CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security

CMGT 400

Philip Robbins – February 5, 2013 (Week 1)University of Phoenix Mililani Campus

Intro to Information Assurance & Security

Agenda: Week 1

• Introductions• Course Syllabus• Fundamental Aspects

- Information- Information Assurance- Information Security Services- Risk Management, CND, and Incident Response

• Quiz #1• Assignment

Concepts

• Information- What is it?- Why is it important?- How do we protect (secure) it?

Why is this important?

• Information is valuable.

therefore, • Information Systems are valuable.etc…

• Compromise of Information Security Services (C-I-A) have real consequences (loss)- Confidentiality: death, proprietary info, privacy, theft- Integrity: theft, loss of confidence, validity- Availability: lost productivity, disruption of C2,

defense, emergency services

Concepts

• Information Systems

Systems that store, transmit, and process information.

++• Information Security

The protection of information.

______________________________________________________________________________________________• Information Systems Security

The protection of systems that store, transmit, and process information.

Fundamental Concepts

• What is Information Assurance (IA)?- Our assurance (confidence) in the protection of our

information / Information Security Services.

• What are Information Security Services (ISS)?- Confidentiality: Making sure our information is

protected from unauthorized disclosure.- Integrity: Making sure the information we process,

transmit, and store has not been corrupted or adversely manipulated.

- Availability: Making sure that the information is there when we need it and gets to those who need it.

Private vs. Military Requirements

• Which security model an organization uses depends on it’s goals and objectives.– Military is generally concerned with

CONFIDENTIALITY– Private businesses are generally concerned with

AVAILABILITY (ex. Netflix, eBay etc) OR INTEGRITY (ex. Banks).

– Some private sector companies are concerned with CONFIDENTIALITY (ex. hospitals).

• Which ISS do you believe is most important?


• Progression of Terminology

Computer Security(COMPUSEC)

Information Security(INFOSEC)

Information Assurance(IA)

Cyber Security

Legacy Term (no longer used).

Legacy Term (still used).

Term widely accepted today with focus on Information Sharing.

Broad Term quickly being adopted.


• What is Cyberspace?- Term adopted by the USG- The virtual environment of information and

interactions between people.- Telecommunication Network infrastructures- Information Systems- The Internet

Review of Fundamental Concepts

• What is the Defense in Depth Strategy?- Using layers of defense as protection.

• People, Technology, and Operations.

DATA

APPLICATION

HOST

INTERNAL NETWORK

PERIMETER

PHYSICAL

POLICIES & PROCEDURES

Onion Model

Defense-in-Depth

Adversaries attack the weakest link…where is yours?

Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments and authorization Continuous monitoring

Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards

Links in the Security Chain: Management, Operational, and Technical Controls


Information Assurance Framework7. Information Content

Conditioning & Control

6. Identity Authentication & Authorization

5. Education Training & Awareness

4. Design, Configuration, Operations & Administration

1. Physical Security Services

FUNCTIONAL ASSESSMENT

CO

NT

RO

L M

EA

SU

RE

S

SUSTAIN DEFEND RESPOND

2. Cyber Security Services

CONTROL MEASURES

ASSESSMENT

3. Continuity of Operations

Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Information

Assurance

Services

(IAS)


Defense in Depth Primary Elements

IntegrityISS

AvailabilityISS

PEOPLE TECHNOLOGY

OPERATIONS

PR

OT

EC

T

DE

TE

CT

RE

AC

T

Information Security Services

INFORMATION SECURITY

ConfidentialityISS

Information Assurance Services

Continuity IAS

Physical IAS

Cyber IASConfiguration IASTraining IAS

Identity A&A IASContent IAS

DiD PDR Paradigm

INFORMATION ASSURANCE

Challenges

• Fixed Resources• Sustainable strategies reduce costs

Time

Cos

t

Incidents

PROTECT

DETECTREACT

Without DiD

With DiD

Cost Prohibitive/ Threshold

Information Systems Security: Privacy

• Defined: the protection and proper handling of sensitive personal information

- Requires proper technology for protection

- Requires processes and controls for appropriate handling

Personally Identifiable Information (PII)

• Name• SSN• Phone number• Driver's license number• Credit card numbers

– etc…

Concept 1: Info Security & Assurance

• You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC).

• The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC!

• A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend.

• The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.

Concept 1: Info Security & Assurance

- What would you tell the Board?

- As an ISSM, what would you consider first?

- What types of questions would you ask the Board and/or to the CIO?

Concept 2: Physical & Logical ISS

• First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC.

• You introduce yourself as the new ISSM and both managers eagerly ask you “what can we do to help?”

Concept 2: Physical & Logical ISS

- What do you tell these Managers?

- What types of questions would you ask the Managers?

- As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC?

- What about your meeting with the Board of Directors earlier? How does it apply here?

Concept 3: Risk

• After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down!

• Your Computer Network Defense Team is able to determine the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router.

• The CIO calls you into his office and indicates to you that he is “concerned about the Risk to the networks at UUC” and ‘wants a risk assessment conducted’ ASAP.

Concept 3: Risk

- What does the CIO mean by “Risk to the networks at UUC”?

- As an ISSM, how would you conduct a risk assessment for the CIO?

- What are some of the elements of risk?

- How is risk measured and why is it important?

Risk Management

• Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level.

- Why is this important?

• There is no such thing as

100% security.

- Can risk ever be eliminated?

Risk Management

• Risks MUST be identified, classified and analyzed to asses potential damage (loss) to company.

• Risk is difficult to measure and quantify, however, we must prioritize the risks and attempt to address them!

Risk Management

• Identify assets and their values• Identify Vulnerabilities and Threats• Quantify the probability of damage and cost of

damage• Implement cost effective countermeasures!• ULTIMATE GOAL is to be cost effective. That is:

ensure that your assets are safe, at the same time don’t spend more to protect something than it’s worth*

Who is ultimately responsible for risk?• MANAGEMENT!!!

• Management may delegate to data custodians or business units that shoulder some of the risk.

• However, it is senior management that is ultimately responsible for the companies health - as such they are ultimately responsible for the risk.

Computer Network Defense

• Defending against unauthorized actions that would compromise or cripple information systems and networks.

• Protect, monitor, analyze, detect, and respond to network attacks, intrusions, or disruptions.

Incident Response

• Responding to a Security Breach

- Incident Handling

- Incident Management

- Eradication & Recovery

- Investigation (Forensics / Analysis)

- Legal, Regulatory and Compliance Reporting

- Documentation

Break

• Let’s take a break…

Chapter 1: Introduction and Security Trends

• The Morris Worm

- Robert Morris

- 1988

- First Large scale attack on

the Internet

- No malicious payload (benign)

- Replicated itself

- Infected computer system could no longer run any other programs


• Kevin Mitnick

- Famous Hacker

- 1995

- Wire and computer fraud

- Intercepting wire communication

- Stole software and email accounts

- Jailed: 5 years.


• The Melissa Virus

- David Smith

- 1999

- Infected 1 million computers

- $80 million

- Payload: “list.doc” with macro

- Clogged networks generated

by email servers sending

“Important Messages” from

your address book


• The “I Love You” Virus

- Melissa Variation

- 2000

- 45 million computers

- $10 billion

- Payload: .vbs (script)

- Released by a student in the Phillipines (not a crime)


• The “Code Red” Worm

- 2001

- 350 million computers

- $2.5 billion

- Payload: benign

- Takes control of computers

- DoS attacks: targeted “White House” website


• The “Conficker” Worm

- 2008-2009

- Payload: benign

- Bot network

- Very little damage

- Blocks antivirus updates


• Stuxnet

- 2010

- First Cyber Weapon

- Affected SCADA

systems within IRAN’s

Nuclear Enrichment

Facilities

- Uses 4 “Zero Day”

Vulnerabilities


• What is Malware?

- Malicious Software

- Includes “Viruses” & “Worms”

- Protect using Anit-virus software & System Patching


• Intruders, Hackers, and Threat Agents


• Network Interconnection

- More connections

- From large mainframes to smaller connected systems

- Increased threat & vulnerabilities

- Single point failures?

- Critical Infrastructure

- Information Value

- Information Warfare


• Steps in an Attack

- Ping Sweeps (ping/whois) – identify target

- Port Scans (nmap) – exploit service


• Steps in an Attack

- Bypass firewall

- Bypass IDS & IPS: Avoid detection / logs

- Infect system (either Network or Physical)

- Pivot systems (launch client-side attacks)



• Types of Attacks

- Denial of Service (DoS)

- Distributed Denial of Service (DDoS)

- Botnets (IRC)

- Logic Bombs

- SQL Injection

- Scripting

- Phishing Emails

- HTTP session hijacking (Man in the Middle)

- Buffer Overflows


• Types of Attacks: Botnets


• Types of Attacks: Redirection (Fake Sites)


• Redirection (Fake Sites)


• Types of Attacks: Fake Antivirus


• Types of Attacks: Keyloggers (Remote Stealth Keystroke Dump)


• Types of Attacks: USB Keys (Autorun infection)

Found a bunch of USB keys in a parking lot? Would you stick one of them into your PC?


• Types of Attacks: Spam Email (Storm Worms)


• Types of Attacks: Spear Phishing Emails


• Types of Attacks: SQL injection

Chapter 1 Review Questions

Question #1

Which of the following is an attempt to find andattack a site that has hardware or software that isvulnerable to a specific exploit?

A. Target of opportunity attackB. Targeted attackC. Vulnerability scan attackD. Information warfare attack

Question #1

Which of the following is an attempt to find andattack a site that has hardware or software that isvulnerable to a specific exploit?

A. Target of opportunity attackB. Targeted attackC. Vulnerability scan attackD. Information warfare attack

Question #2

Which of the following threats has not grownover the last decade as a result of increasingnumbers of Internet users?

A. VirusesB. HackersC. Denial-of-service attacksD. All of the above

Question #2

Which of the following threats has not grownover the last decade as a result of increasingnumbers of Internet users?

A. VirusesB. HackersC. Denial-of-service attacksD. All of the above

Question #3

The rise of which of the following has greatlyincreased the number of individuals who probeorganizations looking for vulnerabilities toexploit?

A. Virus writersB. Script kiddiesC. HackersD. Elite Hackers

Question #3

The rise of which of the following has greatlyincreased the number of individuals who probeorganizations looking for vulnerabilities toexploit?

A. Virus writersB. Script kiddiesC. HackersD. Elite Hackers

Question #4

Which of the following is generally viewed as thefirst Internet worm to have caused significantdamage and to have “brought the Internetdown”?

A. MelissaB. I LOVE YOUC. MorrisD. Code Red

Question #4

Which of the following is generally viewed as thefirst Internet worm to have caused significantdamage and to have “brought the Internetdown”?

A. MelissaB. I LOVE YOUC. MorrisD. Code Red

Question #5

The act of deliberately accessing computersystems and networks without authorization isgenerally known as?

A. Computer intrusionsB. HackingC. CrackingD. Probing

Question #5

The act of deliberately accessing computersystems and networks without authorization isgenerally known as?

A. Computer intrusionsB. HackingC. CrackingD. Probing

Question #6

Warfare conducted against the information andinformation processing equipment used by anadversary is known as?

A. HackingB. Cyber terrorismC. Information WarfareD. Network Warfare

Question #6

Warfare conducted against the information andinformation processing equipment used by anadversary is known as?

A. HackingB. Cyber terrorismC. Information WarfareD. Network Warfare

Question #7

Which of the following is not described as acritical infrastructure?

A. Electricity (Power)B. Banking (Finance)C. TelecommunicationsD. Retail Stores

Question #7

Elite hackers don’t account for more than whatpercentage of the total number of individualsconducting intrusive activity on the Internet?

A. Electricity (Power)B. Banking (Finance)C. TelecommunicationsD. Retail Stores

Question #8 (Last one)


A. 1-2 percentB. 3-5 percentC. 7-10 percentD. 15-20 percent



A. 1-2 percentB. 3-5 percentC. 7-10 percentD. 15-20 percent

Break

• Let’s take a break…

Chapter 2: General Security Concepts

• Computer Security (COMPUSEC)

- Ensure computer systems are secure

• Network Security

- Protection of multiple connected (networked) computer systems

• Information Assurance (IA) & Security

- Emphasis on the data; Our assurance (confidence) in the protection of our information / Information Security Services.


• CIA Triad (Information Security Services)


• Operational Model of Computer Security

Protection = Prevention + Detection + Response


• Least Privilege (Need to Know)

- Users should have only the necessary (minimum) rights, privileges, or information to perform their tasks (no additional permissions).

• Implicit Deny

- “Deny all” authorization and access (blacklisted) unless specifically allowed (white list).

- Default security rule for firewalls, routers, etc…


• Separation of Duties

- Ensures tasks are broken down and areaccomplished / involve by more than one individual.

- Check & balance system.

• Job Rotation

- Rotation individuals through jobs / tasks.

- Organization does not become dependent on a single employee.


Be sure to understand the difference between:

Least Privilege vs. Implicit Deny

&

Separation of Duties vs. Job Rotation


• Layered Security

- Defense in Depth

- Redundancy

- No single point of

failure


• Layered Security


• Security Through Obscurity

- Approach of protecting something by hiding it.

- Generally not a good idea.

- Steganography

- Reverse engineering.



Layered Security

vs.

Security Through Obscurity


• Access

- Control what a subject can perform or what objects the subject can interact with.

- i.e. Access Control Lists (ACL’s)

• Authentication

- Verify the identity of a subject. (Who You Are)

- Involves identification

- Passwords, cards, biometrics (fingerprints), etc.- Digital certificates


• Authorization

- Verifies what a subject is authorized to do.


Access vs. Identification

vs.

Authentication vs. Authorization


• Social Engineering

- Talk individuals into

divulging information that

they normally would never

have.

- Used to gain information

on identities, access, or

authorization.

- Data aggregation.

• Policies– Constraints of behavior on systems and

people– Specifies activities that are required, limited,

and forbidden• Example

– Information systems should be configured to require good security practices in the selection and use of passwords


• Requirements– Required characteristics of a system or

process.– Often the same as or similar to the policy– Specifies what should be done, not how to

do it.• Example

– Information systems must enforce password quality standards.



• Guidelines define how to support a policy– Example: ‘As a guideline’ passwords should

not be dictionary words, don’t write passwords down, etc…


• Standards: what products, technical methods will be used to support policy.

• Example– All fiber optic cables must be ACME brand– Passwords must be at least 8 characters,

contain 2 upper and lower case chars…• Procedures: step by step instructions


• Classification of Information

- Sensitivity / Confidentiality

• Example– Unclassified (UNCLASS)– For Official Use Only (FOUO)– Confidential– Secret (S)– Secret Releasable (S//REL)– Top Secret (TS)


• Acceptable Use Policy (AUP)

- Outline of what the organization considers to be

the appropriate / inappropriate use of

company resources.

- Do you have a right to privacy when using a

company’s system / network resources?


• Service Level Agreement (SLA)

- Contractual agreements between entities that

describe specified levels of service.

• Example– Bandwidth allocation– Download / Upload Speeds– Uptime– Support & Maintenance– Data Restoration / Backup


• Bell-LaPadula Confidentiality Security Model

- Principle 1: Simple Security (No Read Up) Rule

No subject can read from an object with a security

classification higher than possessed by the subject.

- Principle 2: * - property (No Write Down) Rule

Allows a subject to write to an object of equal or greater security classification.

Why wouldn’t you be able to write down?


• Biba Integrity Security Model

- Policy 1: Low-Water-Mark

Prevents unauthorized modification of data; subjects writing to objects of a higher integrity label.

- Policy 2: Ring

Allows a subject to read any object without regard to the

object’s level of integrity and without lowering the subject’s

integrity level.

Chapter 2 Review Questions

Question #1

What is the most common form of authenticationused?

A. Smart CardsB. TokensC. Username / PasswordD. Biometrics

Question #1

What is the most common form of authenticationused?

A. Smart CardsB. TokensC. Username / PasswordD. Biometrics

Question #2

The CIA of security includes:

A.Confidentiality, integrity, authenticationB.Confidentiality, integrity, availabilityC.Certificates, integrity, availabilityD.Confidentiality, inspection, authentication

Question #2

The CIA of security includes:

A.Confidentiality, integrity, authenticationB.Confidentiality, integrity, availabilityC.Certificates, integrity, availabilityD.Confidentiality, inspection, authentication

Question #3

The security principle used in the Bell-LaPadulasecurity model that states that no subject canread from an object with a higher securityclassification is the:

A.Simple Security RuleB.Ring policyC.Mandatory access controlD.*-property

Question #3

The security principle used in the Bell-LaPadulasecurity model that states that no subject canread from an object with a higher securityclassification is the:

A.Simple Security RuleB.Ring policyC.Mandatory access controlD.*-property

Question #4

Which of the following concepts requires usersand system processes to use the minimal amount of permission necessary to function?

A.Layer DefenseB.Diversified DefenseC.Simple Security RuleD.Least Privilege

Question #4

Which of the following concepts requires usersand system processes to use the minimal amount of permission necessary to function?

A.Layer DefenseB.Diversified DefenseC.Simple Security RuleD.Least Privilege

Question #5

Which of the following is an access controlmethod based on changes at preset intervals?

A.Simple Security RuleB.Job RotationC.Two-man ruleD.Separation of Duties

Question #5

Which of the following is an access controlmethod based on changes at preset intervals?

A.Simple Security RuleB.Job RotationC.Two-man ruleD.Separation of Duties

Question #6

The Bell-LaPadula security model is an exampleof a security model that is based on:

A.The integrity of the dataB.The availability of the dataC.The confidentiality of the dataD.The authenticity of the data

Question #6

The Bell-LaPadula security model is an exampleof a security model that is based on:

A.The integrity of the dataB.The availability of the dataC.The confidentiality of the dataD.The authenticity of the data

Question #7

The term used to describe the requirement thatdifferent portions of a critical process must beperformed by different people is:

A.Least privilegeB.Defense in DepthC.Separation of DutiesD.Job Rotation

Question #7

The term used to describe the requirement thatdifferent portions of a critical process must beperformed by different people is:

A.Least privilegeB.Defense in DepthC.Separation of DutiesD.Job Rotation

Question #8

Hiding information to prevent disclosure is anexample of:

A.Security through obscurityB.Certificate-based securityC.Discretionary data securityD.Defense in depth

Question #8

Hiding information to prevent disclosure is anexample of:

A.Security through obscurityB.Certificate-based securityC.Discretionary data securityD.Defense in depth


The concept of blocking an action unless it isspecifically authorized is:

A.Implicit denyB.Least privilegeC.Simple Security RuleD.Hierarchical defense model


The concept of blocking an action unless it isspecifically authorized is:

A.Implicit denyB.Least privilegeC.Simple Security RuleD.Hierarchical defense model

Quiz: Week 1

• 10-15 minutes

IDV Assignment due Week #2

• Paper No. 1

- Review fundamentals of information assurance.- Pick a company.- How is their information considered an asset?- How is their information being protected?- Which Information Security Service is most

important to the company?- Are there specific information security

requirements (regulations, policy, standards, etc.) that the company needs to abide to?

Documents

CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security