Cryptography and Network Security
Key Management
Public-key encryption helps address key distribution problems. There are two aspects of this:
- distribution of public keys
- use of public-key encryption to distribute secret keys
Public Announcement
- users distribute public keys to recipients or broadcast them to the community at large
- e.g. append PGP keys to email messages, or post them to newsgroups or email lists
Public-Key Authority
- improves security by tightening control over the distribution of keys from a directory
- has the properties of a directory, and requires users to know the public key for the directory
- users then interact with the directory to obtain any desired public key securely
- does require real-time access to the directory when keys are needed
Public-Key Certificates
- certificates allow key exchange without real-time access to the public-key authority
- a certificate binds an identity to a public key
- usually with other info such as period of validity, rights of use, etc.
- with all contents signed by a trusted Public-Key or Certificate Authority (CA)
- can be verified by anyone who knows the public-key authority's public key
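To make the binding concrete, here is an added example (not code from the original slides): a toy certificate authority built on textbook RSA with tiny constructed primes. It shows what the CA signs (subject identity, the subject's public key and the validity window), how any holder of the CA public key verifies that signature, and that changing any signed field invalidates the certificate. The subject names, dates and primes are all constructed for the demonstration.

```python
# Added example, not from the original slides: a toy certificate authority
# built on textbook RSA with tiny constructed primes, to show what a certificate
# binds (identity, public key, validity period) and how any holder of the CA's
# public key verifies the CA signature and detects a modified certificate.
import hashlib
import json
from math import gcd


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two (constructed, tiny) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)                    # (public, private)


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the to-be-signed fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the RSA modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_certificate(ca_private, subject: str, subject_public,
                      valid_from: str, valid_to: str) -> dict:
    """The CA signs the binding identity -> public key together with its validity window."""
    n, d = ca_private
    tbs = {"subject": subject, "public_key": list(subject_public),
           "valid_from": valid_from, "valid_to": valid_to}
    return {"tbs": tbs, "signature": pow(digest_int(canonical(tbs), n), d, n)}


def verify_certificate(cert: dict, ca_public, today: str) -> bool:
    """Anyone holding the CA public key can check the signature and the validity period."""
    n, e = ca_public
    tbs = cert["tbs"]
    if pow(cert["signature"], e, n) != digest_int(canonical(tbs), n):
        return False                          # signature does not match the contents
    return tbs["valid_from"] <= today <= tbs["valid_to"]   # ISO dates compare as strings


def demo():
    """Issue one certificate and check it: valid, expired, and with a tampered subject."""
    ca_public, ca_private = rsa_keypair(1000003, 1000033)   # constructed CA key
    alice_public, _ = rsa_keypair(1000037, 1000039)          # constructed subject key
    cert = issue_certificate(ca_private, "alice@example.com", alice_public,
                             "2024-01-01", "2024-12-31")
    ok = verify_certificate(cert, ca_public, "2024-06-15")
    expired = verify_certificate(cert, ca_public, "2025-01-01")
    tampered = dict(cert, tbs=dict(cert["tbs"], subject="mallory@example.com"))
    forged = verify_certificate(tampered, ca_public, "2024-06-15")
    return ok, expired, forged


if __name__ == "__main__":
    print("valid, expired, tampered:", demo())
```

The verifier needs nothing but the CA public key, which is exactly the property the slide describes; the subject's own key never takes part in verification.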
The problem is that an opponent can intercept and impersonate both halves of the protocol.
Rationale: performance, backward compatibility
- Diffie-Hellman key exchange is a practical method for public exchange of a secret key
- used in a number of commercial products
- the value of the key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial): easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring): hard
Diffie-Hellman Setup
all users agree on global parameters:
- a large prime integer or polynomial q
- a, a primitive root mod q
- K_AB is used as the session key in a private-key encryption scheme between Alice and Bob
- if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys
- an attacker needs an x, and so must solve a discrete log
Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
- agree on prime q=353 and a=3
- select random secret keys: A chooses xA=97, B chooses xB=233
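The exchange carried through with the slide's numbers, as an added example that is not part of the original slides: each side publishes y = a^x mod q, then computes K = y_other^x mod q (the standard Diffie-Hellman formulas). The primitive-root check confirms that a=3 is a valid generator for q=353, and the exhaustive discrete-log search shows why q=353 is a teaching value only: with a prime this small, recovering x from a public value is trivial, which is exactly the computation the slide calls "hard" for real parameter sizes.

```python
# Added example (not from the original slides): Diffie-Hellman with the
# slide's parameters q=353, a=3, xA=97, xB=233.  Formulas are the standard
# ones: y = a^x mod q for the public value, K = y_other^x mod q for the key.


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (fine for teaching sizes)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a: int, q: int) -> bool:
    """a is a primitive root mod prime q iff a^((q-1)/p) != 1 for every prime p dividing q-1."""
    return all(pow(a, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def public_value(a: int, x: int, q: int) -> int:
    """The value a participant publishes: a^x mod q (x stays secret)."""
    return pow(a, x, q)


def shared_key(y_other: int, x: int, q: int) -> int:
    """K = (other side's public value)^x mod q."""
    return pow(y_other, x, q)


def dh_exchange(q: int, a: int, x_a: int, x_b: int):
    """Run both sides of the exchange; returns (yA, yB, K) once both keys agree."""
    if not is_primitive_root(a, q):
        raise ValueError(f"{a} is not a primitive root mod {q}")
    y_a = public_value(a, x_a, q)          # Alice -> Bob
    y_b = public_value(a, x_b, q)          # Bob -> Alice
    k_a = shared_key(y_b, x_a, q)          # Alice computes yB^xA mod q
    k_b = shared_key(y_a, x_b, q)          # Bob computes yA^xB mod q
    if k_a != k_b:
        raise RuntimeError("key agreement failed")
    return y_a, y_b, k_a


def discrete_log_by_search(a: int, y: int, q: int) -> int:
    """Recover x from y = a^x mod q by exhaustive search.  Feasible only because q is
    tiny; for a 2048-bit prime this loop is the 'hard' problem the slide refers to."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    raise ValueError("no logarithm found")


if __name__ == "__main__":
    y_a, y_b, key = dh_exchange(353, 3, 97, 233)
    print(f"yA={y_a} yB={y_b} K_AB={key}")
    print("x recovered from public yA by search:", discrete_log_by_search(3, y_a, 353))
```

The `is_primitive_root` check is the part of the setup that is easy to skip in practice; if a does not generate the whole group, the key takes values in a smaller subgroup and the discrete-log search becomes correspondingly shorter.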
Security is achieved using several strategies simultaneously or in combination with one another.
Security is recognized as essential to protect vital processes and the systems that provide those processes. Security is not something you buy; it is something you do.
Monitored 24x7
Security is about having people, processes and technology (PPT), together with policies and procedures; it is not only about appliances or devices.
Shareholders / owners, management, employees, business partners, service providers, contractors, customers / clients, regulators, etc.
Process: what we do
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure could include:
- Helpdesk / service management
- Incident reporting and management
- Change request process
- Request fulfilment
- Access management
- Identity management
- Service level / third-party services management
- IT procurement process
- etc.
Finance and asset systems, including accounting packages, inventory management, HR systems, assessment and reporting systems; Software as a Service (SaaS) instead of software as a packaged or custom-made product; etc.
Access devices:
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Digital cameras, printers, scanners, photocopiers, etc.
INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
LOSS OF GOODWILL
Needed since the change requester does not understand the security implications of their request; the security administrator must carefully analyze and assess the impact on the system.
Hardware
Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured. The DoD multi-level security policy has four classifications:
- Top Secret
- Secret
- Confidential
- Unclassified
Data classification
- Top Secret: applies to the most sensitive business information, which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers.
- Secret: applies to less sensitive business information, which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers.
- Confidential: applies to personal information, which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees.
- Unclassified: applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company.
The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know.
Roles & responsibilities
Information owner, information custodian, application owner, user manager, security administrator, security analyst, change control analyst, data analyst, solution provider, end user
Background checks
What can a background check potentially prevent?
- lawsuits from terminated employees
- lawsuits from third parties or customers for negligent hiring
- unqualified employees
- lost business and profits
- time wasted recruiting, hiring and training
- theft, embezzlement or property damage
- money lost (to recruiter fees, signing bonus)
- negligent hiring lawsuits
- decrease in employee morale
- workplace violence, or sexual harassment suits
Background checks
Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
- firewall administration
- e-commerce management
- Kerberos administration
- SecurID & password usage
- PKI and certificate management
- router administration
Background checks
What can be checked for an applicant:
- Credit report
- SSN searches
- Workers' compensation reports
- Criminal records
- Motor vehicle report
- Education verification & credential confirmation
- Reference checks
- Prior employer verification
Employment agreement
- Non-compete
- Non-disclosure
- Restrictions on dissemination of corporate information, i.e., to press, analysts, law enforcement
Separation of duties
The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
Separation of duties
Separate:
- development / production
- security / audit
- accounts payable / accounts receivable
- encryption key management / changing of keys
Split knowledge
Encryption keys are separated into two components, neither of which reveals anything about the other.
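The split-knowledge arrangement above, as an added example that is not part of the original slides: the key is divided by XOR secret splitting, so each custodian's component is a uniformly random string on its own and the key only exists when every component is recombined. The 256-bit key and the custodian roles are constructed for the demonstration; the code also generalizes to more than two custodians.

```python
# Added example (not from the original slides): split knowledge for a symmetric
# key using XOR secret splitting.  Each component is uniformly random on its
# own, so a custodian holding one component learns nothing about the key;
# the key is recoverable only when all components are brought together.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> list:
    """Return `parts` components whose XOR is `key`; all but the last are random."""
    if parts < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:                 # last = key XOR c1 XOR ... XOR c(n-1)
        last = xor_bytes(last, c)
    return components + [last]


def reconstruct_key(components: list) -> bytes:
    """Recombine components; every custodian must contribute, or the result is noise."""
    result = bytes(len(components[0]))
    for c in components:
        result = xor_bytes(result, c)
    return result


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed 256-bit key
    custodian_a, custodian_b = split_key(key)
    print("custodian A holds:", custodian_a.hex())
    print("custodian B holds:", custodian_b.hex())
    print("reassembled == key:", reconstruct_key([custodian_a, custodian_b]) == key)
```

Because the final component is derived from the key and the random ones, any strict subset of the components is statistically independent of the key; this is the property that makes the scheme a true split of knowledge rather than a split of the key string in halves.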
Risk Management
Introduction
- Risk management: the process of identifying and controlling risks facing an organization
- Risk identification: the process of examining an organization's current information technology security situation
- Risk control: applying controls to reduce risks to an organization's data and information systems
Risk Identification
- Assets are targets of various threats and threat agents
- Risk management involves identifying the organization's assets and identifying threats/vulnerabilities
- Risk identification begins with identifying the organization's assets and assessing their value
Asset attributes to be considered are: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
Security Clearances
- Security clearance structure: each data user is assigned a single level of authorization indicating their classification level
- Before accessing a specific set of data, an employee must meet the need-to-know requirement
- This extra level of protection ensures information confidentiality is maintained
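The classification levels from the data classification slides and the need-to-know rule described here combine into one access check, given below as an added example (not from the original slides): a user may read an object only if their clearance level is at least the object's level and they hold every category the object is marked with. The level names are the four from the slides; the category names, users and asset names are constructed.

```python
# Added example (not from the original slides): a multi-level access check that
# combines the four DoD classification levels with need-to-know categories.
# Level names come from the slides; the category and asset names are constructed.
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # need-to-know compartments

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")


def dominates(clearance: Label, classification: Label) -> bool:
    """Read access requires clearance level >= object level AND every object
    category to be held by the user (the highest level alone is not enough)."""
    return (LEVELS[clearance.level] >= LEVELS[classification.level]
            and classification.categories <= clearance.categories)


def readable_assets(clearance: Label, assets: dict) -> list:
    """Sorted names of the assets (name -> Label) that the clearance may read."""
    return sorted(name for name, label in assets.items() if dominates(clearance, label))


# Constructed sample data for the demonstration
ASSETS = {
    "merger-plan.docx": Label("Top Secret", frozenset({"M&A"})),
    "payroll.xlsx": Label("Confidential", frozenset({"HR"})),
    "q3-forecast.pdf": Label("Secret"),
    "cafeteria-menu.txt": Label("Unclassified"),
}

if __name__ == "__main__":
    cfo = Label("Top Secret", frozenset({"M&A"}))
    hr_analyst = Label("Secret", frozenset({"HR"}))
    print("CFO can read:", readable_assets(cfo, ASSETS))
    print("HR analyst can read:", readable_assets(hr_analyst, ASSETS))
```

Note that the CFO, despite holding the highest level, cannot read the payroll file: the HR category is the need-to-know gate the slide describes.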
Threat Identification
Realistic threats need investigation; unimportant threats are set aside. Threat assessment:
- Which threats present a danger to assets?
- Which threats represent the most danger to information?
- How much would it cost to recover from an attack?
- Which threat requires the greatest expenditure to prevent?
Vulnerability Identification
- Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities
- Examine how each threat could be perpetrated and list the organization's assets and vulnerabilities
- The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions
- At the end of the risk identification process, a list of assets and their vulnerabilities is achieved
Risk Assessment
- Risk assessment evaluates the relative risk for each vulnerability
- Assigns a risk rating or score to each information asset
Likelihood
- The probability that a specific vulnerability will be the object of a successful attack
- Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100
- Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list
- Use the selected rating model consistently
- Use external references for values that have been reviewed/adjusted for your circumstances
Risk Determination
For the purpose of relative risk assessment, risk equals:
likelihood of vulnerability occurrence TIMES value (or impact) MINUS percentage of risk already controlled PLUS an element of uncertainty
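The likelihood rules and the risk formula from the two slides above, applied to a constructed asset/vulnerability list as an added example (not from the original slides). One assumption is made explicit: the "percentage already controlled" and "element of uncertainty" terms are taken as percentages of the likelihood × value product, which is how the wording reads; the asset names, values and percentages are constructed. The function also enforces the slide's rule that zero-likelihood entries do not belong in the list.

```python
# Added example (not from the original slides): the relative risk formula from
# the slide applied to a constructed asset/vulnerability list.  Assumption: the
# "percentage already controlled" and "uncertainty" terms are percentages of the
# likelihood x value product, as the slide's wording suggests.
from dataclasses import dataclass


@dataclass
class VulnerabilityRecord:
    asset: str
    vulnerability: str
    value: float            # asset value or impact, on the chosen rating scale
    likelihood: float       # 0.1 (low) .. 1.0 (high), per the slide
    controlled: float       # fraction of the risk already mitigated, 0..1
    uncertainty: float      # fraction added for incomplete knowledge, 0..1


def relative_risk(rec: VulnerabilityRecord) -> float:
    """risk = likelihood * value - (that product * % controlled) + (that product * uncertainty)."""
    if not 0.1 <= rec.likelihood <= 1.0:
        raise ValueError("likelihood must be 0.1..1.0; zero-likelihood items are removed from the list")
    base = rec.likelihood * rec.value
    return base - base * rec.controlled + base * rec.uncertainty


def rank_by_risk(records: list) -> list:
    """(asset, vulnerability, risk) tuples, highest risk first, rounded to 2 places."""
    scored = [(r.asset, r.vulnerability, round(relative_risk(r), 2)) for r in records]
    return sorted(scored, key=lambda t: t[2], reverse=True)


SAMPLE = [  # constructed records
    VulnerabilityRecord("customer DB", "unpatched SQL server", 100, 0.5, 0.5, 0.2),
    VulnerabilityRecord("web server", "no rate limiting", 50, 1.0, 0.0, 0.1),
    VulnerabilityRecord("backup tapes", "unencrypted offsite storage", 80, 0.2, 0.75, 0.1),
]

if __name__ == "__main__":
    for asset, vuln, risk in rank_by_risk(SAMPLE):
        print(f"{risk:6.2f}  {asset}: {vuln}")
```

The ranking is what the risk assessment step produces: the web server's uncontrolled, high-likelihood weakness outranks the more valuable database because half of the database risk is already controlled.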
Access Controls
Access controls specifically address the admission of a user into a trusted area of the organization. Access controls can be:
- Mandatory access controls (MAC): give users and data owners limited control over access to information
- Nondiscretionary controls: managed by a central authority in the organization; can be role-based or task-based
- Discretionary access controls (DAC): implemented at the discretion or option of the data user
Avoidance
- Attempts to prevent exploitation of the vulnerability
- Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
Three common methods of risk avoidance:
- Application of policy
- Training and education
- Applying technology
Transference
- Control approach that attempts to shift risk to other assets, processes, or organizations
- If lacking, the organization should hire individuals/firms that provide security management and administration expertise
- The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks
Mitigation
Attempts to reduce the impact of vulnerability exploitation through planning and preparation. The approach includes three types of plans:
- Incident response plan (IRP)
- Disaster recovery plan (DRP)
- Business continuity plan (BCP)
Mitigation (continued)
- DRP is the most common mitigation procedure
- The actions to take while an incident is in progress are defined in the IRP
- BCP encompasses continuation of business activities if a catastrophic event occurs
Acceptance
- Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- Valid only when the particular function, service, information, or asset does not justify the cost of protection
- Risk appetite describes the degree to which the organization is willing to accept risk as a trade-off to the expense of applying controls
Feasibility Studies
- Before deciding on a strategy, all information about the economic/noneconomic consequences of the vulnerability of the information asset must be explored
- A number of ways exist to determine the advantage of a specific control
- It is possible to complete the steps using an evaluation process based on characteristics using nonnumerical measures; this is called qualitative assessment
- Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values
Security Governance
Security governance is the organizational processes and relationships for managing risk:
- Policies, procedures, standards, guidelines, baselines
- Organizational structures
- Roles and responsibilities
Policy Mapping
Laws, Regulations, Requirements, Organizational Goals, Objectives
Functional Policies
Procedures
Standards
Guidelines
Baselines
Policies
- Policies are statements of management intentions and goals
- Senior management support and approval is vital to success
- General, high-level objectives
- Acceptable use, internet access, logging, information security, etc.
Procedures
- Procedures are detailed steps to perform a specific task
- Usually required by policy
- Decommissioning resources, adding user accounts, deleting user accounts, change management, etc.
Standards
- Standards specify the use of specific technologies in a uniform manner
- Require uniformity throughout the organization
- Operating systems, applications, server tools, router configurations, etc.
Guidelines
- Guidelines are recommended methods for performing a task
- Recommended, but not required
- Malware cleanup, spyware removal, data conversion, sanitization, etc.
Baselines
- Baselines are similar to standards but account for differences in technologies and versions from different vendors
- Operating system security baselines: FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.
Organizational Structure
The organization of, and official responsibilities for, security vary:
- BoD, CEO, BoD committee
- CFO, CIO, CSO, CISO
- Director, manager
[Organization chart] Security Director, System Auditor
[Organization chart] IT Audit Manager, Security Director, System Auditor
Further Separation
[Organization chart] Board of Directors/Trustees, President, Audit Committee, Internal Audit, CIO; IT Audit Manager, Security Director, System Auditor, Pro Security
Organizational Structure
- Audit should be separate from implementation and operations, so that independence is not compromised
- Responsibilities for security should be defined in job descriptions
- Senior management has ultimate responsibility for security
- Security officers/managers have functional responsibility
Custodians
Manage security based on requirements
Users
Access as allowed by security requirements
Overview
- Introduction
- Information Security Risk Management Methodologies
- Criteria on which the Framework is based
- The Framework for Comparison
- How the Framework should be used
- Strengths and Weaknesses of this proposed Framework
- Conclusion
- References
Introduction
- Information security is an organization's approach to maintaining the confidentiality, availability, integrity, non-repudiation, accountability, authenticity and reliability of its IT systems
- Currently there are numerous risk analysis methodologies available, some of which are qualitative while others are quantitative in nature
- These methodologies have a common goal of estimating the overall risk value
Introduction
- An easy-to-use framework is required to compare information security risk analysis methodologies
- The best way to choose between methodologies is to compare them, using objective, quantifiable criteria; this is where a framework for comparison is needed
- If the criteria that are used are applicable to all risk analysis methodologies, the organization can compare different methodologies objectively, and decide on the best one
Alternative Frameworks
- The framework proposed by Badenhorst indicates whether a methodology addresses a criterion or not
- It does not use scales, or trade-offs, which can aid the organization in choosing a methodology that will best meet their needs
- This shows the need for more comparative frameworks
Qualitative Methodologies
The qualitative methodologies considered for this framework are:
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
- The CORAS (Construct a platform for Risk Analysis of Security Critical Systems) methodology
Quantitative Methodologies
The quantitative methodologies considered for this framework are:
- ISRAM (Information Security Risk Analysis Method)
- Cost-Of-Risk Analysis (CORA)
- Information Systems (IS) analysis based on a business model
The above methodologies were chosen because they have been well documented.
OCTAVE
- OCTAVE was developed at the CERT Coordination Center (CERT/CC) [Cert Coordination Center 2003]
- This approach concentrates on assets, threats and vulnerabilities
- One of the main concepts of OCTAVE is self-direction: the people inside the organization must lead the information security risk evaluation
- An analysis team, consisting of staff from the organization's business units as well as the IT department, is responsible for leading the evaluation and recording results
OCTAVE
- The OCTAVE approach has three phases, each broken down into processes
- Each process has certain activities that must be completed, and within each of these activities, different steps must be taken in order to achieve the desired outputs
- The final result that risk decisions can be based on is the threat profile of the different assets
- Each threat profile contains information on which mitigation decisions can be based
CORAS
- CORAS was developed under the Information Society Technologies (IST) programme
- One of the main objectives of CORAS is to develop a framework that exploits methods for risk analysis, semiformal methods for object-oriented modeling, and computerized tools, for a precise, unambiguous, and efficient risk assessment of security-critical systems
- The methodology is based on UML, a language that uses diagrams to illustrate relationships and dependencies between users and the environment in which they work
CORAS
- During an information security risk analysis, a great deal of information is brainstormed, and during workshops and discussions different people (users, system developers, analysts, system managers), with different expertise in different fields, come together, give their opinions and share information
- A way in which all the participants can communicate efficiently and understand each other must therefore exist, and a UML profile, proposed by the CORAS project, is used to achieve this
CORAS
- The framework has four main pillars, of which risk management is one
- In CORAS, the final result on which decisions can be based is the UML class diagram of each asset
ISRAM
- The ISRAM methodology was developed at the National Research Institute of Electronics and Cryptology and the Gebze Institute of Technology in Turkey
- It is marketed as a quantitative approach to risk analysis that allows for the participation of the managers and staff of the organization, and a survey-based model
- Two separate and independent surveys are conducted for the two attributes of risk, namely probability and consequence
ISRAM
- ISRAM does not use techniques such as Single Occurrence Losses (SOL) or Annual Loss Expectancy (ALE); instead, the risk factor is a numerical value between 1 and 25
- This numerical value corresponds to a qualitative high, medium or low value, and it is this qualitative value on which risk management decisions are based
CORA
- International Security Technology, Inc. (IST) developed CORA, the Cost-Of-Risk Analysis system
- The CORA risk model uses data collected about threats, functions and assets, and the vulnerabilities of the functions and assets to the threats, to calculate the consequences, that is, the losses due to the occurrences of the threats
CORA
- It is a methodology where the risk parameters are expressed quantitatively and where losses are expressed in quantitative monetary terms
- CORA uses a two-step process to support risk management: parameters for threats, functions and assets are validated and refined until the best values are determined
CORA
- CORA then calculates SOL and ALE for each of the threats identified
- It estimates a single loss value for a threat to an organization, and then multiplies this value by the frequency of the threat occurrence
IS Risk Analysis
- The methodology has four stages
- During this methodology, the importance level of the various business functions of the business model and the necessity level of the various IS assets are determined
- Mathematical formulae are used to calculate ALE for a single threat occurrence on the organization
- The end result is a quantitative monetary value
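The loss arithmetic that both the CORA slides and the IS business-model methodology rest on, as an added example that is not part of the original slides: a single-occurrence loss is estimated per threat and multiplied by the expected yearly frequency to give the ALE, and comparing the ALE before and after a control against the control's yearly cost gives the kind of advantage-of-a-control figure the feasibility slides ask for. The threat, the monetary values, the exposure factors and the rates are all constructed; the "exposure factor" name for the fraction of value lost per occurrence is an assumption of this example, not a term from the slides.

```python
# Added example (not from the original slides): single-occurrence loss (SOL)
# and annual loss expectancy (ALE) arithmetic, plus a control cost-benefit
# check.  All threat names, values and rates are constructed.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float       # monetary value of the affected asset or function
    exposure_factor: float   # fraction of that value lost per occurrence, 0..1 (assumed term)
    annual_rate: float       # expected occurrences per year


def single_occurrence_loss(t: Threat) -> float:
    """Loss from one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """Single loss multiplied by the yearly frequency of the threat."""
    return single_occurrence_loss(t) * t.annual_rate


def control_benefit(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Positive when the control reduces ALE by more than it costs each year."""
    return (annual_loss_expectancy(before)
            - annual_loss_expectancy(after)
            - annual_control_cost)


def loss_table(threats: list) -> list:
    """(name, SOL, ALE) per threat, rounded to whole currency units, highest ALE first."""
    rows = [(t.name, round(single_occurrence_loss(t)), round(annual_loss_expectancy(t)))
            for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario: ransomware on a file server, before and after offline backups
RANSOMWARE_NOW = Threat("ransomware on file server", 400_000, 0.50, 0.25)
RANSOMWARE_WITH_BACKUPS = Threat("ransomware on file server", 400_000, 0.10, 0.25)
BACKUP_CONTROL_COST = 15_000   # per year, constructed

if __name__ == "__main__":
    for name, sol, ale in loss_table([RANSOMWARE_NOW, RANSOMWARE_WITH_BACKUPS]):
        print(f"{name}: SOL={sol} ALE={ale}")
    print("yearly benefit of backups:",
          control_benefit(RANSOMWARE_NOW, RANSOMWARE_WITH_BACKUPS, BACKUP_CONTROL_COST))
```

Here the control lowers the loss per occurrence rather than the frequency; a control such as patching would instead lower `annual_rate`, and the same function compares either kind.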
If simplicity is most important, values are as follows:
- 1: Risk analysis involves extensive mathematical calculations
- 2: Risk analysis involves some but simple mathematical calculations
- 3: Risk analysis involves no mathematical calculations
If accuracy is most important, values are as follows:
- 1: Risk analysis involves no mathematical calculations
- 2: Risk analysis involves some but simple mathematical calculations
- 3: Risk analysis involves extensive mathematical calculations
Strengths
- Can be applied to various risk analysis methodologies
- Takes the requirements of an organization into account
- Uses scales based on different scenarios and trade-offs
- Can give an indication of which assets and people will be needed for the risk analysis, based on the requirements of the organization
Weakness
- Does not take the customization of a methodology into account: the OCTAVE methodology can be tailored to fit the needs of an organization, and not all processes have to be performed, which can influence where risk analysis fits into the methodology; the preparation required can therefore be reduced
- The risk analysis based on the requirements of an organization
Weakness
- The existence of other criteria not presented by the framework
- There are many other risk analysis methodologies, such as CRAMM, and there are also baselines which cover a wider variety of information security aspects, such as the ISO 17799 framework, which can be used to define other criteria
Conclusion
- Numerous methodologies are currently available, and many organizations are faced with the daunting task of determining which one to use
- The goal was to develop an easy-to-use framework that organizations can employ to compare different information security risk analysis methodologies
- The main benefit lies in the ability to eliminate the majority of methodologies that are unsuitable and to further investigate only the few that remain
Security Audit
Other Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs
When to audit?
- Emergency!
- Before prime time
- Scheduled / maintenance
Audit Schedules
- Individual host: 12-24 months
- Large networks: 12-24 months
- Network: 12 months
- Firewall: 6 months
Security policy
- Treat the policy as a potential threat
- Bad policies are worse than none at all
- Good policies are very rare
- Look for clarity & completeness
- Poor grammar and spelling are not tolerated
Review Documentation
- Hardware/software inventory
- Network topology
- Key personnel
- Emergency numbers
- Incident logs
Technical Investigation
- Run static tools (COPS, Crack, etc.)
- Check system logs
- Check the system against known vulnerabilities (CERT, Bugtraq, CIAC advisories, etc.)
- Follow startup execution
- Check static items (config files, etc.)
- Search for privileged programs (SUID, SGID, run as root)
- Examine all trust
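The "search for privileged programs" step from the list above, as an added example that is not from the original slides: a small inventory tool that walks a directory tree, reports every regular file carrying the setuid or setgid bit together with whether root owns it, and diffs the result against a baseline saved at the previous audit so the auditor sees only what changed. The baseline format (a set of paths) and the default of scanning `/usr/bin` are assumptions of this example.

```python
# Added example (not from the original slides): the "search for privileged
# programs" audit step as a small inventory tool.  It walks a tree, reports
# regular files with the setuid/setgid bit (and whether root owns them), and
# diffs the result against a saved baseline so an auditor sees what changed.
import os
import stat


def privilege_flags(mode: int) -> list:
    """Which privilege bits are set in a st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def find_privileged(root: str) -> list:
    """(path, flags, root_owned) for every regular file under root carrying setuid/setgid."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue                       # unreadable entry; skip it, keep walking
            if not stat.S_ISREG(st.st_mode):
                continue                       # only regular files can be privileged programs
            flags = privilege_flags(st.st_mode)
            if flags:
                found.append((path, flags, st.st_uid == 0))
    return sorted(found)


def new_since_baseline(current: list, baseline_paths: set) -> list:
    """Privileged files not present in the baseline from the previous audit (assumed format: set of paths)."""
    return [entry for entry in current if entry[0] not in baseline_paths]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"   # assumed default
    for path, flags, root_owned in find_privileged(root):
        print(f"{path}  {','.join(flags)}  {'root-owned' if root_owned else 'non-root'}")
```

Keeping the baseline under change control turns a one-off search into a recurring check: any setuid binary that appears between audits either has a change request behind it or is a finding.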