • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
    • Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
  • Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc.)
  • Costs are primarily in initial configuration and support

13. Open Security Policies
  • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
  • May be implemented by a small company whose primary goal is providing access to basic data resources
  • Internet access should probably not be possible via the company LAN
  • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

14. Types of Attacks & Vulnerabilities
  • Some of the numerous methods to attack systems are as follows:
    • Virus – code that compromises the integrity and state of a system
    • Worm – code that disrupts the operation of a system
    • Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code
    • Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
    • Spoofing – malicious code that looks like legitimate code
    • Bugs – software code that is faulty due to bad design, logic, or both

15. Types of Attacks & Vulnerabilities…
  • Other methods to attack systems include:
    • E-mail spamming – e-mail that is sent to many recipients without their permission
    • Boot sector virus – code that compromises the segment of the hard disk containing the program used to start the computer
    • Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
    • Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems

16. Security Resources
  • Computer Security Resources
    • http://www.sans.org
    • http://www.cert.org
    • http://www.first.org
    • http://csrc.nist.gov
    • http://www.securityfocus.com

17. Security Basics
  • Some of the basic security rules are as follows:
    • Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa
    • No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
    • The weakest link in security is human beings

18. Security Methods
  • People
    • Physical limits on access to hardware and documents
    • Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices such as ID cards, eye scans, and passwords
    • Training courses on the importance of security and how to guard assets
    • Establishment of security policies and procedures

19. Security Methods…
  • Applications
    • Authentication of users who access applications
    • Business rules
    • Single sign-on (a method for signing on once for different applications and Web sites)

20. Security Methods…
  • Network
    • Firewalls – to block network intruders
    • Virtual private network (VPN) – a remote computer securely connected to a corporate network
    • Authentication

21. Security Methods…
  • Operating System
    • Authentication
    • Intrusion detection
    • Password policy
    • User accounts

22. Security Methods…
  • Database Management Systems
    • Authentication
    • Audit mechanism
    • Database resource limits
    • Password policy

23. Security Methods…
  • Data Files
    • File permissions
    • Access monitoring

24. Securing Access to Data
  • Securing data on a network has many facets:
    • Authentication and authorization – identifying who is permitted to access which network resources
    • Encryption/decryption – making data unusable to anyone except authorized users
    • Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet
    • Firewalls – installing a software/hardware device to protect a computer or network from unauthorized access and attacks
    • Virus and worm protection – securing data from software designed to destroy data or make a computer or network operate inefficiently
    • Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing habits
    • Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network

25. Implementing Secure Authentication and Authorization
  • Administrators must control who has access to the network (authentication) and what logged-on users can do on the network (authorization)
    • Network operating systems have tools to specify options and restrictions on how/when users can log on to the network
    • File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform
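Slide 25 separates the two controls an administrator configures: authentication decides who a user is, authorization decides what that user may do. The following added example (my own code, not part of the lecture slides) models both in Python with only the standard library: passwords are stored as salted PBKDF2 hashes and checked in constant time, and every action is gated first by authentication and then by a per-user permission set. The user names, passwords, permission strings and the in-memory user store are constructed for the demonstration.

```python
"""Added example: authentication (who are you?) and authorization (what may you
do?) as two separate checks, in the spirit of slide 25. Not from the slides."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this demo

# Constructed in-memory "user database": name -> (salt, password hash, permissions)
USERS: dict[str, tuple[bytes, bytes, frozenset[str]]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; the salt makes identical passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(name: str, password: str, permissions: set[str]) -> None:
    """Store a fresh random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[name] = (salt, _hash_password(password, salt), frozenset(permissions))


def authenticate(name: str, password: str) -> bool:
    """Authentication: True only if the password reproduces the stored hash.
    A dummy derivation for unknown names keeps the timing similar either way,
    and compare_digest avoids leaking how many bytes matched."""
    salt, stored, _ = USERS.get(name, (b"\x00" * 16, b"\x00" * 32, frozenset()))
    candidate = _hash_password(password, salt)
    return name in USERS and hmac.compare_digest(candidate, stored)


def authorize(name: str, permission: str) -> bool:
    """Authorization: may this (already authenticated) user perform the action?"""
    return name in USERS and permission in USERS[name][2]


def perform(name: str, password: str, permission: str) -> str:
    """Gate an action on both checks; authentication always runs first."""
    if not authenticate(name, password):
        return "denied: authentication failed"
    if not authorize(name, permission):
        return f"denied: {name} lacks '{permission}'"
    return f"ok: {name} performed '{permission}'"


# Constructed sample accounts
add_user("alice", "correct horse battery staple", {"read:reports", "write:reports"})
add_user("bob", "bob-pass-2024", {"read:reports"})

if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "write:reports"))  # ok
    print(perform("bob", "bob-pass-2024", "write:reports"))   # authenticated, not authorized
    print(perform("bob", "wrong", "read:reports"))            # wrong password
    print(perform("mallory", "anything", "read:reports"))     # unknown user
```

The two failure messages are deliberately different only after authentication has succeeded; an unknown user and a wrong password both yield the same "authentication failed" result, so the response does not reveal which user names exist.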
26. Securing Data Transmission
  • Encryption is used to safeguard data as it travels across a network
  • Tools such as Telnet and FTP are very vulnerable since they send data in clear text
    • Secure Sockets Layer (SSL) is the most common method of encrypting data transmissions
      • Most Web sites that encrypt sensitive data such as credit card information use SSL

27. Encryption
  • The act of encoding readable data into a format that is unreadable without a decoding key
    • Decryption – the act of decoding encoded data back into the original readable format
  • Encryption provides privacy (confidentiality)
  • Encryption and decryption are the two major processes that make up the science of cryptography

28. Cryptography
  • The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
    • Allows encryption of data from its original form into a form that can only be read with the correct decryption key
  • Some of the security functions addressed by cryptographic methods are:
    • Authentication
    • Privacy
    • Message integrity
    • Provision of digital signatures

29. Vocabulary of Cryptography
  • Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws
  • Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms
  • Cryptographer – a person trained in the science of cryptography
  • Alphabet – the set of symbols used in cryptography for either input or output messages
  • Plaintext (cleartext) – the original data in its raw form
  • Cipher – a cryptographic encryption algorithm for transforming data from one form to another
  • Ciphertext – the encrypted data

30. Encryption Methodology
  • There are two elements in encryption:
    • Encryption method – specifies the mathematical process used in encryption
    • Key – the special string of bits used in encryption

31. Encryption Example
  • Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Plaintext: Meet me on the corner
  • Cipher (algorithm): C = P + K
    • C – the ciphertext character
    • P – the plaintext character
    • K – the value of the key
  • Key: 3
  • The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext character (C), add the value of the key (K) to the plaintext character
    • Shift the plaintext character to the right in the alphabet by three characters
      • D replaces A, E replaces B, F replaces C, etc.
  • The following message is generated:
    • Ciphertext: Phhw ph rq wkh fruqhu
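The shift cipher on slide 31 is small enough to implement completely, and doing so also illustrates the cryptanalysis term from slide 29: with only 26 possible keys, an attacker who intercepts the ciphertext can simply try all of them. The following added example (my own code, not from the slides) implements C = P + K over the slide's alphabet with wrap-around, its inverse P = C − K, and a key-recovery routine that scores each candidate decryption against a tiny constructed word list. The word list and the scoring heuristic are assumptions made for the demonstration; a real cryptanalyst would use letter frequencies or a dictionary.

```python
"""Added example: the slide's shift cipher C = P + K (mod 26), its inverse, and a
brute-force key recovery showing why a 26-key keyspace gives no protection."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # the alphabet given on slide 31


def shift_char(ch: str, k: int) -> str:
    """Apply C = P + K to one character, wrapping around the end of the
    alphabet; keep case, and pass through characters outside the alphabet
    (spaces, punctuation) unchanged, as the slide's ciphertext does."""
    upper = ch.upper()
    if upper not in ALPHABET:
        return ch
    shifted = ALPHABET[(ALPHABET.index(upper) + k) % len(ALPHABET)]
    return shifted if ch.isupper() else shifted.lower()


def encrypt(plaintext: str, key: int) -> str:
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    # Decryption is the inverse shift: P = C - K
    return "".join(shift_char(c, -key) for c in ciphertext)


# Constructed, deliberately tiny list of common English words used as a plausibility check
COMMON_WORDS = {"the", "me", "on", "meet", "and", "to", "a", "of", "in", "at"}


def score_english(text: str) -> int:
    """Crude heuristic: how many whitespace-separated tokens are common words."""
    return sum(1 for w in text.lower().split() if w.strip(".,;!?") in COMMON_WORDS)


def recover_key(ciphertext: str) -> int:
    """Cryptanalysis (slide 29): try every key in the 26-key keyspace and return
    the one whose decryption looks most like English."""
    return max(range(len(ALPHABET)), key=lambda k: score_english(decrypt(ciphertext, k)))


if __name__ == "__main__":
    ct = encrypt("Meet me on the corner", 3)
    print(ct)                       # Phhw ph rq wkh fruqhu, as on the slide
    print(decrypt(ct, 3))           # Meet me on the corner
    k = recover_key(ct)
    print(k, decrypt(ct, k))        # 3 Meet me on the corner
```

Running it reproduces the slide's ciphertext exactly, and the recovery loop finds key 3 without being told it, which is the practical meaning of "the key is the special string of bits" on slide 30: a key drawn from a space of 26 values is no secret at all.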
32. Types of Cryptographic Ciphers
  • Ciphers fall into one of two major categories:
    • Symmetric (single-key) ciphers – the same key is used for both encryption and decryption
    • Asymmetric (public-key) ciphers – different keys are used for encryption and decryption

33. Symmetric (Single) Key Encryption
  • The most common and simplest form of encryption
  • Both parties in the encryption process must keep the key secret
  • There are several specific symmetric key encryption algorithms
    • The most widely used is the Data Encryption Standard (DES)
    • Other, more secure encryption algorithms include: Triple-DES, DESX, RDES, Blowfish, AES, and IDEA

34. Symmetric Key Encryption…
  • Data Encryption Standard (DES)
    • Developed by IBM for the US National Institute for Standards and Technology (NIST) in the 1970s
    • The original algorithm is based on a 56-bit key that yields 2^56 possible keys (72 quadrillion keys)
    • Breaks the plaintext into chunks of 64 bits (8 of the key bits are redundant) and encrypts each chunk
    • In general, the larger the key, the more secure the encryption is
    • Widely used today but with some drawbacks
      • Both the sender and receiver of the encrypted message must know the key before they can communicate
      • Susceptible to attack, especially in networked environments

35. Asymmetric (Public) Key Encryption
  • There are two keys for each party
    • The sender and receiver each have a private and a public key
    • Public key – senders encrypt data sent over nonsecure connections with the receiver’s public key
    • Private key – receivers use their private keys to decrypt data
  • The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption

36. Authentication
  • One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
    • It brings authorization (confidentiality) – only authorized users can use data
  • In contrast, authentication proves the sender’s identity

37. Forms of Authentication
  • There are many forms of authentication:
    • Passwords
    • Authentication cards – ATMs use these with coded information
    • Biometrics – measures body dimensions, as with fingerprint analyzers
    • Public key authorization – uses digital signatures
      • Digital signature – the electronic version of a physical signature