
FOUNDATIONAL CONCEPTS

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

Overview
• Things of Threes
– CIA
– SNL
• Defense in Depth
• Regulations
• Security governance
– Best practices models
  • ISO 17799
  • CobiT

The CIA Triad
• Three properties of information that are the goals of security protection.
– Confidentiality
– Integrity
– Availability

The “Saturday Night Live” Triad
• The S-N-L Triad
– Segregation of Duties
– Need to Know
– Least Privilege
• Related concepts include security clearances and data classification.
• Often these principles are discussed as related to human users.
– Their proper application prevents many organizational problems for InfoSec.
– However, remember they’re equally applicable to inanimate subjects such as OS processes.

Segregation of Duties
• Aka “separation of duties” or “separation of privileges”.
• No single person should have enough authority to cause a critical event to happen.
– A task is designed so that separate actions must be performed by different people, and these actions in combination achieve the task.
– Prevents one individual from having control of an entire process and manipulating it for personal gain.
• Collusion will be needed for abuse, making abuse more difficult and less likely.

Need to Know
• Subjects should be granted access only to the objects necessary for completion of their tasks.
• Having the authorization or clearance to see a particular classification level of information is not sufficient reason to see all information at that level.
• No access should be granted solely by virtue of office, position, rank, or security clearance.

Least Privilege
• Subjects should be granted the minimum level of access (the most restrictive set of privileges) needed for the performance of authorized tasks.
– If Read-Only is sufficient, don’t grant Read-Write.
– Should not grant more rights than necessary just because it is easier to do.
• Limits the damage that may result from security breaches or incidents.
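The three slides above (segregation of duties, need to know, least privilege) can be seen working together in one small access-control model. The following is an added example, not code from the lecture; the roles, permission strings, user names and amounts are all invented for illustration. A payment request must be created by one person and approved by a different one (segregation of duties), each role carries only the permissions its tasks need (least privilege), and a user who happens to hold both roles still cannot approve their own request, so abuse requires collusion.

```python
"""Added example (not from the lecture slides): a two-person payment-release workflow
that enforces segregation of duties and least privilege.
All role names, permission strings, users and amounts are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each role carries only the permissions its tasks need.
# A clerk can create requests but not approve them; an auditor is read-only.
ROLE_PERMISSIONS = {
    "clerk": frozenset({"payment:create", "payment:read"}),
    "approver": frozenset({"payment:approve", "payment:read"}),
    "auditor": frozenset({"payment:read"}),
}


class AccessDenied(Exception):
    """Raised when a subject lacks a permission or would violate separation of duties."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

    def permissions(self) -> frozenset:
        # Union of the permissions of every role held; an unknown role grants nothing.
        perms = frozenset()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return perms


@dataclass
class PaymentRequest:
    amount: int
    created_by: str
    approved_by: Optional[str] = None

    @property
    def released(self) -> bool:
        return self.approved_by is not None


def require(user: User, permission: str) -> None:
    """Least-privilege check: deny unless the permission is explicitly granted."""
    if permission not in user.permissions():
        raise AccessDenied(f"{user.name} lacks {permission}")


def create_request(user: User, amount: int) -> PaymentRequest:
    require(user, "payment:create")
    return PaymentRequest(amount=amount, created_by=user.name)


def approve_request(user: User, req: PaymentRequest) -> PaymentRequest:
    """Segregation of duties: the approver must be a different person from the creator,
    even if that person holds both roles. Abuse therefore needs two people to collude."""
    require(user, "payment:approve")
    if user.name == req.created_by:
        raise AccessDenied(f"{user.name} cannot approve a request they created")
    if req.released:
        raise AccessDenied("request already approved")
    req.approved_by = user.name
    return req


def demo() -> dict:
    """Run the constructed scenario and report which actions were allowed."""
    alice = User("alice", frozenset({"clerk"}))
    bob = User("bob", frozenset({"approver"}))
    carol = User("carol", frozenset({"clerk", "approver"}))  # holds both roles
    dave = User("dave", frozenset({"auditor"}))
    results = {}

    req = create_request(alice, 5000)
    results["alice_creates"] = True
    approve_request(bob, req)                  # a second person approves: allowed
    results["bob_approves_alice"] = req.released

    own = create_request(carol, 9000)          # carol may not approve her own request
    try:
        approve_request(carol, own)
        results["carol_self_approve"] = True
    except AccessDenied:
        results["carol_self_approve"] = False

    try:                                       # read-only auditor cannot create
        create_request(dave, 100)
        results["dave_creates"] = True
    except AccessDenied:
        results["dave_creates"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The separation-of-duties rule is enforced on the task (creator versus approver of this request), not merely by role membership; that is what stops a single well-privileged account from completing the whole process alone.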

Data Classification
• Know what you’re protecting!
• Provides users with a way to stratify sensitive information.
• Provides a system for applying safeguards appropriate to the level of confidentiality required.
• Government and private industry have similar classification systems, although:
– Normally government classification systems are more restrictive and bureaucratic than industry systems.
– The ones used by non-government entities have more variations.

Classification Systems
• U.S. Government Classifications
– Top Secret, Secret, Confidential, Sensitive but Unclassified (For Official Use Only), and Unclassified
• Common Industry Classifications
– Trade Secret, Company Confidential/Proprietary, Unclassified
– Trade secrets are often not protected by patents or copyrights; employees must understand their legal obligation not to disclose the information.

Data Classification
• Don’t go overboard.
– Too many types will frustrate users.
– In 1956 George Miller wrote an article, “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information.” He showed that the amount of information people can process and remember is often limited to about seven items.
• The classifications must be mutually exclusive.

Security Clearances
• Go hand-in-hand with data classification.
• If you as a consultant or your organization works with certain government entities, you are required to obtain clearances before you perform work.
• It can sometimes involve rigorous background checks, polygraphs, and agreements about disclosure of sensitive information.
• Usually clearance is tied to essential activities of an individual’s current job.

Confidentiality Model - Bell-LaPadula
• Simple security rule (No read up) – No subject can read information from an object with a higher security classification.

Confidentiality Model - Bell-LaPadula
• *-property (No write down) – A subject cannot write to an object with a lower security classification.
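A minimal reference monitor makes the two Bell-LaPadula rules concrete. The block below is an added example, not code from the lecture. It uses the four ordered U.S. government levels listed earlier (Unclassified, Confidential, Secret, Top Secret) and goes one step beyond the slides: a label is a (level, categories) pair, so “dominates” also captures need-to-know, and a subject cleared for Secret still cannot read a Secret object tagged with a compartment the subject does not hold. The category names and labels in the demo are constructed.

```python
"""Added example (not from the lecture slides): a minimal Bell-LaPadula reference monitor
enforcing the simple security rule (no read up) and the *-property (no write down).
Labels carry categories as well as a level, which is a standard extension that models
need-to-know; all subjects, objects and category names below are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered classification levels, as on the earlier slide.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()  # need-to-know compartments, e.g. {"PAYROLL"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security rule (no read up): the subject's clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the subject's,
    so information only flows to an equal or higher label."""
    return obj.dominates(subject)


def check(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for a requested access mode."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "read-write":
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> dict:
    """Constructed subject and objects exercising each rule."""
    secret_clerk = Label(Level.SECRET, frozenset({"PAYROLL"}))      # the subject
    public = Label(Level.UNCLASSIFIED)
    payroll_ts = Label(Level.TOP_SECRET, frozenset({"PAYROLL"}))
    secret_ops = Label(Level.SECRET, frozenset({"OPS"}))
    secret_payroll = Label(Level.SECRET, frozenset({"PAYROLL"}))
    return {
        "read_down_ok": check(secret_clerk, public, "read"),
        "read_up_denied": check(secret_clerk, payroll_ts, "read"),
        "write_down_denied": check(secret_clerk, public, "write"),
        "write_up_ok": check(secret_clerk, payroll_ts, "write"),
        "same_level_no_need_to_know": check(secret_clerk, secret_ops, "read"),
        "same_label_rw": check(secret_clerk, secret_payroll, "read-write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Note that “write up” is permitted by the model even though the subject cannot then read what it wrote; real systems usually restrict writes to the subject’s own label for integrity reasons, which is exactly what the read-write mode in the example checks.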

Security by Obscurity
• Protects information and systems by hiding them.
• Usually not a good approach to security.
– One of the few exceptions may be steganography (steganos, Gk., “covered”).
– Not to be confused with stenography.
• If used at all, it should be combined with other security measures.

Master of Defense in Depth - Vauban
Source: P. Griffith, The Vauban Fortifications of France, Osprey.

El Morro Fort, San Juan, PR
Source: bitscn.com.
Five layers (levels) of protection; the inner layer has the highest concentration of protective measures.

Defense in Depth – Orig. Flavor
Source: P. Griffith, The Vauban Fortifications of France, Osprey.

Layered Protection
Based on Carr et al., The Management of Network Security, Prentice Hall.

Defense in Depth
• Aka “Layered protection”.
• Advocated by the SANS Institute.
• An organization must have a layered defense at the perimeter, network, equipment, and data layers.
• Because there are so many potential attackers taking advantage of numerous attack vectors, there is no single method for successfully protecting a network.
• Instead, we should protect a network with a variety of defensive mechanisms so that if one mechanism fails, another will already be in place to thwart an attack.

Layered Protection
• Makes the effort needed to pull off a compromise more costly in time and labor than it is worth to a potential attacker.
• Delays the attacker to buy time for implementing incident response actions.
• Eliminates any single point of failure in security.
• More general types of protection in the outer layers so that performance does not degrade.
• Granularity increases as layers get closer to the resource to be protected, where packets are fewer and more specific.

Layered Protection
• However, more layers mean more complexity.
• They are more expensive too.
• Sometimes one layer may hamper the correct functioning of another.
– Example: Network-based intrusion detection systems cannot read network traffic if it is encrypted.
• Again, balance is the key.
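The two Layered Protection slides above can be demonstrated with a small simulation. This is an added example, not code from the lecture: three constructed layers inspect constructed packets in order, with the coarse, cheap perimeter rule on the outside, a network IDS in the middle that is blind to encrypted payloads (the caveat on the slide), and a specific host-level allow-list on the inside. The hosts, ports, packet contents and the “signature” string are invented. The simulation counts how many packets each layer actually inspects, and lets one layer be switched off to show that another layer still stops the traffic.

```python
"""Added example (not from the lecture slides): a simulation of layered protection.
Ports, packets, the IDS signature and the host allow-list are all constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    name: str
    dst_port: int
    encrypted: bool      # if True the network IDS cannot see the payload
    payload: str         # the application request; the host always sees it decrypted
    log: List[Tuple[str, object]] = field(default_factory=list)


# Constructed policy for the three layers.
PUBLIC_PORTS = {443}
IDS_SIGNATURE = "DROP TABLE"                         # invented payload signature
HOST_ALLOWED_REQUESTS = {"GET /index", "POST /login"}


def perimeter(p: Packet) -> bool:
    """Outer layer: a cheap, general rule on the destination port only."""
    ok = p.dst_port in PUBLIC_PORTS
    p.log.append(("perimeter", ok))
    return ok


def network_ids(p: Packet) -> bool:
    """Middle layer: payload inspection. Encrypted traffic is passed through unexamined,
    so this layer depends on the host layer behind it."""
    if p.encrypted:
        p.log.append(("ids", "blind"))
        return True
    ok = IDS_SIGNATURE not in p.payload
    p.log.append(("ids", ok))
    return ok


def host(p: Packet) -> bool:
    """Inner layer: the most specific check, an allow-list on the decrypted request."""
    ok = p.payload in HOST_ALLOWED_REQUESTS
    p.log.append(("host", ok))
    return ok


LAYERS: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("perimeter", perimeter),
    ("ids", network_ids),
    ("host", host),
]


def run_layers(p: Packet, active: List[Callable[[Packet], bool]]) -> bool:
    """Apply the layers in order; the first rejection stops the packet."""
    for layer in active:
        if not layer(p):
            return False
    return True


def simulate(packets: List[Packet], disabled: Optional[str] = None) -> dict:
    """Return the verdict per packet and how many packets each layer inspected.
    `disabled` names one layer to skip, simulating that layer's failure."""
    active = [fn for name, fn in LAYERS if name != disabled]
    verdicts = {}
    inspected = {name: 0 for name, _ in LAYERS}
    for p in packets:
        p.log.clear()
        verdicts[p.name] = run_layers(p, active)
        for name, _ in p.log:
            inspected[name] += 1
    return {"verdicts": verdicts, "inspected": inspected}


def sample_packets() -> List[Packet]:
    """Constructed traffic: one legitimate request, a port probe, and the same
    signature-matching request sent in the clear and under encryption."""
    return [
        Packet("normal", 443, True, "GET /index"),
        Packet("port_probe", 22, False, ""),
        Packet("known_bad_plain", 443, False, "x'; DROP TABLE users"),
        Packet("known_bad_encrypted", 443, True, "x'; DROP TABLE users"),
    ]


if __name__ == "__main__":
    print(simulate(sample_packets()))
    print(simulate(sample_packets(), disabled="ids"))
```

With all layers active the perimeter sees four packets, the IDS three and the host two, which is the “packets are fewer and more specific” point from the slide. With the IDS switched off, the plaintext signature match reaches the host and is still rejected by the allow-list, which is the “if one mechanism fails, another is already in place” point; the encrypted copy is caught by the host in both runs because the IDS was blind to it anyway.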

Sarbanes-Oxley Act (SOX)
• Public Company Accounting Reform and Investor Protection Act of 2002
• Intended to prevent Enron scandals of the future.
• Protects investors by requiring accuracy and reliability in corporate disclosures.
• Created new penalties for acts of wrongdoing, both civil and criminal.
– CEOs and CFOs are personally liable. Certification of fraudulent reports may be punished by fines up to $1 million and/or imprisonment of up to 10 years.

SOX
• Sec. 201 – Services outside scope of auditor practice
• Sec. 302 – Corporate responsibility for financial reports
• Sec. 404 – Assessment of internal controls
• Sec. 409 – Real time issuer disclosures
• Sec. 802 – Criminal penalties for altering documents
• Sec. 806 – Protection of employees exposing fraud
• Sec. 807 – Criminal penalties for defrauding shareholders

Critical Aspects of SOX
• Specifies new financial reporting requirements.
– Section 302 requires CEOs and CFOs to certify their company’s SEC reports.
• Requires all financial reports to include an internal control report.
– Section 404 requires CEOs and CFOs to report on the effectiveness of the company’s internal controls over financial reporting.
– To comply with Section 404, companies have to ensure that their data are accurate.
• Auditing firms are also required to attest to the accuracy of the assessment.

Gramm-Leach-Bliley Act (GLBA)
• The Financial Modernization Act of 1999
• Protects personal financial information held by financial institutions
– Privacy Rule
– Safeguards Rule
– Pretexting Rule

GLBA – Privacy Rule
• A financial institution may not share non-public information on a consumer with non-affiliated third parties unless it gives notice to the consumer (notice of privacy).
• The customer must be given a chance to opt out.

GLBA – Safeguards Rule
• The federal bank regulatory agencies, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC) are required to issue security standards for financial institutions.
• Standards for:
– Protecting the security and confidentiality of customer information.
– Protecting against threats to the security or integrity of customer information.
– Protecting against unauthorized access to or use of customer information that could result in harm to a customer.

GLBA – Safeguards Rule
• The FTC requires financial institutions to create an information security program.
– Specifies the administrative, technical, and physical controls to protect information.
– Assign an “owner” of the program.
– Conduct risk assessments and address identified risks.
– Review the program on an ongoing basis.
• Financial institutions must also ensure that their service providers protect customer information.

GLBA – Pretexting Rule
• It is illegal to make false, fictitious, or fraudulent statements to a financial institution or its customers to obtain customer information.
• It is illegal to use forged, counterfeited, lost, or stolen documents to achieve the same end.
• Violations are subject to criminal penalties.
• Security awareness training is a primary protection measure in this respect.

HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Protects against loss of health insurance due to change of jobs.
• Protects the privacy and security of personal health information.
• Protected health information (PHI) is any individually identifiable information, including:
– Info on the physical and mental health of a person.
– Notes doctors put into a person’s medical record.
– Billing and payment related to healthcare.

HIPAA
• Covered entities include health plans, health care clearinghouses, and any health care provider that transmits certain types of health information in electronic form.
• Covered entities must follow the HIPAA Privacy and Security Rules.
• The Office for Civil Rights (OCR) enforces the Privacy and Security Rules.
• Financial penalties for non-compliance.

HIPAA – Privacy Rule
• The Privacy Rule dictates how covered entities must protect the privacy of PHI.
• First time the U.S. government has specified federal privacy protections for PHI.
• Covered entities may not use or disclose PHI without permission. They must limit how their employees use and access PHI.
• The Rule requires covered entities to put safeguards in place to protect a person’s PHI.

HIPAA – Security Rule
• The Security Rule dictates how covered entities must protect the confidentiality, integrity, and availability of electronic PHI (EPHI).
• Covered entities must create, review, and update policies and procedures to comply with the Security Rule.
• Covered entities must implement administrative, physical, and technical safeguards.
• The Rule includes standards that must be implemented for each safeguard (“implementation specifications”).

BS7799
• The British standard for information security management.
• Provides the framework necessary to create a secure system.
• First version was created in 1995. Revised version was released in 1999.
– Volume 1 – Code of Practice for Information Security Management provides guidance on best practice in security management.
– Volume 2 – Specification for Information Security Management Systems specifies the standard against which an organization can be assessed and certified.

California SB1386
• California’s Database Security Breach Notification Act of 2003 was the first notification law.
– Created by, and more commonly referred to as, California Senate Bill 1386.
– Passed in recognition that identity theft was one of the fastest growing crimes.
• Covers any entity that stores personal information on a California resident.
• The entity must notify California residents of a breach of its computer systems.

Personal Information
• CA SB1386 defines this broadly:
– Social security number
– Driver’s license/CA ID number
– Account/CC number, with related security code, access code, password, etc.
– Medical information
– Health insurance information
• Information accessible to the public through government records is not personal information.
• If data are encrypted, then no notification is required.

Other States Follow Suit
• After the ChoicePoint breach, many other states created their own notification laws.
– As of January 2010, 45 states (incl. D.C.)
• Many were modeled after SB1386.
• There are a number of differences across states.

Major Differences
• An incident can be a breach in one state, but not in another.
• State notification laws may differ from state to state in terms of:
– Activities that constitute a breach
– Entities covered by the law
– Time for notifying residents
– What to include in the notification
– Minimum requirement for encryption
– Civil/criminal penalties for failure to notify
• If an entity operates in multiple states, it must comply in each and every one of those states.

Self-Regulation – PCI DSS
• The Payment Card Industry Security Council is a private industry organization.
• Any credit card-accepting merchant or service provider must comply with the Payment Card Industry Data Security Standard (PCI DSS).
• DSS provides a uniform approach to safeguarding sensitive cardholder data for all credit card issuers.
• It identifies 12 basic categories of security requirements for credit card data protection.

PCI DSS
• Applies only to the systems that process, store, or transmit credit card data.
• Uses preventive, detective, and corrective controls to secure data.
• Compliance level is based on the size of merchants’ credit card operations.
• Compliance audits are performed periodically.
– Questionnaire
– Perimeter scan
– On-site security audit
• Enforcement is weak. Card companies use the threat of financial penalties to compel compliance.

ISO/IEC17799:2005
• The Code of Practice for Information Security Management is a standard sanctioned by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
– Based on the UK’s BS7799
– First edition was ISO/IEC17799:1999
• Is proposed to be ISO/IEC27002
– ISO27001 (Based on BS7799 Part 2): Audit and certification
– ISO27002 (Based on BS7799 Part 1): Code of Practice for ISMS
– ISO27003 (Unofficial): Implementation guidance
– ISO27004 (Unofficial): Measurement and metrics

Using ISO17799
• Provides a series of systematic recommendations for building a security program that fits a company’s business model.
• If a company follows ISO17799 as its information security standard, it will address many of the other legal requirements placed on it by the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA).
• It’s easy to map the requirements from SOX, GLBA, and HIPAA to ISO17799.
• The controls suggested by the standard should be selected based on risk assessment.
• Falls short of providing guidance on how to implement the standard based on a company’s unique requirements.

Structure of ISO17799
• 11 control areas, 39 control objectives, 133 controls
• A control is an action, process, or technology that can lower the risk to a company.
– A management control requires management approval, support, or activities.
– An operational control is action- or task-oriented.
– A technical control requires modification, configuration, or verification of information processing facilities.
• Some companies use the TOC of the standard to structure their information security policies.

ISO17799 Control Areas
• Security Policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Information security incident management
• Business continuity management
• Compliance

ISO17799 Example: Security Policy
• The Security Policy control area has one control objective and two controls
– Control objective: 5.1 Security policy (Sections 1 through 4 are non-action items)
– Control #1: 5.1.1 Information security policy document
– Control #2: 5.1.2 Review of the information security policy
• These two controls, esp. 5.1.1, are the focus of an information security program.

ISO17799 Example: Security Policy
• 5.1.1 Information security policy document
– Is there a formal information security document published by management representing the business, legal, contractual, and regulatory requirements?
– Is the policy document available to all employees and users?
– How is the policy communicated to all affected parties? How often?
– How does the information security policy document support the business objectives?
– Is there a documented structure for risk assessment and risk management within the policy?
– Are all 11 control areas represented in the policy?
– Does the policy reference other policies, standards, or procedures when appropriate?

ISO17799 Example: Security Policy
• 5.1.2 Review of the information security policy
– How often is the information security policy reviewed?
– Does management engage qualified external subject matter experts to review the policy?
– Is the policy reviewed and revised based on a defined process?
– How are events or plans reviewed to determine if a policy revision or update is required?
– Is a formal management approval process required for policy changes?

Other Security Frameworks
• National Institute of Standards and Technology (NIST) Special Publications (800 series)
• These are not InfoSec-specific frameworks but both have a significant security focus:
– Control Objectives for Information and Related Technology (CobiT)
– IT Infrastructure Library (ITIL)

CobiT and Security
• CobiT centers on the IT processes of an organization, which are broken down into four domains:
– Plan and Organize (PO)
– Acquire and Implement (AI)
– Deliver and Support (DS)
– Monitor and Evaluate (ME)
• CobiT hierarchy
– Domains
– Control Objectives
– Detailed Control Objectives
• DS5 Ensure Systems Security governs security and contains 11 DSOs.
• CobiT Security Baseline includes DS5 and other relevant control objectives.

CobiT
Source: ITGI, CobiT Security Baseline.

ITIL
• Also originates in the UK (Office of Government Commerce).
• A collection of books grouped into areas including service delivery, service support, security management, application management, etc.
• Focuses on IT services and quality.
• Like CobiT, ITIL focuses on IT processes.
– One of ITIL’s underpinnings is embedding security into everyday processes.
• Security management is a major part and singled out as a book.
– The Control process in Security Management stresses the importance of operational level agreements via the use of SLAs.