Published in: Technology, Business


  1. 1. Data Security
      Presenter: Muhammad Ghazanfar Ullah, Head, Computer Systems Engineering, Usman Institute of Technology
  2. 2. Agenda of Presentation
      • About Data Security
      • Security Measures
      • Policies and Principles
      • Technology and Threats
  3. 3. Security
  4. 4. Security
      For some, it is just a concept; it's about peace of mind and reassurance. It's about knowing that there is something you can rely on, something that you can turn to when there is a problem. Having a feeling of security brings you a sense of confidence and security for the future. For others, security means protection against something or someone. It provides a defence for people and property, safeguarding a precious investment or something that is cherished.
  5. 5. Data
  6. 6. Data
      While carrying out an investigation about 'ourselves', a child writes 'brown' under the heading 'hair color'; this is data about that child. This data becomes information when it is used to inform in some way, for example, when the data is combined with the heading and presented as a statement: 'Jane has brown hair'. Data can take many forms. It might be numerical data of room temperatures, words relating to a particular subject such as flowers, or sounds or images collected to illustrate a presentation. It could even be imaginary data created by children, about characters in their drama, for example.
  7. 7. Computers and Data
  8. 8. Information
      • Most Valuable Resource
      • Five main Resources
          • Personnel
          • Material
          • Machines (including facilities and energy)
          • Money
          • Information (and data)
      [Diagram brace labels: Physical, Conceptual]
  9. 9. Computers and Data
      Many large organizations use computers to store important data (information). Large companies, government departments, colleges and hospitals all keep important information, for example, employee records and wages, patient or student records and accounts.
      • Why?
          • Efficiency
          • Accuracy
          • Capacity
          • Sharing and Transmission etc.
  10. 10. Computers and Data: Computer Users
      Region           2002    2003    2004
      North America    212.6   222.8   234.4
      Latin America     25.6    32.6    43.7
      Europe           163.5   195.5   224.8
      Africa/ME          9.2    10.7    11.5
      Asia/Pacific     151.2   203.6   238.1
      Total            562.3   665.4   752.6
  11. 11. Computers and Data
  12. 12. Computers and Data: How Did We Get Here?
      • The proliferation of computers.
          • 2-3 w/LAN per household is not unusual.
      • The geographical expansion of networks.
          • 44 million plus hosts
          • 650,000 plus Web sites
          • 800 million plus Internet users by the end of 2008.
      • The dramatic rise in computer literacy.
      • The dependence of organizations upon the infrastructure.
          • ECommerce is expected to be between 8 and 13 trillion dollars by 2008.
      • The dependence of organizations upon Information.
  13. 13. Computers and Data: Sensitive Information
      Sensitive information is any information stored on your computer that you would hate to have fall into the wrong hands. This could be personal information, employee information, trade secrets, etc. It is the ramifications that are the concern.
  14. 14. Computers and Data
      • Is your Information Sensitive?
      • What would happen if your competitor had a copy of a spreadsheet file containing your short- and long-term sales strategy?
      • What would happen if personnel records became public knowledge within your organization?
      • What would happen if your customer database was copied and sold? Does it contain information that you are ultimately liable for?
      • What would happen if someone made copies of your archived personal email messages? Could they somehow use this against you?
      • What could a resourceful private detective and a cunning lawyer do with information on your computer?
  15. 15. Data Security
  16. 16. Data Security
      There are two problems with keeping this information on computers. The first problem is that information can be lost through technical or human error. The second problem is that some information is confidential: only certain people should see it. These people can be described as ‘authorized users’ and the people who shouldn’t see this information as ‘unauthorized users’.
  17. 17. Security Services
      • Secrecy
      • Integrity
      • Availability
      • Authenticity
      • Non-repudiation
      • Access control
  18. 18. Secrecy (Confidentiality)
      • Secrecy requires that the information in a computer system only be accessible for reading by authorized parties.
      • This type of access includes:
          • Printing
          • Displaying
          • Other forms of disclosure, including simply revealing the existence of an object
  19. 19. Integrity
      • Integrity requires that the computer system asset can be modified only by authorized parties.
      • Modification includes:
          • Writing
          • Changing
          • Changing status
          • Deleting
          • Creating
  20. 20. Availability
      • Availability requires that computer system assets are available to authorized parties.
      • Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.
  21. 21. Security of Data
      [Diagram: Data Confidentiality, Data Integrity and Data Availability together give Secure Data]
  22. 22. Authenticity
      • Authenticity means that parties in an information service can ascertain the identity of parties trying to access information services.
      • It also means that the origin of the message is certain.
      • Therefore there are two types:
          • Principal Authentication
          • Message Authentication
  23. 23. Non-Repudiation
      • The originator of a communication can’t deny it later.
      • Without non-repudiation you could place an order for 1 million dollars of equipment online and then simply deny it later.
      • Or you could send an email inviting a friend to dinner and then disclaim it later.
      • Non-repudiation associates the identity of the originator with the transaction in a non-deniable way.
  24. 24. Access Control
      • Unauthorized users are kept out of the system.
      • Unauthorized users are kept out of places on the system/disk.
      • Typically makes use of Directories, Access Control Lists (ACLs) or an Access Control Matrix
      • Objects: Resources that need to be protected
      • Subjects: Entities that need access to resources
      • Rights: Permissions
      • Each entry is a triple <subject, object, rights>
  25. 25. The Threats to Security
  26. 26. Types
      • Natural Events and Accidents
      • Blunders, Errors and Omissions
      • Insiders
      • Recreational Hackers
      • Criminal Activity
      • Industrial Espionage
      • Terrorism
      • National Intelligence
      • Information Warfare
  27. 27. Typical Threats
      • NATURAL DISASTERS
          • Fires
          • Earthquakes
          • Hurricanes
          • Tornadoes
          • Floods
      • PEOPLE
          • Hackers
          • Criminals
          • Insiders
      • ACCIDENTS
          • Power Switch
          • Water Pipes
          • Air Conditioning
          • Air Humidity
          • Sparks
  28. 28. Insiders
      • Managers.
      • Contractors.
      • Business Partners.
      • Former Employees.
      • Present Employees.
      • Disgruntled Employees.
      • System Administrators.
      • Network Administrators.
  29. 29. Outsiders
      • Hackers.
      • Virus Writers.
      • Criminals.
          • Corporate Espionage.
          • Identity Theft.
          • Internet Fraud.
      • Terrorists.
      • Foreign Intelligence Services.
      • Foreign Military (Information Warfare).
  30. 30. The Attacks
  31. 31. Attack
      • An attack is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
      • Interruption
      • Interception
      • Modification
      • Fabrication
  32. 32. Types of Attacks
  33. 33. Quiz????
      • Modification is the attack on which service?
      • Fabrication is the attack on which service?
  34. 34. Classification of attacks
      • Computer security attacks can be classified into two broad categories:
          • Passive Attacks can only observe communications or data.
          • Active Attacks can actively modify communications or data. Often difficult to perform, but very powerful. Examples include:
              • Mail forgery/modification
              • TCP/IP spoofing/session hijacking
  35. 36. The Technology
  36. 37. A Security Model
      Firewalls and Security Gateways are based on this model.
  37. 38. Encryption
  38. 39. Encryption
      • Encryption can be used to provide Confidentiality, Integrity, Authentication and Non-Repudiation.
      • There are four major cryptographic functions you should be familiar with:
  39. 40. Symmetric Cryptography
      • The first is Symmetric Cryptography, which uses the same key for both encryption and decryption. Examples are:
          • Data Encryption Standard (DES) (56 bits)
          • Triple DES (3DES) (112 bits)
          • International Data Encryption Algorithm (IDEA) (128 bits)
          • Rivest Cipher (RC4) (variable length key)
          • Advanced Encryption Standard (AES-Rijndael) (variable key length)
  40. 41. Encryption Contd.
      • The second is Asymmetric Cryptography, which uses two keys, a Public and a Private key. One key is used for encrypting/signing while the other is used for decrypting/verifying. Examples are:
          • Diffie-Hellman.
          • Rivest, Shamir and Adleman (RSA).
          • Digital Signature Algorithm (DSA/El Gamal).
          • Elliptic Curve Cryptosystem (ECC).
      • These are trapdoor one-way functions that are easy to compute in one direction but very difficult to compute in the other.
      • They are much slower than symmetric algorithms and are not practical for encrypting/decrypting large amounts of data.
      • They are normally used for exchanging session keys (Private Keys) for symmetric algorithms.
  41. 42. Encryption Contd.
      • The third is Hash Functions, which are used to condense a variable-length message into a fixed-length code. This code is called a Hash or Message Digest (MD). Examples are:
          • Message Digest (MD5) (128 bits)
          • Secure Hash Algorithm (SHA-1) (160 bits)
          • Haval (variable length)
      • Hashes are cryptographic checksums used to provide integrity checks on messages or files.
      • They are one-way functions and it is not mathematically feasible to recreate the original message (at least not yet).
          • A Digital Signature is created by computing the Hash then encrypting the hash with the sender's Private Key.
  42. 43. Encryption Contd.
      • The fourth is Public Key Certificates, which provide a means of distributing Public Keys.
      • These public keys are used to support Authentication, Integrity and Confidentiality for such functions as Web transactions, Email and IPSec.
      • Public Key Infrastructure (PKI) provides a means for
          • Generating keys,
          • Signing Certificates (Certificate Authority (CA)), and
          • establishing Certificate Revocation (Certificate Revocation Lists (CRL))
  43. 44. Encryption Contd.
      • Encryption Issues
          • Cryptanalysis Attacks
              • Brute Force Attack (Keyspace Search).
              • Known Plaintext.
              • Linear/Differential Analysis.
              • Weak Protocols (Man in the Middle Attack).
          • Surrounding System
              • Encryption does not provide perimeter security.
      Recommendation: Employ a perimeter defense with encryption.
  44. 45. Security Policies
  45. 46. Policy Goals
      • Goal 1 - To define the organization's expectation with regard to the proper use of computers and networks.
      • Goal 2 - To define how the organization will respond to a security incident.
          • The policy must conform to existing policies, rules, regulations and laws.
          • The policy should be developed by both technical and management personnel.
              • A policy must be both implementable and enforceable.
          • The policy must ensure that everyone knows their responsibility for maintaining security.
      • Prevention is the key to security.
  46. 47. Security Policy Philosophy
      • There are four basic security philosophies around which an organization can construct a security policy.
          • Paranoid: Nothing is allowed (no external connections) - The organization has been hacked and it's paranoid.
          • Cautious: That which is not explicitly permitted is not allowed. The default policy is to deny.
          • Optimistic: That which is not explicitly prohibited is allowed. The default policy is to allow.
          • Open: Everything is allowed. This organization has not been hacked.
      • NOTE: Instructor's recommendation: BE CAUTIOUS.
      • The correct philosophy will depend upon the organization. The following criteria should be employed in establishing your policy.
          • Risks - How much risk is management willing to accept?
          • Cost - How much money is management willing to expend based upon the risks?
          • Operations - What is the proper balance between risk, cost and operations?
          • Culture - What is your organization's value system with regard to personal communications?
          • Legal - What are your legal requirements to customers, employees, state, etc.?
  47. 48. Security Policy Philosophy Contd.
      • Organizational security policies, standards, guidelines and procedures must be driven by senior management.
          • Senior management must believe in the value of security.
          • Senior management must support security through their actions.
          • Senior management must conform to the same rules and regulations.
          • Users must believe that security has the support of senior management.
      • Organizational security policies should be designed to support Information.
          • Proprietary information.
          • Customer information.
          • Databases.
          • Electronic Mail.
          • All electronic or paper information.
      • Risk can be reduced but never eliminated.
          • No matter how much time and effort you spend to secure your computer or network, it can always be broken into.
          • Given enough time, resources, money and motivation any system can be had.
  48. 49. Policy Thoughts
      • The following are decisions that determine an organization's security posture.
          • Who is allowed to use the resources?
          • What is the proper use of those resources?
          • What is being protected?
          • Why is it being protected?
          • Who has responsibility for protecting these resources?
          • What are the rights and responsibilities of the users? The System Administrator? The Network Manager?
          • Who/How is the organization to interpret and resolve security conflicts?
  49. 50. Policy Thoughts
      • Level 1: Policy - Philosophy of protection
      • Level 2: Standards - Goals of protection
      • Level 3: Guidelines - Task to Accomplish Goal
      • Level 4: Rules - To implement Tasks in Firewalls/IDS
  50. 51. Thank you!
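
The <subject, object, rights> triples from the Access Control slide, evaluated under the Cautious (default deny) and Optimistic (default allow) philosophies from the Security Policy Philosophy slide. This is an added example, not part of the original presentation; the users, files, the `allow` flag for explicit prohibitions and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Entry:
    """One <subject, object, rights> triple. `allow=False` is an assumed
    extension marking an explicit prohibition (the Optimistic model needs one)."""
    subject: str
    obj: str
    rights: frozenset
    allow: bool = True


# Constructed sample matrix (hypothetical users and files).
ACL = [
    Entry("alice", "payroll.xls", frozenset({"read", "write"})),
    Entry("bob", "customers.db", frozenset({"read"})),
    Entry("bob", "payroll.xls", frozenset({"read", "write", "delete"}), allow=False),
]


def is_allowed(acl, subject, obj, right, default_allow=False):
    """Explicit prohibition wins, then explicit permission, then the default.

    default_allow=False is the Cautious philosophy (default deny);
    default_allow=True is the Optimistic philosophy (default allow).
    """
    hits = [e for e in acl
            if e.subject == subject and e.obj == obj and right in e.rights]
    if any(not e.allow for e in hits):
        return False
    if hits:
        return True
    return default_allow


def implicit_grants(acl, subjects, objects, rights):
    """Requests nobody wrote a rule for, which only default-allow lets through."""
    return sorted(
        (s, o, r) for s, o, r in product(subjects, objects, rights)
        if is_allowed(acl, s, o, r, default_allow=True)
        and not is_allowed(acl, s, o, r, default_allow=False)
    )


if __name__ == "__main__":
    gap = implicit_grants(ACL, ["alice", "bob"],
                          ["payroll.xls", "customers.db"],
                          ["read", "write", "delete"])
    for s, o, r in gap:
        print(f"default-allow silently permits: {s} may {r} {o}")
```

Every request listed by `implicit_grants` is access that exists only because no one wrote a rule for it, which is the practical argument behind the instructor's "be cautious" recommendation.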