01b Fundamental Aspects
http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html

After the incident, Morris was suspended from Cornell for acting irresponsibly, according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections.
[Diagram: Student V reaches FIT E-learning through ISPs A, B, C and D]

Authentication: Who am I talking to?

[Diagram: Student V sends "Hello, I'm V" across the ISPs; FIT E-learning has to ask "Is that student V?" and V has to ask "Is that FIT?"]
Authentication
Protection mechanisms

• Password
  – Manual
  – One-time password
• Key sharing
  – Public-private keys
  – Wifi (pre-shared key)
• Challenge-response
• Multi-factor authentication
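The challenge-response mechanism from the list above, written out as an added example (this is not code from the original slides): FIT answers "Hello, I'm V" with a random nonce, V proves possession of the shared secret by returning an HMAC over that nonce, and the server discards the nonce once used so a captured answer cannot be replayed. The Server type, the sample account secret and the message layout are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Server is the e-learning side. It keeps one shared secret per account
// (the secret below is a constructed sample, not a real credential) and the
// challenges it has issued but not yet consumed.
type Server struct {
	secrets    map[string][]byte
	challenges map[string][]byte // username -> outstanding nonce
}

func NewServer() *Server {
	return &Server{
		secrets:    map[string][]byte{"V": []byte("shared-secret-for-student-V")},
		challenges: map[string][]byte{},
	}
}

// Challenge answers "Hello, I'm V" with a fresh 16-byte random nonce.
// Unknown users get an error so that the server never issues a challenge
// it cannot verify later.
func (s *Server) Challenge(username string) ([]byte, error) {
	if _, ok := s.secrets[username]; !ok {
		return nil, fmt.Errorf("unknown user %q", username)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[username] = nonce
	return nonce, nil
}

// Response is what the client computes and sends back: HMAC-SHA256 over the
// nonce and the username, keyed with the shared secret. The secret itself
// never crosses the ISPs, only a MAC that is useless without the nonce.
func Response(secret, nonce []byte, username string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(nonce)
	mac.Write([]byte(username))
	return mac.Sum(nil)
}

// Verify recomputes the expected MAC and compares it in constant time.
// The nonce is discarded whether or not the check succeeds, so a response
// captured by Mr. T cannot be replayed to log in as V later.
func (s *Server) Verify(username string, response []byte) bool {
	nonce, ok := s.challenges[username]
	if !ok {
		return false
	}
	delete(s.challenges, username)
	expected := Response(s.secrets[username], nonce, username)
	return hmac.Equal(expected, response)
}

func main() {
	srv := NewServer()
	clientSecret := []byte("shared-secret-for-student-V") // V's copy of the secret

	nonce, _ := srv.Challenge("V")
	fmt.Println("challenge:", hex.EncodeToString(nonce))
	resp := Response(clientSecret, nonce, "V")
	fmt.Println("fresh response accepted:", srv.Verify("V", resp))
	fmt.Println("replayed response accepted:", srv.Verify("V", resp))
}
```

The second Verify call returns false: the first login consumed the nonce, which is the whole point of making the server pick the challenge rather than letting the client send a fixed value.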
Access Control

[Diagram: Mr. Anonymous and Student V both reach FIT E-learning through ISPs A, B, C and D; FIT has to decide "Is Mr. T allowed to view course contents?"]
Access Control
Protection mechanisms

• Access control list
• Firewall
• VPN
• Smart card
• Rules
• Auditing
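A minimal access control list with default deny and an audit trail, added here as an example for the two mechanisms at the top and bottom of the list (this is not code from the original slides). The subjects, objects and grants are constructed for the FIT e-learning scenario; the point is that Mr. T and an anonymous visitor are refused not because a rule says so but because no rule grants them anything, and that every refusal is recorded.

```go
package main

import "fmt"

// Entry grants one action on one object to one subject. The policy is a
// constructed example for the FIT e-learning scenario.
type Entry struct {
	Subject, Object, Action string
}

// Decision is one line of the audit trail: who asked for what, and the outcome.
type Decision struct {
	Subject, Object, Action string
	Allowed                 bool
}

// ACL is an allow-list. There are no deny entries because anything that is not
// explicitly granted is refused (default deny).
type ACL struct {
	entries []Entry
	audit   []Decision
}

func (a *ACL) Allow(subject, object, action string) {
	a.entries = append(a.entries, Entry{subject, object, action})
}

// Check answers "is this subject allowed this action on this object?" and
// records the decision either way, so that refused attempts are visible to
// whoever reviews the audit trail.
func (a *ACL) Check(subject, object, action string) bool {
	allowed := false
	for _, e := range a.entries {
		if e.Subject == subject && e.Object == object && e.Action == action {
			allowed = true
			break
		}
	}
	a.audit = append(a.audit, Decision{subject, object, action, allowed})
	return allowed
}

// Denials returns the refused requests from the audit trail; a burst of them
// from one subject is the signal that someone is probing for access.
func (a *ACL) Denials() []Decision {
	var out []Decision
	for _, d := range a.audit {
		if !d.Allowed {
			out = append(out, d)
		}
	}
	return out
}

// CoursePolicy builds the hypothetical policy: the enrolled student V may read
// the course and read or write V's own homework. Mr. T and anonymous visitors
// have no entries, so every request from them is denied.
func CoursePolicy() *ACL {
	acl := &ACL{}
	acl.Allow("student:V", "course/contents", "read")
	acl.Allow("student:V", "homework/V", "read")
	acl.Allow("student:V", "homework/V", "write")
	return acl
}

func main() {
	acl := CoursePolicy()
	fmt.Println("V reads course:", acl.Check("student:V", "course/contents", "read"))
	fmt.Println("T reads course:", acl.Check("user:T", "course/contents", "read"))
	fmt.Println("T edits V's homework:", acl.Check("user:T", "homework/V", "write"))
	fmt.Println("anonymous reads course:", acl.Check("anonymous", "course/contents", "read"))
	for _, d := range acl.Denials() {
		fmt.Printf("DENIED %s %s %s\n", d.Subject, d.Action, d.Object)
	}
}
```

A firewall rule set works the same way at the network layer: an ordered list of grants with an implicit "deny everything else" at the end, and logging on the deny path.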
[Diagram: the CIA triad of Confidentiality, Integrity and Availability]

Information attributes

ISO 27002:2005 defines Information Security as the preservation of:

– Confidentiality: ensuring that information is accessible only to those authorized to have access
– Integrity: safeguarding the accuracy and completeness of information and processing methods
– Availability: ensuring that authorized users have access to information and associated assets when required

3/29/2019 Mohan Kamat
Confidentiality: Is my data hidden?

Protection mechanisms

• Data encryption
  – Symmetric
  – Asymmetric (public-private keys)

[Diagram: Student V's homework travels to FIT E-learning through ISPs A, B, C and D while Mr. T is on the path; "Can Mr. T see my homework?"]
Integrity

[Diagram: "Can Mr. T modify student V's homework?" as it passes through ISPs A, B, C and D to FIT E-learning]

Protection mechanisms

• Digital signature
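The digital-signature mechanism worked through as an added example (not code from the original slides): student V signs the homework with an Ed25519 private key, FIT verifies it against the public key V registered, and a single changed character makes verification fail. The Submission layout, and the choice to bind the author's name into the signed bytes, are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Submission is student V's homework as stored by FIT e-learning, together with
// V's signature over it (constructed example).
type Submission struct {
	Author    string
	Content   []byte
	Signature []byte
}

// NewStudent generates the Ed25519 key pair the student keeps; only the public
// key is registered with the e-learning system.
func NewStudent() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage binds the author name into the signed bytes, so a valid
// signature cannot be re-attached to the same content under another name.
func signedMessage(author string, content []byte) []byte {
	return append([]byte(author+"\n"), content...)
}

// Submit signs the homework with the student's private key before it leaves V.
func Submit(priv ed25519.PrivateKey, author string, content []byte) Submission {
	sig := ed25519.Sign(priv, signedMessage(author, content))
	return Submission{Author: author, Content: content, Signature: sig}
}

// Verify is what the grader runs. It succeeds only if the content is
// byte-for-byte what V signed; any change made by Mr. T in transit or in
// storage makes the signature fail.
func Verify(pub ed25519.PublicKey, s Submission) bool {
	return ed25519.Verify(pub, signedMessage(s.Author, s.Content), s.Signature)
}

func main() {
	pub, priv, _ := NewStudent()
	hw := Submit(priv, "V", []byte("answer: 42"))
	fmt.Println("original verifies:", Verify(pub, hw))

	tampered := hw
	tampered.Content = []byte("answer: 41") // Mr. T edits one character
	fmt.Println("tampered verifies:", Verify(pub, tampered))
}
```

A signature gives more than the authenticated encryption of the previous section: the signed object can be stored, forwarded and re-checked by anyone holding V's public key, and V cannot later deny having submitted it.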
Availability

[Diagram: "Can I access FIT E-learning during the midterm?" Student V through ISPs A, B, C and D]

Protection mechanisms

• Backup and recovery
• Firewall
• Vulnerability scanning and patching
• Intrusion detection and response
• Virus scanning
What is Risk?

Info security survey

• Information Security is an "organizational problem" rather than an "IT problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
• More than 2/3rds express their inability to determine "whether my systems are currently compromised"
Risks & threats

Potential Threats

• Natural calamities & fire
• Systems & network failure
• Lack of documentation
• Lapse in physical security
So how do we overcome these problems?
User responsibilities

Information Security Policy

• The IS policy is approved by top management
• The policy is released on the intranet at http://xx.xx.xx.xx/ISMS/index.htm
Access Control - Physical
Password Guidelines

Do:
• Always use a password of at least 8 characters that combines letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can remember easily
• Change your password regularly, as per policy
• Use a password that is significantly different from your earlier passwords

Don't:
• Use passwords that reveal your personal information or that are words found in a dictionary
• Write down or store passwords
• Share passwords over the phone or by e-mail
• Use passwords that do not meet the complexity criteria above
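A checker that enforces the guideline above, added here as an example (not code from the original slides). The word list and profile words are constructed samples, and "significantly different" is taken to mean at least four single-character edits away from any previous password, which is an assumption the slide does not quantify. One caveat a practitioner should know: current guidance such as NIST SP 800-63B drops mandatory periodic rotation and composition rules in favour of length and screening against breached-password lists; the checker implements the slide's rules as stated.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Specials lists the special characters the guideline names (*, %, @, #, $, ^)
// plus common punctuation; the guideline reads as examples, not a closed set.
const Specials = "*%@#$^!&()-_=+[]{};:,.?/"

// Dictionary is a constructed sample word list; a real deployment loads a large one.
var Dictionary = []string{"password", "welcome", "summer", "college", "student"}

// Check returns the reasons a candidate password violates the guideline.
// personal holds the user's profile words (name, employee id, ...), previous
// the user's earlier passwords. An empty result means the password is acceptable.
func Check(candidate string, personal, previous []string) []string {
	var problems []string
	if len([]rune(candidate)) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	var hasLetter, hasDigit, hasSpecial bool
	for _, r := range candidate {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		case strings.ContainsRune(Specials, r):
			hasSpecial = true
		}
	}
	if !(hasLetter && hasDigit && hasSpecial) {
		problems = append(problems, "must combine letters, numbers and special characters")
	}
	lower := strings.ToLower(candidate)
	for _, w := range Dictionary {
		if strings.Contains(lower, w) {
			problems = append(problems, "contains dictionary word "+w)
		}
	}
	for _, p := range personal {
		if p != "" && strings.Contains(lower, strings.ToLower(p)) {
			problems = append(problems, "contains personal information "+p)
		}
	}
	for _, old := range previous {
		// "Significantly different" is taken to mean at least 4 edits away
		// (an assumption; the slide gives no number). Winter2019! -> Winter2020!
		// is 2 edits and is rejected.
		if levenshtein(lower, strings.ToLower(old)) < 4 {
			problems = append(problems, "too similar to a previous password")
			break
		}
	}
	return problems
}

// levenshtein is the edit distance between a and b (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

func main() {
	for _, pw := range []string{"Winter2020!", "Xq7#mZ2!pL"} {
		fmt.Printf("%-12s %v\n", pw, Check(pw, []string{"Kamat"}, []string{"Winter2019!"}))
	}
}
```

The similarity check only works if the system still has the previous passwords in a comparable form, which it should not; in practice it is applied at change time, when the user has just typed the old password, and the stored history consists of hashes.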
Internet Usage
E-mail Usage
Security Incidents

Report security incidents (IT and non-IT) to the Helpdesk through:
• E-mail to info.sec@organisation.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes

e.g.:
IT incidents: mail spamming, virus attack, hacking, etc.
Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media

• Do not discuss security incidents with anyone outside the organisation
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
• Ensure your desktop has the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops and media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure sensitive and critical information assets are backed up
• Understand compliance issues such as cyber law; IPR, copyrights and NDAs; contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
Disable non-essential services, protocols, processes and programs

Protocols, systems and processes that are not in use still consume resources and give an attacker avenues through which your systems could be damaged. If something is not being actively used, it is an unnecessary security risk. The solution is simply to disable or deactivate the service, protocol, system or process that is not needed.

But... be careful! Check what depends on a service before you switch it off, and test the change before rolling it out.
[Diagram: Student V, Mr. T and FIT E-learning connected through ISPs A, B, C and D]

Example: FIT E-learning

[Diagram: Student V sends "Hello, I'm V" to FIT E-learning through ISPs A, B, C and D]

Tutorial