Module 2 - Requirements on Five Pillars of Information Security PDF


Technological Institute of the Philippines

Hydie D. Cruz


Summary

This document provides an overview of the five key pillars of information security: confidentiality, integrity, availability, authenticity, and non-repudiation. It discusses the requirements and measures needed to protect data and information systems, using examples and practical applications. This guide is from the Technological Institute of the Philippines and is suitable for undergraduate study.

Full Transcript


MODULE 2: REQUIREMENTS ON FIVE PILLARS OF INFORMATION SECURITY
Instructor: Hydie D. Cruz

Learning Outcomes
After this module, a student will be able to explain the five (5) pillars of information security.

Introduction
✓ Computer systems – hardware, software and data – have value and deserve security protection.
✓ Even if the primary purpose of a device is not computing, the device's computer can be involved in security incidents and represents an asset worthy of protection.
✓ Information security is the means of protecting against and managing risk related to the use, processing, storage, and transmission of data and information systems.

Pillars of Information Security (diagram): Availability, Integrity, Authentication, Confidentiality, Non-repudiation

Five (5) Pillars of Information Security
1) Confidentiality
2) Integrity
3) Availability
4) Authenticity
5) Non-Repudiation

1) Confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties.
2) Integrity: the ability of a system to ensure that an asset is modified only by authorized parties.
3) Availability: the ability of a system to ensure that an asset can be used by any authorized party.
4) Authenticity: the ability of a system to confirm the identity of a sender.
5) Non-repudiation (or accountability): the ability of a system to confirm that a sender cannot convincingly deny having sent something.

1) Confidentiality
A set of high-level rules that limit access to all types of data and information.
Assurance that information is not disclosed to unauthorized individuals, groups, processes or devices.

Examples of Failure in Confidentiality
An unauthorized person accesses a data item.
An unauthorized process or program accesses a data item.
A person authorized to access certain data accesses other data they are not authorized for (a specialized version of "an unauthorized person accesses a data item").
An unauthorized person accesses an approximate data value (ex: a confidential salary).
An unauthorized person learns of the existence of a piece of data (ex: a company developing a new product or project, or planning a merger).

Confidentiality Means Policy
Who + What + How = Yes/No
Subject (who), Object (what), Mode of Access (how)

To protect confidential information, use a number of measures, including:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users

Requirements for Information Confidentiality
Encryption: encrypt sensitive data both at rest and in transit to protect it from unauthorized access.
Ex: Caesar Cipher – each letter is replaced by another letter a fixed number of places down the alphabet.
Secure email – some email networks encrypt and authenticate messages on the user's computer.
Access Control: implement role-based access control (RBAC) and strong user authentication (multi-factor authentication, biometrics, etc.), and ensure the principle of least privilege.
Data Masking: where critical information is visible to non-administrators, mask or obfuscate it to minimize exposure. Ex: substitution (credit card numbers), randomization, shuffling.

2) Integrity
The accuracy and completeness of vital information must be safeguarded.
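The confidentiality slides above reduce an access decision to Who + What + How = Yes/No and add RBAC, least privilege and substitution masking on top. The following Go program is an added example written for this page, not code from the module or its references; the roles, classification labels, file names and card number are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is the "who": identified by role, not by name, as in role-based access control.
type Subject struct{ Name, Role string }

// Object is the "what": a data item carrying its information classification label.
type Object struct{ Name, Classification string }

// policy is the privilege list for each role: which classifications it may access in which
// modes ("how"). Anything not listed is denied, which is the principle of least privilege.
var policy = map[string]map[string][]string{
	"admin":   {"public": {"read", "write"}, "internal": {"read", "write"}, "confidential": {"read", "write"}},
	"payroll": {"public": {"read"}, "internal": {"read"}, "confidential": {"read", "write"}},
	"staff":   {"public": {"read"}, "internal": {"read"}},
}

// Decide answers the slides' Who + What + How = Yes/No question; the default answer is No.
func Decide(s Subject, o Object, mode string) bool {
	for _, allowed := range policy[s.Role][o.Classification] {
		if allowed == mode {
			return true
		}
	}
	return false
}

// MaskCard applies substitution masking to a card number for anyone who is not an admin:
// every digit but the last four is replaced, so a support screen never exposes the full number.
func MaskCard(pan string, s Subject) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if s.Role == "admin" || len(digits) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

func main() {
	alice := Subject{Name: "alice", Role: "staff"}
	salary := Object{Name: "salary.csv", Classification: "confidential"}
	fmt.Println(Decide(alice, salary, "read"))          // false: staff cannot view confidential data
	fmt.Println(MaskCard("4111 1111 1111 1234", alice)) // ************1234
}
```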
2) Integrity (cont.)
Information has integrity when it is whole, complete and uncorrupted.
The integrity of information is threatened when information is exposed to corruption, damage, destruction or other disruption of its authentic state.
Data corruption can happen during transmission and storage.
Viruses and worms have the purpose of corrupting data.
A key method for detecting a virus or worm is to look for changes in data integrity (e.g. file size).
Another method is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called the hash value.
E.g. file hashing algorithms: MD5, SHA-1

How to use the hash command
1. Open Command Prompt (type CMD in the search bar).
2. Type the command: certutil -hashfile "path/to/your/file.txt" MD5 (generates the MD5 hash value for the file at "path/to/your/file.txt").

Exercise:
Open Notepad.
Save a file in your Documents folder as Test → test1.txt.
Open the console (type CMD in the search bar).
Type this in the console: certutil -hashfile "C:\Users\user\Documents\TIP Manila\Information Security and Mgnt\file1.txt" MD5

Integrity Example
✓ Data Validation: check to ensure that data is accurate, complete and up-to-date.
✓ Hashing: implement hashing algorithms to verify the integrity of the data and detect unauthorized alterations or tampering.
✓ Auditing: keep logs of data access and modifications to track any unauthorized or suspicious activities.

3) Availability
✓ Means guaranteeing reliable access to information by authorized personnel.
✓ It is every user's responsibility to file desktop documents in a way that makes them easy to locate in the future.
✓ Likewise, hard copies should be filed securely and not left lying around.
✓ Copies should be made to ensure an important document is not lost.
✓ Data is shared not only within the organization, but also with individuals outside the organization.
✓ Email is a quick and easy way of sharing data, but information sent over the internet can sometimes be intercepted and accessed by hackers, compromising confidentiality.
✓ Availability means that authorized users have timely and easy access to information services. IT resources and infrastructure should remain robust and fully functional at all times, even during adverse conditions such as database problems or failovers.
✓ Protecting against malicious code, hackers, and other threats that could block access to the information system.

3) Availability Example
✓ Redundancy: build redundant systems, backup power, networking and data storage to ensure systems remain available.
✓ Disaster Recovery Plans: have clear plans for recovering data in case of disasters and attacks.
✓ Incident Response: establish incident response protocols to act quickly and limit system downtime during security breaches or attacks.

4) Authenticity
✓ Validates the source or origin of data and other file transfers through proof of identity.
✓ Ensures that the message (email, payment transaction, digital file, etc.) was not corrupted or intercepted during transmission.

4) Authenticity – Authentication Process
Users can verify their identities by providing specific credentials, including:
1. Strong authentication protocols:
   login information (username and password)
   biometric data
   electronic or digital signatures
   authentication tokens
   smart cards
2. Authorization level: properly define and implement the use of roles and permissions to ensure that only authorized users can access sensitive systems and data.

4) Authenticity – Authentication Process (cont.), item 2:
Authorization level: properly define and implement the use of roles and permissions to ensure that only authorized users can access sensitive systems and data.
Privilege List (directory): shows all the privileges or access rights for a given subject.

5) Non-Repudiation
✓ A procedural, legal concept that proves the legitimacy of a message or data transfer by providing undeniable evidence of both authenticity and integrity.
✓ It is used to prevent someone from denying that they sent or received information.

How Non-Repudiation Works
Digital signatures: a customer signs a transaction with their private key, which can be verified by the merchant using the customer's public key.
Logging: a record is kept of who did what and when in a system.
Third parties: a trusted third party, such as a notary or forensic analyst, verifies the identity of the signer.

Requirements for Non-Repudiation
✓ Digital signatures – use public-key cryptography to verify the identity of the sender and the integrity of the message.
✓ Time-stamping – record the exact time of a transaction to prevent backdating or future-dating.
✓ Public Key Infrastructure (PKI) – establish a framework that issues public and private keys that are mathematically related.
✓ Audit trails – maintain detailed logs of all interactions with a document.
✓ Storage facilities – use Write Once Read Many (WORM) drives to prevent unauthorized alterations to log records.

Where Non-Repudiation Is Used
✓ E-commerce – when a customer makes a purchase, they can't later deny the transaction.
✓ Business-to-business transactions – sender and receiver can prove they sent or received a message.
✓ Contractual agreements – the signer can't later deny the terms of the agreement.

Summary: Security Property – Meaning
Availability – Ensures information is ready for use and at the required performance level.
Integrity – Guarantees that data and associated systems are only accessible or modifiable by authorized users.
Authentication – Ensures users are who they say they are (username, password, digital certificate).
Confidentiality – Limits access or places restrictions on data such as personally identifiable information or classified corporate data.
Non-repudiation – Ensures individuals cannot deny any action because the system provides proof of the action.

"Security isn't something to buy, it's something you do, and it takes talented people to do it right."

Reference
https://resourcecenter.infinit-o.com/blog/the-5-pillars-of-information-security-and-how-to-manage-them/
Principles of Information Security – Whitman (file:///C:/Users/user/Documents/TIP%20Manila/Information%20Security%20and%20Mgnt/Principles%20of%20Information%20Security%20%20Whitman.pdf)
Hashing files tutorial – https://www.youtube.com/watch?v=NjSuZJc9tUU
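The file-hashing slides (integrity) and the non-repudiation slides above describe one exchange from two sides: a hash that detects any alteration, a signature made with the customer's private key that the merchant verifies with the customer's public key, and a time-stamp kept in the audit trail. The following Go program is an added example written for this page, not code from the module or its references; it uses Ed25519 from Go's standard library, SHA-256 in place of the MD5 shown with certutil, and a constructed sample transaction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Evidence is one audit-trail entry: the message, its hash, who signed it and when.
// The hash gives integrity, the signature gives authenticity, the time-stamp resists backdating.
type Evidence struct {
	Message   []byte
	Digest    string            // SHA-256 of Message (what certutil -hashfile prints with SHA256)
	Signature []byte            // Ed25519 signature made with the customer's private key
	Signer    ed25519.PublicKey // the customer's public key, all the merchant needs to verify
	SignedAt  time.Time
}

// Digest uses SHA-256; MD5 and SHA-1 from the slides are collision-broken and should not be relied on.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Sign is the customer's step: sign the transaction with the private key only they hold.
func Sign(priv ed25519.PrivateKey, msg []byte, now time.Time) Evidence {
	return Evidence{Message: msg, Digest: Digest(msg), Signature: ed25519.Sign(priv, msg),
		Signer: priv.Public().(ed25519.PublicKey), SignedAt: now}
}

// Verify is the merchant's (or a later auditor's) step, using the public key only.
// Any change to the message, even one that keeps the byte count, fails both checks.
func Verify(e Evidence) bool {
	return Digest(e.Message) == e.Digest && ed25519.Verify(e.Signer, e.Message, e.Signature)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	order := []byte("PAY merchant-42 PHP 100.00") // constructed sample transaction
	e := Sign(priv, order, time.Now().UTC())
	fmt.Println(Verify(e), e.SignedAt.Format(time.RFC3339)) // true <timestamp>
	e.Message = []byte("PAY merchant-42 PHP 900.00") // tampered, same length as the original
	fmt.Println(len(order) == len(e.Message), Verify(e)) // size check passes (true), hash and signature fail (false)
}
```

The same-length tamper is the case the slides' "look at the file size" check cannot catch; the hash and the signature both do.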
