Security Planning: Designing Information Security
Susan Lincke
Security Planning: An Applied Approach | 04/19/23
Objectives
Student should know how to:
• Define information security principles: need-to-know, least privilege, segregation of duties, privacy
• Define information security management positions: data owner, data custodian, security administrator
• Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
• Define authentication combinations: single factor, two factor, three factor (multifactor)
• Define biometric measures: FRR, FAR, FER, EER
• Define elements of BLP: read down, write up, tranquility principle, declassification
• Define military security policy: level of trust, confidentiality property
• Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
• Develop an information security classification scheme that addresses confidentiality and availability
Information Security Goals
CIA Triad: Confidentiality, Integrity, Availability
Plus: conformity to law and privacy requirements
Information Security Principles
• Need-to-know: persons should be able to access the data sufficient to perform their primary job, and no more
• Least privilege: persons should be able to perform the tasks sufficient to their primary job, and no more
• Segregation of duties: ensure that no one person can fill two of these roles for the same transaction: origination, authorization, distribution, verification
• Privacy: personal/private information is retained only when a true business need exists. Privacy is a liability: retain records for a short time
• The personnel office should have permissions changed as jobs change, so that access does not accumulate
Review: State Breach Law Protects...
Restricted data generally includes:
• Social Security Number
• Driver's license # or state ID #
• Financial account number (credit/debit) and access code/password
• DNA profile (Statute 939.74)
• Biometric data
Some states, and HIPAA, also protect:
• Health status, treatment, or payment information
Information Security Management Positions (organization chart)
• President
• Business Executive
• Chief Privacy Officer: protects customer and employee rights
• Chief Information Security Officer: creates and maintains a security program
• Chief Security Officer: physical security
• Chief Information Officer: manages information technology
• Data Owner: responsible for security of data
• Process Owner: responsible for security of a process
• Security Architect: designs and implements policies and procedures
• Security Administrator: administers computer and network security
• Data Custodian: maintains and protects data (backup/restore/monitor/test)
• IS Auditor: independent assurance of security objectives and controls
Some positions may be merged.
Information Owner or Data Owner
• Is responsible for the data within the business (a manager/director, not IS staff)
• Determines who can have access to the data, and either grants permissions directly OR gives written permission for access to the security administrator, to prevent mishandling or alteration
• Periodically reviews authorizations to restrict authorization creep
Other Positions
Data Custodian
• IS (security or IT) employee who safeguards the data
• Performs backup/restore
• Verifies integrity of data
• Documents activities
• May be the System Administrator
Security Administrator
• Allocates access to employees based on written documentation
• Monitors access to terminals and applications
• Monitors invalid login attempts
• Prepares security reports
Criticality Classification
• Critical ($$$$): Cannot be performed manually. Tolerance to interruption is very low
• Vital ($$): Can be performed manually for a very short time
• Sensitive ($): Can be performed manually for a period of time, but may cost more in staff
• Nonsensitive (¢): Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
Sensitivity Classification (Example)
• Proprietary: Strategic plan
• Confidential: Salary & health info
• Private (Internal): Product plans near release
• Public: Product users manual
Sensitivity Classification Workbook
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. | (none listed)
Confidential | Information protected by FERPA, PCI DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades, payment card information, employee information
Private | Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released. | Professor research, student homework, budgets
Public | Disclosure is not welcome, but would not adversely impact the organization. | Teaching lectures
Data Classification
• How do we mark classified information?
• How do we determine which data should be classified to which class?
• How do we store, transport, handle, and archive classified information?
• How do we dispose of classified data?
• What does the law say about handling this information?
• Who has authority to determine who gets access, and what approvals are needed for access?
Handling of Sensitive Data
Control | Confidential | Private | Public
Access | Need to know | Need to know | Need to know
Paper storage | Locked cabinet; locked room if unattended | Locked cabinet; locked room if unattended | Locked cabinet or locked room if unattended
Disk storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling & handling | Clean desk, low voice, no SSNs, ID required | Clean desk, low voice | Clean desk, low voice
Transmission | Encrypted | Encrypted; limited email, or append email security notice | (none specified)
Archive | Encrypted | Encrypted | (none specified)
Disposal | Degauss & damage disks; shred paper | Secure wipe; shred paper | Reformat disks
Storage & Destruction of Confidential Information
Storage
• Encrypt sensitive data
• Avoid touching the media surface
• Keep out of direct sunlight
• Keep free of dust and liquids; a firm container is best
• Avoid magnetic, radio, or vibrating fields
• Use anti-static bags for disks
• Avoid spikes in temperature for disks; bring to room temperature before use
• Write-protect floppies/magnetic media
• Store tapes vertically
Disposing of Media
• Meet record-retention schedules
• Reformat disk (note: a reformat alone leaves the data recoverable, so it is adequate only for public data)
• Use a "secure wipe" tool
• If highly secure: degauss (demagnetize) or physically destroy the media
Repair
• Remove memory before sending equipment out for repair
Permission Types
• Read, inquiry, copy
• Create, write, update, append, delete
• Execute, check
Access Matrix Model (HRU)
Subjects are rows, objects are columns; a subject (Jack) also appears as an object, so rights over other subjects can be recorded.
Subject | File A | File B | File C | Jack
Jack | rwx | rx | - | 
Jill | rwx | r | d | 
Jeff | r | rx | rwx | -
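The access matrix above, implemented as an added example (this code is not from the slides): the HRU primitive operations (create subject/object, enter/delete right) maintain the matrix, the two views that real systems store (an ACL is a column, a capability list is a row) are derived from it, and a conditional HRU command shows why rights over the matrix itself matter: the "own" right that lets Jack grant rights on File A is an assumption added here, as is the reading of the slide's blank cells.

```python
from collections import defaultdict


class AccessMatrix:
    """Access-control matrix: rows are subjects, columns are objects.

    Every subject is also entered as an object, so a cell can hold rights
    over another subject (the 'Jack' column on the slide).
    """

    def __init__(self):
        self.matrix = defaultdict(lambda: defaultdict(set))  # [subject][object] -> rights
        self.subjects = set()
        self.objects = set()

    # HRU primitive operations
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_object(self, o):
        self.objects.discard(o)
        for s in self.subjects:
            self.matrix[s].pop(o, None)

    def enter_right(self, right, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject or object: {s!r}, {o!r}")
        self.matrix[s][o].add(right)

    def delete_right(self, right, s, o):
        self.matrix[s][o].discard(right)

    # Queries and the two derived views
    def allowed(self, s, o, right):
        return right in self.matrix[s][o]

    def acl(self, o):
        """Column view: for object o, which subjects hold which rights."""
        return {s: sorted(self.matrix[s][o]) for s in self.subjects if self.matrix[s][o]}

    def capabilities(self, s):
        """Row view: for subject s, rights held on every object."""
        return {o: sorted(r) for o, r in self.matrix[s].items() if r}


def grant(m, grantor, grantee, obj, right):
    """HRU conditional command: copy a right only if the grantor holds 'own' on obj.

    The 'own' right is an assumption of this example; the slide shows only r/w/x/d.
    """
    if not m.allowed(grantor, obj, "own"):
        return False
    m.enter_right(right, grantee, obj)
    return True


def build_slide_matrix():
    """Matrix as transcribed from the slide (cells that were blank stay empty)."""
    m = AccessMatrix()
    for s in ("Jack", "Jill", "Jeff"):
        m.create_subject(s)
    for o in ("File A", "File B", "File C"):
        m.create_object(o)
    rows = {
        "Jack": {"File A": "rwx", "File B": "rx"},
        "Jill": {"File A": "rwx", "File B": "r", "File C": "d"},
        "Jeff": {"File A": "r", "File B": "rx", "File C": "rwx"},
    }
    for s, cells in rows.items():
        for o, rights in cells.items():
            for r in rights:
                m.enter_right(r, s, o)
    m.enter_right("own", "Jack", "File A")   # assumed, so grant() has something to check
    return m


if __name__ == "__main__":
    m = build_slide_matrix()
    print("ACL for File A:", m.acl("File A"))
    print("Capabilities of Jeff:", m.capabilities("Jeff"))
    print("Jack grants Jeff write on File A:", grant(m, "Jack", "Jeff", "File A", "w"))
    print("Jill grants Jeff write on File B:", grant(m, "Jill", "Jeff", "File B", "w"))
```

The grant command is the point of HRU: whether a right can propagate depends on rights that are themselves cells of the matrix, which is why "who can change permissions" is as important a question as "who has permissions".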
Information Asset Inventory (Workbook)
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Sensitivity & Criticality Classifications: Sensitive, Vital
IS System/Server Name: Peoplesoft
Data Owner: Registrar: Monica Jones
Designated Custodian: IS Operations: John Johnson
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration. Access is permitted at any time/any terminal
Source: CISA Review Manual 2009
Question
The person responsible for deciding who should have access to a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
Question
Least privilege dictates that:
1. Persons should have the ability to do tasks sufficient to perform their primary job and no more
2. Access rights and permissions shall be commensurate with a person's position in the corporation, i.e., lower layers have fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive
Question
A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital to the organization
Question
The person responsible for restricting and monitoring permissions is the:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
AUTHENTICATION & ACCESS CONTROL
Path access; authentication: login/password, biometrics; remote access
Security: Defense in Depth
Layers, from the outside in:
• Border router
• Perimeter firewall
• Internal firewall
• Intrusion detection system
• Policies, procedures & audits
• Authentication
• Access controls
Four Layers of Logical Security
Network -> System 1, System 2 -> App1, App2 -> Database
Two layers of general access: networks and systems. Two layers of granular control: applications and databases.
Password Rules
• Stored only as a one-way hash computed with a strong (salted, deliberately slow) password-hashing algorithm; never reversibly encrypted
• Never displayed (except as ***)
• Never written down and retained near the terminal or in a desk
• Passwords should be changed every 30 days, notifying the user in advance (note: current guidance such as NIST SP 800-63B drops forced periodic change in favor of changing a password when there is evidence of compromise)
• A password history should prevent a user from reusing the same password within 1 year
• Passwords should be >= 8 (better 12) characters, including 3 of: lower-case alpha, upper-case alpha, numeric, and special characters
• Passwords should not be identifiable with the user, e.g., a family member's or pet's name
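The rules above as enforcement code, added here as an example (not from the slides): passwords are stored only as salted scrypt hashes from the Python standard library, comparison is constant-time, the length and character-class rules are checked, and the one-year history is enforced by verifying the candidate against each recent hash, since two salted hashes of the same password cannot be compared directly. The scrypt cost parameters, the salt length and the user-term check are assumptions of this example.

```python
import hashlib
import hmac
import os
import string
import time

MIN_LEN = 8               # slide: >= 8, better 12
CLASSES_REQUIRED = 3      # 3 of: lower case, upper case, digit, special
HISTORY_DAYS = 365        # slide: no reuse within 1 year
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumed cost parameters
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return salt || scrypt(password). One-way: the password cannot be recovered."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)     # constant-time comparison


def complexity_ok(password):
    if len(password) < MIN_LEN:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= CLASSES_REQUIRED


def identifiable_with_user(password, user_terms):
    """True if the password contains the user's own name, a family member's or a pet's."""
    p = password.lower()
    return any(t.lower() in p for t in user_terms if len(t) >= 3)


class PasswordStore:
    def __init__(self):
        self.history = {}     # user -> [(set_at, hash), ...], newest last

    def change_password(self, user, new_password, user_terms=(), now=None):
        """Apply the slide's rules; returns (accepted, reason)."""
        now = time.time() if now is None else now
        if not complexity_ok(new_password):
            return False, "fails length/character-class rules"
        if identifiable_with_user(new_password, user_terms):
            return False, "identifiable with user"
        cutoff = now - HISTORY_DAYS * 86400
        # Salted hashes can't be compared directly, so verify against each recent one
        for set_at, h in self.history.get(user, []):
            if set_at >= cutoff and verify_password(new_password, h):
                return False, "reused within the history window"
        self.history.setdefault(user, []).append((now, hash_password(new_password)))
        return True, "ok"

    def login(self, user, password):
        entries = self.history.get(user)
        return bool(entries) and verify_password(password, entries[-1][1])
```

Keeping old hashes for the history check means old passwords remain attackable offline if the store leaks; that is the trade-off the one-year rule buys, and one reason to age entries out rather than keep them forever.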
Authentication Combinations
• Single factor: something you know (login & password)
• Multifactor authentication: using two or more different factors
• Two factor: add one of: something you have (card or ID token); something you are or do (biometric)
• Three factor: uses all three, e.g., badge, thumbprint, pass code
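A "something you have" factor in working code, added as an example (not from the slides): the one-time-password algorithms that hardware tokens and authenticator apps compute, HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based), built on HMAC-SHA1 from the standard library. The verifier accepts a window of one time step on either side to absorb clock drift and refuses to accept the same step twice, so a captured code cannot be replayed; the window size and the replay set are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter = floor(unix_time / step)."""
    t = int((time.time() if at is None else at) // step)
    return hotp(secret, t, digits)


def verify_totp(secret, code, at=None, step=30, window=1, used=None):
    """Accept the code for the current step +/- window; never accept a step twice."""
    t = int((time.time() if at is None else at) // step)
    for step_no in range(t - window, t + window + 1):
        if used is not None and step_no in used:
            continue                                   # replay of an already-used step
        if hmac.compare_digest(hotp(secret, step_no), code):
            if used is not None:
                used.add(step_no)
            return True
    return False


def two_factor_login(password_ok, secret, code, at=None, used=None):
    """Something you know AND something you have: both must pass."""
    return bool(password_ok) and verify_totp(secret, code, at=at, used=used)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))           # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(secret, at=59, digits=8))   # 94287082 per RFC 6238
    print("Current TOTP:", totp(secret))
```

The secret is the real credential here: it is shared with the server and must be stored as carefully as a password hash cannot protect it (it has to be recoverable to compute the code), which is why TOTP seeds belong in an encrypted store or an HSM rather than beside the user table.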
Biometrics
Biometrics: who you are or what you do. Susceptible to error:
• False Rejection Rate (FRR): rate of legitimate users rejected in error
• False Acceptance Rate (FAR): rate of impostors accepted in error
• Failure to Enroll Rate (FER): rate of users who failed to successfully register
• Equal Error Rate (EER): the operating point where FRR = FAR. Relaxing the match threshold raises FAR and lowers FRR; tightening it raises FRR and lowers FAR. A lower EER means a more accurate system.
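How FAR, FRR and EER are actually computed, as an added example (not from the slides): given match scores for genuine users and for impostors, each candidate acceptance threshold yields one (FAR, FRR) pair, and the EER is read off where the two curves cross. The scores below are constructed, and FER is counted separately from enrolment outcomes because it is an enrolment failure, not a matching error.

```python
def rates(genuine, impostor, threshold):
    """FAR = impostors scoring at/above the threshold; FRR = genuine users scoring below it."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def roc_curve(genuine, impostor):
    """One (threshold, FAR, FRR) point per distinct observed score."""
    points = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(genuine, impostor, t)
        points.append((t, far, frr))
    return points


def equal_error_rate(genuine, impostor):
    """Return (eer, threshold) at the sweep point where |FAR - FRR| is smallest."""
    best = None
    for t, far, frr in roc_curve(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def failure_to_enroll(enrol_outcomes):
    """enrol_outcomes: True for each user who enrolled successfully, False otherwise."""
    return enrol_outcomes.count(False) / len(enrol_outcomes)


# Constructed sample match scores (0..100): higher = closer match to the claimed identity
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 58]
IMPOSTOR = [12, 18, 24, 30, 35, 41, 47, 55, 62, 71]


if __name__ == "__main__":
    for t, far, frr in roc_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:3d}: FAR={far:.1f} FRR={frr:.1f}")
    print("EER, threshold:", equal_error_rate(GENUINE, IMPOSTOR))
```

The sweep makes the slide's trade-off concrete: the same sensor is "low FAR" or "low FRR" depending only on where the threshold is set, so a vendor's single FAR figure means little without the FRR at that same operating point.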
Biometrics with Best Response & Lowest EER
Type (best at top) | Advantages | Disadvantages
Palm | Social acceptance | Physical contact
Hand (3D) | Social acceptance, low storage | Not unique; injury affects
Iris | No direct contact | High cost, high storage
Retina | Low FAR | High cost; 1-2 cm away: invasive
Fingerprint | Low cost; more storage = lower EER | Physical contact -> grime -> poor quality image
Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
Signature | Easy to use, low cost | Uniqueness; writing onto a tablet differs from paper
Face | Social acceptance | Not unique; overcome with high storage
Source: CISA Review Manual 2009
Biometric Info Mgmt & Security Policy
• Identification & authentication procedures
• Backup authentication
• Safe transmission/storage of biometric data
• Security of physical hardware
• Validation testing
• Auditors should ensure documentation & use is professional
Single Sign On
Advantages
• One good password replaces lots of passwords
• IDs consistent throughout system(s)
• Reduced admin work in setup & forgotten passwords
• Quick access to systems
Disadvantages
• Single point of failure -> total compromise
• Complex software development due to diverse OS
• Expensive implementation
Figure: the user enters a password once in the primary domain (system); the secondary domains (App1, DB2, App3) accept the primary domain's authentication.
Recommended Password Allocation
Figure: flow between the user and the security admin
1. Security admin verifies the user's ID (e.g., by email)
2. User is allocated a random password, or sent an email with a link; the user is informed in a controlled manner
3. First-time login: the user must change the password
4. Subsequent logins proceed normally
Account states:
• [Invalid password attempts] Entering 5 invalid passwords moves the account from [unlocked] to [locked]; security is notified
• [Auto timeout] The system automatically unlocks the account after a timeout: [locked] -> [unlocked]
• [Manual] Security admin unlocks the account after verifying the user: [locked] -> [unlocked]
• [Forgot password] Return to step 1: verify the user's ID and allocate a new password
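The allocation and lockout flow above as a state machine, added as an example (this code is not from the slides): a random initial password that must be changed at first login, a lock after five invalid attempts with a notification recorded, automatic unlock after a timeout, manual unlock by the security admin, and the forgot-password path that restarts at identity verification. The 15-minute timeout is an assumption (the slide says only "auto timeout"), and the password is compared in the clear here to keep the state logic visible; a real store keeps only a hash.

```python
import secrets
import string

MAX_FAILURES = 5
AUTO_UNLOCK_SECONDS = 15 * 60      # assumed; the slide only says "auto timeout"


class Account:
    def __init__(self, user):
        self.user = user
        self.state = "UNLOCKED"
        self.failures = 0
        self.locked_at = None
        self.must_change = False
        self.password = None
        self.events = []               # (time, event): the account's audit trail

    def _log(self, now, event):
        self.events.append((now, event))

    def allocate_initial_password(self, now):
        """Step 2: after the admin verified the user's ID, issue a random one-time password."""
        alphabet = string.ascii_letters + string.digits
        self.password = "".join(secrets.choice(alphabet) for _ in range(12))
        self.must_change = True
        self._log(now, "initial password allocated")
        return self.password

    def _maybe_auto_unlock(self, now):
        if self.state == "LOCKED" and now - self.locked_at >= AUTO_UNLOCK_SECONDS:
            self.state, self.failures, self.locked_at = "UNLOCKED", 0, None
            self._log(now, "auto unlock")

    def login(self, password, now):
        """Returns OK, CHANGE_PASSWORD (first login), DENIED or LOCKED."""
        self._maybe_auto_unlock(now)
        if self.state == "LOCKED":
            self._log(now, "login refused: locked")
            return "LOCKED"
        if password != self.password:
            self.failures += 1
            self._log(now, f"invalid password ({self.failures})")
            if self.failures >= MAX_FAILURES:
                self.state, self.locked_at = "LOCKED", now
                self._log(now, "account locked; security notified")
                return "LOCKED"
            return "DENIED"
        self.failures = 0
        if self.must_change:
            self._log(now, "first login: password change required")
            return "CHANGE_PASSWORD"
        self._log(now, "login ok")
        return "OK"

    def change_password(self, new_password, now):
        self.password, self.must_change = new_password, False
        self._log(now, "password changed")

    def manual_unlock(self, now):
        """Security admin unlocks after reviewing the notification."""
        if self.state == "LOCKED":
            self.state, self.failures, self.locked_at = "UNLOCKED", 0, None
            self._log(now, "manual unlock")

    def forgot_password(self, now):
        """Admin re-verifies identity, then the flow restarts at allocation."""
        self.manual_unlock(now)
        return self.allocate_initial_password(now)
```

Note that a successful login resets the failure counter: without that, an attacker could count on stale failures to lock a user out later, and a legitimate user's occasional typos would accumulate into a lockout.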
Admin & Login ID Rules
• Restrict the number of admin accounts
• An admin password should be known by only one user
• Admin accounts should never be locked out (so that an attacker cannot lock administrators out with failed attempts), whereas other accounts are
• An admin password can be kept in a locked cabinet in a sealed envelope, where a top manager has the key
• Login IDs should follow a confidential internal naming rule
• Common accounts (Guest, Administrator, Admin) should be renamed
• Session timeout should require password re-entry
Access Control Techniques
Figure labels on the slide: Mandatory Access Control, Discretionary Access Control, Role-Based Access Control.
Discretionary Access Control (the file's owner sets permissions for owner and group)
File | Owner | Group | Permissions (owner, group)
A | John | Mgmt | rwx, r-x
B | June | Billing | (not set), r
C | May | Factory | r-x, r-x
D | Al | Billing | 
E | Don | Billing | 
Role-Based Access Control (permissions follow the role)
Login | Role | Permission
John | Mgr | A, B, C, D, E, F
June | Acct. | A, B, C
Al | Acct. | A, B, C
May | Factory | D, E, F
Pat | Factory | D, E, F
Per-login permission list (access assigned to each login individually)
John: A, B, C, D, E, F
June: A, B, C
May: D, E, F
Al: A, B
Don: B, C
Pat: D, F
Tom: E, F
Tim: E
Access Control Techniques
• Mandatory Access Control: access decided by the system from labels (classifications) under a central policy; the resource's owner cannot override it
• Discretionary Access Control: the person who owns (holds permissions on) the resource decides who else gets access
• Role-Based Access Control: access determined by the person's role in the organization; permissions attach to roles and users are assigned roles
• Physical Access Control: locks, fences, biometrics, badges, keys
Workbook: Role-Based Access Control
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Student Records: Grading Form RW; Student Transcript (current students) R; Transfer credit form R
Advising | Student Records: Student Transcript (current students) R; Fee Payment R; Transfer credit form R
Registration | Student Records: Fee Payment RW; Transfer credit form RW
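The workbook's three roles enforced in code, added as an example (not from the slides): users are assigned roles, roles carry (form, permission) pairs, and an access check is the union over the user's roles. A segregation-of-duties constraint that forbids holding Instructor and Registration together is an assumption of this example, as is the review report that lists who can write which form for the data owner's periodic authorization review.

```python
ROLE_PERMISSIONS = {
    "Instructor":   {("Grading Form", "RW"), ("Student Transcript", "R"), ("Transfer credit form", "R")},
    "Advising":     {("Student Transcript", "R"), ("Fee Payment", "R"), ("Transfer credit form", "R")},
    "Registration": {("Fee Payment", "RW"), ("Transfer credit form", "RW")},
}
# Assumed conflicting role pairs (segregation of duties): grading and registering fees
CONFLICTS = {frozenset({"Instructor", "Registration"})}


class RBAC:
    def __init__(self, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
        self.role_permissions = role_permissions
        self.conflicts = conflicts
        self.user_roles = {}           # user -> set of role names

    def assign(self, user, role):
        """Give a user a role, refusing combinations the SoD policy forbids."""
        if role not in self.role_permissions:
            raise KeyError(role)
        held = self.user_roles.setdefault(user, set())
        for r in held:
            if frozenset({r, role}) in self.conflicts:
                raise ValueError(f"{role} conflicts with {r} for {user}")
        held.add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """form -> set of permission letters, the union over all of the user's roles."""
        out = {}
        for role in self.user_roles.get(user, ()):
            for form, perm in self.role_permissions[role]:
                out.setdefault(form, set()).update(perm)
        return out

    def check(self, user, form, op):
        """op is 'R', 'W' or 'X'; unknown users and forms are denied."""
        return op in self.permissions(user).get(form, set())

    def review(self):
        """Authorization review: for each user, the forms they can write."""
        return {u: sorted(f for f, p in self.permissions(u).items() if "W" in p)
                for u in self.user_roles}


if __name__ == "__main__":
    rbac = RBAC()
    rbac.assign("prof", "Instructor")
    rbac.assign("reg", "Registration")
    print(rbac.check("prof", "Grading Form", "W"), rbac.check("prof", "Fee Payment", "R"))
    print(rbac.review())
```

Because permissions live on roles, a job change is handled by reassigning roles rather than editing per-user entries, which is what keeps the personnel-office rule from the principles slide workable at scale.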
System Access Control
• Establish rules for access to information resources
• Create/maintain user profiles
• Allocate user IDs requiring authentication (per person, not per group, so that actions can be attributed to an individual)
• Notify users of valid use and access before and upon login
• Ensure accountability and auditability by logging user activities
• Log events
• Report access control configuration & logs
Application-Level Access Control
• Create/change file or database structure
• Authorize actions at the: application level, file level, transaction level, field level
• Log network & data access activities to monitor access violations
Which Computer Do You Trust?
You plan to make a purchase on-line. Would you use:
• Your office computer?
• A library or college computer?
• Your children's computer?
Trusted Computing Base (TCB)
Figure: a client stack (trusted hardware -> trusted operating system -> trusted apps 1, 2, 3) and a server stack (trusted hardware -> trusted operating system -> trusted services 1, 2, 3), joined by a trusted network.
A trusted app has:
• Vertical dependencies: the layers beneath it on the same machine: operating system, hardware
• Horizontal dependencies: the peers it relies on across the network: server applications, network, authentication server, ...
Processing Requires Dependencies
Vertical dependencies: a Secret app requires a Secret-level database, Secret-level OS, and Secret-level hardware
Horizontal dependencies: a Secret app requires Secret-level servers, Secret-level communications, and Secret-level authentication
Trusted Computing Base (TCB)
Figure: the same client and server stacks (trusted hardware, trusted OS, trusted apps/services, trusted network) with the security policy drawn around the TCB subset; each app's security code is an encapsulated security implementation.
• TCB subset: a verified security policy provides reliability
• Encapsulated security implementation provides rapid implementation
Bell and La Padula Model (BLP)
Simple security property (read down) and *-property, also called the confinement property (write up):
• Read down: a subject may read an object if the subject's class is >= the object's class
• Write up: a subject may write an object if the subject's class is <= the object's class
• Tranquility principle: an object's class cannot change (while it is in use)
• Declassification: a subject can lower his/her own class, and so write at a lower level
Figure: Joe is at Secret. Top Secret: write only. Secret: read & write. Confidential: read only. Non-Classified: read only.
Military Security Policy
• A person (a subject, potentially a project) has an authorization level or level of trust (S, D) = (sensitivity, domain)
• An object has a security class (S, D)
• Confidentiality property: a subject can read an object if the subject's level dominates the object's classification: the subject's sensitivity is at least the object's, and the subject's domain set includes the object's domain(s)
Class | Finance | Engineering | Personnel
Top Secret | Customer list | New plans | 
Secret | Dept. budgets | Code | Personnel review
Confidential | Expenses | Emails | Salary
Non-Classified | Balance sheet | Users manuals | Position descriptions
Example subjects: (Secret, Eng), (Confid., Finance)
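The BLP rules from the previous slide applied to this slide's (sensitivity, domain) lattice, as an added example (not from the slides): a label dominates another when its level is at least as high and its domain set contains the other's; reading requires the subject to dominate the object, writing requires the object to dominate the subject, and object labels are immutable to model tranquility. The objects are the cells of the table above; a subject holding two domains is an assumption added to show the lattice is not a simple ladder.

```python
from dataclasses import dataclass

LEVELS = {"Non-Classified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)          # frozen: a label cannot be changed once assigned (tranquility)
class Label:
    level: str
    domains: frozenset

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of domains."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.domains >= other.domains)


def label(level, *domains):
    return Label(level, frozenset(domains))


def can_read(subject, obj):
    return subject.dominates(obj)          # simple security property: read down only


def can_write(subject, obj):
    return obj.dominates(subject)          # *-property: write up only


# Objects from the slide's table, one per filled cell
OBJECTS = {
    "Customer list": label("Top Secret", "Finance"),
    "New plans": label("Top Secret", "Engineering"),
    "Dept. Budgets": label("Secret", "Finance"),
    "Code": label("Secret", "Engineering"),
    "Personnel review": label("Secret", "Personnel"),
    "Expenses": label("Confidential", "Finance"),
    "Emails": label("Confidential", "Engineering"),
    "Salary": label("Confidential", "Personnel"),
    "Balance sheet": label("Non-Classified", "Finance"),
    "Users Manuals": label("Non-Classified", "Engineering"),
    "Position Descriptions": label("Non-Classified", "Personnel"),
}


def readable(subject):
    return sorted(name for name, lbl in OBJECTS.items() if can_read(subject, lbl))


def writable(subject):
    return sorted(name for name, lbl in OBJECTS.items() if can_write(subject, lbl))


if __name__ == "__main__":
    joe = label("Secret", "Engineering")
    print("Joe (Secret, Eng) can read:", readable(joe))
    print("Joe (Secret, Eng) can write:", writable(joe))
    print("(Confidential, Finance) can write:", writable(label("Confidential", "Finance")))
```

Write-up is the counter-intuitive half: a Secret engineer may append to a Top Secret plan he cannot read back, which is exactly what stops him from copying Secret material into a Confidential email.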
BIG Data
Example record: Alice Winter, 222 Pine Dr., 262-513-2341, Birth=1989, Diabetic
Options include: encryption, access control, firewall, security intelligence
• Obfuscate: make data unclear
• Distribute data across multiple locations: no single location has useful data (e.g., RAID)
• Blacklist: not stored, or accessible only via permission
• Whitelist: permitted to be seen
• Anonymize: alter via statistical distribution
IS Auditor Verifies...
• Written policies & procedures are professional & implemented
• Access follows need-to-know
• Security awareness & training is implemented
• Data owners & data custodians meet their responsibility for safeguarding data
• Security administrator provides physical and logical security for IS programs, data, and equipment
• Authorization is documented and consistent with reality
See the CISA Review Manual for specific details
Question
A form of biometrics that is considered invasive by users is:
1. Retina
2. Iris
3. 3D hand
4. Signature
Question
A form of biometrics that is not prone to error is:
1. Retina
2. Voice
3. Finger
4. Signature
Question
Julie is a data owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as:
1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control
Source: CISA Review Manual 2009
Question
John has a security clearance of (Engineering, Confidential). Using the Bell and La Padula Model, John can write to:
1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified
Source: CISA Review Manual 2009
AUDIT TRAILS
Audit Trail
Audit trail tracks responsibility
• Who did what, when?
• Periodic review helps find excess-authority access and login successes & failures, and track fraud
Attackers often want to change the audit trail (to hide their tracks). The audit trail must be hard to change:
• Write-once devices
• Digital signatures
• Security & systems admins and managers may have READ-only access to the log
The audit trail must be sensitive to privacy:
• Personal information may be encrypted
Audit Trail Tools
• Audit reduction: filter to the important logs, eliminating unimportant ones
• Attack/signature detection: a sequence of log events may signal an attack (e.g., 1000 login attempts)
• Trend/variance detection: notices changes from normal user or system behavior (e.g., login during the night)
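The two audit-trail slides above in working code, added as an example (not from the slides): each record carries an HMAC over its content and the previous record's tag, so editing or deleting any entry breaks verification from that point on (the "hard to change" property, approximating a write-once device in software); personal data in a record is stored as a keyed hash for privacy; and the three review tools run over constructed sample events. The signing key, the event names, the five-failure threshold and the 08:00-17:59 working day are assumptions of this example.

```python
import hashlib
import hmac
from collections import Counter

LOG_KEY = b"assumed-log-signing-key"   # assumption; in practice held by a separate log host or HSM
ZERO = b"\x00" * 32


def pseudonymise(value):
    """Keyed hash of personal data: reviewable and linkable, but not readable."""
    return hmac.new(LOG_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


class AuditTrail:
    """Append-only log where each record's tag covers its content and the previous tag."""

    def __init__(self):
        self.records = []        # (ts, user, event, detail, tag)
        self.prev_tag = ZERO

    @staticmethod
    def _tag(prev_tag, ts, user, event, detail):
        content = f"{ts}|{user}|{event}|{detail}".encode()
        return hmac.new(LOG_KEY, prev_tag + content, hashlib.sha256).digest()

    def append(self, ts, user, event, personal=""):
        detail = pseudonymise(personal) if personal else ""
        tag = self._tag(self.prev_tag, ts, user, event, detail)
        self.records.append((ts, user, event, detail, tag))
        self.prev_tag = tag

    def verify(self):
        """Index of the first record whose chain link fails, or None if the trail is intact."""
        prev = ZERO
        for i, (ts, user, event, detail, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(prev, ts, user, event, detail), tag):
                return i
            prev = tag
        return None


def audit_reduction(records, keep=("LOGIN_FAIL", "PERMISSION_CHANGE", "PRIV_ESCALATION")):
    """Keep only the security-relevant event types."""
    return [r for r in records if r[2] in keep]


def signature_detection(records, threshold=5):
    """Accounts with at least `threshold` failed logins (password guessing)."""
    fails = Counter(r[1] for r in records if r[2] == "LOGIN_FAIL")
    return sorted(u for u, n in fails.items() if n >= threshold)


def variance_detection(records, work_hours=range(8, 18)):
    """Users with a successful login outside the assumed 08:00-17:59 working day."""
    return sorted({r[1] for r in records
                   if r[2] == "LOGIN_OK" and (r[0] // 3600) % 24 not in work_hours})


# Constructed sample events; ts is seconds since midnight of one day
SAMPLE = (
    [(9 * 3600, "alice", "LOGIN_OK", "")]
    + [(13 * 3600 + i, "bob", "LOGIN_FAIL", "") for i in range(6)]
    + [(13 * 3600 + 10, "bob", "LOGIN_OK", ""),
       (2 * 3600, "carol", "LOGIN_OK", ""),
       (14 * 3600, "alice", "PERMISSION_CHANGE", ""),
       (15 * 3600, "alice", "RECORD_VIEW", "Alice Winter, 222 Pine Dr.")]
)


def build_trail(sample=SAMPLE):
    trail = AuditTrail()
    for ts, user, event, personal in sample:
        trail.append(ts, user, event, personal)
    return trail


if __name__ == "__main__":
    t = build_trail()
    print("intact:", t.verify() is None)
    print("brute force suspects:", signature_detection(t.records))
    print("off-hours logins:", variance_detection(t.records))
    print("reduced to", len(audit_reduction(t.records)), "of", len(t.records), "records")
```

The chain only proves that nobody without the key altered the log; whoever holds the key can still rewrite it, which is why the slide wants administrators limited to read-only access and the signing done somewhere they cannot reach.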
Question
Audit trails:
1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick access
Summary
• Data is inventoried
• Data is allocated a sensitivity and criticality class
• Class handling is defined for handling, transporting, and storage
• Roles are allocated permissions (access control)
• Authentication (biometrics, two-factor authentication, single sign-on) establishes who the user is, so that access control can be enforced
• Trust enables use
• Access may be distributed across trusted components: Trusted Computing Base
• Audit trails enforce accountability
HEALTH FIRST CASE STUDY
Designing Information Security
Case study roles:
• Jamie Ramon, MD: doctor
• Chris Ramon, RD: dietician
• Terry: Licensed Practicing Nurse
• Pat: software consultant
Define Sensitivity Classification
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. | 
Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | 
Private | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released; for use with particular parties within the organization. | 
Public | Disclosure is not welcome, but would not adversely impact the organization; OR information is public record. | 
Define Sensitivity Classification
Classify each of these information items:
• Medical appointments
• Credit card information
• Budget
• Personnel records
• Patient treatment
• Contracts & licenses
• Business statistics
How should classes be treated?
Table 4.1.2: Handling of Sensitive Data
Control | Proprietary | Confidential | Private
Access | Need to know | Need to know | Need to know
Paper storage | Locked cabinet; locked room if unattended | Locked cabinet; locked room if unattended | Locked cabinet or locked room if unattended
Disk storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling and handling | Labeled 'Confidential'; clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy
Transmission | Encrypted | Encrypted | 
Archive | Encrypted | Encrypted | 
Disposal | Degauss & damage disks; shred paper | Secure wipe, damage disks; shred paper | Reformat disks
Special | | | 
Define Roles & Role-Based Access Control
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
(roles to be filled in) | 
Forms to be covered:
• Health Plan Eligibility: Health Plan; Eligibility: Active; Maximum Benefit; Co-Pay; Deductible; Exclusions; In-Plan Benefits; Out-of-Plan Benefits; Coordination of Benefits
• Specific Procedure Request: Procedure; Coverage; Max. Coverage; Co-pay / Non-covered; Dates; Patient Resp. Amounts
Information Asset Inventory (Workbook)
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Sensitive, Vital
IS Server: Peoplesoft
Data Owner (who decides who should have access?): 
Designated Custodian (who takes care of backups and sys admin functions?): 
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration. Access is permitted at any time/any terminal