Week 1 – Introduction to Information Security.pdf
Document Details
Uploaded by RazorSharpSaxhorn
Tags
Related
Full Transcript
Information Assurance and Security LECTURE 1 : INTRODUCTION TO INFORMATION SECURITY Resource Personnel Kavinga Yapa Abeywardena (Lecturer in Charge) Senior Lecturer Department of Computer Systems Engineering...
Information Assurance and Security LECTURE 1 : INTRODUCTION TO INFORMATION SECURITY Resource Personnel Kavinga Yapa Abeywardena (Lecturer in Charge) Senior Lecturer Department of Computer Systems Engineering Dr. Harinda Fernando (Co-Lecturer) Email: [email protected] Assistant Professor Ms. Chethana Liyanapathirana (Co-Lecturer) Department of Computer Systems Engineering Senior Lecturer Email: [email protected] Department of Computer Systems Engineering Email: [email protected] Mr. V.A.M. Ragunathan Sinthujan (Co-Lecturer) Lecturer – SLIIT Northern UNI Mr. Kanishka Yapa (Co-Lecturer) Department of Information Technology Lecturer Email: [email protected] Department of Computer Systems Engineering Email: [email protected] IT3070 - INFORMATION ASSURANCE AND SECURITY 2 Lecture Delivery Lectures (Face-to-face) 2 Hours/Week Tutorials 1 Hours/Week Labs 2 Hours/Week IT3070 - INFORMATION ASSURANCE AND SECURITY 3 Assessment Criteria Continuous Assessments Midterm Examination 20 % L01-LO3 Assignment 30 % LO2-LO4 End Semester Assessment Final Examination 50 % LO1-LO5 TOTAL 100 % IT3070 - INFORMATION ASSURANCE AND SECURITY 4 Introduction to Information Security Objective: Describe the formal definition of Computer Security and Information Security Describe Confidentiality, Integrity, and Availability as the key security requirements Describe the security threats and attacks types Recommended Texts W. Stallings and L. Brown, “Computer Security, Principles and Practice, 2nd edition, Pearson, 2012, Chapter 1. Supplementary text Charles P. Pfleeger and Shari L. Pfleeger, Security in Computing (3rd edition). Prentice-Hall. 2003. ISBN: 0-13- 035548-8. IT3070 - INFORMATION ASSURANCE AND SECURITY 5 Computer Security Definition (NIST Computer Security Handbook) The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). Key objectives of Computer Security: Confidentiality Integrity Availability IT3070 - INFORMATION ASSURANCE AND SECURITY 6 Information Security (InfoSec) The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Source : NIST Glossary of Key Information Security Terms) IT3070 - INFORMATION ASSURANCE AND SECURITY 7 Information Assurance (IA) Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Source : NIST Glossary of Key Information Security Terms) IT3070 - INFORMATION ASSURANCE AND SECURITY 8 CIA Triad IT3070 - INFORMATION ASSURANCE AND SECURITY 9 Confidentiality (C) This term covers two related concepts. Data confidentiality : Assures that confidential information is not made available or disclosed to unauthorized individuals. Privacy : Assures that the owners have control on: What information related to them may be collected and stored, By whom and to whom that information may be disclosed. NIST’s Requirement: Preserve authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information Loss of confidentiality means unauthorized disclosure of information. IT3070 - INFORMATION ASSURANCE AND SECURITY 10 Integrity (I) This term covers two related concepts. Data integrity: Information and programs are changed only in a specified and authorized manner. System integrity: A system performs its intended function in an unimpaired manner, and free from deliberate or inadvertent unauthorized manipulation of the system. Requirement: Guard against improper information modification or destruction, including ensuring information nonrepudiation authenticity. Loss of Integrity means unauthorized modification or destruction of information. IT3070 - INFORMATION ASSURANCE AND SECURITY 11 Availability (A) Systems work promptly and service is not denied to authorized users. NIST’s requirement: Ensuring timely and reliable access and use of information. Loss of Availability means disruption to the authorized users in accessing or use of information. IT3070 - INFORMATION ASSURANCE AND SECURITY 12 Additional Objectives Authenticity: Able to verify that the users are who they claim they are, and the system receives data from a trusted source. NIST includes authenticity as part of Integrity Accountability: Able to trace back the actions performed by an entity to that entity. Accountability supports: nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery and legal action. Read the examples of C-I-A in the textbook (Stallings & Brown) IT3070 - INFORMATION ASSURANCE AND SECURITY 13 Computer Security Model (RFC 2828) 1) System Resource or asset that needs to be protected Hardware: e.g., Computer System, data storage, communication devices. Software: e.g., operating systems, program utilities and applications. Data: e.g., data and password files, databases. Communication facilities and networks: e.g., LAN, WAN, routers, etc. 2) Vulnerabilities of system resources Definition: A flaw or weaknesses in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy. When the resource is corrupted violate Integrity When the resource is leaky violate Confidentiality When the resource is unavailable violate Availability IT3070 - INFORMATION ASSURANCE AND SECURITY 14 Computer Security Model (cont.) 3) Threat is a possible danger that might exploit a vulnerability. It represents a potential harm to the system resource. 4) Attack is a threat that is carried out (threat action) Two attack types: Active attack: An act that has negative effects on system resources Passive attack: An act to make use of system information but it does not affect the system The origin of an attack: Inside attack is carried out by an entity inside the security perimeter. Outside attack is performed by an unauthorized users. IT3070 - INFORMATION ASSURANCE AND SECURITY 15 Computer Security Model (cont.) 5) Adversary is an entity that carried out an attack ◦ A threat agent or an attacker. 6) Countermeasure is any means taken to address an attack, ◦ to prevent an attack from being successful, ◦ to detect the attack if the attack is successful, and ◦ to recover from the damage due to the attack. 7) Risk is the expected loss due to a particular attack. ◦ Examples? IT3070 - INFORMATION ASSURANCE AND SECURITY 16 Exploits An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack. Used as a verb, exploit refers to the act of successfully making such an attack (make use of a vulnerability). IT3070 - INFORMATION ASSURANCE AND SECURITY 17 Vulnerability Assessment A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in Information systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately. IT3070 - INFORMATION ASSURANCE AND SECURITY 18 Penetration Testing Penetration testing (also called pen testing or ethical hacking) is the practice of testing a Information system, network or web application to find security vulnerabilities that an attacker could exploit. The process involves gathering information about the target before the test, identifying possible entry points, attempting to break in either virtually or for real and reporting back the findings. Penetration testing can be automated with software applications or performed manually. IT3070 - INFORMATION ASSURANCE AND SECURITY 19 Goal of Penetration Testing Identify weak spots in an organization's security posture Measure the compliance of its security policy Test the staff's awareness of security issues Determine whether and how the organization would be subject to security disasters. IT3070 - INFORMATION ASSURANCE AND SECURITY 20 Passive Attacks Passive attack is performed by eavesdropping or monitoring data transmission The attacker only learns or makes use of information without affecting system resources Passive attack is hard to detect because data is not altered Use attack prevention (not detection) to handle it Two types of passive attacks. Release of message contents (confidentiality) – Ex: Eavesdropping on Communication Channels Traffic analysis, if the data is encrypted. IT3070 - INFORMATION ASSURANCE AND SECURITY 21 Active Attacks Active attacks alters system resources or affecting their operations. Active attack is difficult to prevent but easy to detect Four categories of active attack: Replay. Capture and retransmit data unit to produce an unauthorized effect Masquerade. One entity pretends to be another entity It usually includes other form of attack, e.g., replay Data modification. Alter some portion of legitimate data, delay the data, or reorder the data to produce an unauthorized effect Denial of Service. Prevent or disallow the legitimate use of facilities IT3070 - INFORMATION ASSURANCE AND SECURITY 22 Inside attacks Attack vectors can also originate from inside the network. An internal user, such as an employee, can accidently or intentionally: Steal and copy confidential data to removable media, email, messaging software, and other media. Compromise internal servers or network infrastructure devices. Disconnect a critical network connection and cause a network outage. Connect an infected USB drive into a corporate computer system. Internal threats also have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices. Employees also have knowledge of the corporate network, its resources, and its confidential data. IT3070 - INFORMATION ASSURANCE AND SECURITY 23 Outside attacks Many attack vectors originate from outside the corporate network. Outside attacks are performed by an unauthorized users. For example, attackers may target a network, through the Internet, in an attempt to disrupt network operations and create a denial of service (DoS) attack. IT3070 - INFORMATION ASSURANCE AND SECURITY 24 Computer Security Model Figure from Stallings & Brown textbook IT3070 - INFORMATION ASSURANCE AND SECURITY 25