Uploaded byRamaNingaiah
PPT, PDF16 views

Lecture15.ppt

Information security involves all measures taken to protect electronic data from unauthorized access, use, disclosure, alteration or destruction. It aims to provide confidentiality by concealing data, integrity by ensuring data is authentic and unmodified, and availability by maintaining efficient system function even with security provisions. While no single measure ensures complete security, cryptographic systems can potentially provide high levels of security through confidentiality, integrity and availability. Public key encryption uses separate keys for encryption and decryption, allowing secure communication for large networks, while digital signatures and certification authorities provide authentication. Prevention, detection and response work together to secure systems and minimize risks from security attacks.

Embed presentation

Download to read offline
Information Security
Information security  All measures taken to prevent unauthorized use of electronic data – unauthorized use includes disclosure, alteration, substitution, or destruction of the data concerned  Provision of the following three services – Confidentiality  concealment of data from unauthorized parties – Integrity  assurance that data is genuine – Availability  system still functions efficiently after security provisions are in place  No single measure can ensure complete security
Why is information security important?  Governments, commercial businesses, and individuals are all storing information electronically – compact, instantaneous transfer, easy access  Ability to use information more efficiently has resulted in a rapid increase in the value of information  Information stored electronically faces new and potentially more damaging security threats – can potentially be stolen from a remote location – much easier to intercept and alter electronic communication than its paper-based predecessors
Building blocks of a secure system  Confidentiality: concealment from unauthorized parties – identification – unique identifiers for all users – authentication  user: assurance that the parties involved in a real- time transaction are who they say they are  data: assurance of message source – authorization - allowing users who have been identified and authenticated to use certain resources  Integrity: assurance the data is has not been modified by unauthorized parties – non-repudiation  proof of integrity and origin of data which can be verified by any third party at any time
Completing the security process  Confidentiality + integrity  system security  However, it is not enough for system to be secure  System must also be available – must allow guaranteed, efficient and continuous use of information – security measures should not prohibitively slow down or crash system or make it difficult to use  what good is a secure system if you can’t use it?  Cryptographic systems – high level of security and flexibility – can potentially provide all objectives of information security: confidentiality, integrity, and availability
Symmetric and public key cryptosystems Symmetric-key cryptosystem  same key is used for encryption and decryption  system with 1000 users requires 499,500 keys – each pair of users requires a different key Public-key cryptosystem  separate keys for encryption and decryption  system with 1000 users requires 2000 keys – each individual user has exactly two keys
Public-key encryption: confidentiality  Alice wants to send message M to Bob – uses Bob’s public key to encrypt M  Bob uses his private key to decrypt M – only Bob has key – no one else can decipher M  Identification provided by public key encryption  But … anyone can send message to Bob using his public key – how are we sure the message came from Alice?
Digital signatures  Electronic equivalent of handwritten signatures  Handwritten signatures are hard to forge  Electronic information is easy to duplicate  Digital signatures using public key encryption – Idea:  Bob uses his private key to “sign” a message  Alice verifies signature using Bob’s public key  Data authentication provided by digital signatures
Signed challenges  Alice wants assurance of real-time communication  Bob tries to provide assurance by digital signature  Alice is assured message originated from Bob – digital signatures provide data origin authentication – But … Eve can intercept signature and use it to authenticate herself as Bob at any later time  Signed challenge – Alice sends random number (a challenge) to Bob – Bob replies with challenge encrypted with signature  User authentication provided by signed challenges – combination of digital signature and unpredictability of Alice's random number challenge
Certification authority  A third party trusted by all users that creates, distributes, revokes, & manages certificates  Certificates bind users to their public keys  For example, if Alice wants to obtain Bob's public key – she retrieves Bob's certificate from a public directory – she verifies the CA's signature on the certificate itself – if signature verifies correctly, she has assurance from the trusted CA this really is Bob's public key – she can use Bob's public key to send confidential information to Bob or to verify Bob's signatures, protected by the assurance of the certificate  Integrity is provided by the certification authority
Attacks  Compromise systems in ways that affect services of information security – attack on confidentiality:  unauthorized disclosure of information – attack on integrity:  destruction or corruption of information – attack on availability:  disruption or denial of services Prevention, detection, response – proper planning reduces risk of attack and increases capabilities of detection and response if an attack does occur
Prevention  Establishment of policy and access control – who: identification, authentication, authorization – what: granted on “need-to-know” basis  Implementation of hardware, software, and services – users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them) – examples of preventative mechanisms  passwords - prevent unauthorized system access  firewalls - prevent unauthorized network access  encryption - prevents breaches of confidentiality  physical security devices - prevent theft  Maintenance
Prevention is not enough! Bruce Schneier, Counterpane Internet Security, Inc. Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen.“ Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.
Detection  Determine that either an attack is underway or has occurred and report it  Real-time monitoring – or, as close as possible – monitor attacks to provide data about their nature, severity, and results  Intrusion verification and notification – intrusion detection systems (IDS) – typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack  example: denial of access to a system when user repeatedly enters incorrect password
Response  Stop/contain an attack – must be timely!  incident response plan developed in advance  Assess and repair any damage  Resumption of correct operation  Evidence collection and preservation – very important  identifies vulnerabilities  strengthens future security measures
Exercises Classify each of the following as an attack on confidentiality, integrity, and/or availability (more than one may apply). Justify your answers. 1. John copies Mary's homework 2. Paul crashes Linda's system 3. Carol changes the amount of Angelo's check from $100 to $1,000 4. Gina forges Roger's signature on a deed 5. Rhonda registers the domain name "AddisonWesley.com" and refuses to let the publishing house buy or use that domain name 6. Jonah obtains Peter's credit card number and has the credit card company cancel the card and replace it with another card bearing a different account number 7. Henry spoofs Julie's IP address to gain access to her computer
References Introduction to Information Security ECC white paper, March 1997 http://www.certicom.com The Information Security Process: Prevention, Detection and Response James LaPiedra GIAC practical repository, SANS Institute http://www.giac.org/practical/gsec InformIT Reference Guides http://www.informit.com/isapi/articles/index.asp

More Related Content

PPTX
information security AND COMPUTING SAFE GAURDING .pptx
bymikeshaft32
 
PPTX
Mis jaiswal-chapter-11
byAmit Fogla
 
PPTX
Cyber Security Unit I Part -I.pptx
bykarthikaparthasarath
 
PPTX
cyber security.pptx
bykarthikaparthasarath
 
PPTX
Information Security : Is it an Art or a Science
byPankaj Rane
 
PPTX
Lecture one Network Security Introduction.pptx
byAreebaSaeed18
 
PPTX
Information Security and Indian IT Act 2000
byDr. Prashant Vats
 
PPT
Infomation System Security
byKiran Munir
 
information security AND COMPUTING SAFE GAURDING .pptx
bymikeshaft32
 
Mis jaiswal-chapter-11
byAmit Fogla
 
Cyber Security Unit I Part -I.pptx
bykarthikaparthasarath
 
cyber security.pptx
bykarthikaparthasarath
 
Information Security : Is it an Art or a Science
byPankaj Rane
 
Lecture one Network Security Introduction.pptx
byAreebaSaeed18
 
Information Security and Indian IT Act 2000
byDr. Prashant Vats
 
Infomation System Security
byKiran Munir
 

Similar to Lecture15.ppt

PPTX
unit -I PPt.pptxsacdACFDSGFDGZfxtfyytrfufjgdx
byTejaswini Vontela
 
PPT
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
PPTX
Foundation of the information securiety
byALIZAIB KHAN
 
PPTX
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
byNune SrinivasRao
 
PDF
IS-Intro.pdf
bywdwd10
 
PPTX
Introduction of network security
bysneha padhiar
 
PPT
information security management
byGurpreetkaur838
 
PPT
CompTIA Security+ Module1: Security fundamentals
byGanbayar Sukhbaatar
 
PPTX
Information-Security_System_Notes__.pptx
byabhinaygupta389
 
PPT
Information System Security introduction
byShu Shin
 
PPTX
Cybersecurity
byEng Hasan Shamroukh CISCO Exams Author
 
PDF
Basics of Data Security and Cryptographic techniques
byJay Sahoo
 
PDF
Management Information Systems
bymsd11
 
PPTX
Cyber security
byJahirUddinKomol
 
PDF
information security introduction for campus students.pdf
byhailegebrielgeta6
 
PPTX
unit-1-is1.pptx
bysorabhsingh17
 
PPTX
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
PDF
cryptograph and computer security lecture 1.pdf
byAWELHAJI2
 
PPTX
Information Security introduction and management.pptx
bydaudevarist18
 
PPTX
2 second lectuer theory princible security.pptx
byYunisAmenMuhammed
 
unit -I PPt.pptxsacdACFDSGFDGZfxtfyytrfufjgdx
byTejaswini Vontela
 
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
Foundation of the information securiety
byALIZAIB KHAN
 
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
byNune SrinivasRao
 
IS-Intro.pdf
bywdwd10
 
Introduction of network security
bysneha padhiar
 
information security management
byGurpreetkaur838
 
CompTIA Security+ Module1: Security fundamentals
byGanbayar Sukhbaatar
 
Information-Security_System_Notes__.pptx
byabhinaygupta389
 
Information System Security introduction
byShu Shin
 
Cybersecurity
byEng Hasan Shamroukh CISCO Exams Author
 
Basics of Data Security and Cryptographic techniques
byJay Sahoo
 
Management Information Systems
bymsd11
 
Cyber security
byJahirUddinKomol
 
information security introduction for campus students.pdf
byhailegebrielgeta6
 
unit-1-is1.pptx
bysorabhsingh17
 
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
cryptograph and computer security lecture 1.pdf
byAWELHAJI2
 
Information Security introduction and management.pptx
bydaudevarist18
 
2 second lectuer theory princible security.pptx
byYunisAmenMuhammed
 

Recently uploaded

PDF
[DSC Europe 25] Marija Vlajkovic & Andrea Radonjanin - Integration of AI tool...
byDataScienceConferenc1
 
PPTX
Two Factor Authentication for CSE Students.pptx
byfizarcse
 
PPTX
[DSC Europe 25] Jim Sterne - Adopting Generative AI Capabilities Into the Ent...
byDataScienceConferenc1
 
PPT
How To Write A Scientific Paper- IMRAD pattern
bydrmeenajain
 
PPTX
ELECTRICITY SECTOR IN PHILIPHINE .pptx
byahmadnabil090406
 
PDF
OPPOTUS - Malaysians on Malaysia (MOM) Q3 2025
byOppotus
 
PPTX
Safe_Spaces_Act_Modern_Presentation.pptx
byairesmijares2003
 
PPTX
hindustan Unilever Limited Presentation - Sample
bymohitsawale3
 
PPTX
[DSC Europe 25] Dragana Ilic - AI for Big Data in Astronomy.pptx
byDataScienceConferenc1
 
PPTX
Presentation (2).pptxbbnnnnnnnnnnnnnnnnnnn
byEshaEman27
 
PPTX
Time serise forcasting of non-durble consumer goods industry
byvkumaranand89
 
PPTX
1. Prepare for the application of health survey.pptx
byDegaregeNibret
 
PPTX
Orientation-on-ARAL-Check-in-Assessment.pptx
byJenTeruel1
 
PPTX
[DSC Europe 25] Goran Obradovic - The Rise of Sovereign AI: Building the Regi...
byDataScienceConferenc1
 
PPTX
[DSC Europe 25] Vid Stimac - Policy Parsimony: Between Oversimplifying and Ov...
byDataScienceConferenc1
 
PPTX
Exploring Quantum Computing Simulation Tools and Fundamentals Algorithms.pptx
byfarhanafayk
 
PPTX
First introduction to pipeline pilot a datascience software
byJamesImmanuel4
 
PPTX
Customer Segmentation: Seeing the Trees and the Forest Simultaneously - V2
bySK Palu
 
PDF
Bicycle Project sostenible pllay book presentacion
byAlejoLevenstain1
 
PPTX
Creating-Effective-Scientific-Posters (1).pptx
byphnajlaa1
 
[DSC Europe 25] Marija Vlajkovic & Andrea Radonjanin - Integration of AI tool...
byDataScienceConferenc1
 
Two Factor Authentication for CSE Students.pptx
byfizarcse
 
[DSC Europe 25] Jim Sterne - Adopting Generative AI Capabilities Into the Ent...
byDataScienceConferenc1
 
How To Write A Scientific Paper- IMRAD pattern
bydrmeenajain
 
ELECTRICITY SECTOR IN PHILIPHINE .pptx
byahmadnabil090406
 
OPPOTUS - Malaysians on Malaysia (MOM) Q3 2025
byOppotus
 
Safe_Spaces_Act_Modern_Presentation.pptx
byairesmijares2003
 
hindustan Unilever Limited Presentation - Sample
bymohitsawale3
 
[DSC Europe 25] Dragana Ilic - AI for Big Data in Astronomy.pptx
byDataScienceConferenc1
 
Presentation (2).pptxbbnnnnnnnnnnnnnnnnnnn
byEshaEman27
 
Time serise forcasting of non-durble consumer goods industry
byvkumaranand89
 
1. Prepare for the application of health survey.pptx
byDegaregeNibret
 
Orientation-on-ARAL-Check-in-Assessment.pptx
byJenTeruel1
 
[DSC Europe 25] Goran Obradovic - The Rise of Sovereign AI: Building the Regi...
byDataScienceConferenc1
 
[DSC Europe 25] Vid Stimac - Policy Parsimony: Between Oversimplifying and Ov...
byDataScienceConferenc1
 
Exploring Quantum Computing Simulation Tools and Fundamentals Algorithms.pptx
byfarhanafayk
 
First introduction to pipeline pilot a datascience software
byJamesImmanuel4
 
Customer Segmentation: Seeing the Trees and the Forest Simultaneously - V2
bySK Palu
 
Bicycle Project sostenible pllay book presentacion
byAlejoLevenstain1
 
Creating-Effective-Scientific-Posters (1).pptx
byphnajlaa1
 

Lecture15.ppt

  • 1.
  • 2.
    Information security  Allmeasures taken to prevent unauthorized use of electronic data – unauthorized use includes disclosure, alteration, substitution, or destruction of the data concerned  Provision of the following three services – Confidentiality  concealment of data from unauthorized parties – Integrity  assurance that data is genuine – Availability  system still functions efficiently after security provisions are in place  No single measure can ensure complete security
  • 3.
    Why is informationsecurity important?  Governments, commercial businesses, and individuals are all storing information electronically – compact, instantaneous transfer, easy access  Ability to use information more efficiently has resulted in a rapid increase in the value of information  Information stored electronically faces new and potentially more damaging security threats – can potentially be stolen from a remote location – much easier to intercept and alter electronic communication than its paper-based predecessors
  • 4.
    Building blocks ofa secure system  Confidentiality: concealment from unauthorized parties – identification – unique identifiers for all users – authentication  user: assurance that the parties involved in a real- time transaction are who they say they are  data: assurance of message source – authorization - allowing users who have been identified and authenticated to use certain resources  Integrity: assurance the data is has not been modified by unauthorized parties – non-repudiation  proof of integrity and origin of data which can be verified by any third party at any time
  • 5.
    Completing the securityprocess  Confidentiality + integrity  system security  However, it is not enough for system to be secure  System must also be available – must allow guaranteed, efficient and continuous use of information – security measures should not prohibitively slow down or crash system or make it difficult to use  what good is a secure system if you can’t use it?  Cryptographic systems – high level of security and flexibility – can potentially provide all objectives of information security: confidentiality, integrity, and availability
  • 6.
    Symmetric and publickey cryptosystems Symmetric-key cryptosystem  same key is used for encryption and decryption  system with 1000 users requires 499,500 keys – each pair of users requires a different key Public-key cryptosystem  separate keys for encryption and decryption  system with 1000 users requires 2000 keys – each individual user has exactly two keys
  • 7.
    Public-key encryption: confidentiality Alice wants to send message M to Bob – uses Bob’s public key to encrypt M  Bob uses his private key to decrypt M – only Bob has key – no one else can decipher M  Identification provided by public key encryption  But … anyone can send message to Bob using his public key – how are we sure the message came from Alice?
  • 8.
    Digital signatures  Electronicequivalent of handwritten signatures  Handwritten signatures are hard to forge  Electronic information is easy to duplicate  Digital signatures using public key encryption – Idea:  Bob uses his private key to “sign” a message  Alice verifies signature using Bob’s public key  Data authentication provided by digital signatures
  • 9.
    Signed challenges  Alicewants assurance of real-time communication  Bob tries to provide assurance by digital signature  Alice is assured message originated from Bob – digital signatures provide data origin authentication – But … Eve can intercept signature and use it to authenticate herself as Bob at any later time  Signed challenge – Alice sends random number (a challenge) to Bob – Bob replies with challenge encrypted with signature  User authentication provided by signed challenges – combination of digital signature and unpredictability of Alice's random number challenge
  • 10.
    Certification authority  Athird party trusted by all users that creates, distributes, revokes, & manages certificates  Certificates bind users to their public keys  For example, if Alice wants to obtain Bob's public key – she retrieves Bob's certificate from a public directory – she verifies the CA's signature on the certificate itself – if signature verifies correctly, she has assurance from the trusted CA this really is Bob's public key – she can use Bob's public key to send confidential information to Bob or to verify Bob's signatures, protected by the assurance of the certificate  Integrity is provided by the certification authority
  • 11.
    Attacks  Compromise systemsin ways that affect services of information security – attack on confidentiality:  unauthorized disclosure of information – attack on integrity:  destruction or corruption of information – attack on availability:  disruption or denial of services Prevention, detection, response – proper planning reduces risk of attack and increases capabilities of detection and response if an attack does occur
  • 12.
    Prevention  Establishment ofpolicy and access control – who: identification, authentication, authorization – what: granted on “need-to-know” basis  Implementation of hardware, software, and services – users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them) – examples of preventative mechanisms  passwords - prevent unauthorized system access  firewalls - prevent unauthorized network access  encryption - prevents breaches of confidentiality  physical security devices - prevent theft  Maintenance
  • 13.
    Prevention is notenough! Bruce Schneier, Counterpane Internet Security, Inc. Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen.“ Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.
  • 14.
    Detection  Determine thateither an attack is underway or has occurred and report it  Real-time monitoring – or, as close as possible – monitor attacks to provide data about their nature, severity, and results  Intrusion verification and notification – intrusion detection systems (IDS) – typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack  example: denial of access to a system when user repeatedly enters incorrect password
  • 15.
    Response  Stop/contain anattack – must be timely!  incident response plan developed in advance  Assess and repair any damage  Resumption of correct operation  Evidence collection and preservation – very important  identifies vulnerabilities  strengthens future security measures
  • 16.
    Exercises Classify each ofthe following as an attack on confidentiality, integrity, and/or availability (more than one may apply). Justify your answers. 1. John copies Mary's homework 2. Paul crashes Linda's system 3. Carol changes the amount of Angelo's check from $100 to $1,000 4. Gina forges Roger's signature on a deed 5. Rhonda registers the domain name "AddisonWesley.com" and refuses to let the publishing house buy or use that domain name 6. Jonah obtains Peter's credit card number and has the credit card company cancel the card and replace it with another card bearing a different account number 7. Henry spoofs Julie's IP address to gain access to her computer
  • 17.
    References Introduction to InformationSecurity ECC white paper, March 1997 http://www.certicom.com The Information Security Process: Prevention, Detection and Response James LaPiedra GIAC practical repository, SANS Institute http://www.giac.org/practical/gsec InformIT Reference Guides http://www.informit.com/isapi/articles/index.asp