Welcome to Information Systems Security (503009)

(1)

Welcome to

Information Systems Security

(503009)

Nguyen Thi Ai Thao

Faculty of Computer Science & Engineering

HCMC University of Technology

(2)

Information Systems Security Chapter 1: Introduction to Information Systems Security 2

Course Outline

2 Week

Lectures

1 Information systems security: basic concepts

2,3

Basic cryptography & key exchange protocols

4 Identification & Authentication

5,6

Discretionary Access Controls

7,8

Mandatory Access Controls

9 Auditing & Accountability

10, 11,

12, 13,

14 Presentations

15 Revision

(3)

References

[1] M. Gertz, S. Jajodia (2008). Handbook of Database

Security: Applications and Trends, Springer Verlag, ISBN

978-0-387-48532-4.

[2] S. Castano, M. Fugini, G. Martella, and P. Samarati

(1995). Database Security, ACM Press &

Addison-Wesley, ISBN 0-201-59375-0.

[3] D.C. Knox (2004). Effective Oracle Database 10g

Security by Design, Oracle Press, ISBN 0-07-223130-0.

[4] T.R. Peltier, J. Peltier, J. Blackley (2005). Information

Security Fundamentals, Auerbach Publications, ISBN

0-8493-1957-9.

[5] W. Mao (2003). Modern Cryptography: Theory and

Practice, 3

rd

Ed., Prentice Hall, ISBN 0-13-066943-1.

(4)

Course Outline - Details

Week

Lectures

References

1 1. Introduction

1.1 Basic concepts

1.2 Picture of DB security

1.3 Framework for DB & Applications security

[1,2,3,4,5]

2 2. Basic cryptography & key exchange protocols

2.1 Cryptography-related concepts

2.2 Key channel

2.3 Perfect encryption

[4,5]

3 2. Basic cryptography & key exchange protocols

2.4 Dolev-Yao threat model

2.5 Protocols

(5)

Course Outline - Details

Week

Lectures

References

4 3. Identification & Authentication

3.1 Introduction

3.2 Identification techniques

3.3 Authentication techniques

3.2 Authentication protocols

[2,3,4]

5 3. Discretionary Access Controls

3.1 Introduction to DAC

3.2 Models for DAC

[2,3,4]

6 3. Discretionary Access Controls

3.3 SQL for Data Control

3.4 DAC & Information Flow Controls

(6)

Course Outline - Details

Week

Lectures

References

7 4. Mandatory Access Control

4.1 Introduction to MAC

4.2 Models for MAC

[2,3,4]

8 4. Mandatory Access Control

4.3 Case study: Oracle Label Security

[2,3,4]

9 5. Auditing & Accountability

5.1 Introduction to Auditing & Accountability

5.2 Techniques to Auditing

5.3 Case study: Auditing in Oracle

[2,3]

10,

11,

12,

13,

14 Presentation

Tbc.

(7)

Assessments



Credits: 3



No mid-term test



Open-book exams

7 Assessment Pattern

%

Presentation 1

15 Presentation 2

15 Assignment

20 Final Examination

50

(8)

Presentation



Group of 2-3 students



Presentation topics:

http://cse.hcmut.edu.vn/~thaonguyen >> Teaching



Register for the presentations:



Send to

[email protected]



Deadline: February 3

rd

, 2015

(9)

Chapter 1:

Introduction to

Information Systems Security

Nguyen Thi Ai Thao

Faculty of Computer Science & Engineering

HCMC University of Technology

(10)

Outline

Picture of DB Security

2 Framework for DB & Applications Security

3 Basic concepts

1 Basic concepts

(11)

Basic Concepts



Data and Information



Information System



Information Security



Information System Security Requirements



Countermeasures

(12)

Basic Concepts - Information Systems Security



Data are plain facts. When data are processed, organized,

structured or presented in a given context so as to make them

useful, they are called Information.

(13)

Basic Concepts - Information Systems Security



Information System refers to a system of people, data

records and activities that process the data and information

in an organization.

Data

Process

(14)

Basic Concepts - Information Systems Security



Information Security means protecting information and

information systems from unauthorized access, use,

(15)

Basic Concepts - Security Requirements



Information System Security Requirements :

Confidentiality

Non-repudiation

Availability

Integrity

(16)

Basic Concepts - Security Requirements



Information System Security Requirements:



Confidentiality: Protection of data from unauthorized

disclosure

Example: In a bank system, preventing a client from finding

out the information of another client, such as balance.



Integrity: Only authorized users should be allowed to modify

data.

Example: In a bank system, preventing a client from changing

his or her balance.

(17)

Basic Concepts - Security Requirements



Information System Security Requirements:



Availability: Making data available to the authorized users

and application programs

Example: In a bank system, ensuring that the invoices are

printed on time as required by law.



Non-repudiation: The ability to prevent the effective denial

of an act.

Example: In a bank system, providing proof of the origin and

delivery of transactions from a client.

(18)

Basic Concepts - Countermeasures



Countermeasures ensures these security requirements for

information systems. There are some countermeasures:



Access control



Inference control



Flow control

(19)

Basic Concepts - Access Control



Access Control: The security mechanism for restricting

access to the database as a whole



Handled by creating user accounts and passwords to control

login process by the Database Management System (DBMS).



Two types of access control system



Closed system

(20)

Basic Concepts – Closed System

Is there a rule

authorizing the

access?

Access request

Access permitted

Access denied

Rules:

authorized

accesses

(21)

Basic Concepts – Opened System

Access permitted

Access denied

Is there a rule

denying the

access?

Access request

Rules:

denied

accesses

Opened system

(22)

Basic Concepts - Inference control



Inference control: The security problem associated with

databases is that of controlling the access to a statistical

database, which is used to provide statistical information or

summaries of values based on various criteria.



The countermeasures to statistical database security problem

is called inference control measures.

(23)

Inference attack

Infer

Access control

Meta data

Non-sensitive

database

Sensitive

database

Access denied

Access permitted

(24)

Inference control

Access control

Meta data

Non-sensitive

database

Sensitive

database

Access denied

Access permitted

INFERENCE

CONTROL

(25)

Basic Concepts - Flow control



Flow control prevents information from flowing in such a

way that it reaches unauthorized users.



Channels that are pathways for information to flow

implicitly in ways that violate the security policy of an

organization are called Covert Channels.



Storage channel

(26)

Convert chanel – Timing Chanel



In Python:

def validate_password(actual_pw,

typed_pw):

if len(actual_pw) <> len(typed_pw):

return 0

for i in len(actual_pw):

if actual_pw[i] <> typed_pw[i]:

return 0

return 1

(27)

Basic Concepts - Encryption



Data encryption refers to mathematical calculations and

algorithmic schemes that transform

plaintext

into

cyphertext

,

a form that is non-readable to unauthorized parties.



Only the user having a correct key can decrypt the

cyphertext, transforming it to the original plaintext version.



Data encryption is used to protect sensitive data (such as

(28)

Basic Concepts



Basic Steps in Access control Process:

Identification

A user presents an identity to the database

Authentication:

The user proves that the identity is valid

Authorization:

What privileges and authorizations the user

has

(29)

Outline

Picture of DB Security

2 Framework for DB & Applications Security

3 Basic concepts

1

(30)

(31)

Các thành phần cần bảo vệ trong một HTTT

Identify &Authenticate

Access control

Auditing & Accountability

Encryption

Design

(32)

Các thành phần cần bảo vệ trong một HTTT

Encryption

Key exchange protocols

(33)

Các thành phần cần bảo vệ trong một HTTT

(34)

Các thành phần cần bảo vệ trong một HTTT

Training

(35)

Outline

Picture of DB Security

2 Framework for DB & Applications Security

3 Basic concepts

1

(36)

Framework for DB & Applications Security

Privacy, Dependable Information Management, Secure

Information Management Technologies, Data Mining and

Security, Digital Forensics, Secure Knowledge Management

Technologies, Secure Semantic Web, Biometrics

Relational DB Security, Distributed/Federated DB Security, Web

DB Security, Object/Multimedia DB Security, Data Warehouse

Security, Inference Problem, Sensor DB and Stream Data

Processing Security

Database Systems, Information Retrieval, Knowledge

Management, Information Management, Information & Computer

Security

(37)