Welcome to Information Systems Security (503009) Nguyen Thi Ai Thao Faculty of Computer Science & Engineering HCMC University of Technology [email protected]

Welcome to Information Systems Security (503009) · 2015. 1. 1. · Information Systems Security Chapter 1: Introduction to Information Systems Security 4 Course Outline - Details

Ho Chi Minh City University of Technology

Faculty of Computer Science and Engineering

© 2011

Information Systems Security

Chapter 1: Introduction to Information Systems Security

Course Outline

Week                 Lectures
1                    Information systems security: basic concepts
2, 3                 Basic cryptography & key exchange protocols
4                    Identification & Authentication
5, 6                 Discretionary Access Controls
7, 8                 Mandatory Access Controls
9                    Auditing & Accountability
10, 11, 12, 13, 14   Presentations
15                   Revision

References

[1] M. Gertz, S. Jajodia (2008). Handbook of Database Security: Applications and Trends, Springer Verlag, ISBN 978-0-387-48532-4.

[2] S. Castano, M. Fugini, G. Martella, and P. Samarati (1995). Database Security, ACM Press & Addison-Wesley, ISBN 0-201-59375-0.

[3] D.C. Knox (2004). Effective Oracle Database 10g Security by Design, Oracle Press, ISBN 0-07-223130-0.

[4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information Security Fundamentals, Auerbach Publications, ISBN 0-8493-1957-9.

[5] W. Mao (2003). Modern Cryptography: Theory and Practice, 3rd Ed., Prentice Hall, ISBN 0-13-066943-1.

Course Outline - Details

Week   Lectures                                           References
1      1. Introduction                                    [1,2,3,4,5]
         1.1 Basic concepts
         1.2 Picture of DB security
         1.3 Framework for DB & Applications security
2      2. Basic cryptography & key exchange protocols     [4,5]
         2.1 Cryptography-related concepts
         2.2 Key channel
         2.3 Perfect encryption
3      2. Basic cryptography & key exchange protocols     [4,5]
         2.4 Dolev-Yao threat model
         2.5 Protocols

4      3. Identification & Authentication                 [2,3,4]
         3.1 Introduction
         3.2 Identification techniques
         3.3 Authentication techniques
         3.2 Authentication protocols
5      3. Discretionary Access Controls                   [2,3,4]
         3.1 Introduction to DAC
         3.2 Models for DAC
6      3. Discretionary Access Controls                   [2,3,4]
         3.3 SQL for Data Control
         3.4 DAC & Information Flow Controls

7      4. Mandatory Access Control                        [2,3,4]
         4.1 Introduction to MAC
         4.2 Models for MAC
8      4. Mandatory Access Control                        [2,3,4]
         4.3 Case study: Oracle Label Security
9      5. Auditing & Accountability                       [2,3]
         5.1 Introduction to Auditing & Accountability
         5.2 Techniques to Auditing
         5.3 Case study: Auditing in Oracle
10, 11, 12, 13, 14   Presentation                         Tbc.

Assessments

Credits: 3

No mid-term test

Open-book exams

Assessment Pattern    %
Presentation 1        15
Presentation 2        15
Assignment            20
Final Examination     50

Presentation

Group of 2-3 students

Presentation topics: http://cse.hcmut.edu.vn/~thaonguyen >> Teaching

Register for the presentations: Send to [email protected]

Deadline: February 3rd, 2015

Chapter 1: Introduction to Information Systems Security

Outline

1. Basic concepts

2. Picture of DB Security

3. Framework for DB & Applications Security

Basic Concepts

Data and Information

Information System

Information Security

Information System Security Requirements

Countermeasures

Basic Steps in Information Security Process

Basic Concepts - Information Systems Security

Data are plain facts. When data are processed, organized, structured or presented in a given context so as to make them useful, they are called Information.

Basic Concepts - Information Systems Security

Information System refers to a system of people, data records and activities that process the data and information in an organization.

[Diagram: Data, Process, People]

Basic Concepts - Information Systems Security

Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Basic Concepts - Security Requirements

Information System Security Requirements:

Confidentiality

Non-repudiation

Availability

Integrity

Basic Concepts - Security Requirements

Information System Security Requirements:

Confidentiality: Protection of data from unauthorized disclosure.

Example: In a bank system, preventing a client from finding out the information of another client, such as balance.

Integrity: Only authorized users should be allowed to modify data.

Example: In a bank system, preventing a client from changing his or her balance.

Basic Concepts - Security Requirements

Information System Security Requirements:

Availability: Making data available to the authorized users and application programs.

Example: In a bank system, ensuring that the invoices are printed on time as required by law.

Non-repudiation: The ability to prevent the effective denial of an act.

Example: In a bank system, providing proof of the origin and delivery of transactions from a client.

Basic Concepts - Countermeasures

Countermeasures ensure these security requirements for information systems. Some countermeasures are:

Access control

Inference control

Flow control

Encryption

Basic Concepts - Access Control

Access Control: The security mechanism for restricting access to the database as a whole.

Handled by creating user accounts and passwords to control the login process by the Database Management System (DBMS).

Two types of access control system:

Closed system

Open system

Basic Concepts – Closed System

[Flowchart: Closed system. An access request is checked against the rules, which list the authorized accesses. Decision: "Is there a rule authorizing the access?" If yes, access is permitted; if no, access is denied.]

Basic Concepts – Open System

[Flowchart: Open system. An access request is checked against the rules, which list the denied accesses. Decision: "Is there a rule denying the access?" If yes, access is denied; if no, access is permitted.]

Basic Concepts - Inference control

Inference control: The security problem associated with databases is that of controlling the access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria.

The countermeasures to the statistical database security problem are called inference control measures.
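One inference control measure for a statistical database, shown as an added example that is not part of the original slides: an aggregate is answered only when its query set holds at least k and at most n-k records. The choice of this measure (query-set-size restriction), the table contents, the threshold and all function names are assumptions made for the illustration.

```python
# Constructed sample data: (name, department, salary)
EMPLOYEES = [
    ("An", "IT", 1200), ("Binh", "IT", 1500), ("Chi", "IT", 1200),
    ("Dung", "HR", 900), ("Giang", "HR", 950),
    ("Hoa", "Sales", 2000), ("Khanh", "Sales", 1300), ("Lan", "Sales", 1200),
]
MIN_QUERY_SET = 3  # assumed threshold k, not a value from the slides


class QueryRefused(Exception):
    """Raised when an aggregate would describe too few individuals."""


def query_set(predicate, rows=EMPLOYEES):
    """Rows selected by the caller's criteria."""
    return [r for r in rows if predicate(r)]


def is_answerable(predicate, rows=EMPLOYEES, k=MIN_QUERY_SET):
    """True when k <= |query set| <= n - k.

    The upper bound matters as much as the lower one: a query that covers
    almost everyone describes the few excluded records by complement.
    """
    size = len(query_set(predicate, rows))
    return k <= size <= len(rows) - k


def average_salary(predicate, rows=EMPLOYEES, k=MIN_QUERY_SET):
    """Statistical interface: returns AVG(salary) or refuses the query."""
    if not is_answerable(predicate, rows, k):
        raise QueryRefused("query set size outside [k, n-k]")
    matched = query_set(predicate, rows)
    return sum(r[2] for r in matched) / len(matched)


if __name__ == "__main__":
    print(average_salary(lambda r: r[1] == "IT"))      # answered
    for label, pred in (("HR only", lambda r: r[1] == "HR"),
                        ("everyone but HR", lambda r: r[1] != "HR")):
        try:
            average_salary(pred)
        except QueryRefused as exc:
            print(label, "->", exc)
```

A size restriction on its own does not stop every inference, so it is normally combined with other inference control measures.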

Inference attack

[Figure: Inference attack. Labels: Access control, Meta data, Non-sensitive database, Sensitive database, Access denied, Access permitted, Infer]

Inference control

[Figure: Inference control. Labels: Access control, Meta data, Non-sensitive database, Sensitive database, Access denied, Access permitted, INFERENCE CONTROL]

Basic Concepts - Flow control

Flow control prevents information from flowing in such a way that it reaches unauthorized users.

Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called Covert Channels.

Storage channel

Timing channel

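Covert channel – Timing Channel

In Python:

    def validate_password(actual_pw, typed_pw):
        # A length mismatch returns immediately.
        if len(actual_pw) != len(typed_pw):
            return 0
        # The loop stops at the first differing character, so the running
        # time depends on how much of typed_pw is correct: the timing channel.
        for i in range(len(actual_pw)):
            if actual_pw[i] != typed_pw[i]:
                return 0
        return 1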
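The early-exit comparison above beside a hardened check, as an added example that is not part of the original slides: `comparisons_done` counts the loop iterations the slide's function performs (a stand-in for its running time), and `validate_password_hardened` compares salted PBKDF2 digests with `hmac.compare_digest`. The function names, the PBKDF2 parameters and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def comparisons_done(actual_pw, typed_pw):
    """Count the loop iterations of the slide's early-exit check.

    The count grows with the length of the correct prefix, which is the
    information the timing channel carries to an observer.
    """
    if len(actual_pw) != len(typed_pw):
        return 0
    done = 0
    for a, b in zip(actual_pw, typed_pw):
        done += 1
        if a != b:
            break
    return done


def make_verifier(password, salt=None):
    """Return (salt, digest) to store in place of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def validate_password_hardened(verifier, typed_pw):
    """Derive a fixed-length digest from the input, compare in constant time."""
    salt, expected = verifier
    _, candidate = make_verifier(typed_pw, salt)
    # compare_digest does not stop at the first differing byte, and both
    # operands are always 32 bytes, so no length check can leak either.
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    secret = "s3cret-pw"  # constructed sample value
    for guess in ("x3cret-pw", "s3crXt-pw", "s3cret-pX"):
        print(guess, "->", comparisons_done(secret, guess), "iterations")
    stored = make_verifier(secret)
    print(validate_password_hardened(stored, secret),
          validate_password_hardened(stored, "s3cret-pX"))
```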

Basic Concepts - Encryption

Data encryption refers to mathematical calculations and algorithmic schemes that transform plaintext into cyphertext, a form that is non-readable to unauthorized parties.

Only the user having a correct key can decrypt the cyphertext, transforming it to the original plaintext version.

Data encryption is used to protect sensitive data (such as credit card numbers).

Basic Concepts

Basic Steps in Access control Process:

Identification: A user presents an identity to the database

Authentication: The user proves that the identity is valid

Authorization: What privileges and authorizations the user has

Components to be protected in an information system

Identify & Authenticate

Access control

Auditing & Accountability

Encryption

Design

Security in OBDS

Components to be protected in an information system

Encryption

Key exchange protocols

Physical security

Components to be protected in an information system

Physical security

Components to be protected in an information system

Training

Auditing & Accountability

Framework for DB & Applications Security

Privacy, Dependable Information Management, Secure Information Management Technologies, Data Mining and Security, Digital Forensics, Secure Knowledge Management Technologies, Secure Semantic Web, Biometrics

Relational DB Security, Distributed/Federated DB Security, Web DB Security, Object/Multimedia DB Security, Data Warehouse Security, Inference Problem, Sensor DB and Stream Data Processing Security

Database Systems, Information Retrieval, Knowledge Management, Information Management, Information & Computer Security
