cryptography ch 4: a model for information security planning mohammed minhajuddin khan

CRYPTOGRAPHY

Ch 4: A Model for Information Security Planning

Mohammed Minhajuddin Khan

Topics• Information System Architecture And

Design Layer Specify the information system security measures.Specify the information system security measures. Combination of Systems, Networks, Service Combination of Systems, Networks, Service

Applications, and underlying Telecommunication Applications, and underlying Telecommunication Services - Information System.Services - Information System.

Information system’s security depends on how the Information system’s security depends on how the underlying architecture is designed and implemented.underlying architecture is designed and implemented.

• Web Services Protection Layer Specify the information system security measures.Specify the information system security measures. The use of Internet and open systems open the need The use of Internet and open systems open the need

to secure this layer of services that interact with Web.to secure this layer of services that interact with Web.

• The Eight P’s Of Security Layer Address the soft side of information security.Address the soft side of information security. This layer is concern with the people This layer is concern with the people

INFORMATION SYSTEM ARCHITECTURE AND DESIGN

LAYERThis level generally operate in an open environment, So we can’t expect choke security. The information security specialist should be concerned with

Create Create Choke pointChoke point, well-known as gateway. This should be created , well-known as gateway. This should be created to perform screening (Screening of Identity, content checking, & to perform screening (Screening of Identity, content checking, & malicious signatures). This are easy to develop through the use of malicious signatures). This are easy to develop through the use of routers.routers.

Viruses & worms Viruses & worms have long been the misery of information security have long been the misery of information security professionals. Virus scanners are option to protect from this nemesis. professionals. Virus scanners are option to protect from this nemesis. Virus scanners work by checking information content for a Virus scanners work by checking information content for a Malicious signature. Malicious signature.

Maintaining a posture of Maintaining a posture of least privilegeleast privilege. The idea behind the . The idea behind the principle of least privilege is to minimize the attacker’s potential.principle of least privilege is to minimize the attacker’s potential.

To understand the security profile of To understand the security profile of Third-party providersThird-party providers. Third-. Third-party providers are usually high-profile hacker targets. Information party providers are usually high-profile hacker targets. Information security specialist should understand the provider security issues security specialist should understand the provider security issues and to take action to protect the organization’s information. Here is and to take action to protect the organization’s information. Here is a a good example of why applying cryptographic methods and good example of why applying cryptographic methods and authentication processes is importantauthentication processes is important..

Implement event monitoring, intrusion detection, and logging systems. Implement event monitoring, intrusion detection, and logging systems. Through these systems, law enforcement officials may also benefit in Through these systems, law enforcement officials may also benefit in the investigation of a crime.the investigation of a crime.

Develop a Develop a permission-basedpermission-based architecture (Closed architectures). architecture (Closed architectures). Example: Router (When creating access control lists).Example: Router (When creating access control lists).

Extend Cryptographic methods for use at the network and system level Extend Cryptographic methods for use at the network and system level (VPN, SSL, SET, IPsec, etc). This are the crux of this work. By using (VPN, SSL, SET, IPsec, etc). This are the crux of this work. By using this network encryption services, it is possible to form secure tunnels this network encryption services, it is possible to form secure tunnels through the open Internet. through the open Internet.

Securing the information system from both internal and external threats. Securing the information system from both internal and external threats. 70%70% of all computer of all computer crimecrime originates from within the pool of originates from within the pool of trusted trusted insidersinsiders. So, the security management and corporate management . So, the security management and corporate management should keeps a watch-full eye on both internal and external.should keeps a watch-full eye on both internal and external.

Create System-level, Application-level, and Network-level tie-ins to the Create System-level, Application-level, and Network-level tie-ins to the authenticationauthentication and and verificationverification system. system.

INFORMATION SYSTEM ARCHITECTURE AND DESIGN

LAYER

WEB SERVICES PROTECTION LAYER

The web services are browsing simple or complex information, file transfer, name and address resolution, secure funds transfer, transaction processing, and use of the web for private communications. Here the information is public, so the cryptographic methods should provide secure transactions & have to be more complex to break.

Goals to accomplish in this layer: Client-side user privacy. Client-side user privacy. A primary function of the web services A primary function of the web services

layer in our security model is to prevent attacks.layer in our security model is to prevent attacks.

Prevention of inappropriate release of secure content by clients. Prevention of inappropriate release of secure content by clients.

Protection of the Web server from being accessed in an Protection of the Web server from being accessed in an unauthorized way.unauthorized way. To know the software flaw or a loophole in a To know the software flaw or a loophole in a website. Methods be used to secure these areas (ex: proxy services)website. Methods be used to secure these areas (ex: proxy services)

Prevention of document corruption. Prevention of document corruption. Web services are all about Web services are all about document access and control. Use of various document access and control. Use of various cryptographic cryptographic techniquestechniques such as such as digital signaturesdigital signatures, , code signingcode signing, and , and integrity integrity checkingchecking to validate the integrity of the document. to validate the integrity of the document.

The primary concerned at this layer is with attacks against the brand, infiltration of client-side systems, springboard attacks, denial-of-service attacks, and malware.

THE EIGHT P’s OF SECURITY LAYER

The information security breaches are most often caused by either human error or an inconsistency in the implementation of security procedures. By developing a plan that is concerned with the 8 Ps of information security, planners are likely to gain more cooperation and acceptance of the plan. People would like to believe that they can buy security off the shelf.People would like to believe that they can buy security off the shelf.

Persuading people from all levels to buy into the security plan is Persuading people from all levels to buy into the security plan is difficult. Clients need to feel secure in the online access provided and difficult. Clients need to feel secure in the online access provided and need to have easy to follow procedures for successfully executing need to have easy to follow procedures for successfully executing secure transactions. Any breaches can lead to a significant attack.secure transactions. Any breaches can lead to a significant attack.

Therefore, the outermost layer of the security model focus on Therefore, the outermost layer of the security model focus on encouraging and directing people to take the correct actions with encouraging and directing people to take the correct actions with regard to security.regard to security.

By incorporating these 8 Ps of security into the security design, we By incorporating these 8 Ps of security into the security design, we will have a far greater chance of success.will have a far greater chance of success.


1.1. PeoplePeople

People need guidelines to direct their actions in the People need guidelines to direct their actions in the use of the information and the information system.use of the information and the information system.

People need to understand the consequences of their People need to understand the consequences of their actions both technical and no-technical.actions both technical and no-technical.

People need to understand what these attacks are People need to understand what these attacks are and how to prevent them.and how to prevent them.

Caution to be taken when working on non-secure Caution to be taken when working on non-secure network (through PDA, NOTEBOOK, ETC).network (through PDA, NOTEBOOK, ETC).

Use personal firewalls, virus scanners, and safe Use personal firewalls, virus scanners, and safe online habits can terminate hacker activity. online habits can terminate hacker activity.

How they store, use, and transmit information.How they store, use, and transmit information. The cryptographic methods layer work only if people The cryptographic methods layer work only if people

apply the encryption to information requiring apply the encryption to information requiring confidentiality. confidentiality.


2.2. PlanningPlanning

Security planning needs to bring all of the elements Security planning needs to bring all of the elements of the planning process together as a single, well-of the planning process together as a single, well-thought-out unified idea.thought-out unified idea.

Take into consideration the requirements of the Take into consideration the requirements of the organization, summary of the risk analysis, organization, summary of the risk analysis, information on the cost benefit of a security design, information on the cost benefit of a security design, and current vulnerabilities.and current vulnerabilities.

The strategy needs to determine the actions that will The strategy needs to determine the actions that will be taken by the crisis-management team, users, and be taken by the crisis-management team, users, and management in the event of an attack.management in the event of an attack.

To use this section of the plan to build confidence in To use this section of the plan to build confidence in the strategy, not to develop the implementation the strategy, not to develop the implementation strategy. strategy.

Finally the security plan should conclude with the Finally the security plan should conclude with the policies that apply to each area of the security model. policies that apply to each area of the security model. Policies should tell us what to do, when to do it, and Policies should tell us what to do, when to do it, and why we are doing something.why we are doing something.


3.3. Policy Policy

Policies are categorized, high-level description of the Policies are categorized, high-level description of the security controls put in organization.security controls put in organization.

Legal notices regarding use/monitoring/trespass/and Legal notices regarding use/monitoring/trespass/and copy right of information or the information system, copy right of information or the information system, proper use of company resources, requirements fro proper use of company resources, requirements fro trusted third parties, e-mail/Web/other application trusted third parties, e-mail/Web/other application access and usage, etc.access and usage, etc.

These policies need to be directed at the user These policies need to be directed at the user community and should be specific and easy to follow.community and should be specific and easy to follow.

Policies generally define the rights of the employer, Policies generally define the rights of the employer, employee, user, and guest. employee, user, and guest.

The better defined the security policies are, the less The better defined the security policies are, the less the concern for legal liability, waste of corporate the concern for legal liability, waste of corporate resources, or exposure of confidential information.resources, or exposure of confidential information.


4.4. Procedure Procedure

It provide the technical details of enacting a It provide the technical details of enacting a policy/process combination. policy/process combination.

A procedure should specify how something is A procedure should specify how something is implemented.implemented.

Example: choke point will be created in network, Example: choke point will be created in network, Screening router, detail of constructing the access Screening router, detail of constructing the access control list, and fail-safe stance enabled.control list, and fail-safe stance enabled.


5.5. Process Process

Defines the actions that should be taken by the user Defines the actions that should be taken by the user community and security professionals to enable the community and security professionals to enable the workability of the security plan.workability of the security plan.

These process should complement the policies by These process should complement the policies by instructing users, regarding the steps they need to instructing users, regarding the steps they need to perform to be compliant with the policy.perform to be compliant with the policy.


6.6. Product Product

Products are the tools, hardware, and software that Products are the tools, hardware, and software that support the implementation and realization of the support the implementation and realization of the security implementation.security implementation.

Products need to be purchased in a legal way with Products need to be purchased in a legal way with specified plan and the policy and not the other way.specified plan and the policy and not the other way.

It is important the product being used with all its pros It is important the product being used with all its pros and cons.and cons.

By clearly articulating the product functionality and By clearly articulating the product functionality and limitations, we can better determine if the product limitations, we can better determine if the product meets the needs of the planmeets the needs of the plan


7.7. Perseverance Perseverance

Perseverance speaks to the drive and heart of the Perseverance speaks to the drive and heart of the information security professional, the determination of information security professional, the determination of management, and the spirit of the user community.management, and the spirit of the user community.

Initially, a security plan may not be completely Initially, a security plan may not be completely effective. Once a workable plan is accomplished quite effective. Once a workable plan is accomplished quite a bit by implementing it.a bit by implementing it.

Information security takes a long time to “burn in” and Information security takes a long time to “burn in” and settle.settle.

After the plan is in place, the information security After the plan is in place, the information security analyst needs to begin monitoring and making analyst needs to begin monitoring and making adjustments accordingly. adjustments accordingly.


8.8. Pervasiveness Pervasiveness

Information security is everywhere in the organization, Information security is everywhere in the organization, not just in the computer memory or at the network not just in the computer memory or at the network gateways. gateways.

Information security success is measured by the Information security success is measured by the combination of everyone’s actions.combination of everyone’s actions.

By working through the eight Ps, our plan will By working through the eight Ps, our plan will become more acceptable to the user community.become more acceptable to the user community.

People will become more involved in security People will become more involved in security because you will have given them a role to play because you will have given them a role to play and goals to meet.and goals to meet.

Question

Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve? Jqf vb cqn jnrxnbc yvex ve cqn bntdavcl tqrve? Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne Ufnb cqvb jnrxnbc yvex qrin rel afyn, vo bf cqne Ve jqvtq Yrlna? Savnoyl unbtavsn cqn afyn fo Ve jqvtq Yrlna? Savnoyl unbtavsn cqn afyn fo cqvb jnrxnbc yvex ve cqrc Yrlna?cqvb jnrxnbc yvex ve cqrc Yrlna?

Who is the weakest link in the security chain? Who is the weakest link in the security chain? Does this weakest link have any role, if so Does this weakest link have any role, if so then in which Layer? Briefly describe the role then in which Layer? Briefly describe the role of this weakest link in that Layer?of this weakest link in that Layer?

cryptography ch 4: a model for information security planning mohammed minhajuddin khan

Documents

information systems

information content

complex information

organizations information

security management

choke security

ps of security layer

layer of services