Data Security
Presenter: Muhammad Ghazanfar Ullah, Head, Computer Systems Engineering, Usman Institute of Technology
Agenda of Presentation
About Data Security
Policies and Principles
Technology and Threats
Security
For some, it is just a concept; it's about peace of mind and reassurance. It's about knowing that there is something you can rely on, something that you can turn to when there is a problem. Having a feeling of security brings you a sense of confidence and security for the future. For others, security means protection against something or someone. It provides a defence for people and property, safeguarding a precious investment or something that is cherished.
Data
While carrying out an investigation about 'ourselves', a child writes 'brown' under the heading 'hair color'; this is data about that child. This data becomes information when it is used to inform in some way, for example, when the data is combined with the heading and presented as a statement: 'Jane has brown hair'. Data can take many forms. It might be numerical data of room temperatures, words relating to a particular subject such as flowers, or sounds or images collected to illustrate a presentation. It could even be imaginary data created by children, about characters in their drama, for example.
Computers and Data
Most Valuable Resource
Five main Resources
(including facilities and energy)
Information (and data)
Physical Conceptual }
Computers and Data
Many large organizations use computers to store important data (information). Large companies, government departments, colleges and hospitals all keep important information, for example, employee records and wages, patient or student records and accounts.
Sharing and Transmission etc.
Computers and Data
Computer Users
Region           2002     2003     2004
North America    212.6    222.8    234.4
Latin America     25.6     32.6     43.7
Europe           163.5    195.5    224.8
Africa/ME          9.2     10.7     11.5
Asia/Pacific     151.2    203.6    238.1
Total            562.3    665.4    752.6
The proliferation of computers.
2-3 computers with a LAN per household is not unusual.
The geographical expansion of networks.
44 million plus hosts
650,000 plus Web sites
800 Million plus Internet users by the end of 2008.
The dramatic rise in computer literacy.
The dependence of organizations upon the infrastructure.
E-commerce is expected to be between 8 and 13 trillion dollars by 2008.
The dependence of organizations upon Information.
How Did We Get Here?
Computers and Data
Sensitive Information
Sensitive information is any information stored on your computer that you would hate to have fall into the wrong hands. This could be personal information, employee information, trade secrets, etc. It is the ramifications that are the concern.
Computers and Data
Is your Information Sensitive?
What would happen if your competitor had a copy of a spreadsheet file containing your short and long term sales strategy?
What would happen if personnel records became public knowledge within your organization?
What would happen if your customer database was copied and sold? Does it contain information that you are ultimately liable for?
What would happen if someone made copies of your archived personal email messages? Could they somehow use this against you?
What could a resourceful private detective and a cunning lawyer do with information on your computer?
Data Security
There are two problems with keeping this information on computers. The first problem is that information can be lost through technical or human error. The second problem is that some information is confidential: only certain people should see it. These people can be described as 'authorized users' and the people who shouldn't see this information as 'unauthorized users'.
Secrecy requires that the information in a computer system only be accessible for reading by authorized parties.
This type of access includes:
Other forms of disclosure, including simply revealing the existence of an object
Integrity requires that the computer system asset can be modified only by authorized parties.
Availability requires that computer system assets are available to authorized parties.
Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.
Security of Data (diagram): Data Confidentiality, Data Integrity, Data Availability, Secure Data
Authenticity means that parties in an information service can ascertain the identity of parties trying to access the service.
It also means that the origin of the message is certain.
Therefore two types:
Originator of communications can’t deny it later.
Without non-repudiation you could place an order for 1 million dollars of equipment online and then simply deny it later.
Or you could send an email inviting a friend to dinner and then disclaim it later.
Non-repudiation associates the identity of the originator with the transaction in a non-deniable way.
Unauthorized users are kept out of the system.
Unauthorized users are kept out of places on the system/disk.
Typically makes use of Directories or Access Control Lists (ACLs) or Access Control Matrix
Objects: Resources that need to be protected
Subjects: Entities that need access to resources
Each entry is a triple <subject, object, rights>
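The matrix described above can be stored sparsely as a set of <subject, object, rights> triples, with an ACL being one column and a subject's directory (capability list) being one row. The following is an added example, not part of the original slides; the class, subject and object names are constructed for illustration.

```python
from collections import defaultdict


class AccessMatrix:
    """Access control matrix held as <subject, object, rights> triples."""

    def __init__(self, triples):
        self._cells = defaultdict(set)
        for subject, obj, rights in triples:
            self._cells[(subject, obj)] |= set(rights)

    def allowed(self, subject, obj, right):
        # Default deny: a missing cell means the subject has no rights.
        return right in self._cells.get((subject, obj), ())

    def acl(self, obj):
        # One column of the matrix: every subject with rights on this object.
        return {s: sorted(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject):
        # One row of the matrix: every object this subject can reach.
        return {o: sorted(r) for (s, o), r in self._cells.items() if s == subject}

    def revoke(self, subject, obj, right):
        # Remove one right; drop the cell entirely once it is empty.
        cell = self._cells.get((subject, obj))
        if cell:
            cell.discard(right)
            if not cell:
                del self._cells[(subject, obj)]


# Constructed sample data: two staff members and two protected records.
TRIPLES = [
    ("alice", "payroll.xls", {"read", "write"}),
    ("bob", "payroll.xls", {"read"}),
    ("bob", "patients.db", {"read", "write"}),
]
MATRIX = AccessMatrix(TRIPLES)

if __name__ == "__main__":
    print(MATRIX.acl("payroll.xls"))
    print(MATRIX.capabilities("bob"))
    print(MATRIX.allowed("mallory", "payroll.xls", "read"))
```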
The Threats to Security
Natural Events and Accidents
Blunders, Errors and Omissions
Foreign Intelligence Services.
Foreign Military (Information Warfare).
An attack is a danger that could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Types of Attacks
Modification is the Attack on which Service?
Fabrication is the attack on which service?
Classification of attacks
Computer Security attacks can be classified into two broad categories:
Passive Attacks can only observe communications or data.
Active Attacks can actively modify communications or data. Often difficult to perform, but very powerful. Examples include:
TCP/IP spoofing/session hijacking
A Security Model
Firewalls and Security Gateways are based on this model.
Encryption can be used to provide Confidentiality, Integrity, Authentication and Non-Repudiation.
There are four major cryptographic functions you should be familiar with:
The first is Symmetric Cryptography, which uses the same key for both encryption and decryption. Examples are:
Data Encryption Standard (DES) (56 bits)
Triple DES (3DES) (112 bits)
International Data Encryption Algorithm (IDEA) (128 bits)
Rivest Cipher (RC4) (variable length key)
Advanced Encryption Standard (AES-Rijndael) (variable key length)
The second is Asymmetric Cryptography which uses two Keys, a Public and a Private key. One key is used for encrypting/signing while the other is used for decrypting/verifying. Examples are:
Diffie-Hellman.
Rivest, Shamir and Adleman (RSA).
Digital Signature Algorithm (DSA/El Gamal).
Elliptic Curve Cryptosystem (ECC).
These are trapdoor one-way functions that are easy to compute in one direction but very difficult to compute in the other.
They are much slower than symmetric algorithms and are not practical for encrypting/decrypting large amounts of data.
They are normally used for exchanging session keys (Private Keys) for symmetric algorithms
The third is Hash Functions, which are used to condense a variable-length message into a fixed-length code. This code is called a Hash or Message Digest (MD). Examples are:
Message Digest (MD5) (128 bits)
Secure Hash Algorithm (SHA-1) (160 bits)
Haval (variable length)
Hashes are cryptographic checksums used to provide integrity checks on messages or files.
They are one-way functions and it is not mathematically feasible to recreate the original message from the hash (at least not yet).
A Digital Signature is created by computing the Hash then encrypting the hash with the sender's Private Key.
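The hash-then-sign construction above, and the non-repudiation property from the earlier slide, shown as an added example that is not part of the original slides. It assumes textbook RSA without padding on a toy key built from two publicly known Mersenne primes, and uses SHA-256 in place of the MD5/SHA-1 named on the slide; the messages are constructed.

```python
import hashlib

# Toy key pair (assumption for illustration): both primes are publicly known
# Mersenne primes, so this key offers no secrecy and only shows the mechanics.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent (verification key)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (signing key)


def digest(message: bytes) -> int:
    # Condense a variable-length message into a fixed-length code.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    # "Encrypt the hash with the sender's private key."
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Anyone holding the public key (N, E) can check the signature.
    return pow(signature, E, N) == digest(message)


def hash_only_check(message: bytes, attached_hash: int) -> bool:
    # A bare hash detects accidental change but carries no identity:
    # whoever alters the message can simply attach a fresh hash.
    return digest(message) == attached_hash


# Constructed sample messages.
ORDER = b"Order: equipment, total 1,000,000 USD"
ALTERED = b"Order: equipment, total 9,000,000 USD"
SIGNATURE = sign(ORDER)

if __name__ == "__main__":
    print("original verifies:", verify(ORDER, SIGNATURE))
    print("altered verifies:", verify(ALTERED, SIGNATURE))
    print("altered passes bare hash:", hash_only_check(ALTERED, digest(ALTERED)))
```

Production systems use a vetted cryptographic library with a padded signature scheme and a properly generated key rather than raw modular exponentiation.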
The fourth is Public Key Certificates, which provide a means of distributing Public Keys.
These public keys are used to support Authentication, Integrity and Confidentiality for such functions as Web transactions, Email and IPSec.
Public Key Infrastructure (PKI) provides a means for
Signing Certificates (Certificate Authority (CA)) and establishing