Topics studied this week:
- What is security?
- Security Architecture
- Security Principles
- Security Policy
- Security Attacks/Threats
- Methods of Defense
- Security Services
- Security Mechanisms
Before we go any further, let's first understand the basics of "Information Security"....
DATA SECURITY
Introduction
All data and information moving across a network must be protected and
controlled to ensure integrity and security.
Integrity ~ refers to the data received being the same as the data that was
sent.
Security ~ refers to the data sent being safe from eavesdropping, and also
includes protecting data from unintentional actions.
Data Security
Data and networks need to be protected from:
– Unauthorised access ~ control can be achieved by using authentication such
as a user identification code / password and encryption
– Viruses ~ code introduced illegally which can destroy a system. Data and
networks must be protected from viruses using hardware and software designed
specifically for that purpose (firewall)
– Disasters ~ Data and networks must be protected from disasters such as theft,
fire, earthquake, flood, etc. Protection can be achieved by making backups.
Authentication
Verification of the sender of a message.
It verifies the identity of the user who will access the resources available
in data communication.
Authentication can be done using a password.
Password
The most commonly used form of security.
It is required by a computer host or a particular device to verify identity
before entering a system.
There are 3 methods of authentication using a password:
– Something possessed
– Something embodied
– Something known.
Password ~ something possessed
The computer system checks identity in 2 ways:
– password
– Something owned, used for the identification scheme.
Example: a password (PIN number) used together with an ATM card or a smart
card.
Password ~ something embodied
Involves checking the user for unique characteristics found on that
particular user.
This procedure is suitable for strict security systems where a threat to the
system could cause severe consequences, because its cost is high.
Example: voice recognition, fingerprint, retinal pattern, and digital
signature.
Password ~ something known
In this method, besides asking for the password, the computer system also
asks questions related to the agent (user).
Example: questions such as date of birth, mother's name, identity card number, etc.
Types of Password
User-generated password ~ the user creates the password themselves.
Computer-generated password ~ the computer generates the password at random.
Tunable password ~ a compromise between user-generated and computer-generated
passwords. The computer supplies part of the password and the user uses it to
create a new password.
Encryption / Decryption
One practical method of protecting data is to convert it into a secret form
that only the legitimate receiver can understand.
Encryption ~ the sender converts the original message into a secret form and
sends it to the receiver.
Decryption ~ reverses the encryption process so that the message is converted
back into its original form.
Encryption / Decryption Process
The sender uses an encryption algorithm and a key to convert the original data
(plaintext) into encrypted data (ciphertext).
The receiver uses a decryption algorithm and a key to convert the ciphertext
back into the original data (plaintext).
Encryption and decryption methods can be divided into 2 categories:
– Conventional (secret key / symmetric)
– Public key (asymmetric)
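To make the two categories concrete, here is an added example (not from the original notes) of the plaintext -> ciphertext -> plaintext round trip: a symmetric scheme where sender and receiver share one secret key, and a public-key scheme where the sender encrypts with the receiver's public key and only the private key decrypts. The SHA-256 keystream and the tiny RSA numbers (p=61, q=53) are constructed for teaching only; a real system would use a vetted library cipher.

```python
import hashlib
import os

# --- Conventional / symmetric: one shared secret key for both directions ---
def _keystream(key: bytes, length: int) -> bytes:
    """Derive a pseudo-random keystream from the shared key (SHA-256 in counter mode).
    Constructed teaching cipher only: a real system would use e.g. AES-GCM from a
    library, and a key/keystream must never be reused for two messages."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Sender: ciphertext = plaintext XOR keystream(key)
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))

def symmetric_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # Receiver: XOR is its own inverse, so the SAME key recovers the plaintext
    return symmetric_encrypt(key, ciphertext)

# --- Public key / asymmetric: textbook RSA with tiny constructed parameters ---
# Public key (e, n) can be given to anyone; private exponent d stays with the receiver.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # p=61, q=53, phi=3120; constructed example values

def rsa_encrypt(plaintext: bytes, e: int = RSA_E, n: int = RSA_N) -> list:
    # Sender uses the receiver's PUBLIC key: each byte m (< n) becomes m^e mod n
    return [pow(m, e, n) for m in plaintext]

def rsa_decrypt(blocks: list, d: int = RSA_D, n: int = RSA_N) -> bytes:
    # Receiver uses the PRIVATE key: (m^e)^d mod n == m
    return bytes(pow(c, d, n) for c in blocks)

if __name__ == "__main__":
    msg = b"transfer RM100"          # constructed plaintext
    shared = os.urandom(16)          # secret key agreed beforehand by both parties
    ct = symmetric_encrypt(shared, msg)
    print("ciphertext:", ct.hex())
    print("right key :", symmetric_decrypt(shared, ct))
    print("wrong key :", symmetric_decrypt(os.urandom(16), ct))   # unreadable
    print("rsa       :", rsa_decrypt(rsa_encrypt(msg)))
```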
OK, understood yet?...... you can already see a little of what is meant by information security, right? OK... let's continue.....
What is Security?
Definition: Security is the quality or state of being secure, that is, to be free from danger.
Information security is the process of protecting information. It protects its availability, privacy and integrity. Access to stored information on computer databases has increased greatly. More companies store business and individual information on computers than ever before. Much of the information stored is highly confidential and not for public viewing.
Information Security Components: Confidentiality, Integrity and Availability. Information systems are decomposed into three main portions (hardware, software and communications) with the purpose of identifying and applying information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization.
Passive Versus Active Attacks
Alice and Bob want to communicate in the presence of adversaries. Adversaries:
Passive – just looking
Active – may change messages
Security services have 5 categories:
Confidentiality
Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Integrity
In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.
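An added example (not from the original notes) of the integrity service against the active adversary described above, who may change messages in transit: the sender attaches an HMAC-SHA256 tag computed with a key shared with the receiver, and the receiver rejects any message whose tag does not verify, whether the content was altered or the tag was forged without the key. The payroll message and the key are constructed sample values.

```python
import hmac
import hashlib

def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender: compute an integrity tag (HMAC-SHA256) over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time.
    True only if the message is unmodified AND the tag was produced with this key."""
    return hmac.compare_digest(make_tag(key, message), tag)

def receive(key: bytes, message: bytes, tag: bytes) -> bytes:
    """Accept the message only when its tag verifies; otherwise reject it."""
    if not verify(key, message, tag):
        raise ValueError("integrity check failed: message modified or tag forged")
    return message

# Constructed sample: a payroll update an active adversary might try to alter in transit
KEY = b"shared-secret-between-payroll-and-bank"   # constructed, not a real key
ORIGINAL = b"employee=1042;salary=3500"
TAMPERED = b"employee=1042;salary=9500"

if __name__ == "__main__":
    tag = make_tag(KEY, ORIGINAL)
    print(receive(KEY, ORIGINAL, tag))                           # accepted
    print(verify(KEY, TAMPERED, tag))                            # False: content changed
    print(verify(KEY, TAMPERED, make_tag(b"guess", TAMPERED)))   # False: forged tag
```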
Authentication
In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.
Non-repudiation
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.
Access Control
Prevention of the unauthorized use of a resource.