Securing an Information Resource Management System - PowerPoint PPT Presentation

1 / 71
About This Presentation
Title:

Securing an Information Resource Management System

Description:

Symmetric block cipher. Federal Information Processing Standard approved (FIPS) ... Intranet website. Access management. Policy, politics, and technology. RBAC ... – PowerPoint PPT presentation

Number of Views:95
Avg rating:3.0/5.0
Slides: 72
Provided by: stude407
Category:

less

Transcript and Presenter's Notes

Title: Securing an Information Resource Management System


1
Securing an Information Resource Management System
2
Overview
  • Security issues of an information resource
    management system
  • Secure physical network
  • Standards and protocols used in information
    security
  • Management tools used to implement that system

3
Information Security in Society
  • Homeland Defense
  • Homeland Defense as an information security
    system
  • Need to communicate sensitive information
    efficiently in a crisis

4
Information Security in Society
  • HD Secretary Tom Ridge and Strategic
    Communications Resources (SECURE) Initiative
  • Five new HD officers per state
  • Secure telephones and video conferencing for the
    Governors office

5
Information Security in Society
  • Information based industry
  • Potential loss
  • New information technology
  • New vulnerabilities

6
The First Step
7
Secure Information Network Physical Architectures
  • Homeland example
  • Telephony equipment
  • Emergency Operations Center

8
FIPS 140-2
  • FIPS 140-2(Federal Information Processing
    Standard)
  • Crypto-modules
  • tests hardware, software, firmware
  • crypto algorithms
  • key-generation

9
Secure Environments
  • Secure Environments
  • authorized personnel
  • placing servers locally
  • disconnected information networks

10
Smart Cards
  • Used in combination with other id-securing
    methods
  • Portable
  • Secure
  • Difficult to replicate, useless to steal
  • Appearance gold-contacts
  • Microprocessor
  • Also can be used to facilitate secure
    communications

11
Smart Cards
  • Little interoperability between software and
    hardware of different vendors
  • Difficult implementation and maintenance
  • NIST (National Institute of Standards and
    Technology)
  • NIST is working on guidlines/specifications (as
    well see in the next section)

12
Firewalls
  • Located on routers or servers
  • Blocks specific communications and allows
    specific communication

13
FIREWALL
Telnet
SSH
Web Browsing
FTP
SFTP
14
Firewalls
  • Located on routers or servers
  • Blocks specific communications and allows
    specific communication
  • useful in preventing viruses

15
Connected Networks
  • Can be physically isolated to provide security
  • Controlled communication access points

16
VLANS
  • By remote login, a server can make it appear as
    though the user is on a network
  • Secure tunneling

17
(No Transcript)
18
WIFI
  • Wi-Fi (short for "wireless fidelity")
  • Ever-growing WiFI networks

19
(No Transcript)
20
WIFI
  • Wi-Fi (short for "wireless fidelity")
  • Ever-growing WiFI networks
  • Unsecured

21
WIFI
  • Current business trends Demand Robust Security
    Networks (RSNs) on WiFi
  • RSN
  • Dependable
  • Secure
  • Versatile

22
WIFI
  • WIFI products need to
  • Provide security
  • Multi-vendor interoperability
  • Long security lifecycle to lengthen usability
  • Support hotspots connectivity

23
WIFI and FIPS 140-2
  • 802.11b IEE standard
  • Minimal security
  • FIPS 140-2 and 802.11 and Bluetooth standard (for
    WiFi)
  • IEEE, IETF, NIST working to create effective
    standards
  • Theory higher level crypto protocols, like IPSec
    (next section)

24
WIFI
  • Interim methods to minimizing WIFI losses
  • Detailed wireless topology
  • Inventory of devices
  • Frequent back-ups
  • Random security audits of WiFi infrastructure
  • Monitor WIFI technology changes

25
Oregano Break!
26
Universals Standards/Protocols
  • Different technology vendors and universals
    standards/protocols

27
Standards and Protocols
  • Information security standards/protocols are also
    policy

28
Standards and Protocols
  • Congress and the Gramm Leach-Bliley Act
  • Bank security policies
  • Information security standards
  • Protect customer info
  • Protect other nonpublic info
  • Safe, secure, and reliable transactions

29
Standards and Protocols
  • ISO 17799, ISF, NIST
  • Guidelines that have standards for information
    security
  • Security communication protocols
  • Cryptographic standards
  • What are common cryptographic standards?

30
Cryptographic Standards
  • Common cryptographic standards
  • Integrity
  • Authenticity
  • Authorization/access control model
  • Non-repudation

31
Cryptographic Standards
  • Definition block cipher
  • Definition cipher text
  • Definition stream cipher
  • Definition symmetric block cipher
  • algorithm to encrypt and decrypt block text

32
Cryptographic Standards
  • Digital Signature Standard (DSS)
  • Authentication and Integrity
  • Digital Signature Algorithm (DSA) public-private
    keys schemes (discussed later)

33
DSA
  • Hashing
  • Definition message digest
  • Digest encrypted with DSA

34
(No Transcript)
35
DSA
  • FIPS 180-1 (FIPS Hashing standard)
  • SHA-1, SHA-256 blocks lt264 bits
  • SHA-384, SHA-512 blocks lt2128 bits
  • changes to a message results in a different
    digest (high probability)
  • also used with stored data

36
Keys
  • Secret keys

37
Secret Key
Original Key
Copy Key
38
(No Transcript)
39
Keys
  • Public-Private Keys

40
Secret Key
Private Key
41
Message
Encrypted Message
Decrypted Message
42
Keys
  • Key certificates
  • Key lifecycle

43
(No Transcript)
44
Keys
  • Key-substitution vulnerability

45
Keys
  • Key-destruction vulnerability

46
Keys
  • Controlling the key lifecycle
  • Crypto-periods

47
PKI
  • Public Key Infrastructure (PKI)
  • Certificate Authorities
  • Electronic transport
  • Manual key transport
  • Trust

48
  • Lets look at some examples

49
IPSEC
  • IPSEC uses keys
  • Works on the Transport Layer

50
(No Transcript)
51
IPSEC
  • Tunneling

52
(No Transcript)
53
IPSec
  • Internet Key Exchange (IKE)
  • Serial authentication access
  • Confidentiality
  • Transmissions and key crypto periods

54
IPSec
  • Encapsulating Security Payload (ESP)
  • Double-encryption scheme
  • Encrypts data
  • Encrypts header (source/destination invisible)

55
NIST
  • NIST (National Institute of Standards and
    Technology)
  • Information security standards for government and
    industry

56
NIST
  • Business metrics and standards
  • Supports DSS and public key encryptions
  • The MAIDS standard
  • The AES standard

57
NIST
  • The MAIDS standard
  • Mobile Agent Intrusion Detection and Security
  • Autonomous software entities
  • Security threats
  • MAIDS prevents unauthorized access
  • ensures secure communication with mobile agents

58
NIST
  • Advanced Encryption Standard (AES)
  • Keys of 128, 192, 256 bits/ 16, 24, 32 character
    long encryption blocks
  • Symmetric block cipher
  • Federal Information Processing Standard approved
    (FIPS)
  • AES and IPSEC work with modification of the IKE
    exchange
  • AES/IPSEC protocol works at the IP layer

59
N'Sync Break!
60
  • Poisoned dagger
  • the human element.

61
Personnel and Management Objectives in a Secure
Information Environment
62
  • Business Mindset
  • Quite frequently, the risk and the solutions are
    seen as part of the IT universe, while business
    leaders want to concentrate on product
    development, sales and revenue, and customer
    care. To change this mindset and to recognize IS
    as a business issue, the CISO has to inform,
    educate, and influence his or her business
    counterparts
  • --Robert Garigue, Information Systems

63
CIO and the CISO's tasks
  • Describe
  • Environmental factors (industry related threats)
  • New/developing standards
  • Defenses of digital assets taken
  • Existing security incidents
  • Financial impact of those breaches
  • New/developing metrics the CEO can use

64
CIO and the CISO's tasks
  • Educate
  • List risks factors to the bottom line
  • New technologies and their risks
  • Potential impact of breaches
  • How people participate in information security

65
CIO and the CISO's tasks
  • Influence
  • Priorities and resource allocation
  • Involving security specialists early in new
    projects
  • Deciding on organizational structures with
    information efficiency as a goal

66
CIO and the CISO's tasks
  • information risk analysis
  • Measures bottom line impact
  • Types of information loss
  • Malicious use
  • Predictive Systems
  • 36 chance 10-20 bill. in lost

67
CIO and the CISO's tasks
  • Security certification
  • Use common business metrics (activity reports) to
    measure the effect information breaches )
  • Are we secure?
  • Directly lead to budget decisions

68
Communicating Security Policy
  • Is the policy being followed?
  • Inform employees and management of
  • Security objectives
  • Organizational accountability
  • Standards and procedures
  • Available guidelines supporting the policy

69
Communicating Security Policy
  • Awareness metrics
  • Is the training effective?
  • Intranet website
  • Access management
  • Policy, politics, and technology
  • RBAC
  • Access based on identity vs. role
  • Operations with the object

70
Ongoing defense
  • Security tests
  • Upgrades
  • Communication monitoring
  • Computer forensics

71
A state of necessity
Write a Comment
User Comments (0)
About PowerShow.com