CP5603 Lecture 01 2011-07-26
The Textbook
Whitman and Mattord, Principles of Information Security, 3rd edition, 2009. It has a yellow cover showing a maze. Currently selling for $113 at the JCU bookshop (plus postage); US$81 at Amazon.
Two Assignments
The assignment: involves answering some questions. Some are purely technical; some need a short essay answer.
Research report and seminar: read about a topic you are interested in, write a report, and do a short presentation about it.
Research Topics
Topics can be anything related to security, including:
1. Pretty Good Privacy (PGP)
2. Multi-purpose Internet Mail Extension (MIME)
3. Private Key Management software
4. Internet Protocol (IP) security (IPSec)
5. Spam, phishing, stealing bank passwords
6. Secure Sockets Layer (SSL)
7. Transport Layer Security (TLS)
8. Kerberos
9. Secure Electronic Transaction (SET)
10. Or anything else that you're interested in
Learning Objectives
Upon completion of this material, you should be able to:
Define information security
Relate the history of computer security and how it evolved into information security
Define key terms and critical concepts of information security as presented in this chapter
Discuss the phases of the security systems development life cycle
Present the roles of professionals involved in information security within an organization
Bombe was the name for the first computer. It was used to decrypt Enigma messages.
But he committed suicide after being found guilty of being homosexual. Maybe if he had lived, computers might be better today.
Internet History
1957: Russia launches Sputnik. The U.S. Government creates the Defense Advanced Research Projects Agency (DARPA).
1967: DARPA starts to develop a data network that can survive a nuclear war: a mesh of connections, so that as bases get nuked, network traffic can travel around the damage.
What is Security?
The quality or state of being secure: to be free from danger.
A successful organization should have multiple layers of security in place:
Physical security: otherwise an attacker can just steal a computer.
Personal security: otherwise an attacker can torture employees.
Operations security: otherwise an attacker can guess what you're doing by watching what you do.
Communications security, network security, information security: otherwise an attacker can steal a copy of your data.
The most successful also involve a formal development strategy referred to as the systems development life cycle.
1. Investigation
What problem is the system being developed to solve?
Objectives, constraints, and scope of the project are specified
Preliminary cost-benefit analysis is developed
At the end, a feasibility analysis is performed to assess the economic, technical, and behavioral feasibility of the process
2. Analysis
Consists of assessments of the organization, the status of current systems, and the capability to support proposed systems
Analysts determine what the new system is expected to do and how it will interact with existing systems
Ends with documentation of findings and an update of the feasibility analysis
3. Logical Design
Main factor is business need; applications capable of providing the needed services are selected
Data support and structures capable of providing the needed inputs are identified
Technologies to implement the physical solution are determined
Feasibility analysis performed at the end
4. Physical Design
Technologies to support the alternatives identified and evaluated in the logical design are selected
Components evaluated on a make-or-buy decision
Feasibility analysis performed; the entire solution is presented to end-user representatives for approval
5. Implementation
Needed software created; components ordered, received, assembled, and tested
Users trained and documentation created
Feasibility analysis prepared; users presented with the system for performance review and acceptance test
1. Investigation
Identifies the process, outcomes, goals, and constraints of the project
Begins with the Enterprise Information Security Policy (EISP)
Organizational feasibility analysis is performed
2. Analysis
Documents from the investigation phase are studied
Analysis of existing security policies or programs, along with documented current threats and associated controls
Includes analysis of relevant legal issues that could impact the design of the security solution
Risk management task begins
3. Logical Design
Creates and develops blueprints for information security
Incident response actions planned:
  Continuity planning
  Incident response
  Disaster recovery
Feasibility analysis to determine whether the project should be continued or outsourced
4. Physical Design
Needed security technology is evaluated, alternatives are generated, and the final design is selected
At the end of the phase, a feasibility study determines the readiness of the organization for the project
5. Implementation
Security solutions are acquired, tested, implemented, and tested again
Personnel issues evaluated; specific training and education programs conducted
Entire tested package is presented to management for final approval
Senior Management
Chief Information Officer (CIO): senior technology officer. Primarily responsible for advising senior executives on strategic planning.
Chief Information Security Officer (CISO): primarily responsible for the assessment, management, and implementation of information security in the organization. Usually reports directly to the CIO.
Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for the storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities of Interest
Group of individuals united by similar interests/values within an organization
Information security management and professionals
Information technology management and professionals
Organizational management and professionals
Security as Art
No hard and fast rules, nor many universally accepted complete solutions
No manual for implementing security through an entire system
Expect the unexpected
Security as Science
Dealing with technology designed to operate at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
If developers had sufficient time, they could resolve and eliminate faults
Key Terms
Access
Asset
Attack
Control, Safeguard, or Countermeasure
Exploit
Exposure
Hack
Object
Risk
Security Blueprint
Security Model
Security Posture or Security Profile
Subject
Threats
Threat Agent
Vulnerability
Summary of Chapter 1
Information security is a well-informed sense of assurance that the information risks and controls are in balance
Computer security began immediately after the first mainframes were developed
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information
CP5603 E-Security
Lecture 1 (part 2) Case Study: Stealing Passwords Tuesday 26 July 2011
Common Passwords
20 most popular passwords, in order of how popular they are:
1. password1
2. abc123
3. Blink182
4. baseball1
5. monkey1
6. slipknot1
7. qwerty1
8. football1
9. liverpool1
10. myspace1
11. fuckyou
12. 123456
13. princess1
14. password
15. 123abc
16. soccer
17. jordan23
18. monkey
19. superman1
20. iloveyou1
Common Passwords
Blink 182 is a music band. A lot of people use the band's name: it is easy to remember, and it has numbers in its name, so it seems like a good password.
Common Passwords
"qwerty1" refers to the first letters on a standard English computer keyboard.
QWERTY is the most common keyboard layout on English-language computers.
Common Passwords
The band Slipknot doesn't have any numbers in its name, so many people just put a 1 on the end.
Common Passwords
The password "jordan23" refers to Basketball player Michael Jordan and his number 23.
Common Passwords
I don't know why so many people choose monkey or monkey1.
If you can steal the computer, you can get all these encrypted passwords.
A bit like a phone number. IP is not secure: you can pretend to be someone else's IP number!
What Is IP Spoofing?
To spoof = to pretend to be someone else. In IP spoofing you pretend to be another computer and take over its IP number.
Pretend to be two other computers. All traffic between those two computers can then be routed through your computer. Example: the firewall and the email server, so you can read emails.
Arpspoof
Part of the dsniff package. Basic ARP manipulation tool.
ARPoison
Basic ARP manipulation tool
Source: www.ethereal.com
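The lecture describes the man-in-the-middle position (one machine answering for two others) but not how you would notice it. As an added example, not part of the lecture and not code from the dsniff or ARPoison projects, the Python script below watches a stream of ARP replies and raises an alert when an IP address suddenly answers from a different hardware address, or when one hardware address claims two IP addresses. The ArpReply records and the addresses in SAMPLE_REPLIES are constructed sample data, not a real capture; the hosts 192.168.1.1 and 192.168.1.25 stand in for the lecture's firewall and email server.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example. It raises an alert when:
  1. an IP address starts answering with a different MAC than before, or
  2. a single MAC address claims more than one IP address, which is the
     "pretend to be two other computers" pattern used to sit between a
     firewall and a mail server.
All packets below are constructed sample data, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    time: float       # seconds since the capture started
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # hardware address carried in the reply


# Constructed sample traffic: .1 (firewall) and .25 (mail server) answer
# normally, then aa:bb:cc:dd:ee:99 starts answering for both of them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    ArpReply(0.5, "192.168.1.25", "00:11:22:33:44:25"),
    ArpReply(1.0, "192.168.1.7",  "00:11:22:33:44:07"),
    ArpReply(5.0, "192.168.1.1",  "AA:BB:CC:DD:EE:99"),  # spoofed reply
    ArpReply(5.1, "192.168.1.25", "aa:bb:cc:dd:ee:99"),  # spoofed reply
    ArpReply(6.0, "192.168.1.7",  "00:11:22:33:44:07"),  # unchanged host
]


def detect_arp_spoofing(replies):
    """Return a list of (time, kind, detail) alerts found in `replies`."""
    ip_to_mac = {}                   # last MAC address seen for each IP
    mac_to_ips = defaultdict(set)    # every IP each MAC has claimed so far
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()   # normalise case before comparing
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != mac:
            alerts.append((r.time, "mac-changed",
                           f"{r.sender_ip} moved from {previous} to {mac}"))
        ip_to_mac[r.sender_ip] = mac

        claimed = mac_to_ips[mac]
        if claimed and r.sender_ip not in claimed:
            # Alert once per additional IP this MAC takes over.
            alerts.append((r.time, "multi-ip",
                           f"{mac} now claims {sorted(claimed | {r.sender_ip})}"))
        claimed.add(r.sender_ip)
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"t={t:>4}s {kind:<12} {detail}")
```

On the constructed traffic the detector reports the two "mac-changed" alerts at t=5.0 and t=5.1 and one "multi-ip" alert when the same MAC claims its second address. A MAC change is not always an attack (a replaced network card or a DHCP lease moving to another machine looks the same), so in practice an alert is a prompt to check the switch port or the machine, not proof of spoofing on its own.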
Dictionary-Based Cracker
The U.S. Secret Service has a program for finding passwords:
Uses all the words on the suspect's (the criminal's) hard drive as the dictionary. Has a 50% success rate. Runs as a screensaver, so all the idle office PCs are running it.
Conclusions
Don't use dictionary words.
Don't use a word in any email or file that you have ever touched.
Don't let Internet Explorer remember your passwords.
Run anti-IP-sniffing software. It will tell you if someone on your local network is IP sniffing.
Are you going to change your password when you get home?
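The three password rules above (no common passwords, no dictionary words, no word that appears in your own files) can be turned into a check that runs when a user picks a password. The Python below is an added example, not part of the lecture: TOP_20 is the lecture's list of the 20 most popular passwords, while DICTIONARY and SAMPLE_DOCUMENTS are small constructed stand-ins for a real wordlist file and for the text of the emails and documents on a user's PC. It also strips trailing digits so that "slipknot1" is caught as "slipknot" plus a 1, which is the habit the lecture points out.

```python
"""Reject passwords that the lecture's attacks would crack quickly.

Added example, not part of the lecture notes. It applies three of the
lecture's conclusions as checks:
  * the password is one of the 20 most popular passwords quoted in the
    lecture, or one of them with trailing digits stripped;
  * the password is a dictionary word, possibly with digits appended,
    the way "slipknot" becomes "slipknot1";
  * the password is a word found in the user's own documents, which is
    the idea behind the "all the words on the hard drive" cracker.
DICTIONARY and SAMPLE_DOCUMENTS are constructed stand-ins, not real data.
"""
import re

# The 20 most popular passwords listed in the lecture.
TOP_20 = {
    "password1", "abc123", "blink182", "baseball1", "monkey1", "slipknot1",
    "qwerty1", "football1", "liverpool1", "myspace1", "fuckyou", "123456",
    "princess1", "password", "123abc", "soccer", "jordan23", "monkey",
    "superman1", "iloveyou1",
}

# Constructed stand-in for a dictionary file such as /usr/share/dict/words.
DICTIONARY = {"apple", "banana", "monkey", "princess", "soccer", "summer",
              "winter", "dragon", "master", "letmein", "welcome"}

# Constructed stand-in for the text of emails and files on the user's PC.
SAMPLE_DOCUMENTS = """
Hi Jane, the Cairns office picnic is on Friday. Bring the Whitman textbook
back when you are done. Regards, Bob (ext. 5603)
"""


def words_on_disk(text):
    """Harvest candidate words the way a disk-based cracker would."""
    return {w.lower() for w in re.findall(r"[A-Za-z]{3,}", text)}


def strip_suffix_digits(pw):
    """'slipknot1' -> 'slipknot', 'jordan23' -> 'jordan', '123456' -> ''."""
    return re.sub(r"\d+$", "", pw)


def check_password(pw, dictionary=DICTIONARY, disk_words=None):
    """Return the reasons a password is weak; an empty list means it passed."""
    if disk_words is None:
        disk_words = words_on_disk(SAMPLE_DOCUMENTS)
    low = pw.lower()
    base = strip_suffix_digits(low)
    reasons = []

    # Rule 1: in the common-password list, with or without trailing digits.
    common_bases = {strip_suffix_digits(p) for p in TOP_20}
    if low in TOP_20 or (base and base in common_bases):
        reasons.append("one of the 20 most common passwords")

    # Rule 2: a dictionary word, possibly with a number stuck on the end.
    if base and base in dictionary:
        reasons.append("dictionary word" + (" plus digits" if base != low else ""))

    # Rule 3: a word that appears in the user's own files or emails.
    if base and base in disk_words:
        reasons.append("appears in a file or email on this computer")

    return reasons


if __name__ == "__main__":
    for candidate in ["Slipknot1", "dragon7", "whitman2011", "Tr0ub4dor&3"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate:<14} {'; '.join(verdict)}")
```

The third rule is the interesting one: "whitman2011" is not in any common-password list or dictionary, but the word "Whitman" appears in an email on the (constructed) disk, so a cracker that harvests words from the victim's own files would try it early. Real deployments would load a full wordlist and index the user's documents rather than the small stand-ins used here.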