1 of 31

Cyber Security

1

2 of 31

Objectives of the Topic

  • After completing this topic, a student will be able to
    • Explain Kerberos.
    • Explain OCTAVE
    • Explain COBIT

2

3 of 31

What is Kerberos?

Kerberos is a key distribution and user authentication service developed at MIT as part of Project Athena.

The problem that Kerberos addresses:

  • Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout network.
  • We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service.
  • A workstation cannot be trusted to identify its users correctly to network services.

3

4 of 31

What is Kerberos?

In particular, the following three threats exist:

  1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
  2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
  3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.

4

5 of 31

What is Kerberos?

  • In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.
  • Rather than building elaborate authentication protocols at each server, Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
  • Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.

5

6 of 31

What is Kerberos?

Motivation

  • If a set of users is provided with dedicated personal computers that have no network connections, then a user’s resources and files can be protected by physically securing each computer.
  • When these users instead are served by a centralized time-sharing system, the time-sharing operating system can enforce access-control policies based on user identity and use the logon procedure to identify users.

6

7 of 31

Distributed Architecture

In this environment, there are three approaches to security.

  • Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
  • Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
  • Require the user to prove his or her identity for each service invoked. Also require that servers prove their identity to clients.

7

8 of 31

  • In a more open environment in which network connections to other machines are supported, the third approach is needed to protect user information and resources housed at the server.

8

  • In a small, closed environment in which all systems are owned and operated by a single organization, the first or perhaps the second strategy may suffice.

9 of 31

Conclusion

  • Kerberos supports this third approach.
  • Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.

9

10 of 31

10

11 of 31

Operationally Critical Threat, Asset, and Vulnerability

Evaluation SM (OCTAVE®) Methodology

12 of 31

13 of 31

Characteristics of OCTAVE

  • Application of a catalog of good security practices
  • Focus of the analysis toward organizational decision makers
  • Use of a structured information gathering process for organizational security data
  • Use of a standard structure for describing security
  • information threats relevant to the organization
  • Evaluation of security risk in terms relevant to the organization

14 of 31

Tailoring Process for New Domain

  • Identify sources for major security concerns and good security practices relevant to the domain (catalog of practices)
  • Identify decision makers and organizational roles relevant to managing security (composition of analysis team, structure of data gathering processes)
  • Identify major types of organizational impacts relevant to the domain (evaluation criteria)
  • Identify relationship between key infrastructure
  • participants and information assets (threats profile)

15 of 31

Information Security Risk Framework

16 of 31

Is the OCTAVE Catalog of Practices Relevant?

  • Limited resources for security
  • Limited expertise in technology support and security
  • High reliance on external resources for technology
  • Broad physical access to technology resources
  • Insufficient policies and procedures for technology control
  • Limited awareness of security issues among technology
  • participants
  • Poor technology contingency planning

17 of 31

Is the OCTAVE Catalog of Practices Sufficient?

  • Blocking of inappropriate content is mandated
  • Computers are shared resources among many users
  • Technology does not enforce copyright and licensing

mandates

  • Personal computing resources are encouraged to reduce technology costs to the organization

18 of 31

OCTAVE Application

Security Practice Survey

Catalog of Practices

Protection Strategy

Mitigation Plan

19 of 31

OCTAVE Analysis Team

  • An interdisciplinary team – consisting of
    • educational and administrative staff
    • information technology staff

20 of 31

Application of Analysis Team

An existing group that addressed safety concerns was selected to be the OCTAVE analysis team. The membership included:

  • Technology coordinator
  • Technology supervisor
  • Administrative manager
  • Assistant computer system manager

The network specialist was added to the team to broaden

the IT knowledge.

21 of 31

21

22 of 31

22

COBIT

Control Objectives for Information and Related Technology

23 of 31

23

It was designed to be a supportive tool for managers—and allows bridging the crucial gap between technical issues, business risks, and control requirements.

COBIT is a thoroughly recognized guideline that can be applied to any organization in any industry. Overall, COBIT ensures quality, control, and reliability of information systems in an organization, which is also the most important aspect of every modern business.

What is COBIT?

24 of 31

24

  • To help organizations achieve their objectives for the governance and management of enterprise IT.
  • To provide a comprehensive set of best practices for enterprise IT governance and management.
  • To promote alignment between enterprise IT and the business goals of the organization.
  • To provide a common language for enterprise IT governance and management.

Goals of COBIT

25 of 31

25

The COBIT framework provides a common language for IT professionals, compliance auditors, and business executives. They can communicate with each other on the same IT goals, controls, objectives and outcomes.

The absence of a common language demands explanations on when, how, where, and why certain IT controls were created.

Implementing COBIT in any organization from any industry ensures control, quality, and reliability of IT systems.

Why is it Important?

26 of 31

26

The COBIT business orientation includes linking business goals with its IT infrastructure by providing various maturity models and metrics that measure the achievement while identifying associated business responsibilities of IT processes. The main focus of COBIT 4.1 was illustrated with a process-based model subdivided into four specific domains, including:

Planning & Organization

Delivering and Support

Acquiring & Implementation

Monitoring & Evaluating

COBIT Framework

27 of 31

27

  • Meet stakeholder needs
  • Holistic approach
  • Dynamic governance system
  • Distinct governance from management
  • Tailored to enterprise needs
  • End-to-end governance system

Principles of COBIT

28 of 31

28

Framework

IT helps organize the objectives of IT governance, implement best practices in IT processes and domains, and link business requirements.

Process Descriptions

It is a reference model and also acts as a common language for every individual in the organization. The process descriptions include planning, building, running, and monitoring all IT processes.

Various COBIT Components

29 of 31

29

Control Objectives

This provides a complete list of requirements the management has considered for effective IT business control.

Maturity Models

Accesses the maturity and the capability of every process while addressing the gaps.

Management Guidelines

It helps better assign responsibilities, measure performances, agree on common objectives, and illustrate better interrelationships with other process.

Various COBIT Components

30 of 31

30

  • IT management issues and how they can affect organizations
  • Principles of IT governance and enterprise IT while establishing the differences between management and governance
  • Accessing how COBIT 5.0 processes can help the establishment of the five basic principles along with other enablers
  • Discussing COBIT 5.0 concerning its process reference model and goal cascade

Advantages of COBIT

31 of 31

31