Organizational Security 1 IT Security From an Organizational Perspective Ulrika Norman Jeffy Mwakalinga Reference: 1) Enterprise Security. Robert C. Newman.

Slides:



Advertisements
Similar presentations
5-Network Defenses Dr. John P. Abraham Professor UTPA.
Advertisements

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
2 An Overview of Telecommunications and Networks Telecommunications: the _________ transmission of signals for communications (home net) (home net)
Security Controls – What Works
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 Network Security.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Business Data Communications, Fourth Edition Chapter 10: Network Security.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Chapter 19 Security.
NETWORK SECURITY.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
OV Copyright © 2011 Element K Content LLC. All rights reserved. System Security  Computer Security Basics  System Security Tools  Authentication.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 2 Information Security Overview The Executive Guide to Information Security manual.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
BUSINESS B1 Information Security.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Network Security Lecture 9 Presented by: Dr. Munam Ali Shah.
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.
Types of Electronic Infection
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Information Systems Security
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Database Security Tampere University of Technology, Introduction to Databases. Oleg Esin.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.
Discovery 2 Internetworking Module 8 JEOPARDY K. Martin.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Chap1: Is there a Security Problem in Computing?.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
Jump to first page Internet Security in Perspective Yong Cao December 2000.
CPT 123 Internet Skills Class Notes Internet Security Session B.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Information Systems Design and Development Security Precautions Computing Science.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Network Security. Permission granted to reproduce for educational use only.© Goodheart-Willcox Co., Inc. Remote Authentication Dial-In User Service (RADIUS)
Security Issues in Information Technology
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Working at a Small-to-Medium Business or ISP – Chapter 8
NETWORK SECURITY Cryptography By: Abdulmalik Kohaji.
Security of a Local Area Network
Security in Networking
IT Security From an Organizational Perspective
Protection Mechanisms in Security Management
Presentation transcript:

Organizational Security 1 IT Security From an Organizational Perspective Ulrika Norman Jeffy Mwakalinga Reference: 1) Enterprise Security. Robert C. Newman. ISBN: ) Corporate Computer and Network Security. Raymond R. Panko. ISBN:

Organizational Security 2 Outline PART I Security Overview 1) Introduction 2) Security Services and Implementation 3) Overview of Existing Security Systems 4) Implementing Security in a System m PART II: Organizational Security 1) Introduction 2) Securing Information Systems of an Organization 3) Corporate Security Planning 4) Adding a Security Department

Organizational Security 3 Introduction Security Management Security Management Mobile (wireless) Security Mobile (wireless) Security Information Security Information Technology Security Information Technology Security Wired Security Wired Security Applications Security Applications Security Communication Security Communication Security Computer Security Computer Security Technology Security Technology Physical Security

Organizational Security 4 Information security is defined as methods and technologies as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities Introduction

Organizational Security 5 Generic Security Principles Detergence (Scare away) Detergence (Scare away) Recovery Response Detection Protection Generic Security System Information while in storage Information while in transmission Hardware Hacker

Organizational Security 6 PART I: Security Overview m Introduction m Security Services and Implementation m Overview of Existing Security Systems m Implementing security in a system

Organizational Security 7 Security Services and Implementation : Confidentiality To keep a message secret to those that are not authorized to read it Confidentiality Authentication Access Control Integrity Availability Non-repudiation

Organizational Security 8 Security Services: Authentication Confidentiality Authentication Access Control Integrity Availability Non-repudiation To verify the identity of the user / computer

Organizational Security 9 Security Services: Access Control Confidentiality Authentication Access Control Integrity Availability Non-repudiation To be able to tell who can do what with which resource

Organizational Security 10 Security Services: Integrity Confidentiality Authentication Access Control Integrity Availability Non-repudiation To make sure that a message has not been changed while on Transfer, storage, etc

Organizational Security 11 Security Services: Non-repudiation Confidentiality Authentication Access Control Integrity Availability Non-repudiation To make sure that a user/server can’t deny later having participated in a transaction

Organizational Security 12 Security Services: Availability Confidentiality Authentication Access Control Integrity Availability Non-repudiation To make sure that the services are always available to users.

Organizational Security 13Cryptography  We use cryptography  Science of transforming information so it is secure during transmission or storage Encryption: Changing original text into a secret, encoded message Encryption: Changing original text into a secret, encoded message Decryption: Reversing the encryption process to change text back to original, readable form Decryption: Reversing the encryption process to change text back to original, readable form Providing Security Services: Confidentiality

Organizational Security 14 Some confidential text (message) in clear (readable) form Someconfid entialtext essage) in clear E n c r y p t i o n Encryption

Organizational Security 15 Some confidential text (message) in clear (readable) form D e c r y p t i o n Someconfid entialtext essage) in clear Decryption

Organizational Security 16 Example A B C D E F G.... X Y Z L G T U W O M.... I A C VWRFNKROP STOCKHOLM

Organizational Security 17 Symmetric Key Encryption – One Key System Internet Plaintext “Hello” Encryption Method & Key Ciphertext “ ” Symmetric Key Ciphertext “ ” Plaintext “Hello” Decryption Method & Key Same Symmetric Key Interceptor Anders Karin Note: A single key is used to encrypt and decrypt in both directions.

Organizational Security 18 Same secret key is used to encrypt and decrypt messages. Secret Key must remain secret Some confidential text (message) in clear (readable) form Someconfid entialtext essage) in clear E n c r y p t i o n D e c r y p t i o n Crypto key Single Key System: Symmetric System

Organizational Security 19 MessageKey 1, 2, 3, , 2, 3, , 192,256 Encrypted message 1, 2, 3, K-1 K-2 K-Rounds Advanced Encryption Algorithm (AES) If key = 128 Rounds = 9 If key = 192 Rounds = 11 If key = 256 Rounds = 13

Organizational Security 20 Two Keys System: Asymmetric System Some confidential text (message) in clear (readable) form Someconfid entialtext essage) in clear E n c r y p t i o n D e c r y p t i o n Key 1 Key 2 System with two keys: Private key and Public key. Example: Rivest Shamir Adleman system (RSA)

Organizational Security 21 Providing Security Services: Authentication -something who you are -something what you have -something what you know -where you are - terminal WWW Server User

Organizational Security 22 Authentication (continued) m Passwords m Smart cards m certificates m Biometrics Biometrics used for door locks, can also be used for access control to personal computers Biometrics used for door locks, can also be used for access control to personal computers Fingerprint scanners Fingerprint scanners Fingerprint scanner

Organizational Security 23 Providing Security Services : Access Control Access control Who can do... what... with which resource ? File A File A File B File B Read Copy

Organizational Security 24 Subject1 Subject 2 Subject 3 Subject 4 Subject 5 Subject 6 File1File2File3File4File5File6 read, write delete Access Control Matrix

Organizational Security 25 Some confidential text (message) in clear (readable) form It is called Message Digest Providing Security Services : Integrity Providing Security Services : Integrity Compress (Hashing) Change to Binary form

Organizational Security 26 Providing Integrity message Message Digest Hashing System Message Digest ~ Message Authentication Code (MAC)

Organizational Security 27 message Hashing System MAC RSA (signing) Signature Sender’s private RSA key messageSignature PKCS#1 14 Providing Security Services : Non- repudiation - Signatures Providing Security Services : Non- repudiation - Signatures

Organizational Security 28 PART I: Security Overview m Introduction m Security Services m Overview of Existing Security Systems m Implementing security in a system

Organizational Security 29 Overview of Existing Security Systems : Firewalls Used even for Deterring (Scaring attackers) Firewalls  Designed to prevent malicious packets from entering Software based  Runs as a local program to protect one computer ( personal firewall ) or as a program on a separate computer ( network firewall ) to protect the network Hardware based  separate devices that protect the entire network (network firewalls)

Organizational Security 30 Overview of Existing Security Systems : Detection - Intrusion Detection Systems Intrusion Detection System (IDS)  Examines the activity on a network Goal is to detect intrusions and take action Two types of IDS: Host-based IDS  Installed on a server or other computers (sometimes all) Monitors traffic to and from that particular computer Network-based IDS  Located behind the firewall and monitors all network traffic

Organizational Security 31 Overview of Existing Security Systems : Network Address Translation (NAT) Network Address Translation (NAT) Systems  Hides the IP address of network devices Located just behind the firewall. NAT device uses an alias IP address in place of the sending machine’s real one “You cannot attack what you can’t see”

Organizational Security 32 Overview of Existing Security Systems :Proxy Servers Overview of Existing Security Systems : Proxy Servers Proxy Server  Operates similar to NAT, but also examines packets to look for malicious content Replaces the protected computer’s IP address with the proxy server’s address Protected computers never have a direct connection outside the networkThe proxy server intercepts requests. Acts “on behalf of” the requesting client

Organizational Security 33 Adding a Special Network called Demilitarized Zone (DMZ) Demilitarized Zones (DMZ)  Another network that sits outside the secure network perimeter. Outside users can access the DMZ, but not the secure network Some DMZs use two firewalls. This prevents outside users from even accessing the internal firewall  Provides an additional layer of security

Organizational Security 34 Overview of Existing Security Systems : Virtual Private Networks (VPN)  Virtual Private Networks (VPNs)  A secure network connection over a public network Allows mobile users to securely access information Allows mobile users to securely access information Sets up a unique connection called a tunnel Sets up a unique connection called a tunnel

Organizational Security 35 Overview of Existing Security Systems :Virtual Private Networks (VPN) Overview of Existing Security Systems : Virtual Private Networks (VPN)

Organizational Security 36 Overview of Existing Security Systems : Honeypots Honeypots  Computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations Intentionally configured with security holes Goals: Direct attacker’s attention away from real targets; Examine the techniques used by hackers

Organizational Security 37 Overview of Existing Security Systems : Secure Socket Layer (SSL) SSL is used for securing communication between clients and servers. It provides mainly confidentiality, integrity and authentication WWW Server Client Establish SSL connection - communication protected

Organizational Security 38 PART I: Security Overview m Introduction m Security Services and Implementation m Overview of Existing Security Systems m Implementing security in a system

Organizational Security 39 Implementing Security in a System Involves: Patching software - Getting the latest versions Hardening systems - by using different security systems available Blocking attacks – By having different security tools to prevent attacks Testing defenses Regularly testing from outside and inside the network or an organization

Organizational Security 40 Protecting one Computer Summary (continued) m Operating system hardening is the process of making a PC operating system more secure Patch management Patch management Antivirus software – to protect your pc from viruses Antivirus software – to protect your pc from viruses Antispyware software Antispyware software Firewalls – to deter (scare), protect Firewalls – to deter (scare), protect Setting correct permissions for shares Setting correct permissions for shares Intrusion detection Systems – to detect intrusions Intrusion detection Systems – to detect intrusions Cryptographic systems Cryptographic systems

Organizational Security 41 Protecting a Wired Network Use Firewalls, Intrusion Detection Systems, Network Address Translation, Virtual Private net Networks, honey pots, cryptographic systems, etc

Organizational Security 42 Protecting a Wireless Local Area Network (WLAN)

Organizational Security 43 Security in a Wireless LAN m WLANs include a different set of security issues m Steps to secure: Turn off broadcast information Turn off broadcast information MAC address filtering MAC address filtering Encryption Encryption Password protect the access point Password protect the access point Physically secure the access point Physically secure the access point Use enhanced WLAN security standards whenever possible Use enhanced WLAN security standards whenever possible Use cryptographic systems Use cryptographic systems

Organizational Security 44 PART II: Organizational Security m Introduction m Securing Information Systems of an Organization m Corporate Security Planning m Adding a security Department

Organizational Security 45 Introduction - Traditional Organization ProductionMarketing Customers ResearchSupplyServices Management Sales Organization Web Clients Business to Business Partners (Outsource)

Organizational Security 46 Introduction: Adding Information System IS for Production IS for Marketing IS for Customers IS for Research IS for Supply IS for Services Information System (IS) for Management IS for Sales Organization + IS IS for Web Clients IS 4 Business to Business IS 4 Partners (Outsource) How do we secure the IS of the organization?

Organizational Security 47 PART II: Organizational Security m Introduction m Securing Information Systems of an Organization m Corporate Security Planning m Adding a security Department

Organizational Security 48 Securing Information Systems of an Organization IS for Production IS for Marketing IS for Customers IS for Research IS for Supply IS for Services Information System for Management IS for Sales IS organization IS for Web Clients IS for B2B IS 4 Partners (Outsource) Interne t Security SECURITySECURITy

Organizational Security 49 Holistic (Generic) Security Approach Organization Detergence (Scare away) Detergence (Scare away) Recovery Response Detection Protection Security People Technology (servers, …) Information

Organizational Security 50 Analysis Detergence (Scare away) Detergence (Scare away) Recovery Response Detection Protection How much to spend on Deterrence? How much to spend on Deterrence? How much to spend on Recovery? How much to spend on Recovery? How much to spend on Response? How much to spend on Response? How much to spend on Detection? How much to spend on Detection? How much to spend on Protection? How much to spend on Protection? 10%? 20%? 50%? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on employees? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on organization? How much responsibility on government? How much responsibility on government? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ? How much responsibility on government ?

Organizational Security 51 Analysis continued Detergence (Scare away) Detergence (Scare away) Recovery Response Detection Protection Implementation By Software x% By People y% By Hardware z% Implementation By Software x% By People y% By Hardware z% Implementation By Software k% By People d% By Hardware c% Implementation By Software k% By People d% By Hardware c% Implementation By Software f% By People g% By Hardware r% Implementation By Software f% By People g% By Hardware r% Implementation By Software m% By People p% By Hardware h% Implementation By Software m% By People p% By Hardware h% Implementation: By Software? n% By People s% By Hardware t% Implementation: By Software? n% By People s% By Hardware t% Which standards to use for deterring? Which standards to use for deterring? Which standards to use for Recovery? Which standards to use for Recovery? Which standards to use for response? Which standards to use for response? Which standards to use for detection? Which standards to use for detection? Which standards to use for Protection? Which standards to use for Protection? To do the analysis we need corporate security planning?

Organizational Security 52 PART II: Organizational Security m Introduction m Securing Information Systems of an Organization m Corporate Security Planning m Adding a security Department

Organizational Security 53 Corporate Security Planning m Security requirements Assessment m Business Continuity Planning m How to perform network management? m Administration m How to test and troubleshoot?

Organizational Security 54 Security requirements Assessment: Continuous process Finish one round Audit AnalyzeDesignImplement IdentifyEvaluate Start Identify the organization’s security issues and assets Analyze security risks, threats and vulnerabilities Design the security architecture and the associated processes Audit the impact of the security technology and processes Evaluate the effectiveness of current architecture and policies Identify the organization’s security issues and assets Analyze security risks, threats and vulnerabilities Design the security architecture and the associated processes Audit the impact of the security technology and processes Evaluate the effectiveness of current architecture and policies

Organizational Security 55 Business Continuity Planning (1) A business continuity plan specifies how a company plans to restore core business operations when disasters occur A business continuity plan specifies how a company plans to restore core business operations when disasters occur m Business Process Analysis Identification of business processes and their interrelationships Identification of business processes and their interrelationships Prioritizations of business processes Prioritizations of business processes m Communicating, Testing, and Updating the Plan Testing (usually through walkthroughs) needed to find weaknesses Testing (usually through walkthroughs) needed to find weaknesses Updated frequently because business conditions change and businesses reorganize constantly Updated frequently because business conditions change and businesses reorganize constantly

Organizational Security 56 Business Continuity Planning - continued m Disaster Recovery Disaster recovery looks specifically at the technical aspects of how a company can get back into operation using backup facilities Disaster recovery looks specifically at the technical aspects of how a company can get back into operation using backup facilities m Backup Facilities Hot sites Hot sites – Ready to run (with power, computers): Just add data Cold sites Cold sites – Building facilities, power, communication to outside world only – No computer equipments – Might require too long to get operating m Restoration of Data and Programs m Testing the Disaster Recovery Plan

Organizational Security 57 Network management Functions (ISO) m Fault Management Ability to detect, isolate, and correct abnormal conditions that occur in a network. Ability to detect, isolate, and correct abnormal conditions that occur in a network. m Configuration management Ability to identify components configure them according to the security policy Ability to identify components configure them according to the security policy m Performance Management Ability to evaluate activities of the network and improve network performance Ability to evaluate activities of the network and improve network performance m Security management Ability to monitor, control access, securely store information, examine audit records; etc. Ability to monitor, control access, securely store information, examine audit records; etc. m Accounting management The ability to track the use of network resources. Identify costs and charges related to the use of network resources

Organizational Security 58 Some Network management Standards m Simple Network Management Protocol (SNMP) m Common Management Information protocol (CMIP). The main functions provided by this protocol are : alarm reporting, access control, accounting, event report management, lo control, object management, state management, security audit, test management, summarization, relation management. The main functions provided by this protocol are : alarm reporting, access control, accounting, event report management, lo control, object management, state management, security audit, test management, summarization, relation management. 1) Management Agent 2) Management Information base (MIB) 1) Network Management Station 2) Application program 1) Management Agent 2) Management Information base (MIB) Network Element no: 1 (research section) Network Element no: N (services section) SNMP

Organizational Security 59 Administration m Computer and Network administration section m Duties: 1) Software installation and upgrade 2) Database access approval and maintenance 3) User identities and password management 4) Back up and restoral processes 5) Training employees about security awareness

Organizational Security 60 How to test and troubleshoot? m Test whether the systems and components are behaving in accordance to the security plans m Test from inside the organization and from outside the organization m Trouble shooting: Define the situation, prioritize the problem, develop information about the problem, identify possible causes, eliminate the possibilities one at a time, ensure the fix does not cause additional problems, document the solution

Organizational Security 61 PART II: Organizational Security m Introduction m Securing Information Systems of an Organization m Corporate Security Planning m Adding a security Department

Organizational Security 62 Adding a security Department m Security Management section 1) Security planning 2) Security requirements Assessment 3) Business continuity planning m Security Technology section 1) Computer and Network administration 2) Network management 3) Testing and troubleshooting

Organizational Security 63 Organization with a Security Department IS for Production IS for Marketing IS for Customers IS for Research IS for Supply IS for Services Information System for Management IS for Sales IS organization IS for Web Clients IS for B2B IS 4 Partners (Outsource) Interne t Security SECURITySECURITy

Organizational Security 64 PART II: Organizational Security m Introduction m Securing Information Systems of an Organization m Corporate Security Planning m Adding a security Department

Organizational Security 65 Summary PART I Security Overview 1) Introduction 2) Security Services and Implementation 3) Overview of Existing Security Systems 4) Implementing Security in a System m PART II: Organizational Security 1) Introduction 2) Securing Information Systems of an Organization 3) Corporate Security Planning 4) Adding a Security Department

Organizational Security 66 ? Questions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.