Introduction To Information Security: Do Not Figure On Opponents Not Attacking Worry About Your Own Lack of Preparation
Security
Chapter 1
Do not figure on opponents not
attacking; worry about your own
lack of preparation.
-- Book of the Five Rings
1
Course Information
Hour 3 hours
Email
bukhari_sarah@yahoo.com
Rules
No compromise in study.
Slide 4
What Is Information Security?
Information security in today’s enterprise
is a “well-informed sense of assurance
that the information risks and controls are
in balance.” –Jim Anderson, Inovant
(2002)
Slide 5
The History Of Information
Security
Slide 6
Figure 1-1 – The Enigma
Slide 7
The 1960s
Department of Defense’s Advanced
Research Project Agency (ARPA) began
examining the feasibility of redundant
networked communications
Larry Roberts developed the project from
its inception
Slide 8
Figure 1-2 - ARPANET
Slide 9
The 1990s
As networks of computers became more
common, so too did the need to
interconnect the networks
Resulted in the Internet, the first
manifestation of a global network of
networks
In early Internet deployments, security
was treated as a low priority
Slide 10
The Present
The Internet has brought millions of
computer networks into communication
with each other – many of them
unsecured
Ability to secure each now influenced by
the security on every computer to which it
is connected
Slide 11
What Is Security?
“The quality or state of being secure--to be free from
danger”
To be protected from adversaries
A successful organization should have multiple layers
of security in place:
– Physical security - to protect the physical items, objects, or areas of an organization
from unauthorized access and misuse.
– Personal security – to protect the individual or group of individuals who are authorized
to access the organization and its operations.
– Operations security – to protect the details of a particular operation or series of
activities.
– Communications security – to protect an organization’s communications media,
technology, and content.
– Network security – to protect networking components, connections, and contents.
Slide 12
What Is Information Security?
The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
Tools, such as policy, awareness, training,
education, and technology are necessary
The C.I.A. triangle was the standard based on
confidentiality, integrity, and availability
The C.I.A. triangle has expanded into a list of
critical characteristics of information
Slide 13
Critical Characteristics Of Information
The value of information comes from the characteristics it possesses.
Availability - enables users who need to access information to do so without interference or obstruction and in
the required format. The information is said to be available to an authorized user when and where needed and in
the correct format.
Accuracy - free from mistake or error and having the value that the end-user expects. If information contains a
value different from the user’s expectations due to the intentional or unintentional modification of its content, it is
no longer accurate.
Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is
threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic
state.
Utility - the quality or state of having value for some purpose or end. Information has value when it serves a
particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is
not useful.
Possession - the quality or state of having ownership or control of some object or item. Information is said to
be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality
always results in a breach of possession, a breach of possession does not always result in a breach of
confidentiality.
Slide 14
Figure 1-3 – NSTISSC
Security Model
Slide 15
THE CAST OF CHARACTERS
Alice and Bob are the good guys
16
ALICE’S ONLINE BANK
17
CIA
18
CIA
19
CIA
20
BEYOND CIA: CRYPTO
How does Bob’s computer know that “Bob” is really Bob and not
Trudy?
Bob’s password must be verified
This requires some clever cryptography
21
BEYOND CIA: PROTOCOLS
22
BEYOND CIA: ACCESS CONTROL
23
BEYOND CIA: SOFTWARE
24
THE THREE OBJECTIVES OF
NETWORK SECURITY
Confidentiality
Integrity
Availability
THE PEOPLE PROBLEM
People often break security
Both intentionally and unintentionally
Here, we consider the unintentional
For example, suppose you want to buy something online
To make it concrete, suppose you want to buy Information Security:
Principles and Practice, 2nd edition from amazon.com
26
THE PEOPLE PROBLEM
27
THE PEOPLE PROBLEM
What could go wrong?
Trudy tries man-in-the-middle attack
SSL is secure, so attack doesn’t “work”
But, Web browser issues a warning
What do you, the user, do?
If user ignores warning, attack works!
None of the security mechanisms failed
But user unintentionally broke security
28
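The scenario above makes the point that the protocol held and the user defeated it. The same decision exists in client software: an application that turns off certificate validation is "ignoring the warning" programmatically, and nothing in the connection will fail. The following added example (not from the slides) audits a Python `ssl.SSLContext` for exactly that condition, and shows the fail-closed default next to the click-through configuration. The function name `audit_tls_context` is my own.

```python
import ssl

# Added example for the "people problem" slide: the browser warning is the
# user's decision point, and in client code the same decision is encoded in
# the TLS context settings. audit_tls_context is an illustrative helper.

def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways this context would silently accept an interposed server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname = False)")
    return findings

def strict_context() -> ssl.SSLContext:
    # Equivalent of heeding the warning: the handshake fails closed when the
    # server certificate does not chain to a trusted root or does not name the host.
    return ssl.create_default_context()

def click_through_context() -> ssl.SSLContext:
    # Equivalent of clicking past the warning: traffic is still encrypted, but
    # whoever sits in the path can present any certificate and be accepted,
    # which is precisely the man-in-the-middle case the warning exists for.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("click-through", click_through_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

Running the audit over every context an application builds is a cheap code-review or CI check: the secure default produces no findings, and the click-through context produces two.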
THE THREE FOUNDATIONS OF
NETWORK SECURITY
People
Processes
Technology
COMPUTER SECURITY
30
CIA TRIAD
31
KEY OBJECTIVES
Confidentiality
Data confidentiality - information not disclosed to
unauthorized individuals
Privacy - individuals control how their information is
collected, stored, shared
Integrity
Data integrity - assures that information and programs are changed only
in a specified and authorized manner.
System integrity - assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system
Availability - service not denied to authorized users
32
SECURITY GOALS
Confidentiality
Concealment of information or resources
Integrity
Trustworthiness of data or resources
Availability
Ability to use information or resources
33
CONFIDENTIALITY
34
INTEGRITY
36
AUTHENTICITY AND
ACCOUNTABILITY
Two additional objectives:
Authenticity - being genuine and able to be verified or
trusted; verifying that users are who they say they are
Accountability - actions of an entity can be traced
uniquely to that entity; supports nonrepudiation,
deterrence, fault isolation, intrusion detection and
prevention.
37
LEVELS OF IMPACT
38
SECURITY BREACH
LOW IMPACT
Loss has limited adverse effect
For example:
Effectiveness of the functions of an organization is noticeably reduced
Results in minor damage to organizational assets
Results in minor financial loss
Results in minor harm to individuals
39
SECURITY BREACH
MODERATE IMPACT
Loss may have serious adverse effect on organizational
operations, assets or individuals.
For example:
Effectiveness of the functions of an organization is significantly reduced
Results in significant damage to organizational assets
Results in significant financial loss
Results in significant harm to individuals
40
SECURITY BREACH
HIGH IMPACT
Loss is expected to have severe or catastrophic adverse effect on
organizational operations, assets or individuals.
For example:
Effectiveness of the functions of an organization is reduced so
that the organization cannot perform its primary function(s).
Results in major damage to organizational assets
Results in major financial loss
Results in severe or catastrophic harm to individuals, involving
loss of life or serious life-threatening injuries
41
SECURITY
Motivation: Why do we need security?
43
CONCERNS CONTINUED…
Is the web site I am downloading information from a
legitimate one, or a fake?
44
Passive Attacks
Passive attacks do not affect system resources
Eavesdropping, monitoring
Two types of passive attacks
• Release of message contents
• Traffic analysis
Passive attacks are very difficult to detect
• Message transmission apparently normal
• No alteration of the data
Emphasis on prevention rather than detection
• By means of encryption
Passive Attacks (2)
Traffic Analysis
Active attacks try to alter system resources or
affect their operation
Modification of data, or creation of false data
Four categories
• Masquerade
• Replay
• Modification of messages
• Denial of service: preventing normal use
  • A specific target or entire network
Difficult to prevent
The goal is to detect and recover
Active Attacks (1)
Masquerade
Active Attacks (2)
Replay
Active Attacks (3)
Modification of Messages
Active Attacks (4)
Denial of Service
Summary of Passive and Active Threats
53
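The slides state that active attacks are hard to prevent and that the goal is to detect and recover, and the earlier characteristics slide distinguishes integrity (the content is unchanged) from authenticity (the content came from who it claims). The following added example, which is mine and not from the slides, shows the receiver side of that detection for three of the four active-attack categories: a message carries an HMAC tag so that modification and masquerade are caught as a tag mismatch, and a nonce plus sequence number so that a replay of a genuine message is caught as well. The shared key is assumed to have been established out of band, and the JSON message layout and the names `make_message`, `Receiver` and `run_scenarios` are constructed for the illustration. Denial of service is not addressed by this mechanism, and a MAC gives no confidentiality, so the passive-attack countermeasure (encryption) is not shown here.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not from the slides. Assumes a shared key established out of
# band; the message layout (seq, nonce, body, tag) is a constructed illustration.

def make_message(key: bytes, seq: int, body: str) -> dict:
    """Sender side: attach a fresh nonce, a sequence number and an HMAC tag."""
    fields = {"seq": seq, "nonce": secrets.token_hex(8), "body": body}
    canonical = json.dumps(fields, sort_keys=True).encode()
    fields["tag"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return fields

class Receiver:
    """Receiver side: verifies integrity and authenticity, then rejects replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()
        self.last_seq = -1

    def accept(self, msg: dict) -> tuple[bool, str]:
        fields = {k: v for k, v in msg.items() if k != "tag"}
        canonical = json.dumps(fields, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # A wrong tag means either the content changed in transit (modification)
        # or it was produced by someone without the key (masquerade). The two are
        # indistinguishable to the receiver, which is why both share one verdict.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "modification or masquerade: tag mismatch"
        # The tag is valid, so the content is authentic and intact; a genuine
        # message can still be re-sent, so the nonce and sequence are checked.
        if msg["nonce"] in self.seen_nonces or msg["seq"] <= self.last_seq:
            return False, "replay: nonce or sequence number already seen"
        self.seen_nonces.add(msg["nonce"])
        self.last_seq = msg["seq"]
        return True, "accepted"

def run_scenarios() -> dict:
    """Deliver one genuine message and the three active-attack variants of it."""
    key = secrets.token_bytes(32)                 # constructed shared key
    rx = Receiver(key)
    genuine = make_message(key, 1, "pay Bob 10")
    results = {"genuine": rx.accept(genuine)[1]}
    # Modification: the body is altered after the tag was computed.
    tampered = dict(genuine)
    tampered["body"] = "pay Bob 1000"
    results["modified"] = rx.accept(tampered)[1]
    # Masquerade: a message built by a party that does not hold the shared key.
    forged = make_message(secrets.token_bytes(32), 2, "pay Bob 10")
    results["masquerade"] = rx.accept(forged)[1]
    # Replay: the original, correctly tagged message delivered a second time.
    results["replay"] = rx.accept(genuine)[1]
    return results

if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:10s} -> {verdict}")
```

The receiver keeps only a small amount of state (the last sequence number and the nonces it has seen), which is what makes "detect and recover" practical: a rejected message is logged and dropped, and the legitimate session continues from the last accepted sequence number.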
Key Information Security Concepts
Access: A subject or object’s ability to use, manipulate, modify, or
affect another subject or object. Authorized users have legal access to a
system, whereas hackers have illegal access to a system. Access
controls regulate this ability.
Asset: The organizational resource that is being protected. An asset
can be logical, such as a Web site, information, or data; or an asset
can be physical, such as a person, computer system, or other
tangible object. Assets, and particularly information assets, are the
focus of security efforts; they are what those efforts are attempting to
protect.
Attack: An intentional or unintentional act that can cause damage
to or otherwise compromise information and/or the systems that
support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect. Someone casually reading sensitive
information not intended for his or her use is a passive attack. A hacker
attempting to break into an information system is an intentional attack.
Slide 54
Slide 55
Control, safeguard, or countermeasure: Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve
vulnerabilities, and otherwise improve the security within an organization. The
various levels and types of controls are discussed more fully in the following
chapters.
Exploit: A technique used to compromise a system. This term can be a
verb or a noun. Threat agents may attempt to exploit a system or other
information asset by using it illegally for their personal gain. Or, an exploit can
be a documented process to take advantage of a vulnerability or exposure,
usually in software, that is either inherent in the software or is created by the
attacker. Exploits make use of existing software tools or custom-made
software components.
Exposure: A condition or state of being exposed. In information security,
exposure exists when a vulnerability known to an attacker is present.
Loss: A single instance of an information asset suffering damage or
unintended or unauthorized modification or disclosure. When an
organization’s information is stolen, it has suffered a loss.
Slide 56
Protection profile or security posture: The entire set of controls
and safeguards, including policy, education, training and
awareness, and technology, that the organization implements (or
fails to implement) to protect the asset. The terms are sometimes
used interchangeably with the term security program, although
the security program often comprises managerial aspects of
security, including planning, personnel, and subordinate programs.
Risk: The probability that something unwanted will happen.
Organizations must minimize risk to match their risk appetite—the
quantity and nature of risk the organization is willing to accept.
Subjects and objects: A computer can be either the subject of an
attack—an agent entity used to conduct the attack—or the object
of an attack—the target entity. A computer can be both the subject
and object of an attack, when, for example, it is compromised by an
attack (object), and is then used to attack other systems (subject).
Slide 57
Threat: A category of objects, persons, or other entities that
presents a danger to an asset. Threats are always present and can
be purposeful or undirected. For example, hackers purposefully
threaten unprotected information systems, while severe storms
incidentally threaten buildings and their contents.
Threat agent: The specific instance or a component of a threat.
For example, all hackers in the world present a collective threat,
while Kevin Mitnick, who was convicted for hacking into phone
systems, is a specific threat agent. Likewise, a lightning strike,
hailstorm, or tornado is a threat agent that is part of the threat of
severe storms.
Vulnerability: A weakness or fault in a system or protection
mechanism that opens it to attack or damage. Some examples of
vulnerabilities are a flaw in a software package, an unprotected
system port, and an unlocked door. Some well-known vulnerabilities
have been examined, documented, and published; others remain
latent (or undiscovered).
Slide 58
Components of an Information
System
Slide 59
Securing the Components
The computer can be the subject of an
attack, the object of an attack, or both
When a computer is
– the subject of an attack, it is used as an
active tool to conduct the attack
– the object of an attack, it is the entity being
attacked
Slide 60
Figure 1-5 – Subject and
Object of Attack
Slide 61
Components of an Information System
Slide 62
Balancing Security and
Access
It is impossible to obtain perfect security
- it is not an absolute; it is a process
Security should be considered a balance
between protection and availability
To achieve balance, the level of security
must allow reasonable access, yet
protect against threats
Slide 63
Figure 1-6 – Balancing
Security and Access
Slide 64
Bottom Up Approach
Security from a grass-roots effort -
systems administrators attempt to
improve the security of their systems
Key advantage - technical expertise of the
individual administrators
Seldom works, as it lacks a number of
critical features:
– participant support
– organizational staying power
Slide 65
Figure 1-7 – Approaches to
Security Implementation
Slide 66
Top-down Approach
Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required
actions
This approach has strong upper management
support, a dedicated champion, dedicated funding,
clear planning, and the chance to influence
organizational culture
May also involve a formal development strategy
referred to as a systems development life cycle
– Most successful top-down approach
Slide 67
The Systems Development
Life Cycle
Information security must be managed in
a manner similar to any other major
system implemented in the organization
Using a methodology
– ensures a rigorous process
– avoids missing steps
The goal is creating a comprehensive
security posture/program
Slide 68
Figure 1-8 – SDLC Waterfall
Methodology
Slide 69
SDLC and the SecSDLC
The SecSDLC may be
– event-driven - started in response to some
occurrence or
– plan-driven - as a result of a carefully
developed implementation strategy
At the end of each phase comes a
structured review
Slide 70
Investigation
What is the problem the system is being
developed to solve?
– The objectives, constraints, and scope of the
project are specified
– A preliminary cost/benefit analysis is
developed
– A feasibility analysis is performed to
assess the economic, technical, and
behavioral feasibilities of the process
Slide 71
Analysis
Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
Ends with the documentation of the findings and
a feasibility analysis update
Slide 72
Logical Design
Based on business need, applications are
selected capable of providing needed services
Based on applications needed, data support
and structures capable of providing the needed
inputs are identified
Finally, based on all of the above, specific
ways to implement the physical solution are
chosen
At the end, another feasibility analysis is
performed
Slide 73
Physical Design
Specific technologies are selected to
support the alternatives identified and
evaluated in the logical design
Selected components are evaluated
based on a make-or-buy decision
Entire solution is presented to the end-
user representatives for approval
Slide 74
Implementation
Components are ordered, received,
assembled, and tested
Users are trained and documentation
created
Users are then presented with the system
for a performance review and acceptance
test
Slide 75
Maintenance and Change
Tasks necessary to support and modify
the system for the remainder of its useful
life
The life cycle continues until the process
begins again from the investigation phase
When the current system can no longer
support the mission of the organization, a
new project is implemented
Slide 76
Security Systems
Development Life Cycle
The same phases used in the traditional
SDLC adapted to support the specialized
implementation of a security project
Basic process is identification of threats
and controls to counter them
The SecSDLC is a coherent program
rather than a series of random, seemingly
unconnected actions
Slide 77
Investigation
Identifies process, outcomes and goals of
the project, and constraints
Begins with a statement of program
security policy
Teams are organized, problems analyzed,
and scope defined, including objectives,
and constraints not covered in the
program policy
An organizational feasibility analysis is
performed
Slide 78
Analysis
Analysis of existing security policies or
programs, along with documented current
threats and associated controls
Includes an analysis of relevant legal
issues that could impact the design of the
security solution
The risk management task (identifying,
assessing, and evaluating the levels of
risk) also begins
Slide 79
Logical & Physical Design
Creates blueprints for security
Critical planning and feasibility analyses to
determine whether or not the project should
continue
In physical design, security technology is
evaluated, alternatives generated, and final
design selected
At end of phase, feasibility study determines
readiness so all parties involved have a chance
to approve the project
Slide 80
Implementation
The security solutions are acquired (made
or bought), tested, and implemented, and
tested again
Personnel issues are evaluated and
specific training and education programs
conducted
Finally, the entire tested package is
presented to upper management for final
approval
Slide 81
Maintenance and Change
The maintenance and change phase is
perhaps most important, given the high
level of ingenuity in today’s threats
The reparation and restoration of
information is a constant duel with an
often unseen adversary
As new threats emerge and old threats
evolve, the information security profile of
an organization requires constant
adaptation
Slide 82
Slide 83
Security Professionals and the
Organization
It takes a wide range of professionals to
support a diverse information security
program
To develop and execute specific security
policies and procedures, additional
administrative support and technical
expertise is required
Slide 84
Senior Management
Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior
executive(s) for strategic planning
Chief Information Security Officer
– responsible for the assessment, management, and
implementation of securing the information in the
organization
– may also be referred to as the Manager for Security,
the Security Administrator, or a similar title
Slide 85
Security Project Team
A number of individuals who are experienced in
one or multiple requirements of both the
technical and non-technical areas:
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Slide 86
Data Ownership
Data Owner - responsible for the security
and use of a particular set of information
Data Custodian - responsible for the
storage, maintenance, and protection of
the information
Data Users - the end systems users who
work with the information to perform their
daily jobs supporting the mission of the
organization
Slide 87
Communities Of Interest
Each organization develops and
maintains its own unique culture and
values. Within that corporate culture,
there are communities of interest:
– Information Security Management and
Professionals
– Information Technology Management and
Professionals
– Organizational Management and
Professionals
Slide 88
Information Security: Is It an
Art or a Science?
With the level of complexity in today’s
information systems, the implementation
of information security has often been
described as a combination of art and
science
Slide 89
Security as Art
There are no hard and fast rules, nor are there
many universally accepted complete
solutions
No magic user’s manual for the security
of the entire system
Complex levels of interaction between
users, policy, and technology controls
Slide 90
Security as Science
Dealing with technology designed to
perform at high levels of performance
Specific conditions cause virtually all
actions that occur in computer systems
Almost every fault, security hole, and
systems malfunction is a result of the
interaction of specific hardware and
software
If the developers had sufficient time, they
could resolve and eliminate these faults
Slide 91
Security as a Social Science
Social science examines the behavior of
individuals interacting with systems
Security begins and ends with the
people that interact with the system
End users may be the weakest link in
the security chain
Security administrators can greatly reduce
the levels of risk caused by end users,
and create more acceptable and
supportable security profiles
Slide 92
Exercises
Classify each of the following as an attack on confidentiality, integrity,
and/or availability (more than one may apply). Justify your answers.
Slide 93
Consider an automated teller machine (ATM) in
which users provide a personal identification
number (PIN) and a card for account access.
Give examples of confidentiality, integrity, and
availability requirements associated with the
system. In each case, indicate the degree of
importance of the requirement.
Slide 94
1. Consider the statement: an individual threat agent,
like a hacker, can be a factor in more than one
threat category. If a hacker hacks into a network,
copies a few files, defaces the Web page, and
steals credit card numbers, how many different
threat categories does this attack fall into?
Slide 95
Differences
Availability
Accuracy
Authenticity
Slide 96