Information Security Basics: Principles, Authentication, and Access Control, Slides of Cryptography and System Security

An overview of information security basics, including identifying who is responsible for information security, understanding security principles, using effective authentication methods, controlling access to computer systems, and auditing information security schemes. It covers topics such as layering, limiting, diversity, obscurity, simplicity, username and password, tokens, biometrics, certificates, Kerberos, Challenge Handshake Authentication Protocol (CHAP), mutual authentication, multifactor authentication, access control lists (ACL), mandatory access control (MAC), role-based access control (RBAC), and discretionary access control (DAC).

Typology: Slides

2012/2013

Uploaded on 04/24/2013

ballari

Chapter 3: Security Basics

Objectives

  • Identify who is responsible for information security
  • Describe security principles
  • Use effective authentication methods
  • Control access to computer systems
  • Audit information security schemes

Identifying Who Is Responsible for Information Security (continued)

  • Bottom-up approach: major tasks of securing information are accomplished from the lower levels of the organization upwards
  • This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information

Identifying Who Is Responsible for Information Security (continued)

  • Chief information security officer (CISO): helps develop the security plan and ensures it is carried out
  • Human firewall: describes the security-enforcing role of each employee

Understanding Security Principles

  • Ways information can be attacked:
    • Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
    • Spies can use social engineering
    • Employees can guess other users’ passwords
    • Hackers can create back doors
  • Protecting against the wide range of attacks calls for a wide range of defense mechanisms

Layering (continued)

Limiting

  • Limiting access to information reduces the threat against it
  • Only those who must use data should have access to it
  • Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
  • The amount of access granted to someone should be limited to what that person needs to know or do

Diversity

  • Diversity is closely related to layering
  • You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
  • Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Diversity (continued)

  • You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
  • Using firewalls produced by different vendors creates even greater diversity

Simplicity

  • Complex security systems can be difficult to understand, troubleshoot, and feel secure about
  • The challenge is to make the system simple from the inside but complex from the outside

Using Effective Authentication Methods

  • Information security rests on three key pillars:
    • Authentication
    • Access control
    • Auditing
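As an added example (not from the slides), the three pillars applied to one small system, together with the "limiting" rule from the earlier slide: a subject is authenticated by what it knows, then allowed to interact with an object only if an explicit right exists (deny by default), and every decision is recorded for auditing. The user store, passwords and access matrix are constructed sample data.

```python
# Added example, not from the slides. USERS, ACL and all credentials are
# constructed sample data; the structure is a plain subject/object rights matrix.
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so equal passwords do not share a stored hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: subject -> (salt, password hash)  [authentication]
_SALTS = {"alice": os.urandom(16), "bob": os.urandom(16)}
USERS = {
    "alice": (_SALTS["alice"], hash_password("correct horse", _SALTS["alice"])),
    "bob": (_SALTS["bob"], hash_password("hunter2", _SALTS["bob"])),
}

# Constructed access matrix: object -> subject -> rights  [access control]
# Only the rights a subject needs are listed; anything absent is denied.
ACL = {
    "payroll.db": {"alice": {"read", "write"}},
    "wiki": {"alice": {"read"}, "bob": {"read", "write"}},
}

# Every authentication and access decision is appended here  [auditing]
AUDIT_LOG = []

def authenticate(user: str, password: str) -> bool:
    # Unknown users fall through to a dummy comparison so the work is uniform.
    salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    AUDIT_LOG.append(("auth", user, "-", "success" if ok else "failure"))
    return ok

def authorize(user: str, obj: str, right: str) -> bool:
    # Deny by default: no entry means no access (limiting / need to know).
    ok = right in ACL.get(obj, {}).get(user, set())
    AUDIT_LOG.append(("access", user, f"{right}:{obj}", "allow" if ok else "deny"))
    return ok

def request(user: str, password: str, obj: str, right: str) -> bool:
    # Authentication must succeed before any access-control decision is made.
    return authenticate(user, password) and authorize(user, obj, right)
```

Because authentication failures short-circuit before `authorize` runs, the audit log shows exactly which pillar rejected a request.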

Username and Password (continued)

  • ID management:
    • User’s single authenticated ID is shared across multiple networks or online businesses
    • Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)
    • Can be for users and for computers that share data

Tokens

  • Token: security device that authenticates the user by having the appropriate permission embedded into the token itself
  • Passwords are based on what you know, tokens are based on what you have
  • Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal