
InfSec 1 Overview

The document provides an overview of information security concepts including the CIA security model, X.800 security model, ISO 27001 standard, and current system security risks. It describes the CIA model's focus on confidentiality, integrity and availability. The X.800 model examines security from the perspectives of attacks, mechanisms and services. ISO 27001 establishes requirements for an information security management system based on a plan-do-check-act process. Common system security risks arise from intentional attacks, malicious software, and vulnerabilities in systems, software and protocols.

Uploaded by

Tính Nguyễn

Overview of Information Security

Chapter 01
Content

1. Classic security model
2. X.800 security model (security architecture for open systems)
3. ISO 27001: Information Security Standard
4. Current system security risks

Information Security

• Information security
• Computer security
• Network security

CIA Model

What is the secure system?

• C = Confidentiality
• I = Integrity
• A = Availability

Confidentiality (C)

• Limit the objects that are allowed to access system resources.
• Confidentiality of information content
• Confidentiality of information existence.
• Mechanism to ensure confidentiality:
  • Access Control
  • Encryption

Integrity (I)

• Information is not lost or changed unintentionally.
• Content integrity
• Original integrity.
• Mechanisms to ensure integrity:
  • Hash function
  • Digital signature
  • Authentication Protocols

Availability (A)

• The information is available for valid retrievals. It is the most basic characteristic of an information system.
• Modern security models (e.g. X.800) do not guarantee availability.
• DoS/DDoS attacks targeting system availability (the greatest risk to the security of information systems)

Analysis of the CIA

• No guarantee of “non-repudiation”
• Does not show “ownership”
• There is no correlation with the OSI open systems model.
=> Need to build a new model.

AAA Strategy (RFC 3127)

• Mechanisms to build a security system according to the CIA model.
  • Access Control
  • Authentication
  • Auditing
Distinguish from AAA terminology of Cisco (Authentication, Authorization, Accounting)

Access Control

• MAC (Mandatory Access Control)
  • Mandatory access management, shared for the entire system (built into the operating system)
• DAC (Discretionary Access Control): popular
  • Access rights are assigned according to resource ownership: NTFS file management on Windows XP
• RBAC (Role-based Access Control)
  • Access rights assigned by role in the system: financial manager, account group on Windows Server, Active Directory

Authentication

• User/password: Some systems will encrypt the information, some will not: Cleartext (FTP, Telnet); Challenge/response, Kerberos
• Biometric: Fingerprint, retina, ...
• Digital Certificates; Smart card
• Combining multiple techniques: multi-factor authentication
• 2 authentication methods: one-way authentication; mutual authentication

Auditing
• Auditing
• System events auditing
• NTFS access auditing
• System log
• Service log
• Command history
• System scanning: periodic system checking
• Vulnerability scanning

Deploy security solutions

• Conditions for the attack to occur:
  • Threats + Vulnerability
• Base of solutions implementation:
  • Information security policy: a system of regulations to ensure the security of the system
  • Security mechanism: system of methods, tools, procedures, ... used to enforce the provisions of the security policy
  • Economic efficiency of information systems

Security policy
• Security policy can be expressed in natural language or mathematical language.
• Natural language representation: In a system, to secure a particular resource, the security policy stipulates that only users belonging to the system administrator group have access rights, and other users do not.
• The mathematical language is as follows:
  • U is the set of users in the system.
  • A is the set of users belonging to the admin group.
  • O is the collection of objects (resources) in the system
  • The Access(u, o) operation gives the value TRUE if user u has access to the object o, otherwise it gives the value FALSE.
  • The security policy provision p is stated as follows:
    ∀u ∈ U, ∀o ∈ O: Access(u, o) = TRUE ⇔ u ∈ A

Security mechanism

• Set of technical measures or procedures implemented to ensure policy implementation. E.g.:
  • Use the permission mechanism on the NTFS partition
  • Use the system permissions mechanism (user rights)
  • Provide procedural rules (every time you leave the computer, you must log out from the system)
  • …

For example:

• The university's computer lab rules: students are not allowed to copy other students' work that has been saved on the server. This is a regulation of the privacy policy. To implement this regulation, the mechanisms applied include: creating separate folders on the server for each student, assigning access rights for each student to these folders and requiring students to save assignments in separate folders; whenever you leave the computer, you must log out from the system

Building a security system
• Policy definition: in order to clearly separate the states of the system:
  • Safe
  • Unsafe
• Mechanism implementation: to prevent the system from entering an unsafe state
Evaluating the safety of a mechanism:
• P: set of all states of the system
• Q: set of security states as defined by security policy
• R: set of system states after applying security mechanisms.
• R ⊆ Q: System is absolutely safe.
• If there is a state r ∈ R so that r ∉ Q: System is unsafe

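The evaluation of a mechanism in terms of P, Q and R, applied to the admin-only policy p from the Security policy slide, can be carried out mechanically on a small system. The following is an added example, not part of the original slides; the users, the object and the two grant rules are constructed for illustration.

```python
from itertools import chain, combinations, product

U = frozenset({"alice", "bob", "carol"})  # constructed users
A = frozenset({"alice"})                  # admin group, a subset of U
O = frozenset({"payroll.db"})             # constructed protected object

def policy_holds(state):
    """Policy p: for all u in U, o in O: Access(u, o) = TRUE <=> u in A."""
    return all(((u, o) in state) == (u in A) for u, o in product(U, O))

def all_states():
    """P: every possible set of granted (user, object) rights."""
    rights = list(product(U, O))
    subsets = chain.from_iterable(
        combinations(rights, n) for n in range(len(rights) + 1))
    return {frozenset(s) for s in subsets}

def reachable(initial, may_grant):
    """R: states the mechanism lets the system reach from `initial`."""
    seen, todo = {initial}, [initial]
    while todo:
        state = todo.pop()
        for granter, u, o in product(U, U, O):
            if may_grant(granter, u, o, state):
                nxt = state | {(u, o)}
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def discretionary(granter, u, o, state):
    """Hypothetical DAC-style rule: whoever holds access may pass it on."""
    return (granter, o) in state

def mandatory(granter, u, o, state):
    """Hypothetical system-wide rule: admins grant, and only to admins."""
    return granter in A and u in A

def evaluate(may_grant):
    """Return (R is a subset of Q, users holding access in each unsafe state)."""
    Q = {s for s in all_states() if policy_holds(s)}
    R = reachable(frozenset(product(A, O)), may_grant)
    return R <= Q, sorted(sorted(u for u, _ in r) for r in R - Q)

if __name__ == "__main__":
    for rule in (mandatory, discretionary):
        print(rule.__name__, evaluate(rule))
```

Under the discretionary rule the initial state satisfies the policy, yet the mechanism can still reach states outside Q, which is why the check is on every state in R rather than on the current configuration.
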
The goals of System Security
• An ideal system (which is difficult to build) is one that:
  • Has a policy that accurately and completely defines the security states of the system.
  • Has a mechanism to fully and effectively enforce the regulations of the policy.
• When building a safety system, the goals set for the mechanism are:
  • Prevention
  • Detection
  • Recovery

X.800 Security Model (ITU-T)

• Security architecture for open systems X.800: Consider security in relation to the OSI open system model from 3 perspectives:
  • Security attack
  • Security mechanism
  • Security service
• Security services are provided as primitives at the respective OSI layer

Security attack

• Passive attacks:
  • Disclosure
  • Traffic analysis
• Active attacks:
  • Change information
  • Denial of service

Security services

• Access Control
• Authentication
• Data Confidentiality
• Data Integrity
• Non-repudiation

Security mechanisms

• Encipherment: cryptographic algorithm to protect data
• Digital Signature: verify content and information origin
• Access Control
• Data Integrity
• Authentication exchange
• Traffic padding: insert fake information into traffic, prevent the ability to analyze traffic to recover information
• ….

Information security standards: ISO 27001

• Based on the concept of Information Security Management System (ISMS).
• The PDCA process:
  • P (Plan): Establish and define security policies.
  • D (Do): deploy mechanisms to implement policy
  • C (Check): Evaluation of the effectiveness of ISMS
  • A (Act): strengthen and upgrade ISMS

ISO 27001 requirements
• Assess information security risks
• Information security policy
• Organization of the information security system
• Asset management organization
• Ensuring human resource security
• Environmental security and working equipment
• Communication management (including network security)
• Manage access to information resources
• Management of information system failures.

System security risks in practice

• Intentional attacks
• White hat hackers
• Script kiddies
• Black hat hackers
• Internal threats
• The destructive software (malicious code)

Attacks on information systems

• Based on the vulnerabilities of system
• Based on the vulnerabilities of software
• Based on the vulnerabilities of protocol
• Attack on the security mechanism
• Denial of Service (DoS/DDoS) attack

The destructive software (malicious code)

• Virus
• Worm
• Logic bomb
• Trojan horse
• Backdoor
• Spammer
• Zombie

Discussion

+ Threats?
  • Threats: hackers, internal staff, competitors
+ Vulnerability?
  • Weaknesses, security holes
+ Risk?
  • Risk, hazard
