The document provides an introduction to information security concepts including the CIA triad of confidentiality, integrity and availability. It discusses threats, vulnerabilities and risks and the importance of risk management. Key security principles are covered such as defense in depth, metrics, and the evolution of security risks and regulations.
1. The C, I, A's of Security: Introduction to Security. Presentation given to students in the Master of Information Strategy, System and Technology curriculum at Muskingum College. Scott Frost, CISSP, CISM, CISA, The Polaris Consulting Group, LLC.
2. Honesty on the Internet 12 Sept 2009 Copyright The Polaris Consulting Group
7. CIA – How they work together: Confidentiality, Integrity, Availability; where all three overlap: Secure.
29. Modern Defense in Depth? Fire, Network Access Control, Firewall, Network Design, Guards and badges, Log Monitoring, Encryption, DMZ.
Editor's Notes
Related story: companies taking down their web sites during Code Red.
Possession: for example, if confidential information such as a user ID/password combination is in a sealed container and the container is stolen, the owner justifiably feels that there has been a breach of security even if the container remains closed (this is a breach of possession or control over the information). Utility: for example, if data is encrypted and the decryption key is unavailable, the breach of security is in the lack of utility of the data. Source: http://www.pcmag.com/encyclopedia_term/0,2542,t=Parkerian+Hexad&i=48859,00.asp (Parkerian Hexad: six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures. Defined by Donn B. Parker, renowned security consultant and writer, they are confidentiality, possession, integrity, authenticity, availability and utility.)
Source: Guidelines for the Management of IT Security, as published by ISO. Vulnerability: vulnerability is the likelihood of success of a particular threat category against a particular organization. Notice that if this were the likelihood of success of a particular attack (e.g., the Ping of Death) against a particular machine, the likelihood would be either 0 or 1 (0 percent or 100 percent). But since we are concerned about vulnerability at an organizational level (with, say, 1,000 PCs and 50 servers configured and architected in a particular way) to an entire class of threat, binary terms don't work. Instead, vulnerability has to be quantified in terms of a probability of success, expressed as a percent likelihood.
Threats generally have numbers associated with them, e.g. Florida is likely to have 1.4 hurricanes each year.
Scanners can often assist with identifying known vulnerabilities.
Controls:
- Software: operating system controls that protect users from each other or from sensitive data; program controls that enforce security restrictions; virus scanners, intrusion detection systems, etc.
- Hardware: locks, firewalls, smartcards.
- Physical: door locks, guards, backups.
Threat: Earthquake. Vulnerability: Building not up to earthquake code. Cost: Millions. Risk: Low.
Threat: Computer virus. Vulnerability: Likely medium to high. Costs: Depends. Risk:
Source: http://en.wikipedia.org/wiki/Information_security#Risk_management
- Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
- Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
- Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
- Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
- Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
- Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
The business environment is constantly changing and as a result introduces new vulnerabilities. Countermeasures are also constantly changing and must be reevaluated.
Examples to discuss:
- Accepting the risk: the FTP server is prone to being owned, yet it isn't worth the time or trouble to properly defend it because the cost of defending it would exceed the cost of the item.
- Mitigating the risk: a vulnerability audit indicates that your web server is vulnerable to cross-site scripting attacks and has an old operating system.
- Transferring the risk: you are a Heisman-winning quarterback as a junior and you want to come back for your senior season; what do you do to manage the risk?
- Denying the risk:
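As an added worked example (not from the presentation), here is the quantitative version of the risk-management steps above: risk as threat rate × vulnerability likelihood × impact, followed by the choice between accepting, mitigating (lower the likelihood) and transferring (cap the impact, e.g. insurance) by comparing expected annual cost. The register entries, dollar values and treatment options are constructed for illustration; denial is not modelled because it changes nothing about the loss.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Risk:
    name: str
    threat_rate: float   # expected threat occurrences per year (cf. 1.4 hurricanes/yr)
    vuln_prob: float     # likelihood (0..1) that an occurrence succeeds against the organization
    impact: float        # loss in dollars when it does succeed

    def expected_annual_loss(self) -> float:
        # Quantitative risk: threat frequency x vulnerability likelihood x impact
        return self.threat_rate * self.vuln_prob * self.impact

@dataclass
class Treatment:
    name: str
    kind: str                                 # "mitigate" (lowers vuln_prob) or "transfer" (caps impact)
    annual_cost: float                        # yearly cost of the control, or the insurance premium
    residual_vuln_prob: Optional[float] = None
    residual_impact: Optional[float] = None   # what you still pay yourself, e.g. a deductible

def cost_with_treatment(risk: Risk, t: Treatment) -> float:
    # Residual risk after the treatment, plus what the treatment itself costs each year
    prob = risk.vuln_prob if t.residual_vuln_prob is None else t.residual_vuln_prob
    impact = risk.impact if t.residual_impact is None else t.residual_impact
    return Risk(risk.name, risk.threat_rate, prob, impact).expected_annual_loss() + t.annual_cost

def decide(risk: Risk, options: List[Treatment]) -> Tuple[str, float]:
    """Proportional response: pick the cheapest of accept / mitigate / transfer."""
    best = ("accept", risk.expected_annual_loss())   # accepting costs only the expected loss
    for t in options:
        total = cost_with_treatment(risk, t)
        if total < best[1]:
            best = (t.kind, total)
    return best

# Constructed register (illustrative values, not figures from the presentation)
FTP = Risk("legacy FTP server compromised", threat_rate=2.0, vuln_prob=0.6, impact=2_000)
WEB = Risk("web server XSS / unpatched OS", threat_rate=4.0, vuln_prob=0.3, impact=200_000)
QUAKE = Risk("earthquake, building not to code", threat_rate=0.01, vuln_prob=0.9, impact=5_000_000)
OPTIONS = {
    FTP.name: [Treatment("harden and monitor FTP host", "mitigate", 5_000, residual_vuln_prob=0.05)],
    WEB.name: [Treatment("patch OS, fix XSS, add WAF", "mitigate", 8_000, residual_vuln_prob=0.02)],
    QUAKE.name: [Treatment("seismic retrofit", "mitigate", 100_000, residual_vuln_prob=0.1),
                 Treatment("earthquake insurance", "transfer", 20_000, residual_impact=250_000)],
}

def register_decisions() -> dict:
    # Expected: FTP accepted (control costs more than the asset), WEB mitigated, QUAKE transferred
    return {r.name: decide(r, OPTIONS[r.name]) for r in (FTP, WEB, QUAKE)}
```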
Clifford Stoll (the author) managed some computers at Lawrence Berkeley Laboratories in California. One day, his supervisor (Dave Cleveland) asked him to resolve a US$0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a hacker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs. Over the next ten months, Stoll spent a great deal of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, helped with the phone lines. Over the course of a long weekend he rounded up fifty terminals, mostly by "borrowing" them from the desks of co-workers away for the weekend, and teletype printers and physically attached them to the fifty incoming phone lines. When the hacker dialed in that weekend, Stoll located the phone line, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia. Stoll, after returning his "borrowed" terminals, left a teletype printer attached to the intrusion line in order to see and record everything the hacker did. Stoll recorded the hacker's actions as he sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI". The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords.
Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators never bothered to change the passwords from their factory defaults. Even on army bases, the hacker was sometimes able to log in as "guest" with no password. Over the course of this investigation, Stoll contacted various agents at the FBI, CIA, NSA, and Air Force OSI. Since this was almost the first documented case of hacking (Stoll seems to have been the first to keep a daily log book of the hacker's activity), there was some confusion as to jurisdiction and a general reluctance to share information. Studying his log book, Stoll saw that the hacker was familiar with VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Stoll hypothesized that since modem bills are cheaper at night, and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east. With the help of Tymnet and various agents from various agencies, Stoll eventually found that the intrusion was coming from West Germany via satellite. The Deutsche Bundespost, the German post office, also had authority over the phone system, and they traced the calls to a university in Bremen. In order to entice the hacker to stay on the line long enough to be backtracked from Bremen, Stoll set up an elaborate hoax (known today as a honeypot), inventing a new department at LBL that had supposedly been newly formed because of an imaginary SDI contract. He knew the hacker was mainly interested in SDI, so he filled the "SDInet" account (operated by the imaginary secretary Barbara Sherwin) with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover.
The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet KGB. There was ancillary proof of this when a Hungarian spy contacted the imaginary SDInet at LBL, based on information he could only have gotten through Hess (apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling them). Stoll later had to fly to Germany to testify at the trial of Hess and a confederate. Although Hess was active at the same time and in the same area as the German Chaos Computer Club, they do not seem to have been working together. Source: http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_%28book%29
Gramm (Gramm-Leach-Bliley Act; see http://www.securitymanagement.com/archive/library/gramm_tech0902.pdf):
- Access controls on customer information systems
- Access restrictions at physical locations containing customer information
- Encryption of electronic customer information
- Procedures to ensure that system modifications do not affect security
- Dual control procedures, segregation of duties, and employee background checks
- Monitoring systems to detect actual attacks on or intrusions into customer information
- Response programs that specify actions to be taken when unauthorized access has occurred
- Protection from physical destruction or damage to customer information
Could also talk about FERPA (Family Educational Rights and Privacy Act), which was enacted in 1974. This is a USA federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.
You cannot make good decisions about security without first determining what your security goals are. What is needed is a risk management program that constantly evaluates the risks to the business and sets priorities.
Security and Loss Prevention, 5th Edition, by Philip P. Purpura, p. 135
- Credit Card Industry Grapples with Security Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems, Inc. and supermarket chain Hannaford Brothers show the challenges facing the efforts of the credit card industry to upgrade security measures. While both companies say their computer networks met the tough new standards meant to prevent data breaches, Visa, Inc. said Heartland may have let its guard down. The positions reflect broader disagreements in the industry, as squabbling between merchants and financial firms over technology and the cost of systems upgrades continues to impede progress while the financial stakes get higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research. More information: http://www.reuters.com/article/smallBusinessNews/idUSTRE57N4LQ20090824
- "Dirty Websites" Pose Biggest Security Risk The 100 most dangerous sites on the web are propagating an average of 18,000 different pieces of malware, according to leading security software maker Symantec. While 48 of the top 100 worst are adult-themed sites, others featured diverse topics, ranging from deer hunting and catering, to figure skating, electronics, and legal services. "We used to tell people if you stick with the 'safe neighborhood' you will be safe, and what we see from this list is that even if you stick to the safe neighborhood, it doesn't mean you are safe," said Symantec's Dan Schrader. "Your own judgment doesn't tell you anything about the security practices of that site." Ken Pappas of Top Layer Security adds that "The list of most-offensive websites is changing and new websites are constantly being infected. This is not something like building a ten most-wanted for criminals at large. "Whether it's ten viruses or ten thousand doesn't matter; the point is, many people are going to what they believe is a legitimate and trusted website. They have no idea or warnings it will potentially put malware in the computer." More information: http://www.scmagazineus.com/dirtiest-websites-host-average-18000-threats/article/146919/ http://safeweb.norton.com/dirtysites
Center for Internet Security: a not-for-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions.
National Security Agency: Guidelines for Security Configurations.
Computer Security Resource Center: supported by the National Institute of Standards and Technology.