Data Security Assessment and Prevention

abdomendebonairSecurity

Nov 2, 2013 (4 years and 8 days ago)

124 views

Data Security Assessment and
Prevention

AD660


Databases, Security, and Web
Technologies

Marcus Goncalves

Spring 2013

Total Internet Security



A gateway
disconnected from the
network,


inside a safelock
100feet below surface,

where the only person
who has the keys


…died last week.

Estimated Losses in Dollars

Causes of Incidents

Causes of Incidents from the
Human Perspective

Main Threats

Motivation




Low Cost of connection (media)




Global Reach




Exposed Products




Implementation of Services




Cost Reduction




Survey




Research and Development of New Products

Phases of a Security Project





Study Phase




Decision Phase




Implementation Phase




Maintenance Phase

Neutrality Curve (Study Phase)


Understanding the Neutrality Curve




Evaluation of the impact of various scenarios



Understanding of the implementation phases



Rejection Pilot



Immediate Identification of Security Needed



Understanding of what really needs
protection

Possibility Curve (Study Phase)



Understanding the Possibility Curve





Identify Security Risks (possible atacks)




Cost Evaluation




Identify Policies and Procedures




Define Responsibilities

Degree of Security (Decision Phase)



Understanding the Degree of
Security



Precise Identification of Cost




Development of Policy




Clear Idea of the Applicable Security Model




Accessment of Stability

Sensitive Segment: Implementation
Phase

A

B

Understanding Sensitive Segment



Identifies the reference security point




Enables the planning of project stages




Assess cost for every stage of project




Assess lenght of time for implementation




Mobilization of local issues/resources




Increase of quality of local security

Moving the Reference Line
(Maintenance)



Natural Process




Dynamic Nature




Involves adaptation and refinement




Support for new planning

Understanding Line Movement



System



Service



Implementation

Vulnerabilities



Failure of the OS Architecture




Application failure




Lack of updates of Sistema Operacional
(SPs, patches)




Bugs on OS

Systems Failure



Bugs on application service




Failure of application service configuration




Weak passwords




Access to passwords




Visible passwords




Permission to privileged accounts

Service Failures



Lack of content protection




Lack of security policy




Lack of user group profiles




Failure of usability policy




Failure in implementing security

Implementation Failures


DNS


Brute force


Altered Ping


Network Sniffers


Java and ActiveX


Bugs on SendMail


Attack on applications


Applications based on
ODBC/JDBC


Browser failure


Web servers

Few Known Security Threats



Invasion




Hacking of content




Access to passwords




Sabotage




Unauthorized Access to e
-
mail




Espionage




Financial frauds


Analysis of Risks



Physical security



Logical security



Service security



Application security



Policy and procedures



Redundance and contingency


Security Project



e
-
Applications should ensure (at
data level)



Integrity



Unicity



Auditing



Confidentiality



Access controls



Ensure identity



Authorization



Criptography


Security for E
-
Commerce



To ensure identity of:



User / System



Client / Server



Quality of data



By using identifiers



By protecting against fraud

Criptography Functions


Math functions


Security key should resist
testings


The larger the key more
exhaustive it is to break it


Types:



Symmetric



Asymmetric

How About Algorithms?

Symmetric

System

Asymmetric

System



Math functions




Does not characterize users




Key size is limited




Possible vulnerability at protocol level




Only guarantees servers’ authenticity

SSL


Secure Socket Layer

Integration Topology: Adding DMZs



Change (mix) protocols



Implementation of auditable systems



Centralization and analysis of logins



Individual filters



Password controls



Encrypted file system



Permission controls



Monitoring controls



Automated management

Security Integration (LAN)



Solutions can be based on hard or software



Centralized security systems



Part of security implementation



Enables content controls (HTTP/MAIL)



Controls allowed services (rule based)



Controls the origin and destination of packages

Firewall Solution Characteristics

Alternatives…