1 december security and privacy. information systems security systems operating system, files,...
Post on 21-Dec-2015
226 views
TRANSCRIPT
![Page 1: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/1.jpg)
1 December
Security and Privacy
![Page 2: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/2.jpg)
Information Systems Security
Systems Operating system, files, databases,
accounting information, logs, ... Issue if someone gets access to your
system Information in transit over a network
e-commerce transactions, online banking, confidential e-mails, file transfers,...
![Page 3: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/3.jpg)
Basic Components of Security Confidentiality
Keeping data and resources secret or hidden Integrity
Ensuring authorized modifications Both data and origin
Availability Ensuring authorized access to data and resources
when desired Accountability
Ensuring that an action is traceable uniquely to the actor
![Page 4: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/4.jpg)
Assurance
How much to trust a system Requires
Protection against unintentional errors
Resistance to intentional penetration or by-pass
![Page 5: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/5.jpg)
Info Security 20 Years Ago
Physical security Information was primarily on paper Lock and key Safe transmission
Administrative security Control access to materials Personnel screening Auditing
![Page 6: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/6.jpg)
Information security today Emergence of the Internet and distributed systems
Increasing system complexity Digital information needs to be kept secure
Competitive advantage Protection of assets Liability and responsibility
Financial losses FBI estimates that an insider attack results in an average loss of $2.8
million Estimates of annual losses: $5 billion - $45 billion
National defense Protection of critical infrastructures
Power grid Air transportation
Interlinked government agencies Severe concerns regarding security management and access control
measures (GAO report 2003) Grade F for most of the agencies
![Page 7: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/7.jpg)
Attack Vs Threat
A threat is a “potential” violation of security Violation need not actually occur Fact that the violation might occur
makes it a threat The actual violation of security is
called an attack
![Page 8: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/8.jpg)
Common security attacks Interruption, delay, denial of receipt, denial of
service, distributed denial of service System assets or information become unavailable or
are rendered unavailable Interception or snooping
Unauthorized party gains access to information by browsing through files or reading communications
Modification or alteration Unauthorized party changes information in transit or
information stored for subsequent access Fabrication, masquerade, or spoofing
Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source
![Page 9: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/9.jpg)
Goals of Security Prevention
Prevent someone from violating a security policy Detection
Detect activities in violation of a security policy Verify the efficacy of the prevention mechanism
Recovery Stop attacks Assess and repair damage Ensure availability in presence of an ongoing attack Fix vulnerabilities in order to prevent future attacks Deal with the attacker
![Page 10: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/10.jpg)
Should We Protect Something? Cost-Benefit Analysis
Benefits vs. total cost Is it cheaper to prevent or recover?
Risk Analysis How much should we protect this thing? Risk depends on environment and changes with time
Laws and Customs Are desired security measures illegal? Will people do them? (DNA for identity) Affects availability and use of technology
![Page 11: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/11.jpg)
Human Issues
Outsiders and insiders Insiders account for 80-90% of all
security problems Social engineering
How much do you disclose about security?
![Page 12: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/12.jpg)
Network Security
![Page 13: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/13.jpg)
Information Systems Security
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card
information from someone living in a cardboard box to someone living
on a park bench” – Gene Spafford (Purdue)
![Page 14: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/14.jpg)
Network Security Model
Trusted Third Partyarbiter, distributor of
secret information
OpponentSec
ure
Mes
sage
Sec
ure
Mes
sage
Mes
sage
Information channel
Sender Receiver
Secret Information Security related
transformation
Secret Information
Mes
sage
![Page 15: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/15.jpg)
Network Access Model
GateKeeper
Opponent - hackers - software
Access Channel
DataSoftware
firewall or equivalent, password-based login
![Page 16: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/16.jpg)
Firewall Techniques Filtering
Doesn’t allow unauthorized messages through
Can be used for both sending and receiving Most common method
Proxy The firewall actually sends and receives the
information Sets up separate sessions and controls what
passes in the secure part of the network
![Page 17: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/17.jpg)
Key Technologies
Encryption Authentication
![Page 18: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/18.jpg)
Encryption All encryption algorithms from BCE till
1976 were secret key algorithms Also called classical cryptography or
symmetric key algorithms Julius Caesar used a substitution cipher Widespread use in World War II (enigma)
Public key algorithms were introduced in 1976 by Whitfield Diffie and Martin Hellman
![Page 19: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/19.jpg)
Caesar Cipher Substitute the letter 3 ahead for
each one Example:
Et tu, Brute Hw wx, Euxwh
Quite sufficient for its time High illiteracy New idea
![Page 20: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/20.jpg)
Enigma Machine Simple Caesar
cipher through each rotor
But rotors shifted at different rates Roller 1 rotated
one position after every encryption
Roller 2 rotated every 26 times…
http://www.trincoll.edu/depts/cpsc/cryptography/enigma.html
Used by Germany in WW IIAllies broke the codeMajor benefit to the war effort
![Page 21: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/21.jpg)
Terminology Plaintexts – unencrypted text Ciphertexts – encrypted text Keys – used to encrypt and decrypt Encryption functions – algorithm to
change plaintext to ciphertext Decryption functions – algorithm to
change ciphertext to plaintext
![Page 22: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/22.jpg)
Security Level of Encrypted Data
Unconditionally Secure Unlimited resources + unlimited time Still the plaintext CANNOT be recovered
from the ciphertext Computationally Secure
Cost of breaking a ciphertext exceeds the value of the hidden information
The time taken to break the ciphertext exceeds the useful lifetime of the information
![Page 23: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/23.jpg)
Types of Attacks Ciphertext only
adversary has only ciphertext goal is to find plaintext, possibly key
Known plaintext adversary has plaintext and ciphertext goal is to find key
Chosen plaintext adversary can get a specific plaintext
enciphered goal is to find key
![Page 24: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/24.jpg)
Attack Mechanisms
Brute force Statistical analysis
Knowledge of natural language
![Page 25: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/25.jpg)
Classical Cryptography Sender, receiver share common key
Keys may be the same, or trivial to derive from one another
Two basic types Transposition ciphers (rearrange bits) Substitution ciphers
Product ciphers Combinations of the two basic types
![Page 26: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/26.jpg)
Advanced Encryption Standard (AES)
Government adopted in 2001 A block cipher:
encrypts blocks of 128 bits using at least a 128 bit key outputs 64 bits of ciphertext
A product cipher performs both substitution and transposition
(permutation) on the bits Computationally secure: no known
successful attacks
![Page 27: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/27.jpg)
Public Key Cryptography Two keys
Private key known only to individual Public key available to anyone Keys are inverses
Used for Confidentiality encipher using public key decipher using private key
Used for integrity and authentication encipher using private key decipher using public one
![Page 28: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/28.jpg)
Private Key Requirements
Computationally easy to encipher or decipher
Computationally infeasible to derive the private key from the public key
Computationally infeasible to determine the private key from a chosen plaintext attack
![Page 29: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/29.jpg)
RSA Public key algorithm described in 1977
by Rivest, Shamir, and Adelman Exponentiation cipher Basics
Public key: (e, n); private key: d e, d and n computed from two large prime numbers
Encipher: c = me mod n Decipher: m = cd mod n
Computationally secure with 2048 bit key
![Page 30: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/30.jpg)
Summary Two main types of cryptosystems:
classical and public key Classical cryptosystems encipher
and decipher using the same key Public key cryptosystems encipher
and decipher using different keys
![Page 31: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/31.jpg)
Authentication
Assurance of the identity of the party that you’re talking to
Methods Digital Signature Kerberos
![Page 32: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/32.jpg)
Digital Signature Authenticates origin, contents of message in a
manner provable to a disinterested third party (“judge”)
Sender cannot deny having sent message (service is “nonrepudiation”)
Limited to technical proofs Inability to deny one’s cryptographic key was used to
sign One could claim the cryptographic key was stolen or
compromised Legal proofs, etc., probably required
Protocols based on both public and private key technologies
![Page 33: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/33.jpg)
Kerberos Authentication system
Central server plays role of trusted third party Ticket (credential)
Issuer vouches for identity of requester of service Authenticator
Identifies sender User must
Authenticate to the system Obtain ticket to use a specific server
Problems Relies on synchronized clocks Vulnerable to attack
![Page 34: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/34.jpg)
Privacy
![Page 35: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/35.jpg)
What is privacy?
The right to have information that you don’t expect to be available to others remain that way
On many sites, you give up your right to privacy
![Page 36: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/36.jpg)
Some Views on Privacy “All this secrecy is making life harder,
more expensive, dangerous …”Peter Cochran, former head of BT (British Telecom)
Research
“You have zero privacy anyway.”Scott McNealy, CEO Sun Microsystems
“By 2010, privacy will become a meaningless concept in western society”
Gartner report, 2000
![Page 37: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/37.jpg)
Historical Basis of Privacy
Justice of Peace Act (England 1361) Provides for arrest of Peeping Toms
and eavesdroppers Universal Declaration of Human
Rights (1948) European Convention on Human
Rights (1970)
![Page 38: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/38.jpg)
Legal Realities of Privacy Self-regulation approach in US, Japan Comprehensive laws in Europe,
Canada, Australia European Union
Limits data collection Requires comprehensive disclosures Prohibits data export to unsafe countries
Or any country for some types of data
![Page 39: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/39.jpg)
Aspects of Privacy
Anonymity Security Transparency and Control:
knowing what is being collected
![Page 40: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/40.jpg)
Impediments to Privacy Surveillance Data collection and sharing Cookies
Web site last year was discovered capturing cookies that it retained for 5 years
Sniffing, Snarfing, Snorting All are forms of capturing packets as they
pass through the network Differ by how much information is captured
and what is done with it
![Page 41: 1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone](https://reader030.vdocuments.mx/reader030/viewer/2022033103/56649d615503460f94a43768/html5/thumbnails/41.jpg)
P3P
Platform for Privacy Preference Voluntary standard still in draft
form Structures a web sites policies in a
machine readable format Allows browsers to understand the
policy and behave according to a user’s defined preferences