John Carpenter 2008 702904 & 711908 lecture - 01 1 702904 & 711908 Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals


Page 1

702904 & 711908 Information Security 2008

Lecture 1: Subject Introduction and Security Fundamentals

Page 2

Lecturer

• Mr John Carpenter

B Eng (Electrical)

M Eng Sc (Systems Theory, Pattern Recognition)

M Arts (Philosophy – Theory of Mind)

• Work experience: Embedded Systems

Pathology Instrumentation and Databases

Project manager

Lecturer in Computer Technology, Project Management, and Security

[email protected]

Page 3

702904 & 711908 Information Security Lecture Introduction

• Welcome

• Student Handout:

• Subject Introduction

• Assessment

• Texts

• Tutorials

• Lecture 1 Objectives

Page 4

702904 & 711908 Information Security

• Principles of Security

• Securing individual computer systems

• Models for securing information systems

• Securing local networks

• Cryptography as a basis for securing transactions passing across open networks

• Maybe: Introduction to securing websites

• Maybe: Securing databases

Page 5

Objectives of Lecture 1

• Subject Administration

• Define the objectives of information security

• Some definitions

• The Four Threats

• Controls

• The layers of technology and hence the layers of controls

• A different point of view

• Physical security

Page 6

References

• Pfleeger & Pfleeger, Security in Computing, Ch 1, Section 8.4

• Gollmann, Computer Security, Ch 1

Page 7

There are Problems

• Theft - of equipment, of proprietary software

• Theft - Copying of confidential material

• Fabrication - for gain - Adding false names to company payroll

• Modification - malicious - Virus infections

• Access - easy for ‘us’

• Access - difficult for ‘them’

Page 8

What is Security ?

• Protection of assets - can take several forms:

• Prevention

• Detection

• Reaction

• What does this mean for computer assets ?

Page 9

What is Information Security ?

• The objectives of information security are:

• Confidentiality

• Integrity

• Availability

• to give us: Secure Data

Page 10

Confidentiality

• Only accessible by authorised parties

• Not revealed

• More than not reading

• Confidentiality is distinct from secrecy and privacy (for you to think about)

Page 11

Integrity

• Associated with loss and corruption

• Data Integrity: computerised data is the same as the external source data, and is not exposed to alteration or destruction

• No inappropriate modification

Page 12

Availability

• The property of being accessible and useable (without delay) upon demand by an authorised entity

• We want there to be

• no denial of service

Page 13

Other security issues

• Accountability

• Reliability

• Safety

• Dependability

Page 14

• Computer security deals with the prevention and detection of unauthorised actions by users of a computer system

• Security deals with the ready availability of valuable assets to authorised agents, and the denial of that access to all others

Page 15

Some Definitions

• Vulnerability: A weakness of some sort

• Attack: When a weakness is exploited

• Threat: A circumstance with a potential for loss

• Exposure: When a vulnerability is visible

• Control: A protective measure

• NOTE the CLOSED nature of these definitions, the concept of PERIMETER CONTROL.

Page 16

Breaches of Security The Four Threats

• Interruption

• Interception

• Modification

• Fabrication

Page 17

Some Principles of Security

• Principle of Easiest Penetration: An intruder will use any available means of penetration, not necessarily the most obvious one or the one with the strongest defence

• Principle of Timeliness: Items only need to be protected until they lose their value (only protect valuable items)

• Principle of Effectiveness: Controls must work, and they should be efficient, easy to use, and appropriate

Page 18

Costs

• The costs of additional resources to implement security mechanisms can be quantified (measured)

• Security mechanisms interfere with users, and can lead to loss of productivity

• Managing security also costs

• (Risk Analysis will be covered)

Page 19

Controls

• A control is a protective mechanism:

A lock with a key

An ATM card with a PIN

A login with a password

An e-mail message that is encrypted

• What should be the focus of controls ?

• Should protection mechanisms focus on data,

• or operations on that data,

• or should we focus on the users ?
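The four threats of slide 16 and the "encrypted e-mail message" control of slide 19, worked through in code. This is an added example, not code from the lecture or its texts: the message, the pre-shared one-time pad and MAC key, and the intruder's data are all constructed here, and the pad-plus-HMAC construction stands in for whatever cipher and integrity check a real mail system would use.

```python
"""Added example (not from the lecture): the four threats of slide 16
applied to a message in transit, with and without the kind of control
slide 19 lists ("an e-mail message that is encrypted").  Standard
library only.  Message, keys and attacker data are constructed."""
import hashlib
import hmac
import secrets


def seal(msg: bytes, pad: bytes, mac_key: bytes) -> tuple[bytes, bytes]:
    """Conceal msg with a pre-shared one-time pad (used exactly once),
    then tag the ciphertext with HMAC-SHA256 so the receiver can detect
    modification and fabrication."""
    assert len(pad) >= len(msg), "one-time pad must cover the message"
    ct = bytes(m ^ p for m, p in zip(msg, pad))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def unseal(frame: tuple[bytes, bytes], pad: bytes, mac_key: bytes):
    """Return the plaintext, or None when the tag does not verify.
    compare_digest is constant-time, so the check itself leaks nothing."""
    ct, tag = frame
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ p for c, p in zip(ct, pad))


def run_scenarios(msg: bytes = b"PAY 100 TO ALICE", protected: bool = True) -> dict:
    """Replay each of the four threats against one frame and report the
    outcome at the receiver, with or without the confidentiality+integrity
    control in place."""
    pad = secrets.token_bytes(len(msg))      # pre-shared between the two ends
    mac_key = secrets.token_bytes(32)        # pre-shared between the two ends
    attacker_key = secrets.token_bytes(32)   # the intruder holds neither real key

    if protected:
        frame = seal(msg, pad, mac_key)

        def receive(f):
            return unseal(f, pad, mac_key)
    else:
        frame = (msg, b"")                   # plaintext, no tag

        def receive(f):
            return f[0]                      # accepts whatever arrives

    out = {}

    # Interruption: the frame never arrives.  Neither variant helps;
    # availability needs different controls (redundancy, rate limiting).
    out["interruption"] = "lost"

    # Interception: an eavesdropper copies what is on the wire while the
    # frame itself is delivered unchanged.
    on_the_wire = frame[0]
    out["interception"] = "disclosed" if on_the_wire == msg else "concealed"

    # Modification: one bit of the payload is flipped in transit.
    ct, tag = frame
    tampered = (bytes([ct[0] ^ 0x01]) + ct[1:], tag)
    out["modification"] = "detected" if receive(tampered) is None else "accepted"

    # Fabrication: the intruder injects a frame of their own making,
    # tagged with a key of their own because they do not have the real one.
    forged_payload = b"PAY 900 TO MALLORY"
    forged_tag = hmac.new(attacker_key, forged_payload, hashlib.sha256).digest()
    out["fabrication"] = ("detected" if receive((forged_payload, forged_tag)) is None
                          else "accepted")
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("protected" if mode else "unprotected", run_scenarios(protected=mode))
```

Run it and the two dictionaries show the shape of the lecture's point: concealment plus an integrity tag covers interception, modification and fabrication, but does nothing for interruption, which is why availability needs its own controls and why the objectives on slide 9 are three rather than one.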

Page 20

There are layers of information systems technology

• Applications

• Services

• Operating system

• Kernel

• Hardware

• In which layer (or layers) should security mechanisms be placed ?

• Should controls be placed in more than one layer ?

Page 21

Layers

• The presence of layers is a feature of technology

• Separate layers often perform very different functions

• Similar functions are combined in one layer

• The boundary between two layers is usually easily defined

• Layers can often be independently implemented

Page 22

One Architecture of Controls

• Administrative Policies

• Physical

• Computer and Network Hardware

• Software

• Encryption (concealing)

Page 23

Controls: The Onion Model

• Simple mechanisms, or lots of features ?

• Should defining and enforcing security be a centralised function ?

• How to prevent access to the layer below the security mechanism ?

Page 24

Attack on the layer below

• An important concept

• Needs an understanding of the layers that are used to gain access to an asset

• When an intruder finds they are blocked at one layer, this intruder may attempt to attack the next layer closer to the asset

• Circumventing the protection:

Smashing a door

Posing as an employee

Posing as a programmer

An email pretending to be from your bank
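Slide 24's "attack on the layer below" in code, as an added example that is not part of the lecture. The application layer never offers a salary lookup, so an intruder blocked there goes after the database service beneath it by feeding the application input that the database reads as part of the query. The table names, rows and payload are constructed for the demonstration, and sqlite3 from the Python standard library stands in for the database layer.

```python
"""Added example (not from the lecture): an application-layer control is
circumvented by attacking the service layer below it.  Constructed
sample schema and data; sqlite3 from the standard library."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Two tables: the one the application exposes (staff) and the asset
    it is supposed to keep out of reach (salaries)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE staff (id INTEGER, name TEXT, dept TEXT);
        CREATE TABLE salaries (staff_id INTEGER, amount INTEGER);
        INSERT INTO staff VALUES (1, 'alice', 'eng'), (2, 'bob', 'finance');
        INSERT INTO salaries VALUES (1, 90000), (2, 120000);
    """)
    return con


def directory_lookup_weak(con: sqlite3.Connection, name: str) -> list:
    """Control at the application layer only: callers may see the staff
    directory and nothing else, and the code 'enforces' that by only
    ever writing a query against staff.  The query is built by string
    concatenation, so the caller's input reaches the database layer as
    query text rather than as data."""
    sql = "SELECT name, dept FROM staff WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def directory_lookup(con: sqlite3.Connection, name: str) -> list:
    """The same function with a control added at the layer below: the
    driver binds the input as a parameter, so the database treats it as
    data and the query the application wrote is the only one that runs."""
    return con.execute(
        "SELECT name, dept FROM staff WHERE name = ?", (name,)
    ).fetchall()


# Blocked at the application layer (no salary endpoint exists), the
# intruder attacks the next layer closer to the asset: the database is
# made to append its own SELECT over salaries to the directory query.
PAYLOAD = "x' UNION SELECT staff_id, amount FROM salaries --"


def demo() -> dict:
    """Run the payload through both versions plus an ordinary lookup."""
    con = build_db()
    return {
        "weak": directory_lookup_weak(con, PAYLOAD),
        "hardened": directory_lookup(con, PAYLOAD),
        "normal": directory_lookup(con, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:9s} {rows}")
```

The weak version hands back every salary row even though the application contains no code that reads that table; the hardened version returns nothing for the same input. In a real deployment the control belongs at the service layer in its own right as well, for instance a database account for the application that has no privilege on the salaries table, so that even a query the application never intended cannot reach the asset. That is the answer to slide 20's question: yes, place controls in more than one layer.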

Page 25

A Different View: Security as a Person Problem

• Roles of individuals in an organisation:

Directors

Managers

Professionals

Clerks

IT staff

• Personality types:

Adventurous

Anti-social

Gregarious

Page 26

Physical Security

• Control ACCESS

• Control PORTABILITY

• Detect EXIT VIOLATIONS

Page 27

Site Security

• The concern is with physical things

• Fire

• Flood

• Electric Power

• Access

Page 28

Securing ‘Closed’ Computer systems

• Media

• Equipment

• Site:

Cold Site

Warm Site

Hot Site

Page 29

Next week

• Identity and Authentication

• References: Pfleeger and Pfleeger, Section 4.5

• Gollmann, Chapter 2

• (Anderson Security Engineering )