Protection of Information Assets II - PowerPoint PPT Presentation

Slides: 33
Provided by: itt63

Transcript and Presenter's Notes

1
Protection of Information Assets II
  • 25 50 Questions

2
  • Network Infrastructure Security

3
LAN Security
  • Risks
    • Unauthorized changes
    • Dial-in connections
    • Virus
    • License management
    • Spoofing
  • IS auditors need to know
    • LAN topology
    • LAN administrator's functions
    • Groups of LAN users

4
Client/Server Security
  • Disable floppy disk/diskless workstation
  • Network monitoring device
  • Data encryption
  • Authentication
  • Risks and concerns
    • Inherently weak access control
    • Loss of network availability
    • Unauthorized manipulation of resources

5
Internet Threats
  • Disclosure
    • Eavesdrop
  • Masquerade
    • Pretend to be someone else
    • Unauthorized access
  • Loss of integrity
    • Intercept and change data
  • Denial of service
    • Flooded with data/requests

6
Ancient Ciphers to Modern Cryptosystems
  • Cryptography
    • Secures information by encrypting it
    • Transforms data by using a key
      • A string of digits that acts as a password and
        makes the data incomprehensible to those without
        it
  • Plaintext: unencrypted data
  • Ciphertext: encrypted data
  • Cipher or cryptosystem: technique for encrypting
    messages

7
Ancient Ciphers to Modern Cryptosystems
  • Ciphers
    • Substitution cipher
      • Every occurrence of a given letter is replaced by
        a different letter
    • Transposition cipher
      • Shifts the ordering of letters
  • Modern cryptosystems
    • Digital
    • Key length: length of the string used to encrypt and
      decrypt

8
Secret-key Cryptography
  • Secret-key cryptography
    • Same key to encrypt and decrypt message
    • Sender sends message and key to receiver
  • Problems with secret-key cryptography
    • Key must be transmitted to receiver
    • Different key for every receiver
  • Key distribution centers used to reduce these
    problems
    • Generates session key and sends it to sender and
      receiver encrypted with the unique key
  • Encryption algorithms
    • Data Encryption Standard (DES), Triple DES,
      Advanced Encryption Standard (AES)

9
Secret-key Cryptography
  • Encrypting and decrypting a message using a
    symmetric key

[Diagram: Sender encrypts Message Text with the Private Key, giving Ciphered Text; Receiver decrypts with the same Private Key to recover Message Text]
10
Public Key Cryptography
  • Public key cryptography
    • Asymmetric: two inversely related keys
      • Private key
      • Public key
    • If the public key encrypts, only the private key can
      decrypt, and vice versa
    • Each party has both a public and a private key
    • Either the public key or the private key can be
      used to encrypt a message
    • Encrypted with both a public key and a private key
      • Proves identity while maintaining security
    • RSA: public key algorithm

11
Public Key Cryptography
[Diagram: Sender encrypts Message Text with the Public Key of Recipient, giving Ciphered Text; Receiver decrypts with the Private Key of Recipient to recover Message Text]
12
Key Agreement Protocols
  • Key agreement protocol
    • Process by which parties can exchange keys
    • Use public-key cryptography to transmit symmetric
      keys
  • Digital envelope
    • Encrypted message using symmetric key
    • Symmetric key encrypted with the public key
    • Combination of symmetric and public key
      encryption
  • Digital signature

13
Key Agreement Protocols
[Diagram: Sender encrypts Message Text with a Session Key, giving Ciphered Text, and places the Session Key in a Digital Envelope encrypted with the Public key of Recipient; Receiver recovers the Session Key from the Digital Envelope and decrypts Ciphered Text back to Message Text]
14
Key Management
  • Key management
    • Handling and security of private keys
  • Key generation
    • The process by which keys are created
    • Must be truly random

15
Digital Signatures
  • Digital signature
    • Authenticates sender's identity
    • Run plaintext through hash function
      • Gives message a mathematical value called hash
        value
      • Hash value also known as message digest
    • Encrypt message digest with private key
    • Send signature, encrypted message (with
      public key) and hash function
  • Timestamping
    • Binds a time and date to message, addresses
      non-repudiation

16
Digital Signature
[Diagram: Sender signs Message Text with the Private Key of Sender, producing a Signature, and encrypts Message Text with the Public Key of Recipient, giving Ciphered Text; Receiver decrypts with the Private Key of Recipient and checks the Signature with the Public Key of Sender]
17
PKI, Certificates and Certification Authorities
  • Public Key Infrastructure (PKI)
    • Integrates public key cryptography with digital
      certificates and certification authorities
  • Digital certificate
    • Digital document issued by certification
      authority
    • Includes name of subject, subject's public key,
      serial number, expiration date and signature of
      trusted third party
  • Verisign (www.verisign.com)
    • Leading certificate authority
  • Periodically changing key pairs helps security

18
Cryptanalysis
  • Cryptanalysis
    • Trying to decrypt ciphertext without knowledge of
      the decryption key
    • Try to determine the key from ciphertext
  • 128-bit encryption almost unbreakable
  • 256-bit encryption NOT allowed to be exported

19
  • Auditing Network Infrastructure Security

20
Auditing Internet Connections
  • Review network diagrams
  • Remote access security
  • Firewall
    • Deny services except those explicitly permitted
  • Filter dial-in access
  • Updates and patches done periodically
  • Internet presence
    • Make business sense?

21
Development and Change Control
  • Firewalls
  • Routers
  • Bridges
  • Gateways
  • Application software
  • Web pages

22
Logical Security
  • Intrusion detection software in place
  • Filtering is performed
  • Encryption is used
  • Virus scanning is used
  • Audit logging is undertaken (firewalls, routers,
    etc.)
  • Security administrators regularly review outside
    reports of Internet security breaches

23
  • Environmental Exposures and Controls

24
Environmental Issues and Exposures
  • Fire
  • Natural disasters
  • Power failure
  • Air conditioning failure
  • Electrical shock
  • Equipment failure
  • Water damage/flooding
  • Bomb threat/attack

25
Controls for Environmental Exposures
  • Water detectors
    • Under raised floor and near drain holes
  • Hand-held fire extinguishers
    • Located strategically, inspected regularly
  • Manual/hand-pull fire alarms
  • Smoke detectors
    • Above and below ceiling tiles and below raised
      floor

26
Controls for Environmental Exposures
  • Fire suppression systems
    • Water-based/sprinkler
      • Effective but unpopular
    • Dry-pipe
      • Not charged
    • Halon
      • Inert, does NOT damage equipment
      • NOT environmentally friendly
    • CO2
      • NOT human-friendly

27
Controls for Environmental Exposures
  • Fireproof walls, floors and ceilings
  • Electrical surge protectors
  • UPS (uninterruptible power supply)
  • Emergency power-off switch
    • In and outside computer room

28
  • Physical Access Exposures and Controls

29
Physical Access Exposures
  • Unauthorized entry
  • Damage or vandalism
  • Public disclosure
  • Blackmail
  • Possible perpetrators
    • Former employees
    • Threatened by disciplinary action/dismissal
    • Addicted to gambling

30
Physical Access Controls
  • Bolting door locks
  • Cipher locks
  • Electronic door locks
  • Biometric door locks
  • Manual/electronic logging
  • Identification badges
  • Video cameras
  • Security guards

31
Physical Access Controls
  • Controlled visitor access
  • Deadman doors
  • Not advertising location of sensitive facilities
  • Computer terminal locks
  • Controlled single entry point
  • Alarm system
  • Secured report/document distribution cart

32
  • END