information security : is it an art or a science

Information Security : Is it an Art or a Science ? by Pankaj Rane, Research Associate (IDRBT)

Upload: pankaj-rane

Post on 12-Dec-2014


DESCRIPTION

A brief overview on Information Security

TRANSCRIPT



AGENDA

- What is Security ?
- What is Information Security ?
- Brief History : Information Security
- Present Day : InfoSec
- Why InfoSec is important ?
- What is Information Assurance ?
- Security Services
- Information States
- Security Countermeasures
- Prevention, Detection, Response
- References


WHAT IS SECURITY ?

“The quality or state of being secure to be free from danger”

To be protected from adversaries

A successful organization should have multiple layers of security in place:

- Physical security
- Personal security
- Operations security
- Communications security
- Network security


Fig.1 Spheres of security


WHAT IS INFORMATION SECURITY ?

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information

Tools, such as policy, awareness, training, education, and technology are necessary

The C.I.A. triangle was the standard based on Confidentiality, Integrity, and Availability


C.I.A. Triangle


BRIEF HISTORY OF INFORMATION SECURITY

Computer security began immediately after the first mainframes were developed

Groups developing code-breaking computations during World War II created the first modern computers

Physical controls were needed to limit access to sensitive military locations to authorized personnel

Only limited controls were available to defend against physical theft, espionage, and sabotage


The "Enigma" machines, which scramble messages into codes, were best known for their use by the German military during WWII.

Many models were made and there were complex additions to the machines during the war, but British code breakers managed to crack the "Enigma" code.


PRESENT DAY : INFORMATION SECURITY

The Internet has brought millions of computer networks into communication with each other – many of them unsecured

The ability to secure each computer is now influenced by the security of every computer to which it is connected


WHY INFORMATION SECURITY IS IMPORTANT ?

Governments, commercial businesses, and individuals are all storing information electronically

- compact
- instantaneous transfer
- easy access

Ability to use information more efficiently has resulted in a rapid increase in the value of information

Information stored electronically faces new and potentially more damaging security threats

- can potentially be stolen from a remote location
- much easier to intercept and alter electronic communication than its paper-based predecessors


WHAT IS INFORMATION ASSURANCE ?

The act of ensuring that data is not lost when critical issues arise.

These issues include natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. 

A common method of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.


SECURITY SERVICES :

WHAT TYPES OF PROBLEMS CAN OCCUR?

- Confidentiality
- Integrity
- Availability
- Authentication
- Non-Repudiation


CONFIDENTIALITY

“the assurance that information is not disclosed to unauthorized persons, processes or devices.”

INTEGRITY

“the assurance that data can not be created, changed, or deleted without proper authorization”

AVAILABILITY

“Timely, reliable access to data and information services for authorized users.”

AUTHENTICATION

“Designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information”


NON-REPUDIATION

“The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data”

Examples where non-repudiation is lacking include:

- An online shopper purchases and downloads a software package, but later claims he never downloaded it.

- An online shopper purchases and downloads a software package that he later finds out was corrupted, and then finds out that the seller was not who he expected but was instead a “man in the middle”.


INFORMATION STATES :

WHERE IS THE DATA?

- Transmission
- Storage
- Processing


TRANSMISSION

Time in which the data is in transit between processing/process steps.

STORAGE

Time during which data is on a persistent medium such as a hard drive or tape.

PROCESSING

Time during which the data is actually in the control of a processing step.


SECURITY COUNTERMEASURES :

WHO CAN ENFORCE /CHECK SECURITY?

- People
- Policy and Practice
- Technology


PEOPLE

- The heart and soul of secure systems.
- Awareness, literacy, training, education in sound practice.
- Must follow policy and practice or the systems will be compromised no matter how good the design!
- Both strength and vulnerability.


POLICY AND PRACTICE

- System users
- System administrators
- Software conventions
- Trust validation


TECHNOLOGY

Evolves rapidly

Crypto systems

Hardware

Software

Network

- Firewalls
- Routers
- Intrusion detection
- Other…

Platform

- Operating systems
- Transaction monitoring
- Other…

Especially vulnerable to misconfiguration and other “human” errors.


PREVENTION

Establishment of policy and access control

- who: identification, authentication, authorization
- what: granted on “need-to-know” basis

Implementation of hardware, software, and services

- users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them)

Examples of preventative mechanisms

- passwords - prevent unauthorized system access
- firewalls - prevent unauthorized network access
- encryption - prevents breaches of confidentiality
- physical security devices - prevent theft

Maintenance


PREVENTION IS NOT ENOUGH!

Bruce Schneier, Counterpane Internet Security, Inc.

Prevention systems are never perfect.

No bank ever says: "Our safe is so good, we don't need an alarm system."

No museum ever says: "Our door and window locks are so good, we don't need night watchmen."

Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.


DETECTION

Determine that either an attack is underway or has occurred and report it

Real-time monitoring

- or, as close as possible
- monitor attacks to provide data about their nature, severity, and results

Intrusion verification and notification

- intrusion detection systems (IDS)
- typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack
- example: denial of access to a system when user repeatedly enters incorrect password
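
The lockout example above, as an added illustration that is not part of the original slides: a small detector that scans authentication log lines, reports an account after repeated incorrect passwords inside a time window, and denies later attempts. The log format, the threshold of 3 failures and the 5-minute window are assumptions chosen for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed for this example):
# "<ISO timestamp> <user> <source> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2014-12-12T09:00:01 alice 10.0.0.5 LOGIN_FAIL
2014-12-12T09:00:09 alice 10.0.0.5 LOGIN_FAIL
2014-12-12T09:00:15 bob 10.0.0.7 LOGIN_FAIL
2014-12-12T09:00:20 alice 10.0.0.5 LOGIN_FAIL
2014-12-12T09:00:31 alice 10.0.0.5 LOGIN_OK
2014-12-12T09:01:00 bob 10.0.0.7 LOGIN_OK
2014-12-12T09:20:00 bob 10.0.0.7 LOGIN_FAIL
not a log line
"""

def detect_lockouts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, denied): accounts locked and attempts denied afterwards."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}                     # user -> time the lockout was triggered
    alerts, denied = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                # skip malformed lines rather than crash
        stamp, user, source, outcome = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue                # four fields but no valid timestamp
        if user in locked:
            # Response: access is denied even if the password is now correct.
            denied.append((user, stamp, outcome))
            continue
        if outcome == "LOGIN_OK":
            failures[user].clear()  # a success resets the failure streak
            continue
        if outcome != "LOGIN_FAIL":
            continue
        recent = failures[user]
        recent.append(when)
        while recent and when - recent[0] > window:
            recent.popleft()        # forget failures outside the window
        if len(recent) >= threshold:
            locked[user] = when
            alerts.append((user, source, stamp))  # detection: report it
    return alerts, denied

print(detect_lockouts(SAMPLE_LOG))
```

A single mistyped password followed by a success (the `bob` entries) does not trigger an alert, which keeps the check from locking out ordinary users.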


RESPONSE

Stop/contain an attack

- must be timely!
- incident response plan developed in advance

Assess and repair any damage

Resumption of correct operation

Evidence collection and preservation

- very important
- identifies vulnerabilities
- strengthens future security measures



THANK YOU !!!


QUERIES ???