securing an information resource management system
Post on 22-Dec-2015
Securing an Information Resource Management System

Overview
Security issues of an information resource management system
Secure physical network
Standards and protocols used in information security
Management tools used to implement that system

Information Security in Society
Homeland Defense
Homeland Defense as an information security system
Need to communicate sensitive information efficiently in a crisis

Information Security in Society
HD Secretary Tom Ridge and Strategic Communications Resources (SECURE) Initiative
Five new HD officers per state
Secure telephones and video conferencing for the Governor's office

Information Security in Society
Information based industry
Potential loss
New information technology = New vulnerabilities

The First Step
Secure Information Network Physical Architectures
Homeland example
Telephony equipment
Emergency Operations Center

FIPS 140-2
FIPS 140-2 (Federal Information Processing Standard)
Crypto-modules
tests hardware, software, firmware
crypto algorithms
key-generation

Secure Environments
Secure Environments:
authorized personnel
placing servers locally
disconnected information networks

Smart Cards
Used in combination with other id-securing methods
Portable
Secure
Difficult to replicate, useless to steal
Appearance; gold-contacts
Microprocessor
Also can be used to facilitate secure communications

Smart Cards
Little interoperability between software and hardware of different vendors
Difficult implementation and maintenance
NIST (National Institute of Standards and Technology)
NIST is working on guidelines/specifications (as we’ll see in the next section)

Firewalls
Located on routers or servers
Blocks specific communications and allows specific communication
useful in preventing viruses

Connected Networks
Can be physically isolated to provide security
Controlled communication access points

VLANS
By remote login, a server can make it appear as though the user is on a network
Secure tunneling

WIFI
Wi-Fi (short for "wireless fidelity")
Ever-growing WiFi networks
Unsecured

WIFI
Current business trends demand Robust Security Networks (RSNs) on WiFi:
RSN
Dependable
Secure
Versatile

WIFI
WIFI products need to
Provide security
Multi-vendor interoperability
Long security lifecycle to lengthen usability
Support hotspots connectivity

WIFI and FIPS 140-2
802.11b IEEE standard
Minimal security
FIPS 140-2 and 802.11 and Bluetooth standard (for WiFi)
IEEE, IETF, NIST working to create effective standards
Theory: higher level crypto protocols, like IPSec (next section)

WIFI
Interim methods for minimizing WIFI losses:
Detailed wireless topology
Inventory of devices
Frequent back-ups
Random security audits of WiFi infrastructure
Monitor WIFI technology changes

Universal Standards/Protocols
Different technology vendors and universal standards/protocols

Standards and Protocols
Information security standards/protocols are also policy

Standards and Protocols
Congress and the Gramm-Leach-Bliley Act
Bank security policies
Information security standards
Protect customer info
Protect other nonpublic info
Safe, secure, and reliable transactions

Standards and Protocols
ISO 17799, ISF, NIST:
Guidelines that have standards for information security
Security communication protocols
Cryptographic standards
What are common cryptographic standards?

Cryptographic Standards
Common cryptographic standards
Integrity
Authenticity
Authorization/access control model
Non-repudiation

Cryptographic Standards
Definition: block cipher
Definition: cipher text
Definition: stream cipher
Definition: symmetric block cipher
algorithm to encrypt and decrypt block text

Cryptographic Standards
Digital Signature Standard (DSS)
Authentication and Integrity
Digital Signature Algorithm (DSA): public-private key schemes (discussed later)

DSA
Hashing
Definition: message digest
Digest encrypted with DSA

DSA
FIPS 180-1 (FIPS Hashing standard)
SHA-1, SHA-256 blocks <2^64 bits
SHA-384, SHA-512 blocks <2^128 bits
changes to a message result in a different digest (high probability)
also used with stored data
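
The last two points of the hashing slide as an added example (not part of the original slides): a SHA-256 digest is recorded per stored item, and a later check reports any item whose digest no longer matches. The file names and contents are constructed sample data, and the signing step the slide mentions is not shown.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    """Message digest of data using SHA-256, as a hex string."""
    return hashlib.sha256(data).hexdigest()

def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits that differ between the SHA-256 digests of a and b."""
    da = hashlib.sha256(a).digest()
    db = hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def build_manifest(records: dict) -> dict:
    """Record one digest per stored item; keep the manifest apart from the data."""
    return {name: digest(body) for name, body in records.items()}

def verify(records: dict, manifest: dict) -> list:
    """Return sorted names of items that are missing, added, or changed."""
    bad = []
    for name in sorted(set(records) | set(manifest)):
        expected = manifest.get(name)
        body = records.get(name)
        if expected is None or body is None:
            bad.append(name)          # item added or removed since the manifest
        elif not hmac.compare_digest(digest(body), expected):
            bad.append(name)          # content changed
    return bad

# Constructed sample data (hypothetical file names and contents).
STORED = {
    "payroll.csv": b"alice,4200\nbob,3900\n",
    "policy.txt": b"Visitors must be escorted.\n",
}
MANIFEST = build_manifest(STORED)

TAMPERED = dict(STORED)
TAMPERED["payroll.csv"] = b"alice,4200\nbob,9900\n"   # one character changed

if __name__ == "__main__":
    print("unchanged store:", verify(STORED, MANIFEST))
    print("tampered store: ", verify(TAMPERED, MANIFEST))
    n = differing_bits(STORED["payroll.csv"], TAMPERED["payroll.csv"])
    print(n, "of 256 digest bits differ after a one-character change")
```
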

Keys
Secret keys

Keys
Public-Private Keys

Keys
Key certificates
Key lifecycle

Keys
Key-substitution vulnerability

Keys
Key-destruction vulnerability

Keys
Controlling the key lifecycle
Crypto-periods

PKI
Public Key Infrastructure (PKI)
Certificate Authorities
Electronic transport
Manual key transport
Trust

Let's look at some examples

IPSEC
IPSEC uses keys
Works on the Transport Layer

IPSEC
Tunneling

IPSec
Internet Key Exchange (IKE)
Serial authentication access
Confidentiality
Transmissions and key crypto periods

IPSec
Encapsulating Security Payload (ESP)
Double-encryption scheme
Encrypts data
Encrypts header (source/destination invisible)

NIST
NIST (National Institute of Standards and Technology)
Information security standards for government and industry

NIST
Business metrics and standards
Supports DSS and public key encryptions
The MAIDS standard
The AES standard

NIST
The MAIDS standard:
Mobile Agent Intrusion Detection and Security
Autonomous software entities
Security threats
MAIDS prevents unauthorized access
ensures secure communication with mobile agents

NIST
Advanced Encryption Standard (AES)
Keys of 128, 192, 256 bits / 16, 24, 32 character long encryption blocks
Symmetric block cipher
Federal Information Processing Standard approved (FIPS)
AES and IPSEC work with modification of the IKE exchange
AES/IPSEC protocol works at the IP layer

Poisoned dagger: the human element.

Personnel and Management Objectives in a Secure Information Environment

Business Mindset
“Quite frequently, the risk and the solutions are seen as part of the IT universe, while business leaders want to concentrate on product development, sales and revenue, and customer care. To change this mindset and to recognize IS as a business issue, the CISO has to inform, educate, and influence his or her business counterparts:”
--Robert Garigue, Information Systems

CIO and the CISO's tasks:
Describe:
Environmental factors (industry related threats)
New/developing standards
Defenses of digital assets taken
Existing security incidents
Financial impact of those breaches
New/developing metrics the CEO can use

CIO and the CISO's tasks:
Educate:
List risk factors to the bottom line
New technologies and their risks
Potential impact of breaches
How people participate in information security

CIO and the CISO's tasks:
Influence:
Priorities and resource allocation
Involving security specialists early in new projects
Deciding on organizational structures with information efficiency as a goal

CIO and the CISO's tasks:
information risk analysis
Measures bottom line impact
Types of information loss
Malicious use
Predictive Systems
36% chance; 10-20 bill. in lost $

CIO and the CISO's tasks:
Security certification
Use common business metrics (activity reports) to measure the effect of information breaches
Are we secure?
Directly lead to budget decisions

Communicating Security Policy
Is the policy being followed?
Inform employees and management of
Security objectives
Organizational accountability
Standards and procedures
Available guidelines supporting the policy

Communicating Security Policy
Awareness metrics
Is the training effective?
Intranet website
Access management
Policy, politics, and technology
RBAC
Access based on identity vs. role
Operations with the object
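
The identity-versus-role contrast from the access management slide, as an added example that is not part of the original slides: the same access decisions are expressed once as per-object lists naming users and once as roles granting operations on objects. All user, role and object names are hypothetical.

```python
# Constructed sample policy: users, roles and objects are hypothetical.
ROLE_PERMISSIONS = {
    "clerk":   {("read", "customer_record")},
    "auditor": {("read", "customer_record"), ("read", "audit_log")},
    "admin":   {("read", "customer_record"), ("write", "customer_record"),
                ("read", "audit_log")},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": {"clerk", "admin"}}

# Identity-based alternative: every object lists every user directly.
IDENTITY_ACL = {
    "customer_record": {"alice": {"read"}, "bob": {"read"},
                        "carol": {"read", "write"}},
    "audit_log":       {"bob": {"read"}, "carol": {"read"}},
}

def rbac_allowed(user, operation, obj, user_roles=USER_ROLES):
    """Allow only if one of the user's roles grants this operation on this object."""
    return any((operation, obj) in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, set()))

def acl_allowed(user, operation, obj, acl=IDENTITY_ACL):
    """Allow only if the object's own list names this user for this operation."""
    return operation in acl.get(obj, {}).get(user, set())

def move_user(user, new_roles, user_roles):
    """Job change under RBAC: one role assignment is replaced, no object is edited."""
    updated = dict(user_roles)
    updated[user] = set(new_roles)
    return updated

def acl_entries_naming(user, acl=IDENTITY_ACL):
    """Objects whose lists must be edited when this user changes job (identity model)."""
    return sorted(obj for obj, entries in acl.items() if user in entries)

if __name__ == "__main__":
    print(rbac_allowed("bob", "read", "audit_log"))           # auditor role grants it
    moved = move_user("bob", {"clerk"}, USER_ROLES)
    print(rbac_allowed("bob", "read", "audit_log", moved))    # revoked by the role change
    print(acl_entries_naming("bob"))                          # lists to clean up by hand
```

Unknown users and unknown roles fall through to a denial in both models, so a missing entry never grants access.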

Ongoing defense
Security tests
Upgrades
Communication monitoring
Computer forensics

A state of necessity