CRYPTOGRAPHY - PowerPoint PPT Presentation

CRYPTOGRAPHY Ch 4: A Model for Information Security Planning Mohammed Minhajuddin Khan – PowerPoint PPT presentation

Number of Views:145
Avg rating:3.0/5.0
Slides: 16
Provided by: FacS156
Learn more at: http://orion.neiu.edu
Category:

less

Transcript and Presenter's Notes

Title: CRYPTOGRAPHY


1
CRYPTOGRAPHY
  • Ch 4 A Model for Information Security Planning
  • Mohammed Minhajuddin Khan

2
Topics
  • Information System Architecture and Design Layer
      • Specifies the information system security measures.
      • An information system is the combination of systems,
        networks, service applications, and underlying
        telecommunication services.
      • Information systems security depends on how the
        underlying architecture is designed and
        implemented.
  • Web Services Protection Layer
      • Specifies the information system security measures
        for this layer.
      • The use of the Internet and open systems creates
        the need to secure this layer of services that
        interact with the Web.
  • The Eight Ps of Security Layer
      • Addresses the soft side of information security.
      • This layer is concerned with people.

3
INFORMATION SYSTEM ARCHITECTURE AND DESIGN LAYER
  • This level generally operates in an open
    environment, so we cannot expect choke-point
    security by default. The information security
    specialist should be concerned with:
  • Creating a choke point, well known as a gateway. It
    should be created to perform screening (screening
    of identity, content checking, malicious
    signatures). These are easy to develop through the
    use of routers.
  • Viruses and worms have long been the misery of
    information security professionals. Virus scanners
    are an option to protect against this nemesis; they
    work by checking information content for a
    malicious signature.
  • Maintaining a posture of least privilege. The idea
    behind the principle of least privilege is to
    minimize the attacker's potential.
  • Understanding the security profile of third-party
    providers. Third-party providers are usually
    high-profile hacker targets. The information
    security specialist should understand the
    provider's security issues and take action to
    protect the organization's information. This is a
    good example of why applying cryptographic methods
    and authentication processes is important.

4
INFORMATION SYSTEM ARCHITECTURE AND DESIGN LAYER
  • Implement event monitoring, intrusion detection,
    and logging systems. Through these systems, law
    enforcement officials may also benefit in the
    investigation of a crime.
  • Develop a permission-based architecture (closed
    architecture). Example: a router, when creating
    access control lists.
  • Extend cryptographic methods for use at the
    network and system level (VPN, SSL, SET, IPsec,
    etc.). These are the crux of this work. By using
    these network encryption services, it is possible
    to form secure tunnels through the open Internet.
  • Secure the information system from both internal
    and external threats. 70% of all computer crime
    originates from within the pool of trusted
    insiders, so security management and corporate
    management should keep a watchful eye on both
    internal and external threats.
  • Create system-level, application-level, and
    network-level tie-ins to the authentication and
    verification system.

5
WEB SERVICES PROTECTION LAYER
  • The web services are browsing simple or complex
    information, file transfer, name and address
    resolution, secure funds transfer, transaction
    processing, and use of the web for private
    communications. Here the information travels over
    a public network, so the cryptographic methods
    that provide secure transactions have to be harder
    to break.
  • Goals to accomplish in this layer:
  • Client-side user privacy. A primary function of
    the web services layer in our security model is
    to prevent attacks.
  • Prevention of inappropriate release of secure
    content by clients.
  • Protection of the web server from being accessed
    in an unauthorized way. This means knowing the
    software flaws or loopholes in a website and using
    methods such as proxy services to secure these
    areas.
  • Prevention of document corruption. Web services
    are all about document access and control. Use
    various cryptographic techniques such as digital
    signatures, code signing, and integrity checking
    to validate the integrity of the document.
  • The primary concern at this layer is with
    attacks against the brand, infiltration of
    client-side systems, springboard attacks,
    denial-of-service attacks, and malware.

6
THE EIGHT Ps OF SECURITY LAYER
  • Information security breaches are most often
    caused by either human error or an inconsistency
    in the implementation of security procedures. By
    developing a plan that is concerned with the 8 Ps
    of information security, planners are likely to
    gain more cooperation and acceptance of the plan.
  • People would like to believe that they can buy
    security off the shelf.
  • Persuading people from all levels to buy into the
    security plan is difficult. Clients need to feel
    secure in the online access provided and need to
    have easy-to-follow procedures for successfully
    executing secure transactions. Any breach can
    lead to a significant attack.
  • Therefore, the outermost layer of the security
    model focuses on encouraging and directing people
    to take the correct actions with regard to
    security.
  • By incorporating these 8 Ps of security into the
    security design, we will have a far greater
    chance of success.

7
THE EIGHT Ps OF SECURITY LAYER
  • People
  • People need guidelines to direct their actions in
    the use of the information and the information
    system.
  • People need to understand the consequences of
    their actions, both technical and non-technical.
  • People need to understand what these attacks are
    and how to prevent them.
  • Caution should be taken when working on a
    non-secure network (through a PDA, notebook, etc.).
  • Using personal firewalls, virus scanners, and safe
    online habits can stop hacker activity.
  • People need to consider how they store, use, and
    transmit information.
  • The cryptographic methods layer works only if
    people apply encryption to information
    requiring confidentiality.

8
THE EIGHT Ps OF SECURITY LAYER
  • Planning
  • Security planning needs to bring all of the
    elements of the planning process together as a
    single, well-thought-out, unified idea.
  • Take into consideration the requirements of the
    organization, a summary of the risk analysis,
    information on the cost-benefit of a security
    design, and current vulnerabilities.
  • The strategy needs to determine the actions that
    will be taken by the crisis-management team,
    users, and management in the event of an attack.
  • Use this section of the plan to build confidence
    in the strategy, not to develop the
    implementation strategy.
  • Finally, the security plan should conclude with
    the policies that apply to each area of the
    security model. Policies should tell us what to
    do, when to do it, and why we are doing something.

9
THE EIGHT Ps OF SECURITY LAYER
  • Policy
  • Policies are categorized, high-level descriptions
    of the security controls put in place in the
    organization.
  • Examples: legal notices regarding use, monitoring,
    trespass, and copyright of information or the
    information system; proper use of company
    resources; requirements for trusted third parties;
    e-mail, Web, and other application access and
    usage; etc.
  • These policies need to be directed at the user
    community and should be specific and easy to
    follow.
  • Policies generally define the rights of the
    employer, employee, user, and guest.
  • The better defined the security policies are, the
    less the concern for legal liability, waste of
    corporate resources, or exposure of confidential
    information.

10
THE EIGHT Ps OF SECURITY LAYER
  • Procedure
  • A procedure provides the technical details of
    enacting a policy/process combination.
  • A procedure should specify how something is
    implemented.
  • Example: a choke point will be created in the
    network using a screening router, with the details
    of constructing the access control list and with a
    fail-safe stance enabled.

11
THE EIGHT Ps OF SECURITY LAYER
  • Process
  • A process defines the actions that should be taken
    by the user community and security professionals
    to enable the workability of the security plan.
  • These processes should complement the policies by
    instructing users regarding the steps they need
    to perform to be compliant with the policy.

12
THE EIGHT Ps OF SECURITY LAYER
  • Product
  • Products are the tools, hardware, and software
    that support the implementation and realization
    of the security plan.
  • Products need to be purchased legitimately and to
    fit the specified plan and policy, not the other
    way around.
  • It is important to understand the product being
    used, with all its pros and cons.
  • By clearly articulating the product functionality
    and limitations, we can better determine if the
    product meets the needs of the plan.

13
THE EIGHT Ps OF SECURITY LAYER
  • Perseverance
  • Perseverance speaks to the drive and heart of the
    information security professional, the
    determination of management, and the spirit of
    the user community.
  • Initially, a security plan may not be completely
    effective. Once a workable plan is in place, quite
    a bit is accomplished by implementing it.
  • Information security takes a long time to burn
    in and settle.
  • After the plan is in place, the information
    security analyst needs to begin monitoring and
    making adjustments accordingly.

14
THE EIGHT Ps OF SECURITY LAYER
  • Pervasiveness
  • Information security is everywhere in the
    organization, not just in the computer memory or
    at the network gateways.
  • Information security success is measured by the
    combination of everyone's actions.
  • By working through the eight Ps, our plan will
    become more acceptable to the user community.
  • People will become more involved in security
    because you will have given them a role to play
    and goals to meet.

15
Question
  • Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve?
    Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne
    Ve jqvtq Yrlna? Savnoyl unbtavsn cqn afyn fo cqvb
    jnrxnbc yvex ve cqrc Yrlna?
  • Who is the weakest link in the security chain?
    Does this weakest link have any role, if so
    then in which Layer? Briefly describe the role of
    this weakest link in that Layer?
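The two bullets on this slide form a known-plaintext pair. The following is an added example, not part of the slide deck: it assumes the first bullet is the second bullet enciphered with a monoalphabetic substitution, recovers the letter table from the pair, and rejects the pair if that assumption does not hold.

```python
# Added example, not part of the slide deck. Assumption: the first bullet of
# the Question slide is the second bullet under a monoalphabetic substitution;
# the known-plaintext pair lets us recover the letter table and check that.

CIPHERTEXT = (
    "Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve? "
    "Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne Ve jqvtq Yrlna? "
    "Savnoyl unbtavsn cqn afyn fo cqvb jnrxnbc yvex ve cqrc Yrlna?"
)
PLAINTEXT = (
    "Who is the weakest link in the security chain? "
    "Does this weakest link have any role, if so then in which Layer? "
    "Briefly describe the role of this weakest link in that Layer?"
)

def recover_key(plain: str, cipher: str) -> dict:
    """Align the pair and return the plain->cipher letter table.

    Raises ValueError if the pair cannot come from one simple substitution:
    a letter enciphered two ways, two letters sharing one ciphertext letter,
    or spacing/punctuation that does not pass through unchanged.
    """
    if len(plain) != len(cipher):
        raise ValueError("lengths differ: not a simple substitution")
    key, inverse = {}, {}
    for p, c in zip(plain.lower(), cipher.lower()):
        if not p.isalpha():
            if p != c:
                raise ValueError(f"non-letter mismatch: {p!r} vs {c!r}")
            continue
        if key.setdefault(p, c) != c:
            raise ValueError(f"{p!r} enciphers to both {key[p]!r} and {c!r}")
        if inverse.setdefault(c, p) != p:
            raise ValueError(f"{c!r} stands for both {inverse[c]!r} and {p!r}")
    return key

def is_reciprocal(key: dict) -> bool:
    """True if every observed pair is symmetric (a->r implies r->a)."""
    return all(key.get(c, p) == p for p, c in key.items())

def apply_key(key: dict, text: str) -> str:
    """Encipher text with the table, keeping case; unmapped letters pass."""
    out = []
    for ch in text:
        sub = key.get(ch.lower(), ch.lower()) if ch.isalpha() else ch
        out.append(sub.upper() if ch.isupper() else sub)
    return "".join(out)
```

The recovered table has 19 entries (the plaintext uses 19 distinct letters), and every pair observed in both directions is symmetric, e.g. a/r, e/n, i/v, l/y.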