95-752 Introduction to Information Security Management
Tim Shimeall, Ph.D.
tjs@cert.org
412-268-7611
Office Hours by Appointment
Course website: http://www.andrew.cmu.edu/course/95-752

Course Covers
• Introduction/Definitions
• Physical security
• Access control
• Data security
• Operating system security
• Application security
• Network security

Student Expectations
• Grading:
  – 2 Homeworks
  – Midterm
  – Paper/project
• All submitted work is sole effort of student
• Students are interested in subject area
• Students have varied backgrounds

Information Revolution
• Information Revolution as pervasive as the Industrial Revolution
• Impact is Political, Economic, and Social as well as Technical
• Information has an increasing intrinsic value
• Protection of critical information now a critical concern in Government, Business, Academia

A Different Internet
• Armies may cease to march
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but purposeful military, political, and criminal organizations

Computer Terms (1)
Computer – A collection of the following:
• Central Processing Unit (CPU): Instruction processing
• Memory (RAM): Transient storage for data
• Disk: More permanent storage for data
• Monitor: Display device
• Printer: Hard copy production
• Network card: Communication circuitry

Computer Terms (2)
• Software: Instructions for a computer
• Operating System: Interaction among components of computer
• Application software: Common tasks (e.g., email, word processing, program construction, etc.)
• API/Libraries: Support for common tasks

Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
• [30 seconds] First service probes/scans detected
• [1 hour] First compromise attempts detected
• [12 hours] PC fully compromised:
  – Administrative access obtained
  – Event logging selectively disabled
  – System software modified to suit intruder
  – Attack software installed
  – PC actively probing for new hosts to intrude
• Clear the disk and try again!

Why is Security Difficult
• Managers unaware of value of computing resources
• Damage to public image
• Legal definitions often vague or nonexistent
• Legal prosecution is difficult
• Many subtle technical issues

Objectives of Security
• Privacy – Information only available to authorized users
• Integrity – Information retains intended content and semantics
• Availability – Information retains access and presence
Importance of these is shifting, depends on organization

Security Terms
• Exposure – “actual harm or possible harm”
• Vulnerability – “weakness that may be exploited”
• Attack – “human originated perpetration”
• Threat – “potential for exposure”
• Control – “preventative measure”

Classes of Threat
• Interception
• Modification
• Masquerade
• Interruption
Most Security Problems Are People Related

Software Security Concerns
• Theft
• Modification
• Deletion
• Misplacement

Data Security Concerns
• Vector for attack
• Modification
• Disclosure
• Deletion
“If you have a $50 head, buy a $50 helmet”

Network Security Concerns
• Basis for Attack
• Publicity
• Theft of Service
• Theft of Information
Network is only as strong as its weakest link
Problems multiply with number of nodes

Motivations to Violate Security
• Greed
• Ego
• Curiosity
• Revenge
• Competition
• Political/Ideological

People and Computer Crime
• Most damage not due to attacks (“Oops!” “What was that?”)
• No clear profile of computer criminal
• Law and ethics may be unclear
“Attempting to apply established law in the fast developing world of the Internet is somewhat like trying to board a moving bus” (Second Circuit, US Court of Appeals, 1997)

Theory of Technology Law
• Jurisdiction:
  – Subject matter – power to hear a type of case
  – Personal – power to enforce a judgment on a defendant
• Between states: Federal subject matter
• Within state: State/local subject matter
• Criminal or Civil
  – Privacy/obscenity covered now
  – Intellectual property covered later

Privacy Law
• Common law:
  – Person’s name or likeness
  – Intrusion
  – Disclosure
  – False light
• State/Local law: Most states have computer crime laws, varying content
• International law: Patchy, varying content

Federal Privacy Statutes
• ECPA (communication)
• Privacy Act of 1974 (Federal collection/use)
• Family Educational Rights & Privacy Act (school records)
• Fair Credit Reporting Act (credit information)
• Federal Cable Communications Privacy Act (cable subscriber info)
• Video Privacy Act (video rental information)
• HIPAA (health care information)
• Sarbanes-Oxley Act (corporate accounting)
• Patriot Act (counter-terrorism)
Plus state law in more than 40 states, and local laws

Federal Obscenity Statutes
• Miller tests (Miller v. California, 1973):
  – Average person applying contemporary community standards finds it appeals to prurient interest
  – Sexual content
  – Lack of literary, artistic, political or scientific value
• Statutes:
  – Communications Decency Act (struck down)
  – Child Online Protection Act (struck down)
  – Child Pornography Protection Act (struck down – virtual child porn; live children still protected)

Indian Trust Funds
• Large, developing case: Cobell vs. Norton – http://www.indiantrust.com/
• Insecure handling of entrusted funds
• Legal Internet disruption
• Criminal contempt proceedings
• Judicial overstepping

Three Security Disciplines
• Physical
  – Most common security discipline
  – Protect facilities and contents
    • Plants, labs, stores, parking areas, loading areas, warehouses, offices, equipment, machines, tools, vehicles, products, materials
• Personnel
  – Protect employees, customers, guests
• Information
  – The rest of this course

How Has It Changed?
• Physical Events Have Cyber Consequences
• Cyber Events Have Physical Consequences

Why Physical Security?
• Not all threats are “cyber threats”
• Information one commodity that can be stolen without being “taken”
• Physically barring access is first line of defense
• Forces those concerned to prioritize!
• Physical Security can be a deterrent
• Security reviews force insights into value of what is being protected

Layered Security
• Physical Barriers
  – Fences
  – Alarms
  – Restricted Access Technology
• Physical Restrictions
  – Air Gapping
  – Removable Media
  – Remote Storage
• Personnel Security Practices
  – Limited Access
  – Training
  – Consequences/Deterrence

Physical Barriers
• Hardened Facilities
• Fences
• Guards
• Alarms
• Locks
• Restricted Access Technologies
  – Biometrics
  – Coded Entry
  – Badging
• Signal Blocking (Faraday Cages)

Outer Protective Layers
• Structure
  – Fencing, gates, other barriers
• Environment
  – Lighting, signs, alarms
• Purpose
  – Define property line and discourage trespassing
  – Provide distance from threats

Middle Protective Layers
• Structure
  – Door controls, window controls
  – Ceiling penetration
  – Ventilation ducts
  – Elevator penthouses
• Environment
  – Within defined perimeter, positive controls
• Purpose
  – Alert threat, segment protection zones

Inner Protective Layers
• Several layers
• Structure
  – Door controls, biometrics
  – Signs, alarms, CCTV
  – Safes, vaults
• Environment
  – Authorized personnel only
• Purpose
  – Establish controlled areas and rooms

Other Barrier Issues
• Handling of trash or scrap
• Fire:
  – Temperature
  – Smoke
• Pollution:
  – CO
  – Radon
• Flood
• Earthquake

Physical Restrictions
• Air Gapping Data
  – Limits access to various security levels
  – Requires conscious effort to violate
  – Protects against inadvertent transmission
• Removable Media
  – Removable hard drives
  – Floppy disks/CDs/ZIP disks
• Remote Storage of Data
  – Physically separate storage facility
  – Use of storage media or stand-alone computers
  – Updating of stored data and regular inventory

Personnel Security Practices
• Insider Threat the most serious
  – Disgruntled employee
  – Former employee
  – Agent for hire
• Personnel Training
  – Critical element
  – Most often overlooked
• Background checks
  – Critical when access to information required
  – Must be updated
  – CIA/FBI embarrassed

Activities or Events
• Publications, public releases, etc.
• Seminars, conventions or trade shows
• Survey or questionnaire
• Plant tours, “open house”, family visits
• Governmental actions: certification, investigation
• Construction and repair

NISPOM
National Industrial Security Program Operating Manual
• Prescribes requirements, restrictions and other safeguards for information
• Protections for special classes of information
• National Security Council provides overall policy direction
• Governs oversight and compliance for 20 government agencies

Methods of Defense
Overlapping controls:
– Authentication
– Encryption
– Integrity control
– Firewalls
– Network configuration
– Application configuration
– Policy