Today’s Lecture Covers
Chapter 6 - IS Security
Dsheehy@grantthornton.ca
Security
The system is protected against unauthorized physical and logical access.
A typical network today?
[Diagram labels: Internet; External Router; Corporate Backbone; Human Resources; Payroll - Accounting; e-Business Network; AP Cyberwall; IP Firewall; DMZ; Internal Firewall; DMZ Systems]
Control over Info Transmission
procedures to protect inbound information and outbound information
network design should incorporate information integrity, confidentiality and availability requirements for transmissions
network implementation and config mgt needs to be controlled
Control over Data Mgt
roles and responsibilities for data mgt needed
database design and implementation needs to address security, integrity and control requirements
also incorporate reliability and availability requirements
Control over End-User Computing
procedures to ensure that end-users conform with organizational strategy
stds for development, acquisition, documentation and operation of applications procedures.
Effective support and training
monitoring end-user computing
The issue of IT Security
must id risks and design effective security processes and practices
not too much security - causes rule breaking to do job
balance between enabling staff and others to access easily and efficiently and controlling that access
Security Controls- to prevent
unauthorized access to IS by outsiders
unauthorized access to IS by insiders
interruptions in processing
at application (into each program) and
general level (e.g., electronic access, physical security, back-up and recovery and contingency planning)
To meet Security Objectives
need an integrated approach:
develop policies
assign roles and responsibilities and communicate them
design a security control framework
implement on risk-prioritized and timely basis
monitor
Broad Organizational Issues
policies and stds
risk assessment
plan, design, test and implement
user and mgt involvement
monitor and update
Policies & Stds
responsibility of all personnel
roles and responsibilities for security administrator
classify systems and data in terms of sensitivity
role of I/A
Risk Assessment
analyze risks and exposures
assess what is acceptable
need to understand potential losses
Plan Design Test and Implement
assess what is needed
test - ensure authorized accepted/unauthorized rejected
access time is reasonable
audit trails are adequate
Monitoring and Update
need logs
need to ensure controls up to date
adequate resources
Physical Access Controls -
Safeguard against physical abuse, damage and destruction.
Isolation and restriction - use locks, effective key management, video, sensing devices
Communication Access Controls
Firewalls - hardware and software between 2 networks, all traffic must go through it, only authorized traffic may pass, and is protected from tampering
Simplifies security mgt - only have to manage single point
Communication Access Controls
can hide internal network since no direct outside connection
can limit damage of security breaches
do not protect against insider attacks
often ineffective with viruses
do not protect against other connections that bypass firewall
Communication Access Controls
Packet filter gateway - router between 2 gateways, either forwards or blocks packets (less secure than firewall)
Application gateway - all packets are addressed to a user layer application at the gateway that relays them between 2 communication points
Communication Access Controls
use proxies to prevent a direct connection between external and internal networks
acts as middleman - decides whether traffic is secure between the hosts, forwards only secure traffic
Stateful inspection - all packets queried + application, user and transportation method queried - both the state of the transmission and context in which used cannot deviate from expectations; otherwise rejected
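Added illustration (not part of the lecture slides) of why a packet filter gateway is less secure than stateful inspection: the filter judges each packet alone, while the stateful inspector rejects anything that deviates from a connection it has seen opened. The rule set, the 10.0.0.x internal range and the sample packets are assumptions constructed for the example.

```python
from collections import namedtuple

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "SA", "A"

def internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(p):
    """Stateless: each packet judged alone, on addresses, ports and flags."""
    if internal(p.src):
        return p.dport == 443                   # outbound HTTPS only
    return p.sport == 443 and "A" in p.flags    # merely "looks like" a reply

class StatefulInspector:
    """Accepts inbound packets only for connections an internal host opened."""
    def __init__(self):
        self.conns = {}   # (int_ip, int_port, ext_ip, ext_port) -> state

    def inspect(self, p):
        if internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S" and p.dport == 443:
                self.conns[key] = "SYN_SENT"    # remember the outbound request
                return True
            return self.conns.get(key) == "ESTABLISHED"
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if state == "SYN_SENT" and p.flags == "SA":
            self.conns[key] = "ESTABLISHED"     # expected reply to our SYN
            return True
        return state == "ESTABLISHED" and p.flags == "A"

# Constructed sample traffic (documentation address ranges).
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA"),
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "A"),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "A"),
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, "A"),    # no connection exists
    Packet("203.0.113.10", 443, "10.0.0.5", 50001, "SA"),  # no matching SYN
]

def compare(traffic):
    fw = StatefulInspector()
    return [(packet_filter(p), fw.inspect(p)) for p in traffic]

if __name__ == "__main__":
    for p, (pf, si) in zip(TRAFFIC, compare(TRAFFIC)):
        print(p, "packet filter:", pf, "stateful:", si)
```

The first four packets form a normal exchange and pass both controls; the last two belong to no tracked connection, so the packet filter forwards them and the stateful inspector rejects them.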
Dial-Up Lines
Modem lines create problems
use callback modems, terminal authentication devices (id terminal as authentic before connecting), passwords, encryption, human hook-ups, warnings and look at communication bills
Encryption
coding messages
rely on mathematical algorithms
private key system - receiver must know what key is used to encipher message. Such keys must be protected
public key system - use 2 keys; encipher key is made public, different key used to decipher
Electronic Access Controls- first classify info
sensitivity - need to classify information as to confidentiality and access rights
access time requirements - classify according to range of tolerable access times- for example many users may need to access certain files at a particular time
authorized users - based on need to know basis
Access management
identification process - use userids
personal characteristic userids - name - easily transferred but easy to guess; also little privacy
functional characteristic id - based on job, no need for personal id, more privacy - if someone transfers, however, must give new id
no association ids - arbitrary - best privacy and can use if transferred
Access management
authentication - obtaining proof that user is who he/she says he/she is
plastic magnetic-strip cards - ATM cards, carry fixed password (PIN), can be stolen/duplicated
smart cards - contain processor that allows card to interact with number of control devices and define boundary of each specific access
biometric devices - fingerprints, hand geometry, eye retina patterns
Access management
passwords - traditional for log-on procedure
system-generated - randomly generated are harder to guess - problem is they are not really random and are meaningless to users - therefore users write them down, which makes them easier to find
user-selected - has meaning but often easier to guess
word association password - use cue lists that only user should know - too much computer space req'd, must be uniform
Access management
Increased use of single sign-on - authenticate once across multiple platforms
must be very careful due to potential access hazard
Could also use profile management - allocate standard access privileges to users based on their group, rather than individual basis
reduces admin costs and allows easier access and rule setting
Access management
access control software - allows controlled access - locks out illegitimate users