International Business Information Systems - Introduction to Computer Security PDF
Furtwangen University of Applied Sciences, 2024
Dr. Norbert Schiffner

Summary
This document is lecture material for the International Business Information Systems programme's introduction to computer security. It covers the asset-security chapter: data management, ownership and custodianship, data classification, retention and destruction, privacy requirements, the equipment lifecycle, the three states of data and the controls for each. The course material is from Furtwangen University of Applied Sciences.

Full Transcript
International Business Information Systems, Bachelor of Science (B.Sc.)
Introduction to Computer Security
Furtwangen University of Applied Sciences (Hochschule Furtwangen University)

Course Overview
1. Course Structure and Motivation
2. Security and Risk Management
3. Asset Security
4. Security Engineering
5. Communication & Network Security
6. Identity and Access Management
7. Security Assessment and Testing
8. Security Operations
9. Software Development Security
Hochschule Furtwangen University @ Dr. Norbert Schiffner

3 ASSET SECURITY

Data is the new gold
"Just as oil was likened to black gold, data takes on a new importance and value in the digital age." Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, opening remarks at the press conference on the Open Data Strategy, Brussels.

Asset Security Overview
◦ Data Management
◦ Longevity and Use
◦ Data Standards
◦ Determine Data Security Controls

3.1 DATA MANAGEMENT

Security Policy
"A sound data policy defines strategic long-term goals for data management across all aspects of a project or enterprise" (ISC2 CBK). This means all data, regardless of medium.
Your ISMS should incorporate the following factors:
◦ Cost
◦ Ownership
◦ Privacy
◦ Sensitivity
◦ Existing legal and compliance requirements

Data Ownership vs. Custodianship
Owners (aligned with the business):
◦ Determine criticality
◦ Understand the value and replacement cost for the business
◦ Determine who should access the data
◦ Determine proper retention and destruction periods
◦ Establish compliance obligations
Custodians (aligned with the infrastructure):
◦ Apply storage security based on criticality
◦ Maintain data storage
◦ Apply user permissions
◦ Enforce compliance obligations
◦ Ensure data integrity

Data Classification
The essential metadata item attached to an organization's valuable information is its classification level. The classification tag remains affixed throughout the information life-cycle (acquisition, use, archival and disposal) and drives the protection of the information.

Common classification labels
◦ Public: can be viewed by the general public, so disclosure cannot cause any damage. For example, the general public may be aware of the organization's upcoming projects.
◦ Sensitive: needs extraordinary precautions to ensure confidentiality and integrity, for example the company's financial information.
◦ Private: personal information such as credit card numbers and bank accounts. Unauthorized disclosure can be disastrous.
◦ Confidential: used only within the organization; in the case of unauthorized disclosure the organization could suffer serious consequences.
◦ Secret: disclosure can adversely affect national security, such as the release of military deployment plans.
◦ Top secret: disclosure could cause massive damage to national security, such as the disclosure of spy satellite information.
Note that the first four labels are typical of commercial schemes and the last two of government schemes; an organization picks one ordered set of labels and applies it consistently, because the ordering is what later decisions (access, retention, media reuse) are made against.

3.2 LONGEVITY AND USE
Data Retention
Ensuring that information is kept as long as required, and no longer.
Some golden rules for retention:
◦ Understand where the data is right now
◦ Classify and define the data (different information will need different retention)
◦ Archive and manage the data
◦ When defining the retention strategy, involve all stakeholders
Eight steps an organization should take:
1. Evaluate requirements
2. Classify record types
3. Determine retention / destruction time
4. Draft and justify the retention policy
5. Train staff
6. Audit retention
7. Periodically review the policy
8. Document the policy and its implementation

Data Handling
Requirements for holding data:
◦ Marking: labelling the information, as well as pertinent facts about that information
◦ Handling: retrieving information for review, shipping, etc.
◦ Storing: archiving, encrypting, keeping on-site / off-site
Key vocabulary for destruction:
◦ Sanitized: media that have been erased of their contents
◦ Zeroization: overwriting all previous data
◦ Degaussing: scrambling magnetic media with stronger magnets (magnetic media only; it does nothing for flash and normally leaves a modern tape unusable)
◦ Crypto-shredding: "deleting" data by deliberately deleting or overwriting the encryption keys
◦ Clearing: removing sensitive data so that it cannot be recovered by normal, easily available means
◦ Purging: making information unrecoverable even with extraordinary effort
◦ Data remanence: information left over after clearing

(Backup) Media Reuse
Data remanence: information left over after clearing.
Never downgrade the data stored on a medium. A backup tape used to store "top secret" marked data must not be used to store "secret" marked data: the tape then receives only the lower level of protection, while remnants of the "top secret" data may still be hidden on it.
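The retention steps and the media-reuse rule above can be encoded as policy-as-code. The following is an added example, not code from the lecture: the record types, retention periods, destruction methods and dates are assumptions chosen for illustration. The classification ordering follows the labels of the classification slide, and each medium keeps a high-water mark of the highest label ever written so that it is never reassigned to a lower level.

```python
"""Retention schedule evaluation and a media high-water mark.

Added example, not from the lecture. The record types, retention periods,
destruction methods and dates are assumptions chosen for illustration.
"""
from datetime import date, timedelta

# Ordered classification labels, lowest to highest (classification slide).
LEVELS = ["public", "confidential", "secret", "top secret"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Hypothetical retention schedule (steps 2 and 3 of the eight-step process):
# record type -> (classification, keep for, destruction method once expired).
SCHEDULE = {
    "press_release": ("public", timedelta(days=365), "clear"),
    "financial_statement": ("confidential", timedelta(days=10 * 365), "purge"),
    "deployment_plan": ("top secret", timedelta(days=30 * 365), "destroy"),
}


def disposition(record_type, created, today):
    """Return (action, label, expiry) for one record: 'retain' until the
    retention period has run, then the schedule's destruction method."""
    label, keep_for, method = SCHEDULE[record_type]
    expiry = created + keep_for
    action = "retain" if today < expiry else method
    return action, label, expiry


def audit(records, today):
    """Step 6, audit retention: list every record past its expiry, i.e.
    one that should already have been destroyed by the scheduled method."""
    overdue = []
    for record_id, record_type, created in records:
        action, label, expiry = disposition(record_type, created, today)
        if action != "retain":
            overdue.append((record_id, action, label, expiry.isoformat()))
    return overdue


class Medium:
    """A backup tape or disk. high_water is the highest label ever written;
    the medium must never be reassigned to a lower level because remnants
    of the higher-classified data may still be on it."""

    def __init__(self, medium_id):
        self.medium_id = medium_id
        self.high_water = None

    def write(self, label):
        if self.high_water is None or RANK[label] > RANK[self.high_water]:
            self.high_water = label

    def can_reuse_for(self, label):
        """Allowed only at the same or a higher level than ever written."""
        return self.high_water is None or RANK[label] >= RANK[self.high_water]


def example():
    """Run the audit over constructed sample records and the tape check."""
    today = date(2024, 6, 1)  # assumed 'now' for the example
    records = [  # constructed sample records: (id, type, creation date)
        ("R1", "press_release", date(2022, 1, 1)),
        ("R2", "financial_statement", date(2020, 1, 1)),
        ("R3", "deployment_plan", date(1990, 1, 1)),
    ]
    tape = Medium("tape-07")
    tape.write("top secret")
    return {
        "overdue": audit(records, today),
        "reuse_tape_for_secret": tape.can_reuse_for("secret"),          # False
        "reuse_tape_for_top_secret": tape.can_reuse_for("top secret"),  # True
    }


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name}: {value!r}")
```

In the sample run R1 and R3 are overdue for clearing and destruction respectively, R2 is still within its ten-year period, and the tape that once held top-secret backups may be reused for top-secret data but not for secret data.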
SSD with Integrated Controllers
A solid-state drive (SSD) controller, also referred to as a processor, contains the electronics that bridge the flash memory components to the SSD input/output interfaces. Depending on the technology, a flash cell survives only a limited number of program/erase cycles (from a few hundred to a few thousand for dense consumer TLC/QLC cells, far more for SLC), so most SSD controllers implement "wear leveling": writes are distributed among the storage cells. Because the controller separates logical block addresses from physical flash pages, overwriting a file at the logical layer does not guarantee that the physical pages holding the old data are rewritten; those pages are merely marked stale and may retain the data until the controller eventually erases them. For SSDs, crypto-shredding (on self-encrypting drives) or physical destruction is the only safe way of purging. The drive's own sanitize commands (ATA SECURITY ERASE UNIT, NVMe Sanitize) are the intended interface for this and are what NIST SP 800-88 points to, but their effectiveness depends on the firmware and must be verified for the specific model. [Slide images: Kingston SSD; shredded SSD]

Cloud Storage
◦ You are not the owner of the storage media
◦ It might be shared with other customers
◦ Released storage might be reused by other customers
◦ Crypto-shredding and bring-your-own-keys are safe ways to release / delete storage containers in a cloud environment

3.3 DATA STANDARDS

Protecting Privacy
In 2018 the European Union's General Data Protection Regulation (GDPR, adopted in 2016) became applicable, protecting its citizens' personal data and potentially affecting every consumer brand worldwide. Limits on collection: organizations must collect only the minimum amount of data needed for the purpose (data minimisation), since what was collected may become a matter of law later on. By 2014 more than 100 countries had passed privacy protection laws that affect organizations in their jurisdictions. The policies vary among countries; the slide cites Argentina as among the most restrictive and China as having no restrictions, a comparison that is now dated since China's Personal Information Protection Law took effect in 2021.

Privacy: Universal Requirements
◦ Gather it fairly and lawfully
◦ Use it only for the originally specified purpose
◦ Use only what is adequate
◦ The data subject can view the information held about him / her
◦ Secure storage
◦ Destruction after its purpose is fulfilled
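Two claims from the destruction vocabulary, the SSD slide and the cloud slide are easy to check in a simulation: a logical overwrite does not remove data from a wear-levelled device, and crypto-shredding makes every copy of the ciphertext useless at once, stale pages and cloud replicas included. The following is an added example, not code from the lecture. ToySSD is a simulated flash translation layer (every write goes to a fresh physical page, nothing is erased); keystream_xor is a toy cipher built from HMAC-SHA256 in counter mode so that the script runs with the standard library alone, and KeyStore stands in for an HSM or cloud KMS. A real deployment uses AES-XTS or AES-GCM from a vetted library and keeps keys in a KMS (bring-your-own-key in the cloud case), not this construction.

```python
"""Data remanence on a wear-levelled SSD, and crypto-shredding as the fix.

Added example, not from the lecture. ToySSD simulates a flash translation
layer; keystream_xor is a toy cipher (HMAC-SHA256 in counter mode) used
only so that the script needs nothing outside the standard library.
Do not use this cipher for real data.
"""
import hashlib
import hmac
import secrets

PAGE_SIZE = 32


class ToySSD:
    """Simulated SSD. Every write goes to a fresh physical page and the
    logical block address (LBA) is remapped to it; the page that held the
    previous version is left stale but not erased (wear levelling)."""

    def __init__(self, physical_pages):
        self.pages = [None] * physical_pages  # raw NAND contents
        self.lba_map = {}                     # LBA -> physical page index
        self.next_free = 0                    # round-robin allocation

    def write(self, lba, data):
        if len(data) > PAGE_SIZE:
            raise ValueError("data larger than one page")
        if self.next_free >= len(self.pages):
            raise RuntimeError("device full (toy has no garbage collection)")
        self.pages[self.next_free] = data.ljust(PAGE_SIZE, b"\0")
        self.lba_map[lba] = self.next_free  # old page becomes stale, not zeroed
        self.next_free += 1

    def read(self, lba):
        """What the host sees through the controller."""
        return self.pages[self.lba_map[lba]]

    def forensic_scan(self, needle):
        """What a chip-off / raw NAND read sees: every page, mapped or stale."""
        return [i for i, page in enumerate(self.pages)
                if page is not None and needle in page]


def keystream_xor(key, nonce, data):
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyStore:
    """Per-object data encryption keys held apart from the media (in
    practice an HSM or cloud KMS, possibly with bring-your-own-key)."""

    def __init__(self):
        self._deks = {}

    def create(self, object_id):
        self._deks[object_id] = secrets.token_bytes(32)
        return self._deks[object_id]

    def get(self, object_id):
        return self._deks[object_id]  # raises KeyError once shredded

    def shred(self, object_id):
        """Crypto-shredding: destroy the key. Every copy of the ciphertext,
        stale pages and cloud replicas included, becomes unrecoverable."""
        del self._deks[object_id]


SECRET = b"TOP SECRET: deployment plan"  # constructed sample record


def demo():
    ssd = ToySSD(physical_pages=8)
    results = {}

    # 1. Plaintext write, then a logical "overwrite with zeros".
    ssd.write(0, SECRET)
    ssd.write(0, b"\0" * PAGE_SIZE)
    results["logical_read_after_overwrite"] = ssd.read(0)             # zeros
    results["stale_pages_with_plaintext"] = ssd.forensic_scan(SECRET)  # [0]

    # 2. Encrypt first, write, then "delete" the same way.
    keys = KeyStore()
    dek = keys.create("doc-1")
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(dek, nonce, SECRET)
    ssd.write(1, ciphertext)
    ssd.write(1, b"\0" * PAGE_SIZE)
    stale = ssd.forensic_scan(ciphertext)
    results["stale_pages_with_ciphertext"] = stale                     # [2]

    # With the key, the stale ciphertext still yields the plaintext.
    recovered = ssd.pages[stale[0]][:len(ciphertext)]
    results["recovered_from_stale_with_key"] = keystream_xor(
        keys.get("doc-1"), nonce, recovered)

    # 3. Crypto-shred: the key is gone, the stale ciphertext is now noise.
    keys.shred("doc-1")
    try:
        results["recovered_after_shred"] = keystream_xor(
            keys.get("doc-1"), nonce, recovered)
    except KeyError:
        results["recovered_after_shred"] = None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The host-visible read of LBA 0 returns zeros after the overwrite, yet the raw page scan still finds the plaintext in the stale page; the same remanence applies to the ciphertext, which is harmless only once the key has been shredded. This is why the slides recommend crypto-shredding for SSDs and for cloud storage you do not physically control.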
Data / Cyber Security Groups
◦ U.S. DoD (Department of Defense)
◦ U.S. NSA (National Security Agency)
◦ NIST (National Institute of Standards and Technology)
◦ EU (European Union) Cybersecurity Strategy
◦ ENISA (European Network and Information Security Agency; since 2019 the European Union Agency for Cybersecurity)
◦ ISO (International Organization for Standardization)

Equipment Lifecycle
Information resides on equipment, whether desktops, servers, smartphones, warehouses, desk drawers, ... One common way to describe the life cycle of that equipment is:
1. Defining requirements
2. Acquiring and implementing
3. Operations and maintenance
4. Disposal or decommissioning

3.4 DETERMINE DATA SECURITY CONTROLS

The Three States of Data
◦ At rest
◦ In motion
◦ In use
Data in motion is data being transmitted across a network, while data at rest is stored on a drive; data in use is held in memory and processor registers while it is being processed. Each state needs its own controls for protection.

Data Security Controls
◦ Drive encryption is the control for protecting data at rest. It is recommended for all media and mobile devices that contain confidential information.
◦ Media transportation and storage provides data protection through backup and allows data to be stored off-site, moved either physically or over networks.
◦ Protecting data in motion requires secure transit over networks. The slide's table of insecure network protocols and their secure replacements is not reproduced in this transcript.

Protect Data in Use
The CPU needs access to the data to perform operations.
Secure enclaves are one way to protect data during use; Intel Software Guard Extensions (SGX) is the example on the slide.
◦ Available from most cloud providers and part of most modern smartphones
◦ Performance degradation (3% - 10%)
◦ Key management
◦ Relatively new technology
◦ Changes to application logic may be necessary
An enclave protects memory contents from the operating system and hypervisor, but the code inside it must be attested before secrets are provisioned into it, and enclave implementations have a history of side-channel attacks; a production design treats attestation and key provisioning as part of the threat model rather than as solved by the hardware.

Thank You! Questions?

Let's stay in contact
Dr. Norbert Schiffner
Lecturer / Expert for Cyber-Security
Faculty of Business Information Systems
Furtwangen University
Robert-Gerwig-Platz 1
78120 Furtwangen, Germany
[email protected]
[email protected]
www.HS-Furtwangen.de/en

Legal Notice
Copyright: Dr. Schiffner keeps the copyright for this presentation and its content. This presentation and any attachments transmitted or uploaded with it are intended solely for the addressee(s) and may be legally privileged and/or confidential. Any unauthorised copying, distribution or disclosure is prohibited and unlawful. If you have received an e-mail including this content in error, please destroy it and contact the sender.