lecture 1 - Philadelphia University
Download
Report
Transcript lecture 1 - Philadelphia University
Module 1
Introduction: To Information &
Security
Modified by :Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management
Department
Room Number 32406
Email Address: [email protected]
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Objectives
Information cycle, What is the role of computers in the
information cycle?
What is System Security?
What are we protecting?
Ensure security in a network & Enhancing security by
Security awareness
Causes of system security lapses
Security procedures & Security phases
Security Goals
Types of Threat, Risk, Attack
Security Policy Definition and planning
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Information cycle
Security is required at all phases of the
information cycle – 1-gathering, 2-creating,
3-processing, 4-storing,5- transmitting and
6-deleting. Security is only as good as the
weakest link in the system
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
What is the role of computers in the
information cycle?
Accept data through input devices
Process data using microprocessors
Store data for interactive use in the
RAM and for longer periods of storage
in the hard disks
Output data through output devices.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
What is System Security?
Protection of assets from unauthorized access
– protection from unauthorized access both from within
and external
Security is a process of reducing risk or the
likelihood of harm
– Security is a weak link problem- total security is no
better than the weakest link.
– It must, therefore, be evaluated across the entire
enterprise
– Security is a series of trade-offs: the greater the level of
security the worse the ease of use.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
What are we protecting?
We are protecting system resources:
– Business information
– Equipment
– Systems
– Data (information)
Data and Information - the most important resource:
– Data is a physical phenomena that represents certain aspects of our
knowing of the world
– When we process data we give it meaning and we call it information.
– Data and information are:
• Stored
• Moved over communication channels
We focus on security of data and information:
– At source ( source: server/client)
– At destination (destination: server/client)
– In the communication channel
The security of computer networks means the security of information
on that network.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Ensure security in a network by:
Access – legal channels of getting
resources
Identification – to uniquely distinguish a
user of a resource
Authentication – to prove positively that
the user is what he/she claims to be.
Authorization – being able to determine
and allow the user only those resources
the user has ability to utilize.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Enhance security by:
Accountability – ability to associate
activities with the actors.
Awareness – create a level of understanding
of security issues
Administration – ability to manage the
security system.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security awareness
Security is a continuous process of making
valuable resources secure.
First act in securing system resources is
awareness
– Process of making people understand the
implications of security in their lives
– All people in the enterprise must understand the
importance of security
– All people must understand the following:
• Appropriate use of resources – all people must know
why security of resources matter.
• Relevancy of security
• Individual’s role
• Responsibility
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Causes of system security
weakness
- Hardware – many security problems originate
from hardware failures and poor designs
– Software – lots of security problems originate
from poor software designs and testing
– Human/user – humans are very unpredictable
and malicious
– * Resources ( data and information)– because the
resources within the computer system themselves
may contain loopholes through which, if found,
intruders enter the systems.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
•Security procedures:
–Good and effective security is a result of a good
security policy
–A policy may have one or more of the following
procedures:
•For servers and Clients:
–Intrusion Detection Systems (IDS)
–Firewalls
•For the communication channel:
–Encryption
–Authentication
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security phases:
– Inspection – identifying key security functions needed
and the capabilities available to achieve the desired
security level
– Protection – proactive risk reduction – mechanism in
place to prevent reduction in desired security level
– Detection ( in action)– to take measures to detect
whether an asset has been damaged, how, and who has
caused the damage.
– Response ( post-action)– to take measures that allow
recovery of assets or recovery from damage, and
minimize losses.
– Reflection – plans/processes that focus on security
improvements.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
There are 10 fundamental aspects of security ( system
security):
– Awareness – make every one understand the critical role security
plays in their well-being
– Access – ability to connect to the system resources
– Identification – to be able to know the user
– Authentication – preventing unauthorized interception of
information during transmission
– Authorization – allowing identifiable users access to the resources
– Availability – preventing unauthorized withholding of
information and resources
– Integrity – preventing unauthorized modification of information
– Accuracy – an assurance of the integrity of the resources
– Confidentiality – the assets of a computing system are accessible
only by authorized parties.
– access to information, the source can be easily found it.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security Goals
Confidentiality
– the assets of a computing system are accessible
only by authorized parties.
Integrity
– assets can be modified only by authorized
parties or only in authorized ways.
Availability
– assets are accessible to authorized parties.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Fourth Objective
Securing computing resources:
prevent/detect/ improper use of computing
resources
•
•
•
•
Hardware
Software
Data
Network
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Confidentiality
Only authorized people can see protected
data.
Problems
1-who determine who is authorized?
2- what he/ she can see ?
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Integrity
There are three aspects to integrity
1-Authorized action.
2-Separation and protection of resources.
3-Error detection and correction
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Availability
Availability applies both to data and to
service ( access to computing resources
Availability means:
1- Presence of object or service in usable
form.
2- Capacity to meet service needs.
3- Progress: bounded waiting time.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Goals of Availability
1- Timely response.
2- Fault tolerance. The ability of a computer or an
operating system to respond to a catastrophic event or fault
3-Utility or Usability ( can be used as
intended)
4- Controlled concurrency: support for
simultaneous access, deadlock management,
and exclusive access.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security Goals
Confidentiality
Integrity
Network Security
Avalaibility
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Achieving Security
Policy
– What to protect?
Mechanism
– How to protect?
Assurance
– How good is the protection?
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Threat, Risk, Attack
Threat: potential occurrence that can have an undesired
effect on the system
Risk: measure of the possibility of security breaches and
severity of the damage
Attack: action of malicious intruder that exploits
vulnerabilities of the system to cause a threat to occur
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Types of Threats
Threats
– Interruption: an asset of the system becomes lost,
unavailable, or unusable
– Interception: some unauthorized party has gained
access to an asset
– Modification: an unauthorized party not only accesses
but tampers with an asset
– Fabrication: unauthorized party fabricate counterfeit
objects on a computing system
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Threats to Hardware
– Interruption
• denial of service
• destruction, etc.
– Interception
• Theft: unauthorized product owned by other vendors
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Threats to Software
– Interruption
• deletion
• configuration management is required
– Interception
• software theft:this attack include unauthorized copying of software
– Modification
• Trojan horse:a program that does one thing while covertly doing
anther
• virus: a specific type of trojan horse, that can be used to spread
infection from one computer to anther.
• trapdoor: a program that has a secret entry point.
• information leaks: in a program, which make information accessible
to unintended people or programs
• check the vendor
– use anti-virus software
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Threats to Data
– Interruption(loss)
• availability
• include key loss(encryption)
– Interception
• confidentiality
– Modification
• integrity
– Fabrication
• include replay attack
– internet banking
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Assets vs. Threats
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security of Data
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Types of Attacks (1)
Interruption – an asset is destroyed, unavailable
or unusable (availability)
Interception – unauthorized party gains access to
an asset (confidentiality)
Modification – unauthorized party tampers with
asset (integrity)
Fabrication – unauthorized party inserts
counterfeit object into the system (authenticity)
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Types of Attacks (2)
Passive attacks:
Eavesdropping
Monitoring
Active attacks:
Masquerade – one entity pretends to be a different
entity
Replay – passive capture of information and its
retransmission
Modification of messages – legitimate message is
altered
Denial of service – prevents normal use of resources
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Intrusion
Points
Intrusion points are areas that provide an access point to your
company's information. Some of these are obvious, but others are not.
For instance, you might realize that you need to install a firewall to
protect the internal network and computers from hackers, but if a
hacker took a temporary job at your company, the firewall would be of
little use. When identifying intrusion points, you must consider internal
threats as well as external threats. Some internal and external access
points are as follows:
Internal access points
Systems that are not in a secured room
Systems that do not have any local security configured
External access points
Network components that connect your company to the Internet
Applications that are used to communicate across the Internet
Communications protocols
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security Policy
Organizational
Policy
Computerized
Information System
Policy
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Planning a security policy
The first, and most important, principle
in security of any kind is to have a welldefined security policy. To develop a
policy, you need to answer these two
questions:
1. What constitutes a well-defined security
policy?
2. How can I make a security policy without
understanding the threats against me?
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
Security policy Basics
Consistent with other corporate policies
Accepted by the network support staff as
well as the appropriate levels of
management
Suitable for using with the existing network
equipment and procedures
Compliant with local, state, and federal
laws
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011
What is a good Security policy?
A well-defined security policy outlines your
requirements and limits your exposure to risk.
There are three criteria for creating and
evaluating a policy for information security.
1. Confidentiality: Your information must be kept
private. Unauthorized access must be prevented.
2. Integrity: Your information must be protected
from tampering. It cannot be modified from its
original form without your authorization.
3. Availability: Your information must be available to
authorized users when they need it.
Network Security
PHILADELPHIA UNIVERSITY
Ahmad Alghoul 2010-2011