Saad Haj Bakry, PhD, CEng, FIEE
1
Security Policy IssuesSaad Haj Bakry, PhD, CEng, FIEE
Saad Haj Bakry, PhD, CEng, FIEE 2
Definition (1)
ISO Information Processing Vocabulary
Term DefinitionData The representation of facts, concepts
and instructions in a formalized manner suitable for communication, interpretation, or processing.
Information The meaning that is currently assigned to data by means of conventions applied to that data.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 3
Definition (1)
ISO Information Processing Vocabulary
Term DefinitionData Integrity The data quality that exists as long
as accidental or malicious destruction, alteration, or loss of data does not occur
Data Corruption / Contamination
The violation of data integrity.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 4
Definition (1)ISO Information Processing Vocabulary
Term DefinitionFunctional
UnitThe entity of hardware, or software, or both capable of accomplishing a specific purpose.
Data Source The functional unit that originates data for transmission.
Data Source The functional unit that accepts transmitted data.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 5
Definition (1)Signal Processing of Voice / Data / Video
Term DefinitionSource
EncodingCoding signal in digital form:
Telephone Voice (64 kbps) / Video (135 Mbps)
Compression Reduction of transmission bandwidth.Telephone Voice (32 kbps) / Video (45 Mbps)
Encryption Using encoding (encryption / enciphering) as means for protecting data from interception by unauthorized parties
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 6
Definition (1)
A Cipher / An Encryption MethodDefinition A procedure / an algorithm / a process
and a transformation key
Procedure / Algorithm / Process
A designed sequence of steps for transforming a plain text into a cipher text using a transformation key
Transformation Key
The key determines a particular transformation (digital string) from a set of possible transformations.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 7
Definition (1)ISO Information Processing Vocabulary
Term DefinitionSecurity The condition of being secure
or the condition of being protected from or exposed danger.
Privacy The state or quality of being private.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 8
Definition (1)ISO Information Processing Vocabulary
Term DefinitionCryptography A discipline involving
principles, means, and methods for changing data so that it is not readable.
Cryptanalysis An attack on one of the principles, means, or methods (to recover readability)
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 9
Definition (1)ISO Information Processing Vocabulary
Term DefinitionEncryption / Enciphering
The process of changing data (plain text) so that it becomes unreadable (cipher text).
Decryption / Deciphering
The process of transforming cipher text back into plain text.
Security Policy Issues
Saad Haj Bakry, PhD, CEng, FIEE 10
Definition (2)ISO Information Processing Vocabulary
Computer System SecurityThe technological and the administrative safeguards established and applied to data processing to protect hardware, software, and data from accidental or malicious destruction or disclosure.
Saad Haj Bakry, PhD, CEng, FIEE 11
Analysis of Definition (2)
Issue DescriptionObject
(to be protected)
Hardware / Software / Data
Challenges (source)
Accidental / Malicious
Effect (protection from)
Destruction / Disclosure
Means (of
protection)
Technological / Administrative
Saad Haj Bakry, PhD, CEng, FIEE 12
Definition (3)ISO Information Processing Vocabulary
Privacy ProtectionThe implementation of appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of data records, and to protect both security and confidentiality against any threat or hazard that could result in substantial harm, embarrassment, inconvenience or unfairness to any individual about whom such information is maintained.
Saad Haj Bakry, PhD, CEng, FIEE 13
Analysis of Definition (3)Issue Description
Object (to be
protected)
Information / Data: Records (associated with individuals, or organizations: privacy)
Challenge (to object)
Security / Privacy
Effect (protection
from)
Threat & hazard that could result in harm, embarrassment, inconvenience,
or unfairness
Means (of protection)
Physical / Administrative / Technical
Saad Haj Bakry, PhD, CEng, FIEE 14
Definition (2)ISO-OSI Special Interest Group on Security
Network Security GoalsProtection of data against: undetected loss and repetition unauthorized modification unauthorized disclosure
Data is Sequenced
Sealed
Private
Ensuring correct identity of sender & receiver
Signed by Sender Stamped by Receiver
Saad Haj Bakry, PhD, CEng, FIEE 15
Definition (3)Intranet-Internet Flow / Flooding
Security of Network FlowProtection from undesired data
streams entering the Intranet (Private / National Networks)
Firewalls
Protection of private data streams from leaking out of the Intranet
Protection from denial of service :
Flooding: undesired generation of data.
Anti-Virus
Saad Haj Bakry, PhD, CEng, FIEE 16
Basic Data Security TermsTerm Definition
Plaintext Source text / Unencrypted data
Cryptography Transforming “plaintext” to “cipher text” (encrypted text) using a “cipher” and a “key”
Cipher text Encrypted text / Incomprehensible data
Cipher /
Cryptosystem
A technique / A procedure / An algorithm (a computer science term) for encrypting data / messages
A Key A string of digits used to encrypt data (like a password) / Longer keys lead to stronger encryption
Cryptanalysis Breaking / cracking encyption
Saad Haj Bakry, PhD, CEng, FIEE 17
Risk v. Cost
Cost
Risk
Balance
Saad Haj Bakry, PhD, CEng, FIEE 18
Profile Benefits
Current State
A Security Map of Broad Scope:“A Base for Investigations”
Future Policy“Reengineering”
Management“TQM”
Risk / Cost“Balance”
Saad Haj Bakry, PhD, CEng, FIEE 19
Profile Principles: Scope
T
PO
Technology
Organization People
Environment
Challenges
Accidental
Malicious
ProtectionTechnical
Administrative
Challenges: Technology / Organization / People / Environment
Protection: Awareness / Practices / Legal / Management
Access / identity / Integrity / Confidentiality / Flow / Contingency
Saad Haj Bakry, PhD, CEng, FIEE 20
Profile Principles: Levels / Modules
The Internet Level (Module)Potential World Wide Business Activities
The Extranet Level (Module)Partners / Suppliers / Customers “Business Activities”
The Intranet Level (Module)Intra-organization Activities
Security
Saad Haj Bakry, PhD, CEng, FIEE 21
Challenges: Organization / People
Levels Non-Malicious MaliciousOrganization:
Intranet /
Business: Extranet /
Public: Internet
Management “Environment”
/ Misbehaviour
/ Misuse
Conflicting Objectives
Hostility
Hackers (Internal / External)
Saad Haj Bakry, PhD, CEng, FIEE 22
Challenges: Technology
Levels Non-Malicious MaliciousOrganization: Intranet /
Business: Extranet /
Public: Internet
Design / Implementation Vulnerability: System Failure Logical Deficiencies Protocol
Un-robustness
Computer Viruses: Undesired (harmful)
technology
components Spreading the
Disease (network)
Saad Haj Bakry, PhD, CEng, FIEE 23
Challenges: Environment
Levels Accidental / Malicious
Non- Malicious
Organization: Intranet /
Business: Extranet /
Public: Internet
Noise
Power Failure
Disasters: Flood / Fire /
Earth quick / …
Rules: Regulations / Practices / Legal Issues
Management: Policy / Practices
Saad Haj Bakry, PhD, CEng, FIEE 24
Challenges: Effect / Results
Denial of Service
Performance Degradation
Loss of Privacy
Data Corruption
System Failures Loss of Data
Flooding
Problems of Identity
Saad Haj Bakry, PhD, CEng, FIEE 25
Protection: Technical (See Paper)
Firewalls
Reliable Technology
Traffic Padding
Access Control Authentication
of Identities Cryptography
Error Detection & Correction
Anti-Virus
Measures
Saad Haj Bakry, PhD, CEng, FIEE 26
Protection: Administrative (Issues)
Awareness: For Who: Users / IT Staff Subject: Understanding
Network
Security
Legal
Issues:National /
International
Rules
(IT Security /
Punishment)
Job Practices
& Management:People’s
Interaction
with Other
People
& with Machines
Saad Haj Bakry, PhD, CEng, FIEE 27
Protection: Administrative (Organizations)
International
Government
Professional
Private
Intranet /
Extranets
Standards
Management
Technical
Laws
Saad Haj Bakry, PhD, CEng, FIEE 28
Cost Effectiveness Scope / Objectives / Requirements
Cost / Benefits
Priorities
Internet / Extranet / Intranet
Saad Haj Bakry, PhD, CEng, FIEE 29
Profile: Generic Architecture Level Description
Computer Tools
User InterfaceComputer Database
Security Components
Elements (Products)
Economy (Cost / Benefit)
Positions / Functions
Profile
Base
Security: Tools
Security: Challenges / Protection
Intranet Extranet Internet
Saad Haj Bakry, PhD, CEng, FIEE 30
Profile: Use / Benefits Use Description
Current State Mapping / understanding current state
Policy Development
Assessing / diagnosing (problems) Evaluation criteria (requirements) The problem of choice.
Target State Developing / mapping target state
Implementation / Testing
Monitoring / follow up progress Testing performance
Management / Improvement
Gradual improvement (TQM) Incremental improvement (Reengineering)
Saad Haj Bakry, PhD, CEng, FIEE 31
Development: Profile / Policy / Application
Building
Profile
Architecture
Mapping
Current State
Policy
Development
Mapping
Target State
Implementation
/ TestingManagement/ Improvement
TQMReengineering
Incremental Gradual
Saad Haj Bakry, PhD, CEng, FIEE 32
Security Policies
Key to the security of the Organization / Network / Information
Vulnerability Possible Attackers Possible Threats Possible Damage Data Theft
www.cerias.com
www.baselinesoft.com
www.sans.org
Response Security Needs Security V. Performance
Saad Haj Bakry, PhD, CEng, FIEE 33
Cyber-Crimes
National Security Policy: USA National Infrastructure Protection ActDenial of Service Attack / Distribution of Viruses
(Federal Crimes: Fines & Jail Time).
Web Sites
www.usdoj.gov/criminal/cybercrime/ compcrime.html
www.cybertime.gov
Saad Haj Bakry, PhD, CEng, FIEE 34
Reference
H.M. Deitel, P.J. Deitel, K. Steinbuhler, e-Business and e-Commerce for Managers, Prentice-Hall, Upper Saddler River, New Jersey, 2001