Lecture 1 - Security Concepts.ppt


  • 7/25/2019 Lecture 1 - Security Concepts.ppt

    1/55

    CS 216

    Introduction to Information Security Concepts

    What is Security?

    The quality or state of being secure, to be free from danger

    A successful organization should have multiple layers of security in place:

        Physical security

        Personal security

        Operations security

        Communications security

        Network security

        Information security

    Personal security

    Personal security is a general condition that occurs after adequate efforts are taken to deter, delay, and provide warning before possible crime, if such warning occurs, to summon assistance, and prepare for the possibility of crime in a constructive manner.

    Physical security

    Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.

    Operations security (OPSEC)

    Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

    Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

    Network security

    Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

    Network security involves the authorization of access to data in a network, which is controlled by the network administrator.

    What is Information Security?

    The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information

    Necessary tools: policy, awareness, training, education, technology

    C.I.A. triangle was standard based on confidentiality, integrity, and availability

    C.I.A. triangle now expanded into list of critical characteristics of information

    Critical Characteristics of Information

    The value of information comes from the characteristics it possesses:

        Availability

        Accuracy

        Authenticity

        Confidentiality

        Integrity

        Utility

        Possession

    Vocabulary: Security Policy

    Refers to the way a system is supposed to function

    Can be explicit or implicit

    Outlines assumptions of protections and violations

    Vocabulary: Security Policy

    The security policy must represent the pertinent laws, regulations, standards, and general policies accurately.

    There are three types of policy generally used in secure computer systems

    Confidentiality Policy:

    A confidentiality policy typically states that only authorised users are to be permitted to observe sensitive data, and that all unauthorised users are to be prohibited from such observation.

    Integrity Policy

    An integrity policy has two facets.

    The first refers to the quality of the data that is stored in the computer. The integrity policy will state that the data should reflect reality to some degree. How best to do this is the subject of much research activity.

    The second facet of integrity policy is associated with the data being available for use when it is legitimately needed. No user, whether he or she is or is not authorised to access some data item, should be able to unreasonably delay or prohibit another authorised user from legitimate access.

    Availability Policy:

    The computer system should be available for use when it is needed, and it should satisfy some specified requirements for its mean-time-to-failure and its mean-time-to-repair.

    Vocabulary: Incident

    Security incident is a violation (or series of violations) of a system's security policy

    Scope can vary from narrow to broad

    Incidents are events caused by (malicious) behavior

    Can be automated (a virus) or manual (abuse of access)

    Vocabulary: Threat

    Potential cause of a security incident

    Can be purposeful (a specific tool used to break into a site or a malicious insider)

    Accidental (floods, fire, lost backup tape, etc.)

    Vocabulary: Vulnerability

    Flaw in a system that could allow a threat to violate the security policy

    Can be a result of oversight or architecture

    Logic flaws can present vulnerabilities

    Vulnerabilities are static aspects of systems

    Vocabulary: Exploit

    Exploit is when a threat capitalizes on a vulnerability

    Exploits can be manual or automated

    Exploits demonstrate that there is a problem with a system

    Vocabulary: Malware

    Software that does bad stuff

    Malware includes virus and worm code

    Includes software designed to modify legitimate systems to:

        Allow unauthorized remote access

        Hide evidence of intrusion

        Exfiltrate data from a target

        Surreptitiously monitor user activity

        And more...

    Security Concepts

    The Golden Rule (Au)

    Authentication

        Users are who they claim to be, or at least can present credentials

    Authenticity

        Data has not been altered and remains true to its original form

    Audit

        The system can track what activity, data and users

    Security as Asset Protection

    A secure system must protect

    Confidentiality

        Threat: Information disclosure

    Integrity (and Reliability)

        Threat: Data corruption

    Access

        Threat: Denial of service

    Security Lifecycle

    Security is a process not a product

    Complexity is the enemy of security

    Security is an evolutionary landscape

    Secure is a point in time evaluation

    Secure is defined by known threats

    0 day

    0 day is a vulnerability for which there is no patch available

    If 0 day cannot be predicted, how can we defend against it?

    0 day can often be mitigated

    How can we detect 0 day?

    Defense in depth is often the only defense against 0 day

    When evaluating security you should assume 0 day

    A Word on Software Bugs

    Software engineering is a robust, and mature, field of academic study

    All software projects of sufficient size and complexity contain bugs, regardless of development process

    A certain number of bugs will be security related

    Conclusion: all software contains security related bugs

    Classifying Software Bugs

    Not all bugs are the same

    Bugs may present wildly varying threats

    Bugs may have different risks associated with them

    All bugs are significant, however

    Even if it's bug free

    Bug free software can still have vulnerabilities

    Configuration problems

        Default or weak credentials

        Improper trust model

        Etc.

    Logic flaws

        Fundamentally insecure design

        Software functions exactly as designed but the result is an unintended vulnerability

    Two bug free systems might have insecure interaction

    Vulnerability Synergy

    Linking one vulnerability to another

    Chains of low risk, or low significance, vulnerabilities can lead to a serious vulnerability

    Even if highest risk bugs are all patched, a combination of low risk bugs could lead to compromise
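
    The chaining effect on this slide can be checked mechanically during triage. The Python sketch below is an added example, not part of the original lecture; the findings, scores, capability labels and threshold are all constructed for illustration. It closes every finding at or above a risk threshold (Risk = Likelihood x Severity) and then tests whether the low-risk findings left open still link network access to admin control.

```python
"""Added example: low-risk findings that still chain after high-risk ones are patched.
All finding names, scores and capability labels are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    severity: int          # 1 (minor) .. 5 (critical)
    requires: frozenset    # capabilities that must already be held
    grants: frozenset      # capabilities gained if the finding is abused

    @property
    def risk(self) -> int:
        return self.likelihood * self.severity   # Risk = Likelihood x Severity

FINDINGS = [
    Finding("remote code execution in web app", 4, 5, frozenset({"network"}), frozenset({"admin"})),
    Finding("verbose error pages", 3, 1, frozenset({"network"}), frozenset({"internal_paths"})),
    Finding("world-readable backup directory", 2, 2, frozenset({"internal_paths"}), frozenset({"config_file"})),
    Finding("default service credentials in config", 2, 3, frozenset({"config_file"}), frozenset({"service_login"})),
    Finding("service account has admin rights", 1, 3, frozenset({"service_login"}), frozenset({"admin"})),
]

def patch_by_threshold(findings, threshold):
    """Return the findings left open when only risk >= threshold is fixed."""
    return [f for f in findings if f.risk < threshold]

def find_chain(open_findings, start, goal):
    """Expand held capabilities to a fixed point; return findings applied, or None."""
    held, chain = set(start), []
    progressed = True
    while progressed and goal not in held:
        progressed = False
        for f in open_findings:
            if f not in chain and f.requires <= held and not f.grants <= held:
                held |= f.grants
                chain.append(f)
                progressed = True
    return chain if goal in held else None

def report(findings, threshold, start=("network",), goal="admin"):
    """Summarise what was patched and whether the goal is still reachable."""
    remaining = patch_by_threshold(findings, threshold)
    chain = find_chain(remaining, start, goal)
    return {
        "patched": [f.name for f in findings if f.risk >= threshold],
        "max_open_risk": max((f.risk for f in remaining), default=0),
        "chain": [f.name for f in chain] if chain else [],
    }

if __name__ == "__main__":
    print(report(FINDINGS, threshold=10))   # only the top-risk finding is patched
    print(report(FINDINGS, threshold=4))    # one broken link removes the chain
```

    With the threshold at 10 only the top-scoring finding is closed and the four remaining findings, none scoring above 6, still reach admin; lowering the threshold to 4 breaks a middle link and the chain disappears.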

    Sisyphean Task

    A sufficiently resourced and motivated attacker will always compromise security

    Defenders must be right 100% of the time, attackers need only succeed once

    You can't possibly defend against everything

    Attacker motivation is unknowable

    Protect, Detect, React

    The security lifecycle, also known as the security hamster wheel of pain

    EVERY step is critical

    Detection is dependent on observation and reporting

    Logs are some of the best places to do detection

    More on each step later

    How can we get ahead?

    The protect/detect/react cycle often requires an incident to move from detect/react to better protection

    It is important to keep the cycle moving independently of a security incident

    Collecting metrics is key to making informed decisions

    Start with security first...

    Secure Design

    Threat modeling

    Maximize ROI with high impact, low cost, mitigations

    Good authentication, authorization and audit

    Fault tolerance or Rugged Design

        Applications should protect against unexpected actions

        This includes good exception handling

    Test driven design, with tests that should fail

    Secure Application Development Lifecycle (SDLC)

    Penetration Testing

    Actively attacking your own systems

    Can reveal flaws in protection, including gaps

    Can proactively identify vulnerabilities (prevent 0 day)

    Helps more accurately frame risk assessment

    Application Security Testing

    Black box

        Penetration testing

    Gray box

        Some level of access and documentation available

    White box

        Full code review, often combined with other testing tools

    Using Automation

    Automation is critical for a timely review

    Automation can lead to false positives

    Automated tools without skilled human operators can be useless

        Deluge of false positives

        Poor risk assignment

    Gold Standard for Security Reporting

    Security reporting after a review should include:

        List of vulnerabilities, ranked/grouped by severity

        Demonstration of exploit

        List of suggested mitigation and work around strategies

        List of patches and/or fixes for the issue

    A good security test should be repeatable

    Resource Allocation

    In the real world resources are limited

    Given the scope of security it is impossible to cover all fronts

    How does one make smart resource allocation decisions?

    Risk Calculations

    Risk can be used to draw comparisons

    Risk generally calculated:

        Risk = Likelihood x Severity

    Good risk ratings allow you to compare apples to apples

    Can focus attention and resources to greatest need

    How can we baseline these without METRICS?

    Flaw in Risk Calculation

    Likelihood can never actually be measured because it is within the attacker's control

    How can you quantify what you don't know?

    Severity may hinge on unknown consequences or attacker motivation

    Some resources may escape risk calculation

    Non Technical Threats

    Risk calculation involves assessing threats

    Some threats are not strictly system related

        Reputational damage

        Misinformation

        Business risks (ex: grant funding)

    Typical Poor Risk Calculation

    Home user doesn't protect their machine because they have no data of value

        Risk = medium likelihood x low impact

    Home user may not understand full impact

        Attacker can use webcam

        Attacker can use mic to record conversations

        Attacker can use connection to compromise wireless router to allow anonymous wireless

    Linchpin in Most Flaws

    Many risk calculations fail because the assessor measures risk based on

        Perceived attacker motivation

    Without understanding what an attacker is after there is no effective way to protect resources

    Industry best practice may provide a guide

    Moving Forward

    Goal is an adaptive, metrics based information security program

    Resources should be fluid, and allocated based on actual need

    Reactive capabilities should be maximized

    Reduction of misguided protective measures

    Constant metrics gathering and reevaluation

    Learn, grow, share

    Securing Components

    Computer can be subject of an attack and/or the object of an attack

    When the subject of an attack, computer is used as an active tool to conduct attack

    When the object of an attack, computer is the entity being attacked

    [Figure: Subject and Object of Attack]

    Balancing Information Security and Access

    Impossible to obtain perfect security; it is a process, not an absolute

    Security should be considered a balance between protection and availability

    To achieve balance, level of security must allow reasonable access, yet protect against threats

    [Figure 1-6: Balancing Security and Access]

    Approaches to Information Security Implementation: Bottom-Up Approach

    Grassroots effort: systems administrators attempt to improve security of their systems

    Key advantage: technical expertise of individual administrators

    Seldom works, as it lacks a number of critical features:

        Participant support

        Organizational staying power

    Approaches to Information Security Implementation: Top-Down Approach

    Initiated by upper management

        Issue policy, procedures and processes

        Dictate goals and expected outcomes of project

        Determine accountability for each required action

    The most successful also involve formal development strategy referred to as systems development life cycle

    Security Professionals and the Organization

    Wide range of professionals required to support a diverse information security program

    Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program

    Senior Management

    Chief Information Officer (CIO)

        Senior technology officer

        Primarily responsible for advising senior executives on strategic planning

    Chief Information Security Officer (CISO)

        Primarily responsible for assessment, management, and implementation of IS in the organization

        Usually reports directly to the CIO

    Information Security Project Team

    A number of individuals who are experienced in one or more facets of technical and non-technical areas:

        Champion

        Team leader

        Security policy developers

        Risk assessment specialists

        Security professionals

        Systems administrators

        End users

    Data Ownership

    Data Owner: responsible for the security and use of a particular set of information

    Data Custodian: responsible for storage, maintenance, and protection of information

    Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization

    Communities Of Interest

    Group of individuals united by similar interest/values in an organization

        Information Security Management and Professionals

        Information Technology Management and Professionals

        Organizational Management and Professionals