Organizational Security

Slide 1: IT Security From an Organizational Perspective
Ulrika Norman, Jeffy Mwakalinga
References:
1) Enterprise Security. Robert C. Newman. ISBN: 0-13-047458-4
2) Corporate Computer and Network Security. Raymond R. Panko. ISBN: 0-13-101774-8
Slide 2: Outline
PART I: Security Overview
1) Introduction
2) Security Services and Implementation
3) Overview of Existing Security Systems
4) Implementing Security in a System
PART II: Organizational Security
1) Introduction
2) Securing Information Systems of an Organization
3) Corporate Security Planning
4) Adding a Security Department
Slide 3: Introduction
Figure: taxonomy of information security
Information Security
  - Security Technology
    - Information Technology Security
      - Applications Security
      - Communication Security
        - Wired Security
        - Mobile (wireless) Security
      - Computer Security
    - Physical Security
  - Security Management
Slide 4: Introduction
Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities.
Slide 5: Generic Security Principles
Generic Security System: Deterrence (scare away), Protection, Detection, Response, Recovery.
Figure: these five functions stand between the hacker and the assets to be protected: information while in transmission, information while in storage, and hardware.
Slide 6: PART I: Security Overview
- Introduction
- Security Services and Implementation
- Overview of Existing Security Systems
- Implementing security in a system
Slide 7: Security Services and Implementation: Confidentiality
Security services: Confidentiality, Authentication, Access Control, Integrity, Non-repudiation, Availability.
Confidentiality: To keep a message secret from those that are not authorized to read it.
Slide 8: Security Services: Authentication
Authentication: To verify the identity of the user / computer.
Slide 9: Security Services: Access Control
Access Control: To be able to tell who can do what with which resource.
Slide 10: Security Services: Integrity
Integrity: To make sure that a message has not been changed while in transfer, storage, etc.
Slide 11: Security Services: Non-repudiation
Non-repudiation: To make sure that a user/server can't deny later having participated in a transaction.
Slide 12: Security Services: Availability
Availability: To make sure that the services are always available to users.
Slide 13: Providing Security Services: Confidentiality
- We use cryptography
- Cryptography: Science of transforming information so it is secure during transmission or storage
  - Encryption: Changing original text into a secret, encoded message
  - Decryption: Reversing the encryption process to change text back to original, readable form
Slide 14: Encryption
Figure: some confidential text (message) in clear (readable) form is turned by Encryption into unreadable ciphertext (shown on the slide as symbols).
Slide 15: Decryption
Figure: Decryption turns the ciphertext (shown on the slide as symbols) back into the confidential text (message) in clear (readable) form.
Slide 16: Example
Plaintext alphabet: A B C D E F G . . . . X Y Z
Cipher alphabet:    L G T U W O M . . . . I A C
Plaintext:  STOCKHOLM
Ciphertext: VWRF NKROP
Slide 17: Symmetric Key Encryption – One Key System
Note: A single key is used to encrypt and decrypt in both directions.
Figure: Anders encrypts the plaintext "Hello" with the encryption method and the symmetric key, producing the ciphertext "11011101", which travels over the Internet (where an interceptor may be listening). Karin decrypts it with the decryption method and the same symmetric key, recovering the plaintext "Hello".
Slide 18: Single Key System: Symmetric System
The same secret key is used to encrypt and decrypt messages. The secret key must remain secret.
Figure: the encryption and decryption diagrams of slides 14 and 15, with the crypto key shown as the input to both Encryption and Decryption.
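As an added example (not from the slides), a small Python implementation of the monoalphabetic substitution cipher behind slide 16 and the single-key principle of slides 17 and 18: one key string is used both to encrypt and to decrypt, a shift-3 key reproduces STOCKHOLM -> VWRFNKROP, and a shuffled alphabet gives the general substitution table sketched on slide 16. The function names and the seed 42 are my own choices.

```python
"""Monoalphabetic substitution cipher: a one-key (symmetric) system."""
import random
import string

ALPHABET = string.ascii_uppercase  # plaintext alphabet A..Z


def make_shift_key(shift: int) -> str:
    """Cipher alphabet obtained by rotating A..Z by `shift` places.
    Slide 16's STOCKHOLM -> VWRFNKROP is this cipher with shift 3."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def random_key(seed: int) -> str:
    """General substitution table: a random permutation of A..Z.
    There are 26! such keys, against only 25 useful shift keys, which is
    why the general table on slide 16 is not just a shifted alphabet."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)  # constructed, seeded for repeatability
    return "".join(letters)


def is_valid_key(key: str) -> bool:
    """A key must map each plaintext letter to exactly one cipher letter;
    a repeated letter would make decryption ambiguous."""
    return sorted(key) == list(ALPHABET)


def encrypt(plaintext: str, key: str) -> str:
    """Replace each A..Z letter by its cipher letter; other characters pass through."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext: str, key: str) -> str:
    """Same key as encryption, applied with the mapping inverted."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of A-Z")
    return ciphertext.upper().translate(str.maketrans(key, ALPHABET))


if __name__ == "__main__":
    shared_key = make_shift_key(3)          # Anders and Karin share this one key
    ct = encrypt("STOCKHOLM", shared_key)   # -> VWRFNKROP
    print(ct, decrypt(ct, shared_key))
    table_key = random_key(42)
    print(ALPHABET)
    print(table_key)                        # cipher alphabet, as on slide 16
```

Anyone holding the key string decrypts, which is the slide's point that the secret key must remain secret.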
Slide 19: Advanced Encryption Algorithm (AES)
Key: bits 1, 2, 3, ... 128, 192, 256 (key length 128, 192 or 256 bits)
Message: bits 1, 2, 3, ... 128
Round keys: K-1, K-2, ..., K-Rounds
If key = 128, Rounds = 9
If key = 192, Rounds = 11
If key = 256, Rounds = 13
Encrypted message: bits 1, 2, 3, ... 64