MINS 217 Module 1 What is Information Security

Post on 21-Dec-2015

MINS 217

Module 1

What is Information Security

Information

• Defined in the text as: “Knowledge obtained from investigation, study, or instruction, intelligence, news, facts…”

• Information is value added knowledge

Security

• Defined in the text as: “Freedom from danger, safety; freedom from fear or anxiety”

• Security means both being, and feeling, safe.

Physical Security

• Physical security has been deemed important for many years and has many constructs in place.
  – Locks on doors
  – Safes/vaults
  – Police/fire departments
  – Bars on windows
  – Moats around the castle

Communications Security

• The FDHVDU FLSKHU is an example of an early encryption system developed because messengers were being captured in transit.

• Germany used the Enigma to encrypt messages to their military. See U-571 or try out the Enigma simulator at http://www.ugrad.cs.jhu.edu/~russell/classes/enigma/
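
The scrambled words on the slide above are the name of the cipher itself, written with every letter shifted three places forward. The following is an added example, not part of the original slides: it tries all 26 shifts and ranks the candidates by the share of letters that are among the nine most common in English. The function names and the scoring heuristic are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_uppercase
COMMON = set("ETAOINSHR")   # nine most frequent letters in English text
SLIDE_TEXT = "FDHVDU FLSKHU"  # the phrase exactly as it appears on the slide


def shift_text(text, key):
    """Shift each letter by `key` places (wrapping around); keep other characters."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return shift_text(plaintext, key)


def decrypt(ciphertext, key):
    return shift_text(ciphertext, -key)


def english_score(text):
    """Fraction of letters that are common English letters (a crude heuristic)."""
    letters = [c for c in text if c in ALPHABET]
    if not letters:
        return 0.0
    return sum(c in COMMON for c in letters) / len(letters)


def brute_force(ciphertext):
    """Return (score, key, candidate) for every possible key, best score first."""
    candidates = []
    for key in range(26):
        candidate = decrypt(ciphertext, key)
        candidates.append((english_score(candidate), key, candidate))
    return sorted(candidates, key=lambda c: (-c[0], c[1]))


def recover(ciphertext):
    """Pick the highest-scoring candidate; returns (key, plaintext)."""
    _, key, plaintext = brute_force(ciphertext)[0]
    return key, plaintext


if __name__ == "__main__":
    # The whole key space fits on one screen, which is why the scheme
    # protects nothing once the method is known.
    for score, key, candidate in brute_force(SLIDE_TEXT)[:3]:
        print(f"key={key:2d} score={score:.2f} {candidate}")
```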

Computer/Network Security

• Orange Book – Defined and linked functionality and assurance requirements for specific levels of certification. (NT 4 was C2 certified)

• Red Book – Added network functionality but still linked functionality and assurance.

Information Security

• None of the security efforts (physical, communications, computer, or network) mentioned so far have been successful. Why?

Information Security

• Each of the efforts represented a part of a larger problem that must be managed as a whole.

Information Security

• There are no standards at this time to which an organization can certify its systems and be assured of security. Why?
  – Rapid rate of technological growth continues making security standards obsolete before they can be implemented.
  – It is extremely difficult to prove a system, or even a component of the system, is secure.

Information Security

• Every organization is left to develop a security plan that protects its assets.

• There are many products that can be used in developing a plan, but no blueprint to determine which products to use, and how to weave them together.

• Security is an on-going process with no established finish line.

Information Security Includes

• Virus Protection

• Access Controls

• Firewalls/VPNs

• Smart Cards

• Biometrics

• Intrusion Detection

• Policy Management

Information Security Includes

• Vulnerability Scanning

• Encryption

• Physical Security

• Etc…

MINS 217

Module 2

Types of Attacks

Types of Attacks

• Access

• Modification

• Denial of Service (DoS)

• Repudiation

Access Attacks

• Snooping – Looking for information by sequentially searching through files

• Eavesdropping – Listening in on a conversation (e.g., sniffer programs)

• Interception – Actively inserting a device into the communications link. The information may or may not then be passed on to the legitimate destination.

Modification Attacks

• Changes – Changing information such as a grade or bank account balance on a system.

• Insertion – New information is added to the system.

• Deletion – Removal of existing information

DoS

• Denial of access to:
  – Information – cutting off access to the information the user is seeking
  – Applications – cutting off access to a needed application
  – Systems – cutting off access to information by bringing down the entire system
  – Communications – cutting off access to information by saturating or bringing down a communications link

Repudiation

• Masquerading – impersonating a person or device (e.g., taking an IP and/or Ethernet address of a device)

• Denying an event – disputing the accuracy of records, which is more easily done in an electronic environment.

MINS 217

Module 3

Hacker Techniques

Hacker’s Motivations

• Difference between hackers and crackers.

• Challenge

• Greed

• Vandalism

Historical Hacking Techniques

• Open Sharing (NFS, SMB, Gnutella)

• Bad Passwords (Morris Worm on pg. 41)

• Programming Flaw

• Social Engineering

• Buffer Overflow

• DoS

• DDoS

Advanced Hacking Techniques

• Sniffing switched networks

• Traffic redirection

• ARP spoofing

• DNS spoofing

• IP/MAC spoofing

• Etc…

Malicious Code

• Viruses - programs that piggyback on other programs

• Trojan Horses – A self-contained program that looks like something useful or desirable such as I LOVE YOU.

• Worms – Self-replicating programs (Recall the Morris Worm from module 1. Newer worms such as CodeRed and Slapper continue to be increasingly sophisticated)

MINS 217

Module 4

Information Security Services

Confidentiality

• The confidentiality services should ensure that information is only available to authorized users and applies to:
  – Files
  – Information in transmission
  – Traffic flow

Integrity

• Integrity is required for the prevention of both modification and repudiation attacks.

• The integrity service should ensure the correctness of the information and applies to:
  – Files
  – Information in transmission

Availability

• Availability ensures that information and services are accessible. There are several services that work to protect availability:
  – Backups
  – Fail-over
  – Disaster recovery

Accountability

• Should be referred to as AAA – Authentication, Authorization and Accounting. The author has left the second two functions out of this section.

• Authentication – Ensure the identity of the user via something they know, have, or are.

• Authorization – Ensure the user can only access services to which they have been granted access privileges.

• Audit/Accounting – Track each action on the system to the corresponding user.

MINS 217

Module 5

Legal Issues in Information Security

U.S. Criminal Law

• Interesting background can be found on the geocities website at www.access.gpo.gov/uscode/index.html

• 18 US Code 1030 is the primary statute under which computer crime is prosecuted and is fairly vague, saying any intentional access of a computer without authorization to do so is illegal.

• Statute also states that the offender must have obtained information that should have been protected, and that the damage is at least $5,000.

More U.S. Criminal Law

• There are extensions to 18 US Code 1030
  – 18 US Code 1029 – possessing more than 15 counterfeit credit cards is illegal with or without $5,000 in damages.
  – 18 US Code 2319 sets a $1,000 limit for copyright infringements (delete Napster)
  – 18 US Code 2511 sets rules on interception
  – Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) – Increases sentences and relaxes constraints on 18 US Code 1030

Sarbanes-Oxley

• Sarbanes-Oxley Act of 2002 – requires corporate officers to certify that they are responsible for establishing, maintaining, and regularly evaluating the effectiveness of the internal controls of the issuers of the firm’s financial statements.

• Places a “watch-dog” requirement on auditors that still seems to not be clearly defined.

Privacy Issues

• HIPAA (Health Insurance Portability and Accountability Act)
  – Sets rules for the standardization and privacy of health information
  – To whom does this apply????
  – Rules in effect as of April 15, 2003
  – Compliance required for many organizations by April 15, 2005.

Privacy Continued

• Gramm-Leach-Bliley (Financial Services Modernization Act)
  – Sets rules on the privacy and protection of customer information

MINS 217

Module 6

Policy

Why is Policy Important?

• Policy provides a common understanding in terms of the goals for security:
  – Determines how security should be implemented
  – Puts everyone on the same page

• See caution regarding education on the top of pg. 117

Defining Policies

• A policy should clearly define its:
  – Purpose – why was it created
  – Scope – to whom/what it applies
  – Responsibility – to whom does the policy apply

Information Policy

• Information should be classified as restricted, sensitive, public, etc…
  – Defines protections on each class of info
  – Defines who has access to each class of info
  – Defines responsibilities for those with access
  – Sets rules on how info is transmitted
  – Determines who, and in what situations, info can be destroyed
  – Determines acceptable method for destruction

Security Policy

• Defines requirements for security on computing and communications systems
  – Authentication/Authorization/Account… (audit)
  – Access control
  – Network connectivity
    • Importance of VPNs to wireless and remote connections
  – Encryption
  – Waivers

Computer Use Policy

• Defines acceptable use of computers
  – Computers are company owned and only company computers can be used
  – Ownership of information
  – Only company business can be performed
  – No expectation of privacy!!!!

Other Policies

• Internet Use

• Email

• File storage

• Backups

• Etc…

User Management Policy

• New employee procedure
  – User profiles are very important here

• Transferred employee

• Employee termination
  – Critical to remove all of an employee’s access immediately
  – This is difficult to impossible if the user has multiple user names on separate systems that are autonomously managed

System Administration

• Software upgrades

• Vulnerability scans

• Log reviews

• System monitoring

• Backups
  – Exactly what is backed up, where the backups are stored, and policies on access to these backups are all important issues

Incident Response Procedure

• In the past this was too often overlooked and incidents were dealt with in an ad-hoc fashion. Objectives to consider:
  – Protecting the organization’s information
  – Protecting the organization’s systems
  – Restoring operations
  – Prosecuting offenders
  – Reducing bad publicity (reducing bad publicity too often results in an unwillingness to prosecute)

Incident Response Procedure

• Meeting the objectives for a successful incident response requires many processes working effectively:
  – Identifying the event
  – Escalation
  – Information control (reputations are at stake)
  – Response
  – Clear authority
  – Documentation control

Disaster Recovery Plans

• These can be very brief or very complex depending on the organization and include single system failures up to site-wide events.

• An organization may choose to have an entire “hot site” prepared.

• One particular company requires each employee to have a home office. The company’s services can be operated out of an ISP site.

Business Continuity Plans

• Business continuity addresses how the company will operate during a crisis:
  – Some services may be suspended
  – Some services must remain functional
    • Levi Strauss during the 1989 San Francisco quake
  – Every business function must have a plan, even if that plan is simply to suspend the function

Creating Policy

• Defining priorities (What is important?)

• Defining acceptable behavior

• Identifying stakeholders

• Defining insightful outlines (RFC 2196)

• Develop the policy with security driving the process

Deploying Policy

• Gain buy-in – this is a huge process as this policy truly affects everyone in the organization. This requires active and visible support from the top of the organization down.

• Education is critical as employees must understand policy and the reasons behind it before they will truly buy in. Policy is better as an education tool than a club.

MINS 217

Module 7

Managing Risk

Risk

• Risk is the potential for loss that requires protection.

Vulnerability

• A vulnerability is a potential avenue of attack. This can be application or operating system related. It can also be a custodian leaving the computer room door open during cleaning.

Threat

• Threat - an action or event that may violate the security of the system.

• Figure 7-1, page 145 in course text

Agents

• Agents are people wishing to do harm to an organization.

• Agents require:
  – Access
  – Knowledge
  – Motivation

Access

• The agent must have access to the organization; this access may include:
  – Physical access to resources or facilities
  – Network access
  – Access in transit between two sources

Knowledge

• The agent must have some type of useful knowledge such as:
  – User IDs
  – Passwords
  – File names or locations
  – Phone numbers
  – IP addresses
  – Security procedures

Motivation

• Challenge

• Greed

• Malicious intent

Agents to Consider

• Employees

• Ex-employees

• Hackers

• Commercial rivals

• Terrorists

• Criminals

• Suppliers

• Customers

Risk

• Threat x Vulnerability = Risk

• Neither threats nor vulnerabilities alone are a risk. Only when combined is a risk created.

Identifying Vulnerabilities

• At least one good place to start looking for vulnerabilities is at the entrance and exit points (physical and electronic) within the organization.

• Some organizations have determined it’s too difficult to accomplish this task.

Identifying Vulnerabilities

• Some examples:
  – Internet connections
  – Remote access points
  – Connections to other organizations
  – Physical access to facilities
  – User access points
  – Wireless access points

Identifying Threats

• Much more difficult to manage threat identification than vulnerabilities

• Imagine if you had to do this for Microsoft

Countermeasures

• Firewalls

• Anti-virus software

• Access controls

• Two-factor authentication systems
  – Biometrics
  – Smart cards

• Badges

• Encryption

Module 8

Information Security Process

Cost of Reactive Security

• Total Cost of Security = Cost of Incident + Cost of Countermeasures

Cost of Proactive Security

• Cost of Information Security = Cost of Countermeasures

• Cost of the Incident + Cost of Countermeasures >> Cost of Countermeasures

• Caveat - The information above comes from the author and does not reflect that of the instructor

• While improving security does reduce the likelihood of an incident, it cannot remove the possibility

• Trying to remove the possibility of an incident cannot be accomplished cost effectively

Five Phases of Info Security

• Assessment

• Policy

• Implementation

• Training

• Audit

• See Figure 8-1 on page 163

Information Assessment

• Determine the value of information assets

• Determine the threats (all four categories)

• Determine current operational vulnerabilities

• Determine information asset risk exposure

• Determine appropriate measures to reduce risk to an appropriate level

• Provide a foundation for a security plan

Five Types of Assessment

• System-level vulnerability assessment

• Network-level risk assessment

• Organization-wide risk assessment

• Audit

• Penetration test

Assessment Information Sources

• Three primary sources
  – Employee interview
  – Document review
  – Physical inspection

• Examine areas shown on page 165

Network

• Some of the issues you should inspect and document are shown on pages 165 and 166

• Read the paragraphs at the bottom of page 166 for some important insights

Physical Security

• Issues ranging from locks on doors to who has the keys.

• Power

• Disaster Notification

• There are many pertinent issues outlined on pages 167 and 168.

Policies and Procedures

• See page 168 for a list of policies and procedures to inspect

• Note these lists are not comprehensive. Rather they simply provide an example of the types of issues to investigate.

• Also, read the “Ask the Expert” cut out at the top of page 171.

Attitude/Adherence

• Attitude
  – The “tone at the top” is a reference to the emphasis top management places on security

• Adherence
  – Both the intended as well as the actual security environment must be monitored. It’s not enough to say “this” is the way it’s supposed to be done.

Employees

• Many different areas in the chapter refer to the importance of employees knowing and understanding the security policies.

• It is also critical to ensure that employees buy into the importance of security policies and understand their individual roles and responsibilities.

Develop Policy

• Information policy

• Security policy

• Use policy

• Backup policy

• Account management policy

• Incident handling procedure

• Disaster recovery plan

Implement Security

• Security reporting systems

• Authentication systems

• Internet security
  – Firewalls, VPNs, etc…

• IDS

• Encryption

• Physical Security

• Staff

Awareness Training

• Executives

• Developers

• Administrators

• Employees

• Security staff

Conduct Audits

• Policy adherence audits

• Periodic and new project assessment audits

• Penetration tests

Develop Security Awareness

• Regular emails (perhaps with quizzes)

• Back of badges

• Posters on walls

• Periodic classes

Module 10

Firewalls

Application-Level Firewalls

• Also referred to as proxy firewalls

• All connections terminate on the firewall

• The firewall accepts the connection, analyzes the packet, and if appropriate opens a new connection and forwards to the destination
  – IP address of the original sender??
  – Does this violate RIAA proposed legislation??

Packet-Filtering Firewalls

• Connections do not terminate on the firewall.

• The firewall inspects the packet in transit and decides whether to pass it along.

• Stateful inspection allows a “reflexive” feature. (iptables)

• Almost layer 7 protocol independent
  – FTP
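
An added example, not from the course slides: a toy model of the filtering styles above. It shows why a static rule set must either drop replies or open every high port, how a state table gives the “reflexive” behaviour, and why active-mode FTP (taken here to be the exception the FTP note refers to) needs a helper that reads the control channel. Addresses, class names and the simplified PORT parsing are constructed for illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatelessFilter:
    """Judges each packet alone against a static set of open inbound ports."""

    def __init__(self, open_inbound_ports=()):
        self.open_inbound_ports = open_inbound_ports

    def allow(self, pkt):
        if is_inside(pkt.src):  # outbound traffic is always passed
            return True
        return pkt.dport in self.open_inbound_ports


class StatefulFilter:
    """Passes inbound packets only if they belong to a flow started from inside."""

    def __init__(self, ftp_helper=False):
        self.flows = set()     # (inside_ip, inside_port, outside_ip, outside_port)
        self.expected = set()  # one-shot pinholes: (outside_ip, inside_ip, inside_port)
        self.ftp_helper = ftp_helper

    def allow(self, pkt):
        if is_inside(pkt.src):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.ftp_helper and pkt.dport == 21:
                self._watch_ftp_control(pkt)
            return True
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.flows:  # reply to a connection opened from inside
            return True
        pinhole = (pkt.src, pkt.dst, pkt.dport)
        if pinhole in self.expected:  # data channel announced on the FTP control channel
            self.expected.discard(pinhole)
            self.flows.add(flow)
            return True
        return False

    def _watch_ftp_control(self, pkt):
        """Parse 'PORT h1,h2,h3,h4,p1,p2' and expect the server's data connection."""
        line = pkt.payload.decode("ascii", "replace").strip()
        if not line.upper().startswith("PORT "):
            return
        fields = line[5:].split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return
        nums = [int(f) for f in fields]
        if max(nums) > 255:
            return
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Only open a pinhole back to the client that sent the command and
        # never to a privileged port, so a control-channel message cannot
        # open a path to a different inside host.
        if ip != pkt.src or port < 1024:
            return
        self.expected.add((pkt.dst, ip, port))


# Constructed traffic using documentation address ranges.
WEB_OUT = Packet("10.0.0.5", 40000, "203.0.113.10", 80)
WEB_REPLY = Packet("203.0.113.10", 80, "10.0.0.5", 40000)
STRAY = Packet("198.51.100.7", 80, "10.0.0.5", 40000)
FTP_CTRL = Packet("10.0.0.5", 40001, "203.0.113.20", 21, b"PORT 10,0,0,5,195,80\r\n")
FTP_DATA = Packet("203.0.113.20", 20, "10.0.0.5", 50000)  # 195 * 256 + 80
FTP_OTHER = Packet("10.0.0.5", 40002, "203.0.113.20", 21, b"PORT 10,0,0,9,195,80\r\n")
DATA_OTHER = Packet("203.0.113.20", 20, "10.0.0.9", 50000)


def run(packet_filter, packets):
    """Feed packets through a filter in order and return the verdicts."""
    return [packet_filter.allow(p) for p in packets]


if __name__ == "__main__":
    web = [WEB_OUT, WEB_REPLY, STRAY]
    print("static, nothing open  :", run(StatelessFilter(), web))
    print("static, high ports open:", run(StatelessFilter(range(1024, 65536)), web))
    print("stateful               :", run(StatefulFilter(), web))
    print("stateful, FTP no helper:", run(StatefulFilter(), [FTP_CTRL, FTP_DATA]))
    print("stateful, FTP helper   :", run(StatefulFilter(True), [FTP_CTRL, FTP_DATA]))
```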

Firewall Design

• Single firewall
  – Users in front of firewall
  – Users behind firewall

• Dual firewall
  – DMZ

Module 11

Virtual Private Networks

Benefits of a Private Network

• Information remains in an organization's system (computers and network links)

• Reduced or perhaps no access limitations for users at remote sites.

• Instantaneous access to applications without the need for increased security relative to users at the local site

Drawbacks of a Private Network

• Cost

• Cost

• Cost

• Cost

• Implementation time

Definition of VPN

• Traffic is encrypted to prevent eavesdropping

• Endpoints authenticate and authorize session before data is exchanged

• Multiple protocols are supported

• Connection is point to point (Note that the session may travel a very diverse network)

Characteristics of VPN’s

• Encryption

  – Strong enough to ensure security for as long as the information is valuable

• End point authentication

• Different application-level protocols

• Point-to-point

  – Access-lists determine “tunnels” and ensure that each tunnel has appropriate encryption

User VPN’s

• VPN’s between an individual workstation and a central server (campus solution)

• The central server requires an authentication process

• The VPN allows the organization to limit the protocols, files, or systems that can be accessed based on user profile.

• The VPN can also allow use of protocols not otherwise available. (campus MS)

Issues with User VPN’s

• Users can have simultaneous access to other networks while connected via VPN to an organization's network.

• If users are infected with a virus or Trojan and are allowed access on ports like 135-139, then they can spread the virus.

• Both issues above show that security on the end user's computer must be trustworthy.

Managing User VPN’s

• Organizations must be careful what access is allowed via VPN’s

• If security constraints on VPN-connected devices are to be minimal then:

  – Multi-factor authentication should be used

  – The organization must directly support the computers that are allowed to make a VPN connection to the organization's network.

Site VPN

• Allows the secure connection of two networks across the Internet.

• Generally accomplished by border routers or firewalls near the border of the network.

• The router/firewall uses access lists including the sending and receiving IP addresses to determine which packets to drop into the “tunnel”.

Benefits of Site VPN’s

• Considerable cost savings when compared with leased-line alternatives.

• No need to install VPN client software on each user's computer.

• Strict limitations can be placed on access making site VPN’s a highly desirable technology for inter-company connections.

Issues with Site VPN’s

• Site VPN’s extend the organization's security perimeter.

• The level of access allowed via the VPN must be balanced by the security integrity of the remote network.

• Key updates must be managed carefully

Managing Site VPN’s

• If edge routers are used as a VPN peering point then CPU loads on the router must be much more carefully managed.

• Access lists must be created with care. Mistyping a single digit in an access list can cause the organization to be sending critical data in the clear. An IDS should be used to ensure data is encrypted.
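
The access-list mistake and the IDS check described above, as an added Python model that is not part of the original slides. It assumes an IPsec-style tunnel in which encrypted packets appear on the outside link as ESP between the two peers; all networks, addresses and function names are constructed for illustration.

```python
import ipaddress

SITE_A = ipaddress.ip_network("10.1.0.0/16")  # constructed local site
SITE_B = ipaddress.ip_network("10.2.0.0/16")  # constructed remote site

GOOD_ACL = [("10.1.0.0/16", "10.2.0.0/16")]
TYPO_ACL = [("10.1.0.0/16", "10.3.0.0/16")]   # one digit mistyped

# Constructed site-to-site traffic: (source, destination, payload)
PACKETS = [("10.1.5.20", "10.2.0.10", "payroll"),
           ("10.1.5.21", "10.2.7.7", "hr-records")]

def matches(acl, src, dst):
    """True if (src, dst) matches any entry of the tunnel access list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)

def border_router(acl, packets, peer_a="192.0.2.1", peer_b="198.51.100.1"):
    """Model of the VPN peer: matching packets leave as ESP between the
    peers; everything else is forwarded unchanged, in the clear."""
    wire = []
    for src, dst, payload in packets:
        if matches(acl, src, dst):
            wire.append({"src": peer_a, "dst": peer_b, "proto": "esp"})
        else:
            wire.append({"src": src, "dst": dst, "proto": "tcp",
                         "payload": payload})
    return wire

def ids_cleartext_alerts(wire):
    """IDS rule for the outside link: site-to-site addresses must never
    be visible outside the tunnel."""
    alerts = []
    for p in wire:
        s, d = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if p["proto"] != "esp" and s in SITE_A and d in SITE_B:
            alerts.append((p["src"], p["dst"]))
    return alerts

if __name__ == "__main__":
    print("correct ACL :", ids_cleartext_alerts(border_router(GOOD_ACL, PACKETS)))
    print("mistyped ACL:", ids_cleartext_alerts(border_router(TYPO_ACL, PACKETS)))
```

The router raises no error with the mistyped list; only the monitor on the outside link shows that both flows bypassed the tunnel.
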

Module 12

Encryption

Basic Encryption Concepts

• Confidentiality – Hides information either in transit or in storage.

• Integrity – Encryption can be used to identify changes to information in transit, or in storage.

• Accountability – Encryption can be used to authenticate the sender of information and prevent repudiation attacks.

Encryption Terms

• Plaintext – Information in its original form.

• Ciphertext – Information that has been obfuscated by the encryption algorithm.

• Algorithm – The method used to obfuscate the original information.

• Key – The information used to authorize the conversion of data.

Encryption Terms continued

• Encryption – The process of changing from plaintext to ciphertext.

• Decryption – The process of changing from ciphertext to plaintext.

• Cryptography – The use of encryption to conceal data.

• Cryptanalysis – Analyzing cryptographic algorithms to identify weaknesses.

Attacks Against Encryption

• Through weaknesses in the algorithm

• Through brute force against the key

• Through weaknesses in the surrounding system.

Private Key Encryption

• Commonly referred to as symmetric key encryption

• Must use the same key at both the sender and receiver

• Enigma

• http://www.ugrad.cs.jhu.edu/~russell/classes/enigma/

Substitution Ciphers

• Used for many years (Caesar Cipher)

• Susceptible to statistical frequency-based attacks and others

• Generally considered weak

One Time Pads

• Theoretically the only unbreakable encryption system.

• The weakness is in the fact that the pad must be carried by the user and is therefore subject to confiscation.

• The cost of creating and distributing pads leads organizations to reuse them. This creates the potential for failure.
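
Why pad reuse fails, as an added Python example that is not part of the original slides: when two messages are encrypted with the same pad, XORing the ciphertexts cancels the pad, so knowing or guessing one message reveals the other. The messages and the `PadBook` helper, which refuses to hand out pad bytes twice, are constructed for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))

class PadBook:
    """Tracks pad consumption so each pad byte is used at most once."""

    def __init__(self, pad: bytes):
        self._pad, self._used = pad, 0

    def encrypt(self, plaintext: bytes) -> bytes:
        end = self._used + len(plaintext)
        if end > len(self._pad):
            # Refuse instead of wrapping around and reusing pad material.
            raise ValueError("pad exhausted: distribute a new pad")
        chunk = self._pad[self._used:end]
        self._used = end
        return xor(plaintext, chunk)

def reuse_demo():
    """Encrypt two constructed messages with the SAME pad and show the leak."""
    pad = secrets.token_bytes(16)
    p1 = b"MEETING AT NOON."   # constructed message 1
    p2 = b"BUDGET IS 40000."   # constructed message 2
    c1, c2 = xor(p1, pad), xor(p2, pad)
    leaked = xor(c1, c2)               # pad cancels: equals p1 XOR p2
    recovered = xor(leaked, p1)        # anyone who knows p1 now reads p2
    return leaked == xor(p1, p2), recovered

if __name__ == "__main__":
    print(reuse_demo())
```
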

Symmetric Encryption Standards

• DES

• 3DES

• AES (Rijndael)

• IDEA

• RC5

• Skipjack

• Blowfish

Public Key Encryption

• Commonly referred to as an “asymmetric encryption algorithm”

• Uses a key pair with one key encrypting the message and another key decrypting

• Having one key does not allow you to determine the other key

• Provides encryption and authentication services

PKI Encryption Algorithms

• Diffie-Hellman

• RSA

• Elgamal

• Digital Signature Algorithm

• Elliptical Curve Algorithm

Digital Signatures

• In many ways far superior to pen and paper signatures

• Allow for authentication of the source and also tests for modifications

Key Management

• The author refers to key management as “the bane of all encryption systems”

• Generating good keys and distributing them can be difficult and expensive

• Whom should we trust to be the keeper of the keys?

Certificate Authority

• The CA is a central keeper of the keys.

• There may be differing levels of CA’s within an organization.

• The organization may also choose to trust other CA’s (Verisign) to authenticate keys from outside sources.

Module 13

Intrusion Detection

Early forms of Intrusion Detection

• Guards and dogs

  – Both dogs and guards provided a means to identify that something was happening and attempt to stop it.

• Alarm system

  – Businesses have found that a simple sticker in the window can deter thieves.

  – A computer based IDS is a little more difficult as it’s harder to tell the bad guys (packets intended to do harm) from the good.

Intrusion Detection Systems

• Host based

  – On a host looking for attacks against that particular host

• Network based

  – On a separate device that watches network traffic looking for indications of an attack

Host-based IDS

• There are many different types of sensors that are part of the IDS watching for different types of patterns

  – Log analyzers

  – Signature-based sensors

  – System call analyzers

  – Application behavior analyzers

  – File integrity analyzers

Network-based IDS

• Places network interface into promiscuous mode

• Advantages

  – Completely hidden

  – Monitors traffic to large number of devices

• Disadvantages

  – Who writes the rule set and how do you keep it up to date?

  – High bandwidth can cause packet misses

Configuring an IDS

• Define the goals of the IDS and what to monitor. This must include thresholds, etc.

• Attack recognition

• Policy monitoring

• Policy enforcement

• Incident response