Page 1: The University of Akron Summit College

The University of Akron
Summit College

Business Technology Dept.
2440: 141

Web Site Administration
Introduction to Security

Instructor: Enoch E. Damson

Page 2: The University of Akron Summit College

Information Security

- Consists of the procedures and measures taken to protect each component of information systems
  - Protecting data, hardware, software, networks, procedures and people
- The concept of information security is based on the C.I.A. triangle (according to the National Security Telecommunications and Information Security Committee – NSTISSC)
  - C – Confidentiality
  - I – Integrity
  - A – Availability

Page 3: The University of Akron Summit College

Confidentiality

- Addresses two aspects of security with subtle differences
  - Prevents unauthorized individuals from knowing or accessing information
  - Safeguards confidential information and discloses secret information only to authorized individuals by means of classifying information

Page 4: The University of Akron Summit College

Integrity

- Ensures data consistency and accuracy
- The integrity of the information system is measured by the integrity of its data
- Data can be degraded into the following categories:
  - Invalid data – not all data is valid
  - Redundant data – the same data is recorded and stored in several places
  - Inconsistent data – redundant data is not identical
  - Data anomalies – one occurrence of repeated data is changed and the other occurrences are not
  - Data read inconsistency – a user does not always read the last committed data
  - Data non-concurrency – multiple users can access and read data at the same time but lose read consistency

Page 5: The University of Akron Summit College

Availability

- Ensures that data is accessible to authorized individuals
- An organization's information system can be unavailable because of the following security issues:
  - External attacks and lack of system protection
  - Occurrence of system failure with no disaster recovery strategy
  - Overly stringent and obscure security procedures and policies
  - Faulty implementation of authentication processes, causing failure to authenticate customers properly

Page 6: The University of Akron Summit College

Information Security Architecture

- The model for protecting logical and physical assets
- The overall design of a company's implementation of the C.I.A. triangle
- Components range from physical equipment to logical security tools and utilities

Page 7: The University of Akron Summit College

Components of Information Security Architecture

- The components of information security architecture are:
  - Policies and procedures – documented procedures and company policies that elaborate on how security is to be carried out
  - Security personnel and administrators – people who enforce and keep security in order
  - Detection equipment – devices to authenticate users and detect equipment prohibited by the company

Page 8: The University of Akron Summit College

Components of Information Security Architecture…

- Other components of information security architecture include:
  - Security programs – tools to protect a computer system's servers from malicious code such as viruses
  - Monitoring equipment – devices to monitor physical properties, users, and important assets
  - Monitoring applications – utilities and applications used to monitor network traffic and Internet activities, downloads, uploads, and other network activities
  - Auditing procedures and tools – checks and controls to ensure that security measures are working

Page 9: The University of Akron Summit College

Levels of Security

- The levels of security include:
  - highly restrictive
  - moderately restrictive
  - open

Page 10: The University of Akron Summit College

Levels of Security…

- Before deciding on a level of security, answer these questions:
  - What must be protected?
  - From whom should data be protected?
  - What costs are associated with security being breached and data being lost or stolen?
  - How likely is it that a threat will actually occur?
  - Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?

Page 11: The University of Akron Summit College

Highly Restrictive Security Policies

- Include features such as:
  - Data encryption
  - Complex password requirements
  - Detailed auditing and monitoring of computer/network access
  - Intricate authentication methods
  - Policies that govern use of the Internet/e-mail
- Might require third-party hardware and software
- Implementation cost is high
- Cost of a security breach is high

Page 12: The University of Akron Summit College

Moderately Restrictive Security Policies

- Most organizations can opt for this type of policy
- Requires passwords, but not overly complex ones
- Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
- Most network operating systems contain authentication, monitoring, and auditing features to implement the required policies
- Infrastructure can be secured with moderately priced off-the-shelf hardware and software (firewalls, etc.)
- Costs are primarily in initial configuration and support

Page 13: The University of Akron Summit College

Open Security Policies

- Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
- May be implemented by a small company with the primary goal of making access to basic data resources
- Internet access should probably not be possible via the company LAN
- Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

Page 14: The University of Akron Summit College

Types of Attacks & Vulnerabilities

- Some of the numerous methods to attack systems are as follows:
  - Virus – code that compromises the integrity and state of a system
  - Worm – code that disrupts the operation of a system
  - Trojan horse – malicious code that penetrates a computer system or network by pretending to be legitimate code
  - Denial of service – the act of flooding a Web site or network system with many requests with the intent of overloading the system and forcing it to deny service to legitimate requests
  - Spoofing – malicious code that looks like legitimate code
  - Bugs – software code that is faulty due to bad design, logic, or both

Page 15: The University of Akron Summit College

Types of Attacks & Vulnerabilities…

- Other methods to attack systems include:
  - Email spamming – e-mail that is sent to many recipients without their permission
  - Boot sector virus – code that compromises the segment in the hard disk containing the program used to start the computer
  - Back door – an intentional design element of some software that allows developers of a system to gain access to the application for maintenance or technical problems
  - Rootkits and bots – malicious or legitimate software code that performs functions like automatically retrieving and collecting information from computer systems

Page 16: The University of Akron Summit College

Security Resources

- Computer Security Resources
  - http://www.sans.org
  - http://www.cert.org
  - http://www.first.org
  - http://csrc.nist.gov
  - http://www.securityfocus.com

Page 17: The University of Akron Summit College

Security Basics

- Some of the basic security rules are as follows:
  - Security and functionality are inversely related – the more security you implement, the less functionality you will have, and vice versa
  - No matter how much security you implement and no matter how secure your site is, if hackers want to break in, they will
  - The weakest link in security is human beings

Page 18: The University of Akron Summit College

Security Methods

- People
  - Physical limits on access to hardware and documents
  - Through the processes of identification and authentication, make certain that the individual is who he/she claims to be through the use of devices such as ID cards, eye scans, and passwords
  - Training courses on the importance of security and how to guard assets
  - Establishment of security policies and procedures

Page 19: The University of Akron Summit College

Security Methods…

- Applications
  - Authentication of users who access applications
  - Business rules
  - Single sign-on (a method for signing on once for different applications and Web sites)

Page 20: The University of Akron Summit College

Security Methods…

- Network
  - Firewalls – to block network intruders
  - Virtual private network (VPN) – a remote computer securely connected to a corporate network
  - Authentication

Page 21: The University of Akron Summit College

Security Methods…

- Operating System
  - Authentication
  - Intrusion detection
  - Password policy
  - User accounts

Page 22: The University of Akron Summit College

Security Methods…

- Database Management Systems
  - Authentication
  - Audit mechanism
  - Database resource limits
  - Password policy

Page 23: The University of Akron Summit College

Security Methods…

- Data Files
  - File permissions
  - Access monitoring

Page 24: The University of Akron Summit College

Securing Access to Data

- Securing data on a network has many facets:
  - Authentication and authorization – identifying who is permitted to access which network resources
  - Encryption/decryption – making data unusable to anyone except authorized users
  - Virtual Private Networks (VPNs) – allowing authorized remote access to a private network via the public Internet
  - Firewalls – installing a software/hardware device to protect a computer or network from unauthorized access and attacks
  - Virus and worm protection – securing data from software designed to destroy data or make a computer or network operate inefficiently
  - Spyware protection – securing computers from inadvertently downloading and running programs that gather personal information and report on browsing and habits
  - Wireless security – implementing unique measures for protecting data and authorizing access to the wireless network

Page 25: The University of Akron Summit College

Implementing Secure Authentication and Authorization

- Administrators must control who has access to the network (authentication) and what logged-on users can do to the network (authorization)
  - Network operating systems have tools to specify options and restrictions on how/when users can log on to the network
  - File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform

Page 26: The University of Akron Summit College

Securing Data Transmission

- Encryption is used to safeguard data as it travels across a network
- Tools such as Telnet and FTP are very vulnerable since they send data in clear text
- Secure Sockets Layer (SSL) is the most common method of encrypting data transmissions
  - Most Web sites that encrypt sensitive data such as credit card information, etc. use SSL

Page 27: The University of Akron Summit College

Encryption

- The act of encoding readable data into a format that is unreadable without a decoding key
  - Decryption – the act of decoding encoded data back into the original readable format
- Encryption provides privacy (confidentiality)
- Encryption and decryption are the two major processes that make up the science of cryptography

Page 28: The University of Akron Summit College

Cryptography

- The science of encrypting and decrypting information to ensure that data and information cannot be easily understood or modified by unauthorized individuals
  - Allows encryption of data from its original form into a form that can only be read with a correct decryption key
- Some of the security functions addressed by cryptographic methods are:
  - Authentication
  - Privacy
  - Message integrity
  - Provision of data signatures

Page 29: The University of Akron Summit College

Vocabulary of Cryptography

- Cryptanalysis – the process of evaluating cryptographic algorithms to discover their flaws
- Cryptanalyst – a person who uses cryptanalysis to find flaws in cryptographic algorithms
- Cryptographer – a person trained in the science of cryptography
- Alphabet – set of symbols used in cryptography to either input or output messages
- Plaintext (cleartext) – the original data in its raw form
- Cipher – a cryptographic encryption algorithm for transforming data from one form to another
- Ciphertext – the encrypted data

Page 30: The University of Akron Summit College

Encryption Methodology

- There are two elements in encryption:
  - Encryption method – specifies the mathematical process used in encryption
  - Key – the special string of bits used in encryption

Page 31: The University of Akron Summit College

Encryption Example

- Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Plaintext: Meet me on the corner
- Cipher (algorithm): C = P + K
  - C – the ciphertext character
  - P – the plaintext character
  - K – the value of the key
- Key: 3
- The algorithm simply states that to encrypt a plaintext character (P) and generate a ciphertext (C), add the value of the key (K) to the plaintext character
  - Shift the plaintext character to the right of the alphabet by three characters
  - D replaces A, E replaces B, F replaces C, etc.
- The following message is generated:
  - Ciphertext: Phhw ph rq wkh fruqhu
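The shift cipher from this slide as runnable Python, an added example that is not part of the original slides. It goes beyond the slide's C = P + K by wrapping around at the end of the alphabet (mod 26), decrypting with C - K, and trying every key to show how small this cipher's key space is; all function names are this example's own.

```python
import re


def shift_char(ch: str, key: int) -> str:
    """Apply C = (P + K) mod 26 to one letter, preserving its case."""
    if not (ch.isascii() and ch.isalpha()):
        return ch  # spaces, digits and punctuation pass through unchanged
    base = ord("A") if ch.isupper() else ord("a")
    # The modulo handles the case the slide leaves out: X, Y, Z wrap to A, B, C.
    return chr(base + (ord(ch) - base + key) % 26)


def encrypt(plaintext: str, key: int) -> str:
    return "".join(shift_char(ch, key) for ch in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same shift in the opposite direction: P = C - K."""
    return encrypt(ciphertext, -key)


def all_decryptions(ciphertext: str) -> dict:
    """Decrypt under every non-trivial key; there are only 25 of them."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


def likely_keys(ciphertext: str, known_words: set) -> list:
    """Return the keys whose decryption contains one of the expected words.

    This is the simplest form of cryptanalysis: with so few keys, trying
    them all and looking for readable text is enough.
    """
    hits = []
    for key, text in all_decryptions(ciphertext).items():
        words = set(re.findall(r"[a-z]+", text.lower()))
        if words & known_words:
            hits.append(key)
    return hits


if __name__ == "__main__":
    message = "Meet me on the corner"      # plaintext from the slide
    secret = encrypt(message, 3)            # key from the slide
    print(secret)                           # Phhw ph rq wkh fruqhu
    print(decrypt(secret, 3))
    print(encrypt("XYZ", 3))                # wrap-around: ABC
    print(likely_keys(secret, {"the", "meet"}))
```

Compare the 25 usable keys here with the 2^56 keys quoted for DES later in the deck: the method can be public, but the key space has to be too large to search.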

Page 32: The University of Akron Summit College

Types of Cryptographic Ciphers

- Ciphers fall into one of two major categories:
  - Symmetric (single-key) ciphers – the same key is used for both encryption and decryption
  - Asymmetric (public-key) ciphers – different keys are used for encryption and decryption

Page 33: The University of Akron Summit College

Symmetric (Single) Key Encryption

- The most common and simplest form of encryption
- Both parties in the encryption process must keep the key secret
- There are several specific symmetric key encryption algorithms
  - The most widely used is the data encryption standard (DES)
  - Other, more secure encryption algorithms include: Triple-DES, DESX, RDES, Blowfish, AES, and IDEA

Page 34: The University of Akron Summit College

Symmetric Key Encryption…

- Data Encryption Standard (DES)
  - Developed by IBM for the US National Institute for Standards and Technology (NIST) in the 1970s
  - The original algorithm is based on a 56-bit key that yields 2^56 possible keys (72 quadrillion keys)
  - Breaks the plaintext into chunks of 64 bits (8 of the key bits are redundant) and encrypts each chunk
  - In general, the larger the key the more secure the encryption is
- Widely used today but with some drawbacks
  - Both the sender and receiver of the encrypted message must know the key before they can communicate
  - Susceptible to attack, especially in networked environments

Page 35: The University of Akron Summit College

Asymmetric (Public) Key Encryption

- There are two keys for each party
  - The sender and receiver each has a private and public key
  - Public key – senders encrypt data sent over nonsecure connections with the receivers' public key
  - Private key – the receivers use their private keys to decrypt data
- The only person who can decrypt the ciphertext is the owner of the private key that corresponds to the public key used for the encryption

Page 36: The University of Akron Summit College

Authentication

- One purpose of encryption is to prevent anyone who intercepts a message from being able to read the message
  - It brings authorization (confidentiality) – only authorized users can use data
- In contrast, authentication proves the sender's identity

Page 37: The University of Akron Summit College

Forms of Authentication

- There are many forms of authentication:
  - Passwords
  - Authentication cards – ATMs use these with coded information
  - Biometrics – measures body dimensions, as with fingerprint analyzers
  - Public key authorization – uses digital signatures
    - Digital signature – the electronic version of a physical signature
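The public-key exchange and the digital signature described on the last three slides, as an added Python example that is not part of the original slides. It uses unpadded textbook RSA, which the slides do not name, with constructed toy keys built from small Mersenne primes; every name in it is this example's own, and production systems use a vetted library with padding and keys of 2048 bits or more.

```python
import hashlib
from typing import NamedTuple

E = 65537  # public exponent used for both toy keys


class KeyPair(NamedTuple):
    n: int  # modulus, shared by both halves of the pair
    e: int  # public exponent:  the public key is (n, e)
    d: int  # private exponent: the private key is (n, d)


def make_keypair(p: int, q: int) -> KeyPair:
    """Build an RSA key pair from two distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n=n, e=E, d=pow(E, -1, phi))  # d is E's inverse mod phi


# Constructed toy keys (assumption of this example): far too small for real use.
RECEIVER = make_keypair(2**61 - 1, 2**31 - 1)
SENDER = make_keypair(2**89 - 1, 2**17 - 1)


def encrypt(message: bytes, n: int, e: int) -> int:
    """Anyone holding the public key (n, e) can encrypt."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, n: int, d: int) -> bytes:
    """Only the holder of the private exponent d recovers the message."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, n: int, d: int) -> int:
    """The sender signs a hash of the message with the sender's private key."""
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Anyone can check the signature with the sender's public key."""
    return pow(signature, e, n) == _digest(message, n)


def exchange(message: bytes) -> dict:
    """Sender encrypts for the receiver and signs; receiver decrypts and verifies."""
    ciphertext = encrypt(message, RECEIVER.n, RECEIVER.e)
    signature = sign(message, SENDER.n, SENDER.d)
    return {
        "decrypted": decrypt(ciphertext, RECEIVER.n, RECEIVER.d),
        # The sender's own private key does not open the ciphertext.
        "wrong_key_decrypt": decrypt(ciphertext, SENDER.n, SENDER.d),
        "signature_valid": verify(message, signature, SENDER.n, SENDER.e),
        # A changed message no longer matches the signature.
        "tampered_valid": verify(message + b"!", signature, SENDER.n, SENDER.e),
    }


if __name__ == "__main__":
    for name, value in exchange(b"Meet me").items():
        print(f"{name}: {value}")
```

Encryption with the receiver's public key gives confidentiality; the signature made with the sender's private key gives authentication, which is the contrast drawn on the Authentication slide.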