Module 2 Security Methodology - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Module 2 Security Methodology
  • Modified by Ahmad Al Ghoul
  • Philadelphia University
  • Faculty Of Administrative & Financial Sciences
  • Business Networking & System Management
    Department
  • Room Number 32406
  • E-mail Address ahmad4_2_69_at_hotmail.com

2
Some standards bodies
  • IETF (the Internet Engineering Task Force)
  • AES (the Advanced Encryption Standard)
  • ETSI (the European Telecommunications Standards
    Institute)
  • IEEE (the Institute of Electrical and Electronics
    Engineers)
  • ISO (the International Standard Organization)

3
The 10 Major Headings
  • Security Policy
  • Security Organisation
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environmental Security
  • Operational Management
  • Access Control
  • Systems Development and Maintenance
  • Business Continuity Management
  • Compliance

4
International Standards
  • International Standards in Information Security
    are developed by Security Techniques Committee
    ISO/IEC JTC 1 SC 27
  • Three Areas
  • WG 1 - Security Management
  • WG 2 - Security Algorithms/Techniques
  • WG 3 - Security Assessment/Evaluation

5
Participating Members
  • SAI Australia
  • IBN Belgium
  • ABNT Brazil
  • SCC Canada
  • CSBTS/CESI China
  • CSNI Czech Rep
  • DS Denmark
  • SFS Finland
  • AFNOR France
  • DIN Germany
  • MSZT Hungary
  • BIS India
  • UNINFO Italy
  • JISC Japan
  • KATS Korea, Rep of
  • DSM Malaysia
  • NEN Netherlands
  • NTS/IT Norway
  • PKN Poland
  • GOST R Russian Fed
  • SABS South Africa
  • AENOR Spain
  • SIS Sweden
  • SNV Switzerland
  • BSI UK
  • DSTU Ukraine
  • ANSI USA

6
WG 1 Security Management
  • Two key standards
  • Guidelines for Information Security Management
    (GMITS) (TR 13335)
  • Code of Practice for Information Security
    Management (IS 17799)
  • Other standards
  • Guidelines on the use and management of trusted
    third parties (TR 14516)
  • Guidelines for implementation, operation and
    management of Intrusion Detection Systems (WD
    18043)
  • Guidelines for security incident management (WD
    18044)

7
WG 2 Security Techniques
  • There are International Standards for
  • Encryption (WD 18033)
  • Modes of Operation (IS 8372)
  • Message Authentication Codes (IS 9797)
  • Entity Authentication (IS 9798)
  • Non-repudiation Techniques (IS 13888)
  • Digital Signatures (IS 9796, IS 14888)
  • Hash Functions (IS 10118)
  • Key Management (IS 11770)
  • Elliptic Curve Cryptography (WD 15946)
  • Time Stamping Services (WD 18014)

8
WG 3 Security Evaluation
  • Third Party Evaluation
  • Criteria for an independent body to form an
    impartial and repeatable assessment of the
    presence, correctness and effectiveness of
    security functionality
  • Common Criteria (CC) (IS 15408)

9
Common Criteria
  • Produced by a consortium of Government bodies in
    North America / European Union
  • Mainly National Security Agencies
  • Influenced by International Standardisation
    committee
  • Adopted as International Standard 15408
  • Adopted and recognised by other major Governments
  • All EU, Australia, Japan, Russia

10
  • Security Architecture
  • For end-to-end communications

11
Security Architecture for End-to-End Communications
12
  • Authentication is the process of confirming a
    user's identity.
  • Authentication is one of the basic building
    blocks of computer security. It is achieved
    through the execution of an authentication
    protocol between two or more parties. One such
    protocol, the Secure Socket Layer (SSL) protocol
  • Authorization determines what services and access
    a user is authorized for.

13
Authentication
  • 3 types of authentication
  • Something you know - Password, PIN, mother's
    maiden name, passcode
  • Something you have - ATM card, smart card, token,
    key, ID badge, driver license, passport
  • Something you are - Fingerprint, voice scan, DNA

14
  • Authentication is a process in which a system
    identifies a user. Access control determines what
    is permitted after authentication. Authentication
    is often closely tied to the concept of accounts,
    which are, generically, a set of information tied
    to a unique identifier. This information usually
    comprises the data needed to let someone use
    system resources. For example, it provides the
    location of the user's personal files or the
    user's real name.

15
Models Access Control
  • What is access control?
  • Limiting who is allowed to do what
  • What is an access control model?
  • Specifying who is allowed to do what

16
What is access control?
  • Access control is the heart of security
  • Definitions
  • The ability to allow system or resource access
    only to authorized users, programs or processes
  • The granting or denying, according to a
    particular security model, of certain permissions
    to access a resource
  • An entire set of procedures performed by
    hardware, software and administrators, to monitor
    access, identify users requesting access, record
    access attempts, and grant or deny access based
    on pre-established rules.

17
How can AC be implemented?
  • Hardware
  • Software
  • Application
  • Protocol (Kerberos, IPSec)
  • Physical
  • Logical (policies)

18
What does AC hope to protect?
  • Data - Unauthorized viewing, modification or
    copying
  • System - Unauthorized use, modification or denial
    of service
  • It should be noted that nearly every network
    operating system (NT, Unix, Vines, NetWare) is
    based on a secure physical infrastructure

19
Access control lists (ACL)
  • A file used by the access control system to
    determine who may access what programs and files,
    in what method and at what time
  • Different operating systems have different ACL
    terms
  • Types of access
  • Read/Write/Create/Execute/Modify/Delete/Rename
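
The ACL definition above (who may access what, in what method, at what time) worked through as an added example; it is not part of the original slides. The users, the file path and the entry layout are hypothetical, and anything not listed is denied by default.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AclEntry:
    subject: str          # who
    resource: str         # what program or file
    methods: frozenset    # in what method (read, write, execute, ...)
    start: time           # at what time: window start (inclusive)
    end: time             # window end (exclusive)

def entry(subject, resource, methods, start, end):
    return AclEntry(subject, resource, frozenset(methods),
                    time.fromisoformat(start), time.fromisoformat(end))

# Constructed sample ACL; users and paths are hypothetical.
ACL = [
    entry("alice",  "/payroll/ledger.db", {"read", "write", "modify"}, "08:00", "18:00"),
    entry("bob",    "/payroll/ledger.db", {"read"},                    "08:00", "18:00"),
    entry("backup", "/payroll/ledger.db", {"read"},                    "22:00", "04:00"),
]

def in_window(now, start, end):
    if start <= end:
        return start <= now < end
    return now >= start or now < end   # window wraps past midnight

def is_allowed(acl, subject, resource, method, at):
    """Default deny: grant only if one entry matches who, what, how and when."""
    now = time.fromisoformat(at)
    return any(e.subject == subject and e.resource == resource
               and method in e.methods and in_window(now, e.start, e.end)
               for e in acl)

if __name__ == "__main__":
    for who, how, at in [("alice", "write", "09:30"), ("alice", "write", "19:00"),
                         ("bob", "write", "09:30"), ("backup", "read", "02:00"),
                         ("mallory", "read", "09:30")]:
        verdict = "ALLOW" if is_allowed(ACL, who, "/payroll/ledger.db", how, at) else "DENY"
        print(f"{at} {who:8} {how:6} -> {verdict}")
```

The same request can be allowed or denied depending only on the time of day, which is why the time window is evaluated together with subject, resource and method rather than as a separate check.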

20
Defending Against Threats
  • When talking about information security,
    vulnerability is a weakness in your information
    system (network, systems, processes, and so on)
    that has the greatest potential of being
    compromised. There might be a single
    vulnerability, but typically there are a number
    of them. For instance, if you have five servers
    that have the latest security updates for the
    operating system and applications running, but
    have a sixth system that is not current, the
    sixth system would be considered a vulnerability.
    Although this would be a vulnerability, it would
    most likely not be the only one. To defend
    against threats, you must identify the threats to
    your C-I-A triad, determine what your
    vulnerabilities are, and minimize them.

21
Building a Defense
  • When building a defense, you should use a layered
    approach that includes securing the network
    infrastructure, the communications protocols,
    servers, applications that run on the server, and
    the file system, and you should require some form
    of user authentication.
  • When you configure a strong, layered defense, an
    intruder has to break through several layers to
    reach his or her objective. For instance, to
    compromise a file on a server that is part of
    your internal network, a hacker would have to
    breach your network security, break the server's
    security, break an application's security, and
    break the local file system's security. The
    hacker has a better chance of breaking one
    defense than of breaking four layers of defense.

22
Methods of Defense
  • Having controls does no good unless they are used
    properly. The following are some factors that
    affect the effectiveness of controls.
  • Effectiveness of Controls
  • Awareness of Problem
  • Likelihood of Use: the suitable and effective use
  • Overlapping Controls: combinations of controls
    could be provided to one exposure.
  • Periodic Review: few controls are permanently
    effective. When we find a way to secure assets,
    the opposition doubles its efforts in an effort
    to defeat the security mechanism. Thus,
    judging the effectiveness of a control is an
    ongoing task.

23
  • Principle of Effectiveness
  • Controls must be used to be effective. They must
    be efficient, easy to use, and appropriate.

24
Methods of Defense
  • Controls
  • In this section we will study some security
    control tools that attempt to prevent
    exploitation of the vulnerabilities of a computing
    system.
  • Encryption
  • Software Controls
  • Internal program controls (database): parts of
    the program that enforce security restrictions,
    such as access limitations in a database
    management program.
  • Operating system controls: limitations enforced
    by the system to protect each user from all other
    users.
  • Development controls: quality standards under
    which a program is designed, coded, tested, and
    maintained.

25
Methods of Defense
  • Hardware Controls
  • use the devices which have been invented to
    assist in computer security (e.g. smart card)
  • Hardware security modules (HSM) perform
    cryptographic operations, protected by hardware
    (PCI boards, SCSI boxes, smart cards, etc.)
  • These operations include
  • Random number generation
  • Key generation (asymmetric and symmetric)
  • Private key hiding (security) from attack (no
    unencrypted private keys in software or memory)
  • Private keys used for signing and decryption
  • Private keys used in PKI for storing Root Keys

26
Methods of Defense
  • Policies
  • Operation policy: some of the simplest controls,
    such as changing the password frequently, can be
    achieved at essentially no cost but with
    tremendous effect.
  • Legal and ethical controls: the law is slow to
    evolve, and the technology involving computers
    has emerged suddenly, although legal protection
    is necessary and desirable.
  • The area of computer ethics is unclear. It is not
    that computer people are unethical, but rather
    that society in general and the computing
    community in particular have not adopted formal
    standards of ethical behavior. Some organizations
    are attempting to devise codes of ethics for
    computer professionals.
  • Physical Controls
  • Some of the easiest, most effective, and least
    expensive controls are physical controls: locks
    on doors, a guard at the entry point, backups, etc.

27
Basic Encryption and Decryption
  • Encryption and Decryption
  • encryption: a process of encoding a message so
    that its meaning is not obvious
  • decryption: the reverse process
  • encode (encipher) vs. decode (decipher)
  • encoding: the process of translating entire words
    or phrases to other words or phrases
  • enciphering: translating letters or symbols
    individually
  • encryption: the group term that covers both
    encoding and enciphering

28
What is Encryption?
29
What is Encryption?
30
Plaintext vs. Ciphertext
  • Plaintext vs. Ciphertext
  • P (plaintext): the original form of a message
  • C (ciphertext): the encrypted form
  • Basic operations
  • plaintext to ciphertext (encryption): C = E(P)
  • ciphertext to plaintext (decryption): P = D(C)
  • requirement: P = D(E(P))

31
Encryption Strategy
  • Provide confidentiality of communications
  • Ensure integrity of information
  • Enhance Authentication
  • Provide for non-repudiation of sender or receiver

32
Encryption with key
  • encryption key: KE
  • decryption key: KD
  • C = E(KE, P)
  • P = D(KD, E(KE, P))

33
Encryption with key
  • Symmetric Cryptosystem: KE = KD
  • Asymmetric Cryptosystem: KE ≠ KD
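
The requirement P = D(KD, E(KE, P)) checked for both kinds of cryptosystem, as an added example that is not part of the original slides. It assumes a teaching-only symmetric construction (an HMAC-SHA256 keystream, no integrity protection) and textbook RSA with tiny constructed primes; all function names are hypothetical and neither scheme is fit for real data.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, used here only as a teaching keystream."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def sym_encrypt(ke, p):
    """C = E(KE, P): a fresh nonce is prepended so equal messages differ."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(p, _keystream(ke, nonce, len(p))))

def sym_decrypt(kd, c):
    """P = D(KD, C): only works when KD equals KE (symmetric system)."""
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(kd, nonce, len(body))))

def rsa_keypair(p=61, q=53, e=17):
    """Textbook RSA with tiny constructed primes: KE=(e, n), KD=(d, n), KE != KD."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(ke, m):
    e, n = ke
    return pow(m, e, n)               # C = E(KE, P)

def rsa_decrypt(kd, c):
    d, n = kd
    return pow(c, d, n)               # P = D(KD, C)

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    msg = b"transfer 100 to account 42"   # constructed sample plaintext
    c = sym_encrypt(key, msg)
    assert sym_decrypt(key, c) == msg                       # P = D(KD, E(KE, P))
    assert sym_decrypt(secrets.token_bytes(32), c) != msg   # wrong KD fails
    ke, kd = rsa_keypair()
    assert ke != kd and rsa_decrypt(kd, rsa_encrypt(ke, 65)) == 65
    print("round trips hold; RSA keys:", ke, kd)
```

In the symmetric case anyone holding KE can also decrypt, so the key must stay secret on both sides; in the asymmetric case KE can be published while KD stays private.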

34
Secret Key Encryption
35
Public Key Encryption
36
Uses of Encryption
  • Digital Certificates use Public Key
  • Web Access with SSL
  • Virtual Private Networks (VPNs)
  • Desktop Encryption

37
Digital signature
  • Digital signature is a sort of protocol that
    provides authenticity and identification of the
    user.
  • It is similar to the signature of a person on a
    paper or check.
  • It is used for many purposes in network security
    provision.

38
Physical security
  • Network security should begin by first
    emphasizing the necessity for physical security.
    Most organizations limit physical access to hosts
    and servers, but they must also take into
    consideration networking devices, such as
    routers, switches, and the like, and even such
    simple elements as cabling and wiring.