• No results found

Basic Concepts of Information Security

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Basic Concepts of Information Security"

Copied!
38
0
0

Loading.... (view fulltext now)

Download now ( 38 Page )

Full text

(1)

Basic Concepts of

Information Security

Timo Kiravuo

Helsinki University of Technology

Telecommunication Software and Multimedia Laboratory

Based on slides by:

(2)

Security, why

• Protect valuable assets • Compliance with laws

• Meet the customer requirements • Prevent breakdowns in production • Keep personnel happy

(3)

Confidentiality- Luottamuksellisuus

• Secrecy of information

• Who is allowed to know something • Bell-LaPadula –model

• A real property of information

– Classification must be the same every place the same information is processed

(4)

Availability – Käytettävyys

(Saatavuus)

• Availability of service (information)

• What is the maximum time delay for getting service

• Sometimes probability of not losing information • Some close areas

– availability – reliability – usability

• A property of the system

– The same information may have different classification in different systems

(5)

Integrity - Eheys

• The meaning of integrity has changed during time • Originally integrity in transactions

– There must been no partial transactions

• Now much broader definition

– Data was correct in the beginning

– All changes have be legal, accountable and correct – Data is still correct

• Accountability is usually required to maintain integrity

(6)

Threat – Uhka

• Something harmful that may happen

• Possibility to happen is the numerical value of a threat

• Examples

– Fire

– Death of key person – Malfunction of hard disk – Cracker breaking in

(7)

Risk - Riski

• The expectancy of a threat • Two components

– Threat (probability) – Damage (amount)

(8)

Vulnerability - Haavoittuvuus

• Weakness in the information system

– Makes it possible for a threat to occur – Increase probability of a threat

– Increase damage

• Examples

– Weak passwords – Weak encryption

– No secondary power supply – A backdoor in the system

(9)

From Threat to Risk

Threat Vulnerability Loss

Risk Eliminate risk Minimize risk Accept risk

(10)

The Balance between

Risks and Costs

Total cost

Resources to avoid an accident Cost of risk Minimal costs Costs of avoiding accidents Costs of accidents

(11)

Data protection – Tietosuoja

• Privacy protection is a civil right in many countries including Finland

• Restriction on gathering personal information

– What kind of information – From whom

– How to use information – How to protect information

(12)

Protocol - Protokolla

• A formal description of discussion • Vocabulary

• Order of words

• How to do handshake

(13)

AAA

• Authentication - Todennus

– Mechanism for confirming the identity of user and integrity and authenticity of information

• Authorization – Valtuutus

– Who is allowed to do what

• Accountability – Kohdennettavuus

– It is possible afterward to find out who has made any operations

• Identification – Tunnistus

– Connects a user to the real person

– Usually additional authentication is needed to verify the identity

(14)

Anonymity - Anonymiteetti

• An entity can not be identified

– Protects the privacy of the entity

• Can still be authorized to perform actions

– By using e.g. certificates

– E.g. when you buy something and pay only cash, the transaction is anonymous, but authorized

• This can often be a design requirement

(15)

Pseudonymity -pseudonymiteetti

• We can authenticate and entity and connect it to previous occurances, but we can not identify the person connected to the pseudonym

– E.g. web cookies

• Using the same pseudonym in different situations can lead to identification of the entity

(16)

Nonrepudiation

-Kiistämättömyys

• It is not possible for a user to afterward deny an operation he has made

• Methods

– Electronic signature – Trusted Third Party – Time Stamps

(17)

Classification

• Classification – Luokittelu

– Labeling sensitive information – CIA-model

– (Confidentiality, Integrity, Availability)

• Clearance – Luokittelu

(18)
(19)

The Assets

• Everything required for production • Everything valuable

• All good reputation • Investments

(20)

Material

• Production – Buildings – Machinery – Raw material – Stocks • Valuables – Money – Art • Other investments – Cars

(21)

People

• Production – Skilled workers • Information – Databank • Reputation – Value itself

(22)

Information

• Production – Prints – Orders • Corporate management – Plans – Customer information – Personnel information • Investments – Databases • Compliance – Bookkeeping – Privacy

(23)

Reputation

• Good manufacturer – No malfunctions – No faulty products • Good neighbor – Environmental protection – Safe traffic • Good employer – Safety in work

(24)

Security Management

• Set the goals

• Define the security level

• Define the acceptance of risk • Define protection principles

(25)

Security Policy

• A high level statement

• Defines the baseline security • Defines the acceptable risk • Defines protection principles • Basic document

(26)

Legislation and security

• Assets may be protected by legislation

– An intruder is a criminal and will be punished

• Special capabilities are guaranteed to protect assets

(27)

Baseline Security

• The minimal required security level • The procedures to protect others • Usually more is required

– Production – Customers – Legislation

(28)

Asset Management

• Recognize the important assets • Classification

(29)

Physical Security

• Security domains

• Protection prevents outsiders from intruding

– Fences, walls – Guards

• Authenticate the insiders

– Keys, access control

• Detection

– Alarms

– Delay in detection – Precision of detection

• Active response

– Time to reach the site

(30)

How much is enough

• S(Tp + Tg) > Ta + Tt

– Tp time to go through a passive barrier – Tg time to go to the next barrier

– Ta delay in alarm

(31)

The Goal of Physical Security

• People in the domain may work efficiently

– All the people are authenticated – All the people are trusted

– No outsiders to look after

• Good working conditions

– Safety

– Fire prevention

• Don’t prevent or disturb working of authenticated people

(32)

Personnel Security

• Accepts insiders – Background checking • Prevents accidents – Education • Preserves motivation – Personnel management • Personnel lifecycle

(33)

Operational Security

• Job management

– Enough people

– Possibility to work in a secure way

• Safety procedures

– Safe working conditions

• Sharing of duties • Key persons

(34)

Information Technology Security

• Computer security

• Communication security • Security domains

• Protection against outsiders • Authentication of insiders • Notification of intrusion

(35)

Security in a Modern Organization

• Security requirements are part of management • The lower level in hierarchy must meet the

requirements of higher level

• The higher level must accept the cost of security • Management in each level has to make decisions

(36)

Security in Outsourcing

• Security requirements as part of the service • Defined in contracts

• Evaluation, certification

• Costs are part of the service

– Service provider has to be able to include the costs in the price

(37)

Security Costs

• Part of normal operational costs • Have to take into accounting when

– calculate the investments – pricing products

(38)

Conclusion

• Security is a prevention of incidents which may cause losses to the organization

• Security is optimization between losses and costs of protection

References

Download now ( PDF - 38 Page - 1.31 MB )

Related documents

INFORMATION SECURITY STUDY

Endpoint Security Firewall Keeping Up With New Technology Mobile Device Security Patch Management Risk Assessment Tool Management Security Organiza Incident Response ti on

The Economic Incentives for Sharing Security Information

We assume that the cost of investing in improved security technology depends upon the firm’s own investment level as well as the level of security chosen by the competitor and

Media. Information intelligent. security intelligence that transcends borders. PUBLICATION

T Intelligent CISO provides security officers with the latest information and intelligence to help them make important, informed decisions?. Our integrated platforms enable

Using the Information Security Index to Measure University Information Security Management : Concepts and Strategies

The result of this research is information security index will evaluate an organization based on six area that is: ICT Roles, Information Security Governance, Information

ECE 297:11 - Lecture 1. Security Services. Basic Concepts of Cryptology. Security Threats and Security Services. Need for information security

Relations among security services INTEGRITY AUTHENTICATION NON-REPUDIATION CONFIDENTIALITY Basic Concepts of Cryptology CRYPTOLOGY CRYPTOGRAPHY CRYPTANALYSIS from Greek?. cryptos

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Policy Procedures Plans Security | Culture Top Management Middle Management Operation Level... Why manage

ACCT 5121 SECTION P ADVANCED CONCEPTS II COURSE OUTLINE WINTER 2021

3.3.2 Evaluates and applies cost management techniques appropriate for specific costing decisions. 3.3.4 Recommends cost management improvements across

Basic Airport Security Awareness

Security practices will become more effective and working together as a TEAM, we make Mineta San Jose International Airport secure. BE COMMITTED