Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Systems
BSc (Hons) Information Systems Level 3
Learning Objectives
Upon completion of this material, you should be able to:
2
The Present
3
What is Security?
5
6
Critical Characteristics of Information
The value of information comes from the characteristics it
possesses:
Timeliness
No value if it is too late
Availability
No interference or obstruction
Required format
Accuracy
Free from mistakes
Authenticity
Quality or state of being genuine, i.e., sender of an email
Confidentiality
Disclosure or exposure to unauthorized individuals or system is prevented
7
Critical Characteristics of Information
Integrity
Whole, completed, uncorrupted
Cornerstone
Size of the file, hash values, error-correcting codes,
retransmission
Utility
Having value for some purpose
Possession
Ownership
Breach of confidentiality results in the breach of possession, not
the reverse
8
Components of an Information System
9
Components of an Information System
Data
Often most valuable asset
Main target of intentional attacks
People
Weakest link
Social engineering
Must be well trained and informed
Procedures
Threat to integrity of data
Networks
Locks and keys won’t work
10
Securing Components
Computer can be subject of an attack and/or the object
of an attack
11
Figure 1-5 – Subject and Object of
Attack
12
Balancing Information Security and Access
13
Figure 1-6 – Balancing Security and
Access
14
Approaches to Information Security
Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to
improve security of their systems
Participant support
15
Approaches to Information Security
Implementation: Top-Down Approach
16
The Systems Development Life Cycle
Systems development life cycle (SDLC) is methodology
and design for implementation of information security within
an organization
Methodology is formal approach to problem-solving based
on structured sequence of procedures
Using a methodology
ensures a rigorous process
avoids missing steps
Goal is creating a comprehensive security posture/program
Traditional SDLC consists of six general phases
17
18
The Security Systems Development Life Cycle
19
The Security Systems Development Life Cycle
Investigation
Identifies process, outcomes, goals, and constraints of the
project
Analysis
20
The Security Systems Development Life Cycle
Logical Design
Creates and develops blueprints for information security
Physical Design
Needed security technology is evaluated, alternatives
generated, and final design selected
Principles of Information Security, 2nd Edition 21
The Security Systems Development Life Cycle
Implementation
Security solutions are acquired, tested, implemented, and
tested again
Personnel issues evaluated; specific training and education
programs conducted
Entire tested package is presented to management for final
approval
22
Information Security Project Team
23
Data Ownership
24
Key Concepts of Information
Security
Confidentiality
Confidentiality of information ensures that only those
with sufficient privileges may access certain information
To protect confidentiality of information, a number of
measures may be used including:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
25
Key Concepts of Information
Security
Integrity
27
Key Concepts of Information
Security
Privacy
28
Key Concepts of Information
Security
Identification
30
Key Concepts of Information
Security
Authorization
31
Key Concepts of Information
Security
Accountability
32
Other Key Terms
33
Key Terms
Attack: deliberate act that exploits a vulnerability to
achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an
organization’s information or physical asset
Exploit: technique or mechanism used to compromise a
system
Vulnerability: identified weakness of a controlled system in
which necessary controls are not present or are no longer
effective
Threats to Information Security
Some Common Attacks
Malicious code Spoofing
Hoaxes Man-in-the-middle
Back doors Spam
Password crack Mail bombing
Brute force Sniffer
Dictionary Social engineering
Denial-of-service Buffer overflow
(DoS) and distributed Timing
denial-of-service
(DDoS)
Attacks
An attack is the deliberate act that exploits
vulnerability
It is accomplished by a threat-agent to damage or
steal an organization’s information or physical
asset
An exploit is a technique to compromise a system
A vulnerability is an identified weakness of a controlled
system whose controls are not present or are no longer
effective
An attack is then the use of an exploit to achieve the
compromise of a controlled system
37
Malicious Code
This kind of attack includes the
execution of viruses, worms, Trojan
horses, and active web scripts with
the intent to destroy or steal
information
The state of the art in attacking
systems in 2002 is the multi-vector
worm using up to six attack vectors
to exploit a variety of vulnerabilities
in commonly found information
system devices
38
39
Attack Descriptions
IP Scan and Attack – Compromised system scans random or local
range of IP addresses and targets any of several vulnerabilities
known to hackers or left over from previous exploits
Web Browsing - If the infected system has write access to any Web
pages, it makes all Web content files infectious, so that users who
browse to those pages become infected
40
Attack Descriptions
Unprotected Shares - using file shares to copy viral component to
all reachable locations
41
Attack Descriptions
Back Doors - Using a known or previously unknown and newly discovered
access mechanism, an attacker can gain access to a system or network
resource
42
Attack Descriptions
Denial-of-service (DoS) –
attacker sends a large number of connection or information requests to a target
so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
may result in a system crash, or merely an inability to perform ordinary
functions
43
44
Attack Descriptions
Spoofing - technique used to gain unauthorized access
whereby the intruder sends messages to a computer with an
IP address indicating that the message is coming from a
trusted host
48
Attack Descriptions
“People are the weakest link. You can have the
best technology; firewalls, intrusion-detection
systems, biometric devices ... and somebody can
call an unsuspecting employee. That's all she
wrote, baby. They got everything.”
49
Attack Descriptions
Buffer Overflow –
application error occurs when more data is sent to a
buffer than it can handle
when the buffer overflows, the attacker can make the
target system execute instructions, or the attacker can
take advantage of some other unintended consequence
of the failure
Usually the attacker fill the overflow buffer with
executable program code to elevate the attacker’s
permission to that of an administrator.
50
Attack Descriptions
Ping of Death Attacks --
A type of DoS attack
Attacker creates an ICMP packet that is larger than the
maximum allowed 65,535 bytes.
The large packet is fragmented into smaller packets and
reassembled at its destination.
Destination user cannot handle the reassembled
oversized packet, thereby causing the system to crash or
freeze.
51
Attack Descriptions
Timing Attack –
relatively new
works by exploring the contents of a web browser’s
cache
can allow collection of information on access to
password-protected sites
another attack by the same name involves attempting to
intercept cryptographic elements to determine keys and
encryption algorithms
52
Summary
Unlike any other aspect of IT, information security’s primary mission to ensure
things stay the way they are
Information security performs four important functions:
Protects organization’s ability to function
Enables safe operation of applications implemented on organization’s IT
systems
Protects data the organization collects and uses
53
Summary
54
Summary
55
Summary
56