Information Security: Is it an Art or a Science?
by Pankaj Rane, Research Associate (IDRBT)
AGENDA
- What is Security?
- What is Information Security?
- Brief History: Information Security
- Present Day: InfoSec
- Why InfoSec is important?
- What is Information Assurance?
- Security Services
- Information States
- Security Countermeasures
- Prevention, Detection, Response
- References
WHAT IS SECURITY?
“The quality or state of being secure: to be free from danger”
To be protected from adversaries.
A successful organization should have multiple layers of security in place:
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
Fig. 1: Spheres of security
WHAT IS INFORMATION SECURITY ?
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
Tools, such as policy, awareness, training, education, and technology are necessary
The C.I.A. triangle was the standard based on Confidentiality, Integrity, and Availability
C.I.A. Triangle
BRIEF HISTORY OF INFORMATION SECURITY
Computer security began immediately after the first mainframes were developed
Groups developing code-breaking computations during World War II created the first modern computers
Physical controls were needed to limit access to authorized personnel to sensitive military locations
Only limited controls were available to defend against physical theft, espionage, and sabotage
The "Enigma" machines, which scramble messages into codes, were best known for their use by the German military during WWII.
Many models were made and there were complex additions to the machines during the war, but British code breakers managed to crack the "Enigma" code.
PRESENT DAY : INFORMATION SECURITY
The Internet has brought millions of computer networks into communication with each other – many of them unsecured
The ability to secure each network is now influenced by the security of every computer to which it is connected
WHY INFORMATION SECURITY IS IMPORTANT ?
Governments, commercial businesses, and individuals are all storing information electronically: compact, instantaneous transfer, easy access
The ability to use information more efficiently has resulted in a rapid increase in the value of information
Information stored electronically faces new and potentially more damaging security threats: it can potentially be stolen from a remote location, and it is much easier to intercept and alter electronic communication than its paper-based predecessors
WHAT IS INFORMATION ASSURANCE ?
The act of ensuring that data is not lost when critical issues arise.
These issues include natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost.
A common method of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.
SECURITY SERVICES:
WHAT TYPES OF PROBLEMS CAN OCCUR?
- Confidentiality
- Integrity
- Availability
- Authentication
- Non Repudiation
CONFIDENTIALITY
“the assurance that information is not disclosed to unauthorized persons, processes or devices.”
INTEGRITY
“the assurance that data can not be created, changed, or deleted without proper authorization”
AVAILABILITY
“Timely, reliable access to data and information services for authorized users.”
AUTHENTICATION
“Designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information”
NON-REPUDIATION
“The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data”
Examples where non-repudiation is lacking include:
- An online shopper purchases and downloads a software package, but later claims he never downloaded it.
- An online shopper purchases and downloads a software package that later turns out to be corrupted, and then finds out that the seller was not who he expected but a “man in the middle”.
INFORMATION STATES:
WHERE IS THE DATA?
- Transmission
- Storage
- Processing
TRANSMISSION
Time in which the data is in transit between processing/process steps.
STORAGE
Time during which data is on a persistent medium such as a hard drive or tape.
PROCESSING
Time during which the data is actually in the control of a processing step.
Fig. NSTISSC Security Model
SECURITY COUNTERMEASURES:
WHO CAN ENFORCE / CHECK SECURITY?
- People
- Policy and Practice
- Technology
PEOPLE
The heart and soul of secure systems.
Awareness, literacy, training, education in sound practice.
Must follow policy and practice or the systems will be compromised no matter how good the design!
Both strength and vulnerability.
POLICY AND PRACTICE
- System users
- System administrators
- Software conventions
- Trust validation
TECHNOLOGY
Evolves rapidly
- Crypto systems
- Hardware
- Software
- Network: firewalls, routers, intrusion detection, other…
- Platform: operating systems, transaction monitoring, other…
Especially vulnerable to misconfiguration and other “human” errors.
PREVENTION
Establishment of policy and access control
- who: identification, authentication, authorization
- what: granted on a “need-to-know” basis
Implementation of hardware, software, and services
- users cannot override
- unalterable (attackers cannot defeat security mechanisms by changing them)
Examples of preventative mechanisms:
- passwords: prevent unauthorized system access
- firewalls: prevent unauthorized network access
- encryption: prevents breaches of confidentiality
- physical security devices: prevent theft
Maintenance
PREVENTION IS NOT ENOUGH!
Bruce Schneier, Counterpane Internet Security, Inc.
Prevention systems are never perfect.
No bank ever says: "Our safe is so good, we don't need an alarm system."
No museum ever says: "Our door and window locks are so good, we don't need night watchmen."
Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.
DETECTION
Determine that either an attack is underway or has occurred, and report it
- Real-time monitoring, or as close to it as possible
- monitor attacks to provide data about their nature, severity, and results
Intrusion verification and notification
- intrusion detection systems (IDS)
- typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack
- example: denial of access to a system when a user repeatedly enters an incorrect password
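The lockout example above (denying access after repeated incorrect passwords) as an added Python illustration, not part of the original slides: a small detector that reads constructed sshd-style log lines, counts failed logins per user inside a sliding time window, and raises an alert once the threshold is reached. The log format, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01 09:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01 09:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01 09:00:09 sshd: Failed password for alice from 203.0.113.5
2024-03-01 09:00:12 sshd: Accepted password for bob from 198.51.100.7
2024-03-01 09:00:15 sshd: Failed password for alice from 203.0.113.5
2024-03-01 09:00:20 sshd: Failed password for alice from 203.0.113.5
2024-03-01 09:30:00 sshd: Failed password for carol from 192.0.2.9
2024-03-01 09:45:00 sshd: Failed password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return (alerts, locked_users).

    An alert is raised the moment a user accumulates `threshold` failed
    logins inside a sliding window of `window_seconds`; the user is then
    treated as locked (the "denial of access" response from the slide).
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts, locked = [], set()
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines the parser does not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        if m["result"] == "Accepted":
            failures[user].clear()   # a successful login resets the counter
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            alerts.append((m["ts"], user, m["ip"], len(q)))
    return alerts, locked
```

Run on the sample, alice trips the threshold at 09:00:20 while carol's two widely spaced failures never do; shrinking the window to 10 seconds clears alice as well, which shows why the window is as important a tuning knob as the count.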
RESPONSE
Stop/contain an attack: must be timely!
- incident response plan developed in advance
Assess and repair any damage
Resumption of correct operation
Evidence collection and preservation: very important
- identifies vulnerabilities
- strengthens future security measures