Information Security: Security Challenges and Technologies

Carnegie Mellon University ©2006 - 2011 Robert T. Monroe 70-451 Management Information Systems Information Security: Security Challenges and Technologies 70-451 Management Information Systems Robert Monroe November 22, 2011

Quiz

1. In last Sunday’s class we introduced the acronym CIA to describe three fundamental concerns of information security. Write one of the words represented by the letters C, I, or A: ____________ .

2. ___________ is the art and science of sending secure messages from one party to another party.

3. Name one example of a type of security threat described or discussed in last Sunday’s class: ________.

Goals For Today

By the end of today's class you should be able to:

– Apply simple risk management techniques and frameworks to uncover the largest information security risks in an organization, and to focus your information security resources appropriately.

– Explain how cryptography techniques can be used to support Confidentiality, Integrity, and Authentication

– Identify and explain the primary types of information security attacks and risks

– Understand some of the basic technologies and techniques used to address these threats

Information Security Management

Information Security Is A Management Issue First

• Creating information security policies and prioritizing threats is a business issue and responsibility

• The role of the IT team is to provide a secure IT infrastructure that mitigates the threats identified by the business team

• Many management teams abdicate their responsibility for information security. Why?
  – Incentive structure (costs for failure, success is invisible)
  – Ignorance, fear, and loathing of technology/technologists
  – Lack of understanding of threat (wait for the crisis)

Information Security Management Is Risk Management

• You can’t afford to completely secure all digital information in your organization

• Recognize this and address the challenge as a standard risk management problem
  – Identify and prioritize risks
  – Plan to meet them so as to minimize expected losses
  – Focus on your primary business

Identifying and Prioritizing Threats

• Identify and catalog your company’s digital assets
  – Assign appropriate and explicit levels of importance to them

• Identify threats to those assets
  – Catastrophic threats
  – Expensive threats
  – Non-critical threats

• What would the cost be of having the digital assets
  – Exposed (stolen)
  – Destroyed (lost)
  – Changed

• Prioritize specific threats that need to be addressed
  – Through technical measures
  – Through personnel and policy measures

Match Your Response To The Threat

• Determine probability and cost of each threat
  – Why is this really hard to do accurately with IT?

• Determine whether you need to mitigate the threat through technical measures, policy measures, or both

• Work with technical or policy teams to implement threat mitigation plan

Match Your Response To The Threat: Example

Two levels of security in a bank branch: secure the pen with a leash vs. secure the cash with a vault

Develop Security Policies And Enforce Them

• Set policies defining appropriate usage of IT resources
  – Make it clear how information is categorized and what the categories mean (e.g. confidential, company-only, publicly available)
  – Identify who can access or change what information
  – Identify who has access to which systems. Why and for how long?
  – How do you handle sensitive data that has to leave your company?
  – Identify what employees are allowed to do with their machines
    • Can they modify them and install software on them?
    • Can they surf the web for personal use? Limits to which sites?

• Automate enforcement where it makes sense to do so, put policies in place where automated enforcement might not make sense

• Create policies and procedures for dealing with network/computer attacks
  – Plan how to handle common problems before they happen so that they don’t run out of control

Information Security Management Summary

• Information Security is a management issue first
  – Your IT security policies and approach should be driven by business goals and constraints
  – Fundamentally a matter of risk management

• It is non-trivial to identify, quantify, and prioritize your organization’s information security threats
  – The basic categories and types of threats are quite common
  – There are standard ways to mitigate most of these threats

• Match your strategy to threats appropriately

Cryptography Primer

Cryptography Helps Secure Information In Transit

• The internet is fundamentally an insecure medium

• Assume your network traffic can be:
  – Read
  – Intercepted
  – Modified
  – Forged

• Cryptography provides a mechanism for securing information sent over an electronic network
  – … and so much more!

Cryptography

Cryptography: a collection of mathematical techniques for protecting information

Encryption: The process of using cryptography to scramble a message

Decryption: The process of using cryptography to unscramble a message

Source: Garfinkel, Simpson, Web Security, Privacy & Commerce, 2nd Edition, O’Reilly, 2001

[Figure: the plaintext “Agent Jones: The shipment arrives tonight...” shown next to its encrypted, unreadable form]

Cryptography Can Provide:

• Confidentiality
• Integrity
• Authentication
• Non-Repudiation

• Note: Cryptography does not automatically provide availability or an audit trail (though it can strengthen the trust in an audit trail)

Basic Encryption Techniques

• Substitution: Replace each letter in a message with a different letter/symbol
  – Trivial example:
    • Guvf vf n frperg zrffntr!
    • This is a secret message!
  – Key: A: N, B: O, C: P, D: Q, E: R, F: S, G: T, H: U, I: V, J: W, K: X, L: Y, M: Z

• Transposition: Scramble the characters in a message
  – Trivial example:
    • !og a si htraE fo noisavnI
    • Invasion of Earth is a go!
  – Key: Reverse the order of the characters in the sentence

Symmetric Key Encryption

• Both sender and receiver know the algorithm used to encrypt a message and have the secret key necessary to decrypt it

• Message can be intercepted by a third party but it cannot be read

• Block cipher vs. Stream cipher

• Common symmetric key algorithms:
  – DES, Triple-DES, Blowfish, IDEA, RC2, RC4, RC5, Rijndael

Alice and Bob

• Alice wants to send a private message to Bob
• Secret agent Eve wants to intercept it
• Alice and Bob use symmetric key encryption to keep the message private

[Figure: message labeled “Top Secret!”]

Symmetric Key Analysis

• Benefits
  – Encryption and decryption can be very fast
  – Very strong algorithms available

• Drawback: Key Management is difficult
  – Both parties must initially exchange keys
  – Both parties must store keys securely
  – Unique keys necessary for each pair who want to communicate privately

PKI Example: Alice, Bob, and Eve

• Alice wants to send a private message to Bob but they don’t have a shared secret key

• Secret agent Eve still wants to intercept their message

• Alice and Bob use public key encryption to keep the message private

[Figure: message labeled “Top Secret!”]

Public Key Infrastructure (PKI)

• Public Key Cryptography: A technique for establishing encrypted communication channels between two parties who have not previously exchanged secret encryption keys

• Public Key Infrastructure: A suite of technology products that implement public key cryptography for non-cryptographers

Public Key Encryption

• Public Key Algorithms solve key exchange problems
  – Encrypt with recipient’s public key
  – Decrypt with recipient’s private key

• Drawbacks
  – Public keys are much larger than private keys
  – More complex to implement
  – Much slower than private key systems

• Common public key systems:
  – Diffie-Hellman, DSA/DSS, Elliptic Curves, RSA

Hybrid Approach

• A hybrid public/private key approach is most commonly used on the web
  – Generate a private key for this session
  – Use Public Keys to exchange that private key
  – All subsequent interactions for that session are encrypted with private key
  – Private key is discarded at end of session

Alice and Bob, Scenario 3

• Bob needs to confirm that a message he received from Alice truly came from Alice

• Secret agent Eve wants to impersonate Alice

• Solution: Alice uses a Digital Signature to sign her messages

[Figure labels: “Top Secret!”; “Top Secret Message From Alice (trust me)”]

Digital Signatures

• Digital Signatures use cryptographic techniques to provide:
  – Authentication
  – Integrity
  – Non-repudiation

• Digital signatures do not, by themselves, provide confidentiality
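
The hybrid approach and the digital-signature scenario above, combined in one added example (not part of the original slides): Alice signs her message, encrypts it under a fresh session key, and uses Bob's public key only to wrap that session key. It assumes the third-party Python `cryptography` package with RSA-OAEP, RSA-PSS and AES-GCM as the concrete algorithms, none of which the slides name; what the slides call the "private key for this session" is the symmetric session key here.

```python
# Added illustration, not code from the lecture. Requires the third-party
# "cryptography" package; the message and all keys are constructed here.
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Long-term RSA key pair: keep the first value secret, publish the second."""
    private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private, private.public_key()


def alice_send(message, alice_private, bob_public):
    """Sign as Alice, then hybrid-encrypt so that only Bob can read it."""
    signature = alice_private.sign(message, PSS, hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)  # fresh key per session
    nonce = os.urandom(12)
    # The fast symmetric cipher protects the signed bulk data ...
    body = AESGCM(session_key).encrypt(nonce, signature + message, None)
    # ... and the slow public-key step only wraps the 32-byte session key.
    wrapped_key = bob_public.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body}


def bob_receive(packet, bob_private, alice_public):
    """Return the plaintext, or None if it was altered or is not from Alice."""
    try:
        session_key = bob_private.decrypt(packet["wrapped_key"], OAEP)
        plain = AESGCM(session_key).decrypt(packet["nonce"], packet["body"], None)
        signature, message = plain[:256], plain[256:]  # RSA-2048 signature: 256 bytes
        alice_public.verify(signature, message, PSS, hashes.SHA256())
        return message
    except (InvalidSignature, InvalidTag, ValueError):
        return None


def demo():
    """Run the three Alice/Bob/Eve scenarios and report what Bob accepts."""
    alice_priv, alice_pub = new_keypair()
    bob_priv, bob_pub = new_keypair()
    eve_priv, _ = new_keypair()
    msg = b"Top Secret! (constructed sample message)"

    genuine = alice_send(msg, alice_priv, bob_pub)
    forged = alice_send(msg, eve_priv, bob_pub)  # signed with Eve's key, not Alice's
    flipped = genuine["body"][:-1] + bytes([genuine["body"][-1] ^ 1])
    tampered = dict(genuine, body=flipped)
    return {
        "genuine": bob_receive(genuine, bob_priv, alice_pub),    # accepted
        "forged": bob_receive(forged, bob_priv, alice_pub),      # signature check fails
        "tampered": bob_receive(tampered, bob_priv, alice_pub),  # integrity check fails
        "eve_reads": bob_receive(genuine, eve_priv, alice_pub),  # cannot unwrap the key
    }
```

The signature supplies authentication and integrity but no confidentiality, which is why it travels inside the encrypted body rather than beside it.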

Advanced Topic: Steganography

Steganography: The art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.

Popular recent movie examples: The DaVinci Code and National Treasure

Example:
• Load the first image
• Apply the Logical And operation with the number 3 to the image
• Make the image 85 times brighter
• You get the second image.
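
Why the numbers 3 and 85 work, as an added example that is not part of the original slides: the hidden image lives in the two lowest bits of each pixel, AND 3 isolates them, and multiplying by 85 stretches the values 0..3 to 0..255. The flat grayscale pixel lists, the sample data and the function names are assumptions made for this illustration.

```python
# Added illustration, not from the lecture. Images are flat lists of 8-bit
# grayscale pixel values; both sample images below are constructed.

COVER = [(i * 37 + 11) % 256 for i in range(16)]   # constructed "first image"
SECRET = [0, 64, 128, 255] * 4                      # constructed hidden image


def embed(cover, secret):
    """Hide the top 2 bits of each secret pixel in the low 2 bits of the cover."""
    if len(cover) != len(secret):
        raise ValueError("cover and secret must have the same number of pixels")
    return [(c & 0b11111100) | (s >> 6) for c, s in zip(cover, secret)]


def reveal(stego):
    """The slide's recipe: AND each pixel with 3, then make it 85 times brighter.

    AND 3 keeps only the two lowest bits (values 0..3); 3 * 85 = 255, so the
    multiplication spreads those four levels over the full 0..255 range.
    """
    return [(p & 3) * 85 for p in stego]


def max_distortion(cover, stego):
    """Largest per-pixel change caused by embedding: never more than 3 of 255."""
    return max(abs(c - s) for c, s in zip(cover, stego))


def sanitize(pixels):
    """Defensive scrub: zero the two low bits so any payload there is destroyed."""
    return [p & 0b11111100 for p in pixels]


def demo():
    stego = embed(COVER, SECRET)
    return {
        "recovered": reveal(stego),                   # coarse copy of SECRET
        "distortion": max_distortion(COVER, stego),   # invisible to the eye
        "after_scrub": reveal(sanitize(stego)),       # all black: payload gone
    }
```

The scrub step is the kind of control a gateway can apply to outbound images when low-bit hiding is a concern, at the cost of a change no viewer will notice.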

Limitations Of Cryptography

• Cryptography ≠ Security

• Cryptography cannot protect against:
  – Theft or exposure of unencrypted documents
  – Stolen encryption keys
  – Message traffic analysis
  – Denial of service attacks
  – Booby-trapped encryption programs
  – Malicious counter-parties

Securing An IT Infrastructure: Principles and Technologies

Principle: Compartmentalize Resources

• Carefully limit connectivity between:
  – The public internet
  – Your public-facing servers
  – Your employees’ computers (desktops/laptops/PDAs)
  – Key corporate servers (web, db, app servers, etc.)
  – Other common groups containing key information assets

• Assign appropriate levels of security to machines in each of these different compartments

• Carefully limit and monitor interactions between them

• Keep the most valuable assets “furthest” from public access

Compartmentalization Technology

• Firewalls
  – Filter network traffic
  – Decide what goes in and what goes out of a network
  – Act as a gatekeeper and buffer between networks
    • Such as the public internet and a company’s servers

• Network Address Translation (NAT)
  – Displays a “reachable” public IP address to outside world
  – Creates an “unreachable” network address for internal use

• DMZs (DeMilitarized Zones)
  – A network segment between two firewalls that buffers and limits traffic between the two network segments

Compartmentalization Example

[Diagram: The Internet, DMZ, Corporate Servers (Public Net), Corporate Servers (Private Net), Corporate Clients]

Principle: Secure the Perimeter

• Define clear boundaries of your network(s)

• For each of these networks, it should be clear what is ‘inside’ the network and what is ‘outside’ the network

• Put strong (fire)walls and gatekeepers at the perimeters

Securing The Perimeter: Physical Security

• A network is not secure without good physical security

• Control access to servers and networking equipment
  – Physical and procedural barriers
  – “Need to know/go” basis for access to machines and login passwords

• Limit the entrance and removal of trusted machines or storage media from the data center (e.g. laptops, USB keys, CDs, …)

• Beware of backups and old hard drives
  – Don’t throw them away without erasing data

Principle: Harden The Platform

• Reduce the “attack surface”
  – Don’t run unnecessary programs

• Keep up to date with patches and service packs
  – This is remarkably hard to do in practice!
  – Patching one problem often causes another

• Build secure applications

Principle: Strategic Heterogeneity

• Each element of your software and hardware platform has its own unique vulnerabilities

• If you have a standardized platform, once an attacker finds an exploit for one part of the system, he can exploit many other parts of the system also

• A bio-diversity model helps slow an attacker’s progress by presenting different kinds of defenses

[Figure: Cisco Firewall, Windows Web Server, Mainframe DB Server, Unix DB Server, Linux Firewall]

Counter-Principle: Keep It Simple (KISS)

• Heterogeneity comes at a cost – complexity
• Complexity and security don’t mix
• Why?

Principle: Use Strong Authentication

• Something that you know – user id and password
  – This is the most common authentication mechanism

• Something that you have
  – Smartcards
  – Keys/tokens – RFID tag, code generator, physical key
  – Physical access to a specific machine

• Something that you are (biometrics)
  – Fingerprint
  – Voiceprint
  – Facial recognition
  – Iris/retina print
  – Etc…

Strengthening Authentication

• Require 1, 2, or 3 of what you know/have/are
  – The more you can supply, the stronger the authentication

• Use a common authentication system for as many systems/interactions as possible
  – Why is this important?
  – Why is this hard to do in practice?

[Figure: MyID/EatShrimp + + = (images not preserved)]
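
Two-factor checking as described above, as an added example that is not part of the original slides: something you know (the password from the slide's MyID/EatShrimp figure) combined with something you have (a code generator, implemented here as RFC 6238 time-based one-time codes). The account record, the salt and the PBKDF2 iteration count are assumptions; the token secret is the RFC 6238 test key.

```python
# Added illustration, not from the lecture. The account record and salt are
# constructed; the token secret is the published RFC 6238 test-vector key.
import hashlib
import hmac
import struct


def totp(secret, now, step=30, digits=6):
    """Time-based one-time code (RFC 6238, HMAC-SHA-1), as a code generator shows it."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    """Store a slow, salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


ACCOUNT = {  # what the server keeps for user "MyID" (constructed record)
    "salt": b"constructed-salt",
    "pw_hash": hash_password("EatShrimp", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",
}


def authenticate(account, password, code, now):
    """Succeed only if BOTH factors check out; both are evaluated every time."""
    # Factor 1, something you know: constant-time comparison of password hashes.
    knows = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    # Factor 2, something you have: accept the current 30-second window and
    # one window either side to tolerate clock drift on the token.
    has = any(
        hmac.compare_digest(
            totp(account["totp_secret"], max(0, now + drift)).encode(),
            code.encode())
        for drift in (-30, 0, 30))
    return knows and has
```

A stolen password alone fails the second check, and a code that was shoulder-surfed stops working once its time window has passed.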

Principle: Control Access To Resources

• Access control specifies who has access to which resources

• Access control is different from authentication

• Try to use a consistent model across applications
  – Common model:
    • Users, Permissions, Groups, Roles, Scope
  – Create “zones” of your network with strong partitions between the zones

• Principle of Least Privileges

Principle: Constant Vigilance

• Securing IT infrastructure requires 24/7/365 vigilance

• Combination of automated and human actions

• Technology: Intrusion detection
  – Monitors traffic
  – Looks for attack patterns
  – Alerts when potential problems are found

Midterm Exam Results

• Overall, most people did well on the exam
• 85 points possible
• Score range: 50 (58%) to 83 (98%) (out of 85 possible)
• Median score: 75 (88%)
• Mean score: 72.3 (85%)

[Histogram: # of Scores (axis 0 to 20) by score range: 90-100, 80-89.9, 70-79.9, 60-69.9, 50-59.9, <50]
