Chapter VI Information Resource Security Management

Connotation of Information Resource Security Management

  • Problems faced in the process of information development and utilization:
    • Availability; legitimate users will not be unduly denied access to the information
    • Confidentiality, also called secrecy; ensures that confidential information is not stolen, or that a thief cannot understand the true meaning of the information
    • Authentication, also called authenticity; verifying the source of information so that information from forged sources can be identified
    • Consistency, also called integrity; throughout the whole process of information generation and utilization, the content is not tampered with by unauthorized users
  • The main tasks of information resource security management:
    • Take technical and administrative measures to ensure that information resources can be used by legitimate users, that is, that information and information systems are available at all times
    • Use data encryption technology so that the content cannot be obtained by unauthorized persons while information is being processed
    • Establish an effective accountability mechanism to prevent users from denying their actions
    • Establish an audit mechanism to achieve accountability

System Management of Information Resource Security

Information System Security Model

[Figure: information system security model]

  • Behavior norm (code of conduct) management: stipulate, through regulations and rules, the obligations and responsibilities of ordinary citizens and organization members with respect to information system security, that is, regulate and guide people's thinking and actions
  • Physical security management: deals with the various threats to hardware and related physical entities involved in information systems
  • Technical security management: use various information security technologies to solve security management issues such as availability, confidentiality, authentication, and consistency of information resources

Code of Conduct Management

  • Covers two levels: the state and social organizations
  • Steps in developing a security policy
    • Understand organizational business characteristics
    • Establish a security management organization mechanism
    • Determine the overall goal of information resource security
    • Determine the scope of the security policy
    • Security Policy Evaluation
    • Security Policy Enforcement

Physical Security Management

  • Site environmental safety; site, air conditioning system, fire management
  • Hardware security; records management of hardware equipment, anti-electromagnetic interference, anti-electromagnetic leakage, power supply security (generally, the capacity of the power supply should exceed 125% of the load of all equipment)
  • Media security; fireproof, high temperature proof, moisture proof, waterproof, mildew proof, anti-theft

Network Security Management

  • The network resources are as follows:
    • Host system; various computer systems that provide network services, also known as servers
    • Terminal system; a computer system that issues various service requests, also known as a client
    • Network interconnection equipment; network cables and interfaces, hubs, switches, routers, gateways, bridges, etc.
  • Cybersecurity technologies include:
    • Network segmentation and VLAN; isolate unauthorized users from network resources, thereby restricting and preventing unauthorized access and interception by such users
      • Advantages: filtering traffic, expanding network range, improving reliability, reducing the range that a network sniffer can monitor
      • Segmentation includes physical segmentation (switches) and logical segmentation (network layer and above)
      • VLAN is a commonly used logical segmentation method; advantages: effectively manage broadcasts between VLANs to prevent broadcast storms; effectively manage and limit inter-VLAN traffic and reduce router overhead; increase the internal security of the network; make network management more convenient and simplify network-related work
      • VLAN division method: port-based, MAC-based, protocol-based, IP-based
    • Firewall; the only channel for information between different networks; from the perspective of connection mode, firewalls are divided into packet filtering type, application gateway type, circuit layer gateway type, etc.
    • VPN; uses tunneling technology to establish a secure and stable tunnel across the public network
      • Advantages: economy; flexible structure, convenient management; security
    • Intrusion detection; an active security protection technology
      • By detection method: real-time intrusion detection and post-event intrusion detection
      • By information source: host-based and network-based
      • Common data analysis methods for intrusion detection: feature recognition or pattern matching analysis
    • Virus prevention and control; virus is defined as a set of computer instructions or program codes that are compiled or inserted into computer programs to destroy computer functions or destroy data, affect computer use, and can self-replicate
      • Viruses are characterized by concealment, infectivity, latency and destructiveness

Software Security Management

  • Software Security Issues: Information Assets at Risk; Software Application Security Issues
  • TCSEC puts forward six basic requirements for trusted computer systems:
    • Security Policy: Description of rules for system access
    • Marking: the need to mark each object controlled by the system with respect to data access
    • Identification: the need to accurately identify the identity of the subject who wants to access the system object
    • Accountability: the need to maintain records of security-related events
    • Assurance: Independent evaluation of security mechanisms to provide assurance that system requirements are met
    • Continuous Protection: Guarantees that security enforcement mechanisms are not maliciously modified to avoid compromising security
  • TCSEC divides computer systems into four categories (D, C, B, A) and eight levels according to the degree of reliability, as follows:
    • D: no security protection class, such as MS-DOS
    • C: discretionary (autonomous) protection class
      • C1: Has a certain discretionary access control mechanism, such as early UNIX
      • C2: Controlled security protection mechanism, such as Windows 2000, UNIX
    • B: Mandatory security protection class
      • B1: Labeled security protection; adds functions such as labels and mandatory access control to C2, such as AT&T System V
      • B2: Has a formal security model and a structured system design, and adds a user self-rating function, such as Xenix
      • B3: Security domain level; strictly structured, with a comprehensive access control and access monitoring mechanism and audit reporting, such as Honeywell Federal Systems XTS-200
    • A: Verified protection class
      • A1: Verified design
      • Beyond A1: Verified objective level
  • In 1999, China stipulated five levels of computer system security protection capabilities:
    • User discretionary (autonomous) protection level
    • System audit protection level
    • Security label protection level
    • Structured protection level
    • Access verification protection level
  • Principles that should be followed in the design of a secure operating system:
    • Least privilege
    • Economy
    • Openness
    • Permission-based
    • Least common mechanism
    • Effectiveness
    • Fully coordinated
    • Convenience
  • Security mechanism of hardware system: memory protection, process control, input/output control, etc.
  • Security mechanism of software system: identification and authentication, access control, least privilege management, security audit, etc.
  • Malicious program definition: Unauthorized computer programs that enter the user's computer system without the user's knowledge, affecting the normal operation of the system, or even endangering or destroying the system
  • Malicious programs are characterized by destructiveness, illegality and concealment
  • Common Malware
    • Trapdoor: A secret entrance into a program, also known as a backdoor
    • Logic Bomb: Code embedded in a legitimate program that performs a harmful task if certain conditions are met
    • Trojan horse: A program containing a hidden harmful code segment that, when executed, compromises the user's security
    • Virus: A malicious program that is infectious
    • Worm: A network virus program that replicates itself over a network
  • Manifestations of damage caused by malicious programs
    • System resources perform poorly or are unavailable
    • Loss of confidentiality
    • Information authentication is destroyed
    • Loss of information consistency
  • Malicious program prevention and control: covers two aspects, prevention and remediation, and should combine management and technical measures

Data Security Management

  • Basic requirements for a secure database:
    • Database availability and ease of use
    • database confidentiality
    • database integrity
    • Database maintainability
  • User rights management
    • Database schema modification permissions: index permissions, resource permissions, modification permissions, revoke permissions
    • Data operation permissions: read, insert, modify, delete
  • Access control: establish corresponding security access control mechanisms, identify user identities, and achieve security goals of database availability
  • Data Encryption: Key
  • Logs and Backups

Data Encryption Technology and Its Application

Basic concepts of cryptography

[Figure: basic concepts of cryptography]

Encryption Technology and Its Application

  • RSA encryption process; A encrypts the information with B's public key, transmits the encrypted ciphertext to B, and B decrypts it with its own private key

  • The RSA signature process is as follows:
    [Figures: RSA signature process]

  • CA and its authentication mechanism

[Figure: CA and its authentication mechanism]

  • A PKI-based third-party authentication service system includes at least: users, certificates, registration authority RA, certificate authority CA, certificate repository, revoked certificate repository and other entities. The relationship is as shown in the figure:

[Figure: relationship between the entities of a PKI-based third-party authentication service system]

  • The digital certificate issuance process is as follows:

[Figure: digital certificate issuance process]
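
The RSA encryption and signature flows named above, as an added example that is not part of the original notes: textbook RSA with toy primes and no padding, for study only. The function names, the sample primes and the hash-then-sign scheme with SHA-256 are assumptions made for the illustration; encryption uses the receiver's public key, while signing uses the signer's private key.

```python
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Textbook RSA keys from two primes (toy sizes, no padding: study only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)              # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)            # (public key, private key)

def encrypt(m, public_key):
    """Sender A: encrypt integer m with receiver B's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(c, private_key):
    """Receiver B: decrypt with B's own private key."""
    n, d = private_key
    return pow(c, d, n)

def digest_int(message, n):
    # SHA-256 digest reduced mod n so that it fits the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Signer: apply the private key to the message digest."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public_key):
    """Anyone: recover the digest with the signer's public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)

if __name__ == "__main__":
    # Constructed sample keys: Mersenne primes 2**31-1 and 2**61-1
    b_pub, b_priv = make_keypair(2**31 - 1, 2**61 - 1)
    m = int.from_bytes(b"key=42", "big")
    c = encrypt(m, b_pub)
    print("decrypted:", decrypt(c, b_priv).to_bytes(6, "big"))
    sig = sign(b"pay 10 to B", b_priv)
    print("valid:", verify(b"pay 10 to B", sig, b_pub))
    print("tampered:", verify(b"pay 99 to B", sig, b_pub))
```

Real deployments use keys of at least 2048 bits with OAEP padding for encryption and PSS for signatures, through a vetted library rather than raw modular exponentiation.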

Origin blog.csdn.net/weixin_51371629/article/details/130003152