Designing Information Security
Security Planning
Susan Lincke

Security Planning: An Applied Approach | 6/21/2016 | 2

Slide 2: Objectives
Student should know:
• Define information security principles: need-to-know, least privilege, segregation of duties, privacy
• Define information security management positions: data owner, data custodian, security administrator
• Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
• Define authentication combinations: single factor, two factor, three factor, multifactor
• Define biometric terms: FRR, FAR, FER, EER
• Define elements of BLP: read down, write up, tranquility principle, declassification
• Define military security policy: level of trust, confidentiality principle
• Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
• Develop an information security classification scheme that addresses confidentiality and availability

Slide 3: Information Security Goals
• CIA Triad: Confidentiality, Integrity, Availability
• Conformity to Law & Privacy Requirements

Slide 4: Information Security Principles
• Need-to-know: Persons should have the ability to access data sufficient to perform their primary job and no more
• Least Privilege: Persons should have the ability to do tasks sufficient to perform their primary job and no more
• Segregation of Duties: Ensure that no person can assume two of these roles: Origination, Authorization, Distribution, Verification
• Privacy: Personal/private info is retained only when a true business need exists. Privacy is a liability: retain records for a short time, and the personnel office should change permissions as jobs change

Slide 5: Review: State Breach Law Protects…
Restricted data generally includes:
• Social Security Number
• Driver's license # or state ID #
• Financial account number (credit/debit) and access code/password
• DNA profile (Statute 939.74)
• Biometric data
Some states & HIPAA protect: Health status, treatment, or payment

Slide 6: Security Positions (organization chart)
• President
• Chief Sec. Officer: Physical Security
• Data Owner: Responsible for security of data
• Business Executive / Process Owner: Responsible for security of process
• Chief Privacy Officer: Protects customer & employee rights
• Chief Info Sec. Officer: Creates and maintains a security program
• IS Auditor: Independent assurance of security objectives & controls
• Chief Info. Officer: Manages Information Technology
• Security Architect: Designs/implements policies & procedures
• Security Admin: Administers computer & network security
• Data Custodian: Maintains and protects data: backup/restore/monitor/test
Some positions may be merged.

Slide 7: Information Owner or Data Owner
• Is responsible for the data within the business (manager/director, not IS staff)
• Determines who can have access to data and may grant permissions directly, OR gives written permission for access directly to the security administrator, to prevent mishandling or alteration
• Periodically reviews authorization to restrict authorization creep

Slide 8: Other Positions
Data Custodian:
• IS (security or IT) employee who safeguards the data
• Performs backup/restore
• Verifies integrity of data
• Documents activities
• May be the System Administrator
Security Administrator:
• Allocates access to employees based on written documentation
• Monitors access to terminals and applications
• Monitors invalid login attempts
• Prepares security reports

Slide 9: Criticality Classification
• Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low
• Vital $$: Can be performed manually for a very short time
• Sensitive $: Can be performed manually for a period of time, but may cost more in staff
• Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

Slide 10: Sensitivity Classification (Example)
• Proprietary: Strategic Plan
• Confidential: Salary & Health Info
• Private: Product Plans
• Public: Product Users Manual near Release
(Diagram zones: Public, Internal)

Slide 11: Sensitivity Classification Workbook
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. | (none listed)
Confidential | Information protected by FERPA, PCI-DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades, Payment card information, Employee information
Private | Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released. | Professor research, Student homework, Budgets
Public | Disclosure is not welcome, but would not adversely impact the organization. | Teaching lectures

Slide 12: Data Classification
• How do we mark classified information?
• How do we determine which data should be classified to which class?
• How do we store, transport, handle, and archive classified information?
• How do we dispose of classified data?
• What does the law say about handling this information?
• Who has authority to determine who gets access, and what approvals are needed for access?
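The criticality classes (slide 9), the sensitivity classes (slides 10 and 11) and the per-class handling rules can be tied together in one scheme. The following Python is an added illustration, not part of the slide deck: the class precedence, the hour thresholds for criticality, and the minimum handling controls per class are assumptions condensed from the slides.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Sensitivity(IntEnum):          # slide 11 classes, most protective last
    PUBLIC, PRIVATE, CONFIDENTIAL, PROPRIETARY = range(4)


class Criticality(IntEnum):          # slide 9 classes, most critical last
    NONSENSITIVE, SENSITIVE, VITAL, CRITICAL = range(4)


# Data elements protected by breach-notification law, HIPAA, FERPA or PCI-DSS.
REGULATED = frozenset({"ssn", "drivers_license", "financial_account", "dna_profile",
                       "biometric", "health", "payment_card", "student_grades"})


@dataclass
class Asset:
    name: str
    elements: frozenset                 # kinds of data the asset holds
    strategic: bool = False             # critical strategic importance -> Proprietary
    internal_only: bool = False         # release could cause internal strife -> Private
    manual_hours: Optional[float] = None  # how long the process can run manually; None = cannot


def classify_sensitivity(asset: Asset) -> Sensitivity:
    """Most protective applicable class wins (precedence is an assumption of this example)."""
    if asset.strategic:
        return Sensitivity.PROPRIETARY
    if asset.elements & REGULATED:
        return Sensitivity.CONFIDENTIAL
    if asset.internal_only:
        return Sensitivity.PRIVATE
    return Sensitivity.PUBLIC


def classify_criticality(asset: Asset) -> Criticality:
    """Slide 9 wording mapped to constructed hour thresholds (assumption)."""
    if asset.manual_hours is None:
        return Criticality.CRITICAL       # cannot be performed manually
    if asset.manual_hours <= 8:
        return Criticality.VITAL          # manual for a very short time only
    if asset.manual_hours <= 72:
        return Criticality.SENSITIVE      # manual for a while, at extra staff cost
    return Criticality.NONSENSITIVE


# Minimum handling per class, condensed from the Handling of Sensitive Data table.
# Proprietary is assumed to be handled at least as strictly as Confidential.
DISPOSAL_STRENGTH = ["reformat", "secure_wipe", "degauss"]   # weakest to strongest
REQUIRED = {
    Sensitivity.PUBLIC:       {"disk": {"password"}, "transmit": set(), "dispose": "reformat"},
    Sensitivity.PRIVATE:      {"disk": {"password", "encrypted"}, "transmit": {"encrypted"},
                               "dispose": "secure_wipe"},
    Sensitivity.CONFIDENTIAL: {"disk": {"password", "encrypted"}, "transmit": {"encrypted"},
                               "dispose": "degauss"},
}
REQUIRED[Sensitivity.PROPRIETARY] = REQUIRED[Sensitivity.CONFIDENTIAL]


def handling_violations(asset: Asset, plan: dict) -> list:
    """Compare a proposed handling plan against the minimum for the asset's class."""
    cls = classify_sensitivity(asset)
    need = REQUIRED[cls]
    problems = []
    for area in ("disk", "transmit"):
        missing = need[area] - set(plan.get(area, ()))
        if missing:
            problems.append(f"{asset.name} ({cls.name}): {area} lacks {sorted(missing)}")
    offered = plan.get("dispose", "reformat")
    if DISPOSAL_STRENGTH.index(offered) < DISPOSAL_STRENGTH.index(need["dispose"]):
        problems.append(f"{asset.name} ({cls.name}): disposal must be at least {need['dispose']}")
    return problems


# Constructed sample asset and plans (not from the slides).
TRANSCRIPT = Asset("Student Transcript", frozenset({"student_grades"}), manual_hours=4)
STRATEGY = Asset("Strategic Plan", frozenset(), strategic=True)
WEAK_PLAN = {"disk": ["password"], "transmit": [], "dispose": "reformat"}
HARDENED_PLAN = {"disk": ["password", "encrypted"], "transmit": ["encrypted"], "dispose": "degauss"}

if __name__ == "__main__":
    for problem in handling_violations(TRANSCRIPT, WEAK_PLAN):
        print(problem)
```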
Slide 13: Handling of Sensitive Data
Requirement | Confidential | Private | Public
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling & Handling | Clean desk, low voice | Clean desk, low voice | Clean desk, low voice
Transmission | Encrypted; no SSNs, ID required | Encrypted; limited email, or append email security notice | -
Archive | Encrypted | Encrypted | -
Disposal | Degauss & damage disks; shred paper | Secure wipe; shred paper | Reformat disks

Slide 14: Storage & Destruction of Confidential Information
Repair:
• Remove memory before sending out for repair
Disposing of Media:
• Meet record-retention schedules
• Reformat disk
• Use a "Secure wipe" tool
• If highly secure: degauss (= demagnetize) or physical destruction
Storage:
• Encrypt sensitive data
• Avoid touching the media surface
• Keep out of direct sunlight
• Keep free of dust & liquids; a firm container is best
• Avoid magnetic, radio, or vibrating fields
• Use anti-static bags for disks
• Avoid spikes in temperature for disks; bring to room temperature before use
• Write-protect floppies/magnetic media
• Store tapes vertically

Slide 15: Permission Types
• Read, inquiry, copy
• Create, write, update, append, delete
• Execute, check
Access Matrix Model (HRU): subjects (Jack, Jill, Jeff) are the rows, objects (File A, File B, File C) are the columns, and each cell holds that subject's permissions on that object (the example cells use rwx, rx, r, d and "-" for no access).

Slide 16: Information Asset Inventory (Workbook)
Asset Name | Course Registration
Value to Organization | Records which students are taking which classes
Location | IS Main Center
Sensitivity & Criticality Classifications | Sensitive, Vital
IS System/Server Name | Peoplesoft
Data Owner | Registrar: Monica Jones
Designated Custodian | IS Operations: John Johnson
Granted Permissions | Read: Department Staff, Advising; Read/Write: Students, Registration. Access is permitted at any time/any terminal
(Source: CISA Review Manual 2009)

Slide 17: Question
The person responsible for deciding who should have access to a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

Slide 18: Question
Least Privilege dictates that:
1. Persons should have the ability to do tasks sufficient to perform their primary job and no more
2. Access rights and permissions shall be commensurate with a person's position in the corporation: i.e., lower layers have fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive

Slide 19: Question
A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital to the organization

Slide 20: Question
The person responsible for restricting and monitoring permissions is the:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

Slide 21: AUTHENTICATION & ACCESS CONTROL
• Path Access
• Authentication: Login/Password, Biometrics
• Remote Access

Slide 22: Security: Defense in Depth
• Border Router
• Perimeter firewall
• Internal firewall
• Intrusion Detection System
• Policies & Procedures & Audits
• Authentication
• Access Controls

Slide 23: Four Layers of Logical Security
(Diagram: System 1, System 2; App1, App2, Database)
• Two layers of general access: Networks and Systems
• Two layers of granularity of control: Applications and Databases

Slide 24: Password Rules
• One-way encrypted using a strong algorithm
• Never displayed (except as ***)
• Never written down and retained near the terminal or in a desk
• Passwords should be changed every 30 days, notifying the user in advance
• A password history should prevent a user from reusing the same password within 1 year
• Passwords should be >= 8 (better 12) characters, including 3 of: alpha, numeric, upper/lower case, and special characters
• Passwords should not be identifiable with the user, e.g., a family member or pet name

Slide 25: Authentication Combinations
• Single Factor: Something you know (login & password)
• Multifactor Authentication: Using two or more authentication methods
• Two Factor: Add one of: something you have (card or ID); something you are or do (biometric)
• Three Factor: Uses all three, e.g., badge, thumb, pass code

Slide 26: Biometrics
• Biometrics: Who you are or what you do
• Susceptible to error:
  • False Rejection Rate (FRR): Rate of users rejected in error
  • False Acceptance Rate (FAR): Rate of users accepted in error
  • Failure to Enroll Rate (FER): Rate of users who failed to successfully register
  • Equal Error Rate (EER): the point where FRR = FAR (diagram: as the threshold moves, FRR increases while FAR decreases, and vice versa)

Slide 27: Biometrics with Best Response & Lowest EER (best at top)
Type | Advantages | Disadvantages
Palm | Social acceptance | Physical contact
Hand (3D) | Social acceptance, low storage | Not unique, injury affects
Iris | No direct contact | High cost, high storage
Retina | Low FAR | High cost; 1-2 cm away: invasive
Fingerprint | Low cost; more storage = lower EER | Physical contact -> grime -> poor quality image
Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
Signature | Easy to use, low cost | Uniqueness; writing onto a tablet differs from paper
Face | Social acceptance | Not unique; overcome with high storage
(Source: CISA Review Manual 2009)

Slide 28: Biometric Info Mgmt & Security Policy
• Identification & authentication procedures
• Backup authentication
• Safe transmission/storage of biometric data
• Security of physical hardware
• Validation testing
• Auditors should ensure documentation & use is professional

Slide 29: Single Sign On
Advantages | Disadvantages
One good password replaces lots of passwords | Single point of failure -> total compromise
IDs consistent throughout system(s) | Complex software development due to diverse OS
Reduced admin work in setup & forgotten passwords | Expensive implementation
Quick access to systems | -
(Diagram: the user enters a password once at the Primary Domain (System); the Secondary Domains App1, DB2 and App3 accept that sign-on)

Slide 30: Recommended Password Allocation (flow; swimlanes User / Security Admin)
• User is allocated a random password or sent an email with a link -> Account [unlocked]
• Inform the user in a controlled manner; verify user ID (e.g., by email)
• First-time login: change password
• Subsequent logins, with [Forgot Password] and [Invalid password attempts] branches
• [Invalid password attempts]: entering 5 invalid passwords -> Account [locked]; notify Security
• Unlock either [Manual] or by [Auto Timeout], where the system automatically unlocks -> Account [unlocked]

Slide 31: Admin & Login ID Rules
• Restrict the number of admin accounts
• An admin password should be known by only one user
• Admin accounts should never be locked out, whereas others are
• An admin password can be kept in a locked cabinet in a sealed envelope, where the top manager has the key
• Login IDs should follow a confidential internal naming rule
• Common accounts (Guest, Administrator, Admin) should be renamed
• Session time-out should require password re-entry

Slide 32: Access Control Techniques (diagram)
Mandatory Access Control: files A-E and users John, June, May, Al, Don are assigned to groups (Mgmt, Billing, Factory) whose permissions (e.g., rwx, r x, r) are set by the system.
Discretionary Access Control (each user's own file list): John: A, B, C, D, E, F; June: A, B, C; May: D, E, F; Al: A, B; Don: B, C; Pat: D, F; Tom: E, F; Tim: E
Role-Based Access Control:
Login | Role | Permission
John | Mgr | A, B, C, D, E, F
June | Acct. | A, B, C
Al | Acct. | A, B, C
May | Factory | D, E, F
Pat | Factory | D, E, F

Slide 33: Access Control Techniques
• Mandatory Access Control: General (system-determined) access control
• Discretionary Access Control: The person with permissions controls access
• Role-Based Access Control: Access control determined by role in the organization
• Physical Access Control: Locks, fences, biometrics, badges, keys

Slide 34: Workbook: Role-Based Access Control
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Student Records: Grading Form RW; Student Transcript (current students) R; Transfer credit form R
Advising | Student Records: Student Transcript (current students) R; Fee Payment R; Transfer credit form R
Registration | Student Records: Fee Payment RW; Transfer credit form RW

Slide 35: System Access Control
• Establish rules for access to information resources
• Create/maintain user profiles
• Allocate user IDs requiring authentication (per person, not group)
• Notify users of valid use and access before and upon login
• Ensure accountability and auditability by logging user activities
• Log events
• Report access control configuration & logs

Slide 36: Application-Level Access Control
• Create/change file or database structure
• Authorize actions at the application level, file level, transaction level, and field level
• Log network & data access activities to monitor access violations

Slide 37: Which Computer Do You Trust?
You plan to make a purchase on-line…
• A library or college computer?
• Your office computer?
• Your children's computer?
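The RBAC workbook roles (Instructor, Advising, Registration), the one-ID-per-person rule and the logging of access violations from the System and Application-Level Access Control slides can be exercised in a small enforcement point. The Python below is an added illustration, not code from the slides; the login IDs and the segregation-of-duties pair (Instructor vs. Registration) are constructed assumptions.

```python
from collections import defaultdict

# Role -> form -> permissions (R = read, W = write), from the RBAC workbook slide.
ROLE_PERMISSIONS = {
    "Instructor":   {"Grading Form": "RW", "Student Transcript": "R", "Transfer credit form": "R"},
    "Advising":     {"Student Transcript": "R", "Fee Payment": "R", "Transfer credit form": "R"},
    "Registration": {"Fee Payment": "RW", "Transfer credit form": "RW"},
}

# Constructed segregation-of-duties rule (assumption, not from the slides):
# nobody both records fee payments and enters grades.
EXCLUSIVE_ROLES = [frozenset({"Instructor", "Registration"})]


class RBAC:
    def __init__(self, role_permissions, exclusive_roles=()):
        self.role_permissions = role_permissions
        self.exclusive_roles = list(exclusive_roles)
        self.user_roles = defaultdict(set)   # one login ID per person, never a group ID
        self.audit_log = []                  # who did what: (user, form, action, decision)

    def assign(self, user, role):
        """Security admin grants a role on the data owner's written authorization."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        for pair in self.exclusive_roles:
            if role in pair and (pair - {role}) & self.user_roles[user]:
                raise ValueError(f"{user}: {role} conflicts with {sorted(self.user_roles[user])}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        """Job changes: permissions follow the role, so removal is a single step."""
        self.user_roles[user].discard(role)

    def effective_permissions(self, user, form):
        perms = set()
        for role in self.user_roles[user]:
            perms |= set(self.role_permissions[role].get(form, ""))
        return perms

    def authorize(self, user, form, action):
        """Application-level check; every decision is logged for the audit trail."""
        allowed = action in self.effective_permissions(user, form)
        self.audit_log.append((user, form, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def access_violations(self):
        """Audit reduction: keep only the denied attempts for review."""
        return [entry for entry in self.audit_log if entry[3] == "DENY"]


def demo():
    """Constructed users; returns the decisions, the violations and the SoD outcome."""
    rbac = RBAC(ROLE_PERMISSIONS, EXCLUSIVE_ROLES)
    rbac.assign("prof_jones", "Instructor")
    rbac.assign("adv_smith", "Advising")
    rbac.assign("reg_lee", "Registration")
    decisions = {
        "instructor writes grade": rbac.authorize("prof_jones", "Grading Form", "W"),
        "instructor writes transcript": rbac.authorize("prof_jones", "Student Transcript", "W"),
        "advisor reads fee payment": rbac.authorize("adv_smith", "Fee Payment", "R"),
        "registration writes fee payment": rbac.authorize("reg_lee", "Fee Payment", "W"),
        "registration reads grades": rbac.authorize("reg_lee", "Grading Form", "R"),
    }
    try:
        rbac.assign("reg_lee", "Instructor")     # would let one person grade and take payment
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    return decisions, rbac.access_violations(), sod_blocked


if __name__ == "__main__":
    for line in demo()[1]:
        print("violation:", line)
```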
Slide 38: Trusted Computing Base (TCB)
A trusted app has:
• Horizontal dependencies: operating system, hardware
• Vertical dependencies: server applications, network, authentication server, …
(Diagram: Trusted App 1, 2, 3 over a Trusted Operating System on Trusted Hardware; Trusted Service 1, 2, 3 over a Trusted Operating System on Trusted Hardware; joined by a Trusted network)

Slide 39: Processing Requires Dependencies
• Vertical Dependencies: a Secret App requires a Secret-level database, Secret-level OS, Secret-level hardware
• Horizontal Dependencies: a Secret App requires Secret-level servers, Secret-level communications, Secret-level authentication

Slide 40: Trusted Computing Base (TCB)
• TCB Subset: Verified security policy, provides reliability
• Encapsulated security implementation provides rapid implementation
(Diagram: as slide 38, with the Security Policy spanning the trusted apps and an Encapsulated security impl. inside each Trusted OS)

Slide 41: Bell and La Padula Model (BLP)
Property of Confinement:
• Read Down: allowed if Subject's class >= Object's class
• Write Up: allowed if Subject's class <= Object's class
• Tranquility Principle: Object's class cannot change
• Declassification: Subject can lower his/her own class
(Diagram: levels Top Secret, Secret, Confidential, Non-Classified; Joe => (Secret))

Slide 42: Military Security Policy (Confid., Finance)
Class | Finance | Engineering | Personnel
Top Secret | Customer list | New plans | -
Secret | Dept. Budgets | Code | Personnel review
Confidential | Expenses | Emails | Salary
Non-Classified | Balance sheet | Users Manuals | Position Descriptions
• A person has an Authorization Level or Level of Trust (S, D) = (sensitivity, domain) for Subject (potentially Project)
• An object has a Security Class
• Confidentiality Property: Subject can access object if it dominates the object's classification level, e.g., (Secret, Eng)

Slide 43: BIG Data
Example record: Alice Winter, 222 Pine Dr., 262-513-2341, Birth=1989, Diabetic
• Blacklist: Not stored, or access via permission
• Whitelist: Permitted to see
• Anonymize: Alter via statistical distribution
• Obfuscate: Make data unclear
• Distribute data across multiple locations: no single location has useful data (e.g., RAID)
• Options include: Encryption, access control, firewall, security intelligence

Slide 44: IS Auditor Verifies…
• Written policies & procedures are professional & implemented
• Access follows need-to-know
• Security awareness & training are implemented
• Data owners & data custodians meet their responsibility for safeguarding data
• Security Administrator provides physical and logical security for the IS program, data, and equipment
• Authorization is documented and consistent with reality
See the CISA Review Manual for specific details

Slide 45: Question
A form of biometrics that is considered invasive by users is:
1. Retina
2. Iris
3. 3D hand
4. Signature

Slide 46: Question
A form of biometrics that is not prone to error is:
1. Retina
2. Voice
3. Finger
4. Signature

Slide 47: Question
Julie is a Data Owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as:
1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control
(CISA Review Manual 2009)

Slide 48: Question
John has a security clearance of (Engineering, Confidential). Using the Bell and La Padula Model, John can write to:
1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified
(CISA Review Manual 2009)

Slide 49: AUDIT TRAILS

Slide 50: Audit Trail
• An audit trail tracks responsibility: who did what, when? Periodic review will help to find excess-authority access, login successes & failures, and track fraud
• Attackers often want to change the audit trail (to hide their tracks)
• The audit trail must be hard to change: write-once devices; digital signatures; security & systems admins and managers may have READ-only access to the log
• The audit trail must be sensitive to privacy: personal information may be encrypted

Slide 51: Audit Trail Tools
• Audit Reduction: Filter important logs; eliminate unimportant logs
• Attack/Signature Detection: A sequence of log events may signal an attack (e.g., 1000 login attempts)
• Trend/Variance Detection: Notices changes from normal user or system behavior (e.g., login during the night)

Slide 52: Question
Audit trails:
1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick access

Slide 53: Summary
• Data is inventoried
• Data is allocated a sensitivity and criticality class
• Class handling is defined for handling, transporting, storage
• Roles are allocated permissions (access control)
• Authorization ensures access control is enforced: biometrics, two-factor authentication, single sign-on
• Trust enables use
• Access may be distributed: Trusted Computing Base
• Audit trails enforce accountability

Slide 54: HEALTH FIRST CASE STUDY: Designing Information Security
• Jamie Ramon MD: Doctor
• Chris Ramon RD: Dietician
• Terry: Licensed Practicing Nurse
• Pat: Software Consultant

Slide 55: Define Sensitivity Classification
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. | (blank)
Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | (blank)
Private | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released; for use with particular parties within the organization. | (blank)
Public | Disclosure is not welcome, but would not adversely impact the organization, OR the information is public record. | (blank)

Slide 56: Define Sensitivity Classification
• Proprietary: Strategic Plan
• Confidential: Salary & Health Info
• Private: Product Plans
• Public: Product Users Manual near Release

Slide 57: How should classes be treated?
Table 4.1.2: Handling of Sensitive Data
Requirement | Proprietary | Confidential | Private
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling and Handling | 'Confidential' (Special) label; clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy
Transmission | Encrypted | Encrypted | -
Archive | Encrypted | Encrypted | -
Disposal | Degauss & damage disks; shred paper | Secure wipe, damage disks; shred paper | Reformat disks; shred paper (locked)

Slide 58: Define Roles & Role-Based Access Control
(Health plan information diagram: Health Plan Eligibility; Health Plan: Maximum Benefit, Exclusions, In-Plan Benefits, Out-of-Plan Benefits, Coordination of Benefits, Coverage; Procedure Dates; Co-Pay; Eligibility: Active; Deductible; Specific Procedure Request; Max. Coverage; Co-pay / Non-covered; Patient Resp Amounts)
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
(blank) | (blank)

Slide 59: Workbook: Information Asset Inventory
Asset Name | Value to Organization | Location | Security Risk Classification | IS Server | Data Owner (Who decides who should have access?) | Designated Custodian (Who takes care of backups and sys admin functions?) | Granted Permissions
Course Registration | Records which students are taking which classes | IS Main Center | Sensitive, Vital | Peoplesoft | (blank) | (blank) | Read: Department Staff, Advising; Read/Write: Students, Registration. Access is permitted at any time/any terminal
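The BLP rules (slide 41) and the (sensitivity, domain) level of trust from the Military Security Policy slide (slide 42) can be made precise with a dominance check. The Python below is an added example, not code from the slides: it uses the slide 42 objects and the subject Joe => (Secret) from slide 41, placed in the Engineering domain as an assumption.

```python
from dataclasses import dataclass, replace

# Sensitivity lattice from the BLP slide, lowest first.
LEVELS = ("Non-Classified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """Security class (S, D): a sensitivity level plus the set of domains it covers."""
    level: str
    domains: frozenset

    def dominates(self, other: "Label") -> bool:
        # Dominance: at least as high a level AND a superset of the other's domains.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.domains >= other.domains)


def mk_label(level: str, *domains: str) -> Label:
    return Label(level, frozenset(domains))


@dataclass(frozen=True)      # frozen: tranquility says an object's class cannot change
class Obj:
    name: str
    label: Label


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label         # level of trust (S, D) granted to the person
    current: Label           # class the subject is working at; may be lowered


def can_read(s: Subject, o: Obj) -> bool:
    """Read down: the subject's current class must dominate the object's class."""
    return s.current.dominates(o.label)


def can_write(s: Subject, o: Obj) -> bool:
    """Write up: the object's class must dominate the subject's current class."""
    return o.label.dominates(s.current)


def declassify(s: Subject, level: str, *domains: str) -> Subject:
    """A subject may lower his/her own class but never exceed the clearance."""
    new = mk_label(level, *domains)
    if not s.clearance.dominates(new):
        raise PermissionError(f"{s.name}: {level}/{sorted(domains)} exceeds clearance")
    return replace(s, current=new)


def try_reclassify(o: Obj, new: Label) -> bool:
    """Tranquility check: a frozen object rejects relabeling, so this returns False."""
    try:
        o.label = new                 # raises dataclasses.FrozenInstanceError
        return True
    except AttributeError:            # FrozenInstanceError is an AttributeError
        return False


# Objects from the Military Security Policy table (Finance / Engineering columns).
OBJECTS = {
    "Customer list": Obj("Customer list", mk_label("Top Secret", "Finance")),
    "New plans":     Obj("New plans", mk_label("Top Secret", "Engineering")),
    "Dept. Budgets": Obj("Dept. Budgets", mk_label("Secret", "Finance")),
    "Code":          Obj("Code", mk_label("Secret", "Engineering")),
    "Emails":        Obj("Emails", mk_label("Confidential", "Engineering")),
    "Users Manuals": Obj("Users Manuals", mk_label("Non-Classified", "Engineering")),
}
JOE = Subject("Joe", mk_label("Secret", "Engineering"), mk_label("Secret", "Engineering"))


def access_report(s: Subject) -> dict:
    """Object name -> (may read, may write) for the subject's current class."""
    return {name: (can_read(s, o), can_write(s, o)) for name, o in OBJECTS.items()}


if __name__ == "__main__":
    for name, (r, w) in access_report(JOE).items():
        print(f"{name:14} read={r} write={w}")
```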