
CNSS Security Model (cont.) - eecs.yorku.ca


CNSS Security Model (cont.)

most challenging to protect

CNSS Security Model (cont.)

Example: Data Loss Prevention (DLP) System

Data Loss Prevention identifies, monitors, and protects data transfer through deep content inspection and analysis of transaction parameters (source, destination, data object, and protocol), with a centralized management framework. I.e., DLP detects and prevents the unauthorized transmission of confidential information.

Protecting data-in-use is accomplished by protecting data-at-rest and data-in-transit!

https://sc1.checkpoint.com/documents/R77/CP_R77_DataLossPrevention_AdminGuide/62453.htm

[Figure: trusted environment (enterprise network), DLP System, non-trusted environment; no explicit protection of ‘data in use’]

But, what if no part of the network/environment is trusted?!

(e.g., in case of Cloud Computing)

CNSS Security Model (cont.)


Example: Data that needs protection in the Cloud

CNSS Security Model (cont.)

Example: Homomorphic Encryption

http://www.slideshare.net/NYTechCouncil/computing-on-encrypted-data

Example: Homomorphic Encryption (cont.)

CNSS Security Model (cont.)

http://www.slideshare.net/NYTechCouncil/computing-on-encrypted-data

Countermeasures/Safeguards:

• Technology - software and hardware solutions (e.g., antivirus, firewalls, intrusion-detection systems, etc.)

• Policy and practices - administrative controls, such as management directives (e.g., acceptable use policies)

• People - aka awareness, training, education - ensure that users are aware of their roles & responsibilities

CNSS Security Model (cont.)

• Each of 27 cells in the cube represents an area that must be addressed to secure an information system
    - e.g., intersection between data integrity, storage and technology implies the need to use technology to protect data integrity of information while in storage
    - solution: new ‘file check sum’ is calculated every time a critical file is modified …
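The file-checksum safeguard for the integrity / storage / technology cell, as an added example that is not part of the original slides: a baseline of SHA-256 checksums is recomputed after each authorized change and later compared against the files on disk. Sealing the baseline with an HMAC is an addition beyond what the slide states, and the key, file names and contents are constructed.

```python
# Added example (not from the slides): checksum baseline for critical files.
import hashlib, hmac, json, tempfile
from pathlib import Path

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 checksum."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(baseline, key):
    """HMAC over the manifest, so a rewritten manifest is itself detectable.
    Assumption: the key is stored away from the monitored host."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(root, baseline, tag, key):
    """Return (manifest_ok, changes) for the current contents of root."""
    manifest_ok = hmac.compare_digest(seal(baseline, key), tag)
    current = build_baseline(root)
    changes = {
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }
    return manifest_ok, changes

if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed sample value
    with tempfile.TemporaryDirectory() as d:      # constructed sample files
        root = Path(d)
        (root / "payroll.csv").write_text("alice,52000\n")
        baseline = build_baseline(root)           # recomputed after an authorized change
        tag = seal(baseline, key)
        (root / "payroll.csv").write_text("alice,99000\n")   # unauthorized edit
        print(check(root, baseline, tag, key))
```
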

[Figure: CNSS cube with axes labelled Information states, Desired goals, Measures]

CNSS Security Model (cont.)


Example: How to protect
    - confidentiality of data
    - while in transit (e.g., moved to/by USB)
    - through education/awareness?

Scenario: An employee stores company information on a personal USB drive, in order to transfer it to another computer (e.g., work from home)

Safeguard: Educate employees about the importance of carefully handling data and encrypting data before transferring it to insecure ‘movable’ media – in case that USB is infected or lost, encryption ensures that data cannot be read

Are all 27 aspects of security worth investing in at every company?

CNSS Security Model (cont.)

Example: Protecting Confidentiality of Data Over Wireless …

CNSS Security Model (cont.)

WiFi used in an area that is within outside reach.

WiFi used in an area that is NOT within outside reach.

• Three main components of a security threat:
    - Target [asset with vulnerability]: organization’s asset that might be attacked
      (information (its confidentiality, integrity, availability), software, hardware, network service, system resource, etc.)
    - Agent [may or may not be present]: people/organizations originating the threat – intentional or non-intentional
      (employees, ex-employees, hackers, commercial rivals, terrorists, …)
    - Event: action that exploits target’s vulnerability
      (malicious / accidental destruction or alteration of information, misuse of authorized information, etc.)

Threats

• Security Threat – any action/inaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets

Threats (cont.)

Example: Threat in WiFi network

Asset with v.: WiFi within outside reach

Agent: competitor interested in seizing your data

Event: competitor actually invests time & effort to capture data

⇒ Threat

NO EVENT ⇒ NO THREAT !!!

Threats (cont.)

Example: Threat without Agent

Asset with v.: data on a server, not backed up!

Event: flood or fire in the server room

⇒ Threat

Threats (cont.)

Asset with vulnerability + Agent (outsider or insider) + Event (deliberate or accidental) ⇒ Threat

Example of insider agent: SysAdmin has added a new software to the system and has forgotten to change the password

Example: outsider vs. insider, deliberate vs. accidental

Threats (cont.)

Asset with vulnerability + Agent + Event (deliberate) ⇒ Threat

THREAT EVENT DELIBERATELY EXECUTED BY AGENT = ATTACK

Example: attack definition

Threats (cont.)

• Criteria for threat identification/prioritization:
    - asset identification
      e.g. what are the company’s main assets: (a) web servers (e-commerce company), or (b) workstations (software company)?
    - conditions under which its key assets operate
      e.g. are there any wireless links / access points?
    - organizational strategy regarding risk
      e.g. cost/time of encrypting every file/email vs. worker’s productivity

• Main Groups of Threat Events:

[Figure: Threat Events, grouped into those with no human agent and those with a human agent; ATTACKS]

• Categories of Threat Events:

[Figure: Threat Events divide into Unintentional (Not-involving Humans, Involving Humans) and Intentional Attacks (Passive Attacks, Active Attacks); attacks always involve humans]

Threat Events (cont.)

• Top Threat-Driven Expenses (C-ACM study)

Threat Events (cont.)

Rating of different threat events based on their frequency and significance.

• Forces of Nature
    - fire, flood, earthquake, hurricane, tsunami, electrostatic discharge, dust contamination
    - cannot be predicted/prevented
    - organization must implement controls to limit damage as well as develop incident response plans and business continuity plans

• Hardware and Software Failures and Errors
    - cannot be fully controlled/prevented by the organization
    - best defence: keep up-to-date about latest hardware and software vulnerabilities

Threat Events: Unintentional / No Human

• Act of Human Error or Failure
    - organization’s own employees are one of its greatest threats
    - examples:
        - entry of erroneous data
        - accidental deletion or modification of data
        - failure to protect data
        - storing data in unprotected areas
    - preventative measures:
        - training and ongoing awareness activities
        - enhanced control techniques: require users to type a critical command twice; ask for verification of commands by a second party

Threat Events: Unintentional / Human

Much of human error or failure can be prevented!

• Deviations in Quality of Service
    - in organizations that rely on the Internet and Web, irregularities in available bandwidth can dramatically affect their operation
    - e.g. employees or customers cannot contact the system
    - possible ‘defence’: backup ISP

Threat Events: Unintentional / Human (cont.)

Active Attack - attempts to alter system resources or affect their operation
    - compromises Integrity or Availability
    - examples: masquerade, data modification and DoS

Threat Events: Intentional Attacks

Passive Attack - attempts to learn or make use of info. from the system but does not affect system resources
    - compromises Confidentiality
    - generally hard to detect !!!
    - examples: release of message content and traffic sniffing

• Compromise to Intellectual Property (IP)
    - IP = any intangible asset that consists of human knowledge & ideas – creations of the mind (copyright, patent, …)
    - any unauthorized use of IP constitutes a security threat
    - defense measures: use of digital watermarks and embedded code

Example: Peter Morch story – compromise to IP by insider

In 2000, while still employed at Cisco Systems, Morch logged into a computer belonging to another Cisco software engineer, and obtained (burned onto a CD) proprietary information about an ongoing project. Shortly after, Morch started working for Calix Networks – a potential competitor with Cisco. He offered them Cisco’s information. Morch was sentenced to 3 years’ probation.

Threat Events: Intentional Attacks (cont.)

• Deliberate Act of Info. Extortion / Blackmail
    - hacker or malicious insider steals information and demands compensation for its return
    - example: theft of data files containing customer credit card information

• Deliberate Act of Sabotage or Vandalism
    - hacker or malicious insider destroys an asset in order to cause financial loss or damage the organization’s reputation
    - example: hackers accessing a system and damaging or destroying critical data

Threat Events: Intentional Attacks (cont.)


Example: Two Kazakhstan employees story – info. extortion by insider

In 2002, two employees in a company in Kazakhstan allegedly got access to Bloomberg L.P. financial information database because their company was an affiliate of Bloomberg.

They allegedly demanded $200,000 from Bloomberg to reveal how they got access to the database.

Bloomberg opened an offshore account with $200,000 balance, and invited the pair to London to personally meet with Michael Bloomberg. The meeting was recorded. Soon after the two were arrested ....

In the end, they were sentenced to 51 months in prison.

NOTE: finding a vulnerability and requiring payment to learn about it may be considered extortion.

http://www.cybercrime.gov/zezevIndict.htm

Example: Maxus story – info. extortion by outsider

In 2000, a mysterious hacker identified as Maxus demanded $100,000 from CDUniverse company in exchange for not releasing the names and credit card numbers of over 350,000 customers he had obtained from the company website.

After CDUniverse failed to pay him, Maxus decided to set up the site, titled Maxus Credit Cards Datapipe, and to give away the stolen customer data. He announced the site’s presence Dec. 25th on an Internet Relay Chat group devoted to stolen credit cards.

Soon after launching his site, Maxus said it became so popular among credit card thieves that he had to implement a cap to limit visitors to one stolen card at a time.

The case remains unsolved, as Maxus moved online using stolen accounts and relayed his emails through other sites to conceal the originating IP address …

www.nytimes.com/2000/01/10/business/thief-reveals-credit-card-data-when-web-extortion-plot-fails.html

www.cyberagecard.com/news/?page=2

Threat Events: Intentional Attacks (cont.)

Example: Patrick McKenna story – information vandalism by insider

In 2000, McKenna was fired by Bricsnet (software company).

As a revenge, he remotely accessed his former employer’s computer server, and:
1) deleted approximately 675 computer files;
2) modified computer user access levels;
3) altered billing records;
4) sent emails, which appeared to have originated from an authorized representative of the victim company to over 100 clients. Emails contained false statement about business activities of the company.

He was sentenced to 6 months in prison, followed by 2 years of supervised release. He was also ordered to pay $13,614.11 for caused damages …

http://www.cybercrime.gov/McKennaSent.htm

Threat Events: Intentional Attacks (cont.)

• Deliberate Act of Trespass
    - unauthorized access to info. that an organization is trying to protect
    - low-tech e.g.: shoulder surfing
    - high-tech e.g.: hacking

[Figures: shoulder surfing; hacker profiles]

Threat Events: Intentional Attacks (cont.)

Example: Princeton vs. Yale – trespass by outsider

Yale University’s admissions office created a web-based system to enable applicants to check the status of their application on-line. To access the system, the applicants had to prove their identity by answering questions regarding their name, birth date, SIN.

Many of these students also applied to other top universities.

At Princeton, Associate Dean and Director of Admissions - Stephen LeMenager - knew that the private information that Yale used to control access was also in the applications that candidates submitted to Princeton. He used this information to log into the Yale system several times as applicants.

When the word got out, he admitted doing the break-ins but said that he was merely testing the security of the Yale system. Princeton put him on administrative leave.

NOTE: The case emphasizes that information used to control access must not be generally available …

Threat Events: Intentional Attacks (cont.)

• Deliberate Software Attacks
    - a deliberate action aimed to violate / compromise a system’s security through the use of specialized software
    - types of attacks:
        a) Use of Malware
        b) Password Cracking
        c) DoS and DDoS
        d) Spoofing
        e) Sniffing
        f) Man-in-the-Middle
        g) Phishing
        h) Pharming

Threat Events: Software Attacks