SlideShare une entreprise Scribd logo

informations_security_presentations.pptx

Télécharger en tant que PPTX, PDF
F
FAKHARZAMANPROUD

Information security involves protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. It encompasses a range of strategies and practices, including encryption, access control, and network security, aimed at ensuring the confidentiality, integrity, and availability of information. This field is crucial in today's digital age to safeguard sensitive data and systems from cyber threats and attacks.

Logiciels
1  sur  35
Information Security Muhammad Ahmed 1
Introduction • Fundamental concept – CIA – AAA – Threats and attacks – Security principles • Access control models – Access Control Matrices – Access Control Lists – Capabilities – Role based access control • Cryptographic concepts – Encryption – Digital signatures – Simple attacks on cryptosystems – Cryptographic has functions – Digital Certificates 2
Defining Security • The security of a system, application, or protocol is always relative to – A set of desired properties – An adversary with specific capabilities • For example, standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD 3
A sound security model • Define security properties • Anticipate the types of attacks • The design should be usable and simple – If security measure are difficult to understand then it will lead to failure of adoption • Implementation (H/w or S/w) should be tested for programming errors • When deployed, it should be monitor. • Patches must be applied when available 4
Security Goals 5 Integrity Confidentiality Availability • C.I.A.
Confidentiality • Confidentiality is the avoidance of the unauthorized disclosure of information. – confidentiality involves the protection of data, – providing access for those who are allowed to see it while disallowing others from learning anything about its content. 6
Tools for Confidentiality • Encryption: the transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key). 7
Tools for Confidentiality • Access control: rules and policies that limit access to confidential information to those people and/or systems with a “need to know.” – This may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist. 8
Cont. Access control prevention of the unauthorized use of a resource, that is this service controls - who can have access to a resource - under what condition access can occur - and what those accessing are allowed to do 9
Tools for Confidentiality • Authentication: the determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of – something the person has (like a smart card or a radio key storing secret keys), – something the person knows (like a password), – something the person is (like a human with a fingerprint). 10 Something you have radio token with secret keys Something you know password=ucIb()w1V mother=Jones pet=Caesar Something you are human with fingers and eyes
Tools for Confidentiality • Authorization: the determination if a person or system is allowed access to resources, based on an access control policy. – Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources. • Physical security: the establishment of physical barriers to limit access to protected computational resources. It includes – locks on cabinets and doors, – placement of computers in windowless rooms, – use of sound dampening materials, – construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure. 11
Cont. • Browser verify that website we are connecting to is indeed(Really) who it says it is. – Authentication • Website might be checking our browser and can we access that page according to ACP – Authentication and access control • Browser may ask the website for encryption key to encrypt credit card no. – Encryption • Finally our credit card no. reaches at server : – Physical security, access policy, authorization and authentication to safe credit card no 12
[Physical security] • One can determine the letters by – Listening to the recording of key stokes • Possible to reconstruct the image of computer screen – By monitoring its electromagnetic radiations – From video of blank wall the screen was shining on • Physical security is IS concept and should not be taken for granted 13
Integrity • Integrity: the property that information has not be altered in an unauthorized way. • Tools – Backups: the periodic archiving of data. – Checksums: • the computation of a function that maps the contents of a file to a numerical value. • A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file is highly likely to result in a different output value. – Data correcting codes: • methods for storing data in such a way that small changes can be easily detected and automatically corrected. • Apply to small data such as byte or word • Metadata of the data also need to be protected 14
Availability • Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so. • Tools: – Physical protections: infrastructure meant to keep information available even in the event of physical challenges. – Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. 15
Other Security Concepts • A.A.A. 16 Authenticity Assurance Anonymity
Assurance • Assurance refers to how trust is provided and managed in computer systems. • Trust management depends on: – Policies, which specify behavioral expectations that people or systems have for themselves and others. • E.g., the designers of an online music system may specify policies that describe how users can access and copy songs. – Permissions, which describe the behaviors that are allowed by the agents that interact with a person or system. • For instance, an online music store may provide permissions for limited access and copying to people who have purchased certain songs. – Protections, which describe mechanisms put in place to enforce permissions and polices. • We could imagine that an online music store would build in protections to prevent people from unauthorized access and copying of its songs. 17
Example: Internet Browser • “Locks the lock” indicate that comm. is secure • Perform no of services on behalf of user – Encrypting the session – Authenticate the website 18
Authenticity • Authenticity is the ability to determine that statements, policies, and permissions issued by persons or systems are genuine. • Primary tool: – Nonrepudiation, which is the property that authentic statements issued by some person or system cannot be denied – Digital signatures • These are cryptographic to authenticate a document • If doc is modified then become invalid • Requirement : must have electronic way to identify people 19
Anonymity • Anonymity: the property that certain records or transactions not to be attributable to any individual. • Tools: – Aggregation: • the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual. – Mixing: • the intertwining of transactions, information, or communications in a way that cannot be traced to any individual. – Proxies: • trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person. 20
Aspects of Security • Security attack Any action that compromises the security of information owned by an organization. • Security mechanism A process that is designed to detect, prevent or recover from a security attack. • Security service Services that enhances the security of the data processing systems and the information transfers of an organization. These services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. 21
Threat and attack • A threat is a possible potential danger that might exploit a vulnerability. – Exploit is a sequence of commands that take advantage of a vulnerability in order to cause damage – Vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system • An attack is an unlawful attempt on a system security that drives from an intelligent threat. 22
Security Attacks • Any action that compromises the security of information owned by an organization • Information security is about how to prevent attacks, or failing that, to detect attacks on information- based systems • have a wide range of attacks • Classification according to X.800 – Passive attack – Active attack 23
Passive attack • Obtaining message content • Traffic analysis 24
Active attack • Masquerade • Replay previous messages • Modify messages in transit • Denial of service 25
Threats and Attacks • Eavesdropping: the interception(Capture) of information intended for someone else during its transmission over a communication channel. 26 Bob Alice Eve
Threats and Attacks • Alteration: unauthorized modification of information. – Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted. 27 encrypt decrypt ciphertext C shared secret key plaintext M plaintext M′ shared secret key Communication channel Sender Recipient Attacker (intercepting) ciphertext C′
Threats and Attacks • Denial-of-service: the interruption or degradation of a data service or information access. – Example: email spam, to the degree that it is meant to simply fill up a mail queue and slow down an email server. 28 Alice
Threats and Attacks • Masquerading: the fabrication of information that is purported(suppose) to be from someone who is not actually the author. 29 “From: Alice” (really is from Eve)
Threats and Attacks • Repudiation: the denial of a commitment or data receipt. – This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received. 30
Threats and Attacks • Correlation and traceback: the integration of multiple data sources and information flows to determine the source of a particular data stream or piece of information. 31 Bob
Security Mechanisms • Specific security mechanisms: – Encipherment: use of mathematical algorithm to transform data into a form that is not understandable – Digital signatures : use of cryptographic transformation on a data unit that allows a recipient of the data unit to prove that source and integrity of data unit – Access controls: mechanisms that enforce access rights to resources – Data integrity: 32
Cont. – Authentication exchange mechanism used to ensure the integrity of an entity by mean of information exchange – Traffic padding insertion of bits in a data stream to frustrate traffic analysis attempt – Routing control enable selection of physically secure route for data transmission – Notarization use of trusted third party to ensure certain properties of data exchange 33
Examples of Security Violations • A transmit a file (containing sensitive information) to B. C, who is not authorized to read the file, is able monitor the transmission • Administrator D sends a message to computer E for updating an authorization file. F intercept the message, alters its content to add or delete entries, and then forwards the message to E. E accept the message and update the authorization file • Rather than intercept, F constructs its own message and send it to E 34
Cont. • An employee X is fired. X is able to intercept the message that is send to invalidate the employee account. X is able to delay the message long enough to access the sensitive information from the server. X then forward the message and the action taken. This delay may go unnoticed • A message is send from a customer to a stockbroker. Afterwards, investment loose value and customer denies the sending message. 35

Recommandé

dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...NISHASOMSCS113
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptshahadd2021
 
Chapter 1: Overview of Network Security
Chapter 1: Overview of Network SecurityChapter 1: Overview of Network Security
Chapter 1: Overview of Network SecurityShafaan Khaliq Bhatti
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptxselvapriyabiher
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 

Recommandé

dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...
dokumen.tips_1-cryptography-and-network-security-third-edition-by-william-sta...NISHASOMSCS113
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptshahadd2021
 
Chapter 1: Overview of Network Security
Chapter 1: Overview of Network SecurityChapter 1: Overview of Network Security
Chapter 1: Overview of Network SecurityShafaan Khaliq Bhatti
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptxselvapriyabiher
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
basic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.pptbasic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.pptPawachMetharattanara
 
chapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfchapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfsatonaka3
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
CyberSecurity101.pdf
CyberSecurity101.pdfCyberSecurity101.pdf
CyberSecurity101.pdfDhananjaySingh23178
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdfKIYALIBAN1
 
Module-1.ppt cryptography and network security
Module-1.ppt cryptography and network securityModule-1.ppt cryptography and network security
Module-1.ppt cryptography and network securityAparnaSunil24
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 csebhaskard8
 
Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedBule Hora University
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
Information Security
Information SecurityInformation Security
Information SecurityDhilsath Fathima
 
2.Types of Attacks.pptx
2.Types of Attacks.pptx2.Types of Attacks.pptx
2.Types of Attacks.pptxNISARSHAIKH57
 
Introduction of network security
Introduction of network securityIntroduction of network security
Introduction of network securitysneha padhiar
 
Unit v
Unit vUnit v
Unit vbharatnaruka90
 
BAIT1103 Chapter 1
BAIT1103 Chapter 1BAIT1103 Chapter 1
BAIT1103 Chapter 1limsh
 
Intro
IntroIntro
IntroJustineJohn3
 
Network Security
Network Security Network Security
Network Security Vipul Mosaic
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 

Contenu connexe

Similaire à informations_security_presentations.pptx

Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
basic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.pptbasic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.pptPawachMetharattanara
 
chapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfchapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfsatonaka3
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdfKIYALIBAN1
 
Module-1.ppt cryptography and network security
Module-1.ppt cryptography and network securityModule-1.ppt cryptography and network security
Module-1.ppt cryptography and network securityAparnaSunil24
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
Network Security
Network SecurityNetwork Security
Network SecurityManoj Singh
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedBule Hora University
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1osama elfar
 
2.Types of Attacks.pptx
2.Types of Attacks.pptx2.Types of Attacks.pptx
2.Types of Attacks.pptxNISARSHAIKH57
 
Introduction of network security
Introduction of network securityIntroduction of network security
Introduction of network securitysneha padhiar
 
BAIT1103 Chapter 1
BAIT1103 Chapter 1BAIT1103 Chapter 1
BAIT1103 Chapter 1limsh
 

Similaire à informations_security_presentations.pptx (20)

Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
basic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.pptbasic-security-concepts-what-is-security48.ppt
basic-security-concepts-what-is-security48.ppt
 
chapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdfchapter13 - Computing Security Ethics.pdf
chapter13 - Computing Security Ethics.pdf
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
CyberSecurity101.pdf
CyberSecurity101.pdfCyberSecurity101.pdf
CyberSecurity101.pdf
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdf
 
Module-1.ppt cryptography and network security
Module-1.ppt cryptography and network securityModule-1.ppt cryptography and network security
Module-1.ppt cryptography and network security
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
 
Computer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOVComputer Security Primer - Eric Vanderburg - JURINNOV
Computer Security Primer - Eric Vanderburg - JURINNOV
 
Network Security
Network SecurityNetwork Security
Network Security
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Network security chapter 1
Network security chapter 1Network security chapter 1
Network security chapter 1
 
Information Security
Information SecurityInformation Security
Information Security
 
2.Types of Attacks.pptx
2.Types of Attacks.pptx2.Types of Attacks.pptx
2.Types of Attacks.pptx
 
Introduction of network security
Introduction of network securityIntroduction of network security
Introduction of network security
 
Unit v
Unit vUnit v
Unit v
 
BAIT1103 Chapter 1
BAIT1103 Chapter 1BAIT1103 Chapter 1
BAIT1103 Chapter 1
 
Intro
IntroIntro
Intro
 
Network Security
Network Security Network Security
Network Security
 

Dernier

Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 

Dernier (20)

Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 

informations_security_presentations.pptx

  • 2. Introduction • Fundamental concept – CIA – AAA – Threats and attacks – Security principles • Access control models – Access Control Matrices – Access Control Lists – Capabilities – Role based access control • Cryptographic concepts – Encryption – Digital signatures – Simple attacks on cryptosystems – Cryptographic has functions – Digital Certificates 2
  • 3. Defining Security • The security of a system, application, or protocol is always relative to – A set of desired properties – An adversary with specific capabilities • For example, standard file access permissions in Linux and Windows are not effective against an adversary who can boot from a CD 3
  • 4. A sound security model • Define security properties • Anticipate the types of attacks • The design should be usable and simple – If security measure are difficult to understand then it will lead to failure of adoption • Implementation (H/w or S/w) should be tested for programming errors • When deployed, it should be monitor. • Patches must be applied when available 4
  • 6. Confidentiality • Confidentiality is the avoidance of the unauthorized disclosure of information. – confidentiality involves the protection of data, – providing access for those who are allowed to see it while disallowing others from learning anything about its content. 6
  • 7. Tools for Confidentiality • Encryption: the transformation of information using a secret, called an encryption key, so that the transformed information can only be read using another secret, called the decryption key (which may, in some cases, be the same as the encryption key). 7
  • 8. Tools for Confidentiality • Access control: rules and policies that limit access to confidential information to those people and/or systems with a “need to know.” – This may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist. 8
  • 9. Cont. Access control prevention of the unauthorized use of a resource, that is this service controls - who can have access to a resource - under what condition access can occur - and what those accessing are allowed to do 9
  • 10. Tools for Confidentiality • Authentication: the determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of – something the person has (like a smart card or a radio key storing secret keys), – something the person knows (like a password), – something the person is (like a human with a fingerprint). 10 Something you have radio token with secret keys Something you know password=ucIb()w1V mother=Jones pet=Caesar Something you are human with fingers and eyes
  • 11. Tools for Confidentiality • Authorization: the determination if a person or system is allowed access to resources, based on an access control policy. – Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources. • Physical security: the establishment of physical barriers to limit access to protected computational resources. It includes – locks on cabinets and doors, – placement of computers in windowless rooms, – use of sound dampening materials, – construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure. 11
  • 12. Cont. • Browser verify that website we are connecting to is indeed(Really) who it says it is. – Authentication • Website might be checking our browser and can we access that page according to ACP – Authentication and access control • Browser may ask the website for encryption key to encrypt credit card no. – Encryption • Finally our credit card no. reaches at server : – Physical security, access policy, authorization and authentication to safe credit card no 12
  • 13. [Physical security] • One can determine the letters by – Listening to the recording of key stokes • Possible to reconstruct the image of computer screen – By monitoring its electromagnetic radiations – From video of blank wall the screen was shining on • Physical security is IS concept and should not be taken for granted 13
  • 14. Integrity • Integrity: the property that information has not be altered in an unauthorized way. • Tools – Backups: the periodic archiving of data. – Checksums: • the computation of a function that maps the contents of a file to a numerical value. • A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file is highly likely to result in a different output value. – Data correcting codes: • methods for storing data in such a way that small changes can be easily detected and automatically corrected. • Apply to small data such as byte or word • Metadata of the data also need to be protected 14
  • 15. Availability • Availability: the property that information is accessible and modifiable in a timely fashion by those authorized to do so. • Tools: – Physical protections: infrastructure meant to keep information available even in the event of physical challenges. – Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures. 15
  • 16. Other Security Concepts • A.A.A. 16 Authenticity Assurance Anonymity
  • 17. Assurance • Assurance refers to how trust is provided and managed in computer systems. • Trust management depends on: – Policies, which specify behavioral expectations that people or systems have for themselves and others. • E.g., the designers of an online music system may specify policies that describe how users can access and copy songs. – Permissions, which describe the behaviors that are allowed by the agents that interact with a person or system. • For instance, an online music store may provide permissions for limited access and copying to people who have purchased certain songs. – Protections, which describe mechanisms put in place to enforce permissions and polices. • We could imagine that an online music store would build in protections to prevent people from unauthorized access and copying of its songs. 17
  • 18. Example: Internet Browser • “Locks the lock” indicate that comm. is secure • Perform no of services on behalf of user – Encrypting the session – Authenticate the website 18
  • 19. Authenticity • Authenticity is the ability to determine that statements, policies, and permissions issued by persons or systems are genuine. • Primary tool: – Nonrepudiation, which is the property that authentic statements issued by some person or system cannot be denied – Digital signatures • These are cryptographic to authenticate a document • If doc is modified then become invalid • Requirement : must have electronic way to identify people 19
  • 20. Anonymity • Anonymity: the property that certain records or transactions not to be attributable to any individual. • Tools: – Aggregation: • the combining of data from many individuals so that disclosed sums or averages cannot be tied to any individual. – Mixing: • the intertwining of transactions, information, or communications in a way that cannot be traced to any individual. – Proxies: • trusted agents that are willing to engage in actions for an individual in a way that cannot be traced back to that person. 20
  • 21. Aspects of Security • Security attack Any action that compromises the security of information owned by an organization. • Security mechanism A process that is designed to detect, prevent or recover from a security attack. • Security service Services that enhances the security of the data processing systems and the information transfers of an organization. These services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. 21
  • 22. Threat and attack • A threat is a possible potential danger that might exploit a vulnerability. – Exploit is a sequence of commands that take advantage of a vulnerability in order to cause damage – Vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system • An attack is an unlawful attempt on a system security that drives from an intelligent threat. 22
  • 23. Security Attacks • Any action that compromises the security of information owned by an organization • Information security is about how to prevent attacks, or failing that, to detect attacks on information- based systems • have a wide range of attacks • Classification according to X.800 – Passive attack – Active attack 23
  • 24. Passive attack • Obtaining message content • Traffic analysis 24
  • 25. Active attack • Masquerade • Replay previous messages • Modify messages in transit • Denial of service 25
  • 26. Threats and Attacks • Eavesdropping: the interception(Capture) of information intended for someone else during its transmission over a communication channel. 26 Bob Alice Eve
  • 27. Threats and Attacks • Alteration: unauthorized modification of information. – Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted. 27 encrypt decrypt ciphertext C shared secret key plaintext M plaintext M′ shared secret key Communication channel Sender Recipient Attacker (intercepting) ciphertext C′
  • 28. Threats and Attacks • Denial-of-service: the interruption or degradation of a data service or information access. – Example: email spam, to the degree that it is meant to simply fill up a mail queue and slow down an email server. 28 Alice
  • 29. Threats and Attacks • Masquerading: the fabrication of information that is purported(suppose) to be from someone who is not actually the author. 29 “From: Alice” (really is from Eve)
  • 30. Threats and Attacks • Repudiation: the denial of a commitment or data receipt. – This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received. 30
  • 31. Threats and Attacks • Correlation and traceback: the integration of multiple data sources and information flows to determine the source of a particular data stream or piece of information. 31 Bob
  • 32. Security Mechanisms • Specific security mechanisms: – Encipherment: use of mathematical algorithm to transform data into a form that is not understandable – Digital signatures : use of cryptographic transformation on a data unit that allows a recipient of the data unit to prove that source and integrity of data unit – Access controls: mechanisms that enforce access rights to resources – Data integrity: 32
  • 33. Cont. – Authentication exchange mechanism used to ensure the integrity of an entity by mean of information exchange – Traffic padding insertion of bits in a data stream to frustrate traffic analysis attempt – Routing control enable selection of physically secure route for data transmission – Notarization use of trusted third party to ensure certain properties of data exchange 33
  • 34. Examples of Security Violations • A transmit a file (containing sensitive information) to B. C, who is not authorized to read the file, is able monitor the transmission • Administrator D sends a message to computer E for updating an authorization file. F intercept the message, alters its content to add or delete entries, and then forwards the message to E. E accept the message and update the authorization file • Rather than intercept, F constructs its own message and send it to E 34
  • 35. Cont. • An employee X is fired. X is able to intercept the message that is send to invalidate the employee account. X is able to delay the message long enough to access the sensitive information from the server. X then forward the message and the action taken. This delay may go unnoticed • A message is send from a customer to a stockbroker. Afterwards, investment loose value and customer denies the sending message. 35

Notes de l'éditeur

  1. The OSI security architecture focuses on security attacks,mechanisms,and services.
  2. A threat is a possible potential danger that might exploit a vulnerability. Is a sequence of commands that take advantage of a vulnerability in order to cause vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system.
  3. Passive attacks attempt to learn or make use of information from the system but does not affect system resources. By eavesdropping on, or monitoring of, transmissions to: + obtain message contents or + monitor traffic flows ( … opponent could determine the frequency and length of messages being exchange this kind of information maybe helpful in determining the nature of communication that was taking place) Are difficult to detect because they do not involve any alteration of the data.
  4. Active attacks attempt to alter system resources or affect their operation. By modification of data stream to: + masquerade of one entity as some other + replay previous messages (as shown above in Stallings Figure 1.4b) + modify messages in transit + denial of service Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical,software,and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.