Transcript Classroom Expectations

CRYPTOGRAPHY
Ch 4: A Model for Information
Security Planning
Mohammed Minhajuddin Khan
Topics
• Information System Architecture And
Design Layer
 Specify the information system security measures.
 Combination of Systems, Networks, Service
Applications, and underlying Telecommunication
Services - Information System.
 Information system’s security depends on how the
underlying architecture is designed and implemented.
• Web Services Protection Layer
 Specify the information system security measures.
 The use of Internet and open systems open the need
to secure this layer of services that interact with Web.
• The Eight P’s Of Security Layer
 Address the soft side of information security.
 This layer is concern with the people
INFORMATION SYSTEM
ARCHITECTURE AND DESIGN LAYER
This level generally operate in an open environment, So
we can’t expect choke security. The information security
specialist should be concerned with
 Create Choke point, well-known as gateway. This should be created
to perform screening (Screening of Identity, content checking, &
malicious signatures). This are easy to develop through the use of
routers.
 Viruses & worms have long been the misery of information security
professionals. Virus scanners are option to protect from this
nemesis. Virus scanners work by checking information content for
a Malicious signature.
 Maintaining a posture of least privilege. The idea behind the
principle of least privilege is to minimize the attacker’s potential.
 To understand the security profile of Third-party providers. Thirdparty providers are usually high-profile hacker targets. Information
security specialist should understand the provider security issues
and to take action to protect the organization’s information. Here is
a good example of why applying cryptographic methods and
authentication processes is important.
INFORMATION SYSTEM
ARCHITECTURE AND DESIGN LAYER
 Implement event monitoring, intrusion detection, and logging systems.
Through these systems, law enforcement officials may also benefit in
the investigation of a crime.
 Develop a permission-based architecture (Closed architectures).
Example: Router (When creating access control lists).
 Extend Cryptographic methods for use at the network and system level
(VPN, SSL, SET, IPsec, etc). This are the crux of this work. By using
this network encryption services, it is possible to form secure tunnels
through the open Internet.
 Securing the information system from both internal and external threats.
70% of all computer crime originates from within the pool of trusted
insiders. So, the security management and corporate management
should keeps a watch-full eye on both internal and external.
 Create System-level, Application-level, and Network-level tie-ins to the
authentication and verification system.
WEB SERVICES PROTECTION LAYER
The web services are browsing simple or complex
information, file transfer, name and address resolution,
secure funds transfer, transaction processing, and use of
the web for private communications. Here the information
is public, so the cryptographic methods should provide
secure transactions & have to be more complex to break.
Goals to accomplish in this layer:
 Client-side user privacy. A primary function of the web services
layer in our security model is to prevent attacks.
 Prevention of inappropriate release of secure content by clients.
 Protection of the Web server from being accessed in an
unauthorized way. To know the software flaw or a loophole in a
website. Methods be used to secure these areas (ex: proxy services)
 Prevention of document corruption. Web services are all about
document access and control. Use of various cryptographic
techniques such as digital signatures, code signing, and
integrity checking to validate the integrity of the document.
The primary concerned at this layer is with attacks against
the brand, infiltration of client-side systems, springboard
attacks, denial-of-service attacks, and malware.
THE EIGHT P’s OF SECURITY LAYER
The information security breaches are most often caused
by either human error or an inconsistency in the
implementation of security procedures. By developing a
plan that is concerned with the 8 Ps of information security,
planners are likely to gain more cooperation and
acceptance of the plan.
 People would like to believe that they can buy security off the shelf.
 Persuading people from all levels to buy into the security plan is
difficult. Clients need to feel secure in the online access provided and
need to have easy to follow procedures for successfully executing
secure transactions. Any breaches can lead to a significant attack.
 Therefore, the outermost layer of the security model focus on
encouraging and directing people to take the correct actions with
regard to security.
 By incorporating these 8 Ps of security into the security design, we
will have a far greater chance of success.
THE EIGHT P’s OF SECURITY LAYER
1. People
 People need guidelines to direct their actions in the
use of the information and the information system.
 People need to understand the consequences of their
actions both technical and no-technical.
 People need to understand what these attacks are
and how to prevent them.
 Caution to be taken when working on non-secure
network (through PDA, NOTEBOOK, ETC).
 Use personal firewalls, virus scanners, and safe
online habits can terminate hacker activity.
 How they store, use, and transmit information.
 The cryptographic methods layer work only if people
apply the encryption to information requiring
confidentiality.
THE EIGHT P’s OF SECURITY LAYER
2. Planning
 Security planning needs to bring all of the elements
of the planning process together as a single, wellthought-out unified idea.
 Take into consideration the requirements of the
organization, summary of the risk analysis,
information on the cost benefit of a security design,
and current vulnerabilities.
 The strategy needs to determine the actions that will
be taken by the crisis-management team, users, and
management in the event of an attack.
 To use this section of the plan to build confidence in
the strategy, not to develop the implementation
strategy.
 Finally the security plan should conclude with the
policies that apply to each area of the security model.
Policies should tell us what to do, when to do it, and
why we are doing something.
THE EIGHT P’s OF SECURITY LAYER
3. Policy
 Policies are categorized, high-level description of the
security controls put in organization.
 Legal notices regarding use/monitoring/trespass/and
copy right of information or the information system,
proper use of company resources, requirements fro
trusted third parties, e-mail/Web/other application
access and usage, etc.
 These policies need to be directed at the user
community and should be specific and easy to follow.
 Policies generally define the rights of the employer,
employee, user, and guest.
 The better defined the security policies are, the less
the concern for legal liability, waste of corporate
resources, or exposure of confidential information.
THE EIGHT P’s OF SECURITY LAYER
4. Procedure
 It provide the technical details of enacting a
policy/process combination.
 A procedure should specify how something is
implemented.
 Example: choke point will be created in network,
Screening router, detail of constructing the access
control list, and fail-safe stance enabled.
THE EIGHT P’s OF SECURITY LAYER
5. Process
 Defines the actions that should be taken by the user
community and security professionals to enable the
workability of the security plan.
 These process should complement the policies by
instructing users, regarding the steps they need to
perform to be compliant with the policy.
THE EIGHT P’s OF SECURITY LAYER
6. Product
 Products are the tools, hardware, and software that
support the implementation and realization of the
security implementation.
 Products need to be purchased in a legal way with
specified plan and the policy and not the other way.
 It is important the product being used with all its pros
and cons.
 By clearly articulating the product functionality and
limitations, we can better determine if the product
meets the needs of the plan
THE EIGHT P’s OF SECURITY LAYER
7. Perseverance
 Perseverance speaks to the drive and heart of the
information security professional, the determination of
management, and the spirit of the user community.
 Initially, a security plan may not be completely
effective. Once a workable plan is accomplished quite
a bit by implementing it.
 Information security takes a long time to “burn in” and
settle.
 After the plan is in place, the information security
analyst needs to begin monitoring and making
adjustments accordingly.
THE EIGHT P’s OF SECURITY LAYER
8. Pervasiveness
 Information security is everywhere in the organization,
not just in the computer memory or at the network
gateways.
 Information security success is measured by the
combination of everyone’s actions.
By working through the eight Ps, our plan will
become more acceptable to the user community.
People will become more involved in security
because you will have given them a role to play
and goals to meet.
Question
Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve?
Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne
Ve jqvtq Yrlna? Savnoyl unbtavsn cqn afyn fo
cqvb jnrxnbc yvex ve cqrc Yrlna?
Who is the weakest link in the security
chain? Does this weakest link have any
role, if so then in which Layer? Briefly
describe the role of this weakest link in
that Layer?