InfoSec Training Introduction to Information Security Concepts Copyright Justin C. Klein Keane Vocabulary: Security Policy Refers to the way a system is supposed to function Can be explicit or implicit Outlines assumptions of protections and violations If you users don't have passwords is account hijack a violation of policy? Copyright Justin C. Klein Keane Vocabulary: Incident Security incident is a violation (or series of violations) of a systems security policy Scope can vary from narrow to broad Incidents are events caused by (malicious) behavior Can be automated (a virus) or manual (abuse of access) Copyright Justin C. Klein Keane Vocabulary: Threat Potential cause of a security incident Can be purposeful (a specific tool used to break into a site or a malicious insider) Accidental (floods, fire, lost backup tape, etc.) Copyright Justin C. Klein Keane Vocabulary: Vulnerability Flaw in a system that could allow a threat to violate the security policy Can be a result of oversight or architecture Logic flaws can present vulnerabilities Vulnerabilities are static aspects of systems Copyright Justin C. Klein Keane Vocabulary: Exploit Exploit is when a threat capitalizes on a vulnerability Exploits can be manual or automated Exploits demonstrate that there is a problem with a system Copyright Justin C. Klein Keane Vocabulary: Malware Software that does bad stuff Malware include virus and worm code Includes software designed to modify legitimate systems to: Allow unauthorized remote access Hide evidence of intrusion Exfiltrate data from a target Surreptitiously monitor user activity And more... Copyright Justin C. Klein Keane What is Security? Defined in terms of threats Secure from what? Copyright Justin C. Klein Keane Security Concepts The Golden Rule (Au) Authentication Authenticity Users are who they claim to be, or at least can present credentials Data has not been altered and remains true to its original form Audit The system can track what activity, data and users Copyright Justin C. Klein Keane Security as Asset Protection A secure system must protect: Confidentiality Integrity (and Reliability) Threat: Information disclosure Threat: Data corruption Access Threat: Denial of service Copyright Justin C. Klein Keane Security Lifecycle Security is a process not a product Complexity is the enemy of security Security is an evolutionary landscape “Secure” is a point in time evaluation “Secure” is defined by known threats Copyright Justin C. Klein Keane 0 day 0 day is a vulnerability for which there is no patch available If 0 day cannot be predicted, how can we defend against it? 0 day can often be mitigated How can we detect 0 day? Defense in depth is often the only defense against 0 day When evaluating security you should assume 0 day Copyright Justin C. Klein Keane A Word on Software Bugs Software engineering is a robust, and mature, field of academic study All software projects of sufficient size and complexity contain bugs, regardless of development process A certain number of bugs will be security related Conclusion: all software contain security related bugs Copyright Justin C. Klein Keane Classifying Software Bugs Not all bugs are the same Bugs may present wildly varying threats Bugs may have different risks associated with them All bugs are significant, however Copyright Justin C. Klein Keane Even if it's bug free Bug free software can still have vulnerabilities: Configuration problems: Logic flaws Default or weak credentials Improper trust model Etc. Fundamentally insecure design Software functions exactly as designed but the result is an unintended vulnerability Two bug free systems might have insecure interaction Copyright Justin C. Klein Keane Vulnerability Synergy Linking one vulnerability to another Chains of low risk, or low significant vulnerabilities can lead to a serious vulnerability Even if highest risk bugs are all patched, a combination of low risk bugs could lead to compromise Copyright Justin C. Klein Keane Sisyphean Task A sufficiently resourced and motivated attacker will always compromise security Defenders must be right 100% of the time, attackers need only succeed once You can't possibly defend against everything Attacker motivation is unknowable Copyright Justin C. Klein Keane Protect, Detect, React The security lifecycle, also known as the security hamster wheel of pain EVERY step is critical Detection is dependent on observation and reporting Logs are some of the best places to do detection More on each step later Copyright Justin C. Klein Keane How can we get ahead? The protect/detect/react cycle often requires an incident to move from detect/react to better protection It is important to keep the cycle moving independently of a security incident Collecting metrics is key to making informed decisions Start with security first... Copyright Justin C. Klein Keane Secure Design Threat modeling Maximize ROI with high impact, low cost, mitigations Good authentication, authorization and audit Fault tolerance or Rugged Design Applications should protect against unexpected actions This includes good exception handling Test driven design, with tests that should fail Secure Application Development Lifecycle (SDLC) Copyright Justin C. Klein Keane Penetration Testing Actively attacking your own systems Can reveal flaws in protection, including gaps Can proactively identify vulnerabilities (prevent 0 day) Helps more accurately frame risk assessment Copyright Justin C. Klein Keane Application Security Testing Black box Gray box Penetration testing Some level of access and documentation available White box Full code review, often combined with other testing tools Copyright Justin C. Klein Keane Using Automation Automation is critical for a timely review Automation can lead to false positives Automated tools without skilled human operators can be useless Deluge of false positives Poor risk assignment Copyright Justin C. Klein Keane Gold Standard for Security Reporting Security reporting after a review should include: List of vulnerabilities, ranked/grouped by severity Demonstration of exploit List of suggested mitigation and work around strategies List of patches and/or fixes for the issue A good security test should be repeatable Copyright Justin C. Klein Keane Resource Allocation In the real world resources are limited Given the scope of security it is impossible to cover all fronts How does one make smart resource allocation decisions? Copyright Justin C. Klein Keane Risk Calculations Risk can be used to draw comparisons Risk generally calculated: Risk = Likelihood x Severity Good risk ratings allow you to compare apples to apples Can focus attention and resources to greatest need How can we baseline these without METRICS? Copyright Justin C. Klein Keane Flaw in Risk Calculation Likelihood can never actually be measured because it is within the attackers control How can you quantify what you don't know? Severity may hinge on unknown consequences or attacker motivation Some resources may escape risk calculation Copyright Justin C. Klein Keane Non Technical Threats Risk calculation involves assessing threats Some threats are not strictly system related: Reputational damage Misinformation Business risks (ex: grant funding) Copyright Justin C. Klein Keane Typical Poor Risk Calculation Home user doesn't protect their machine because they have no data of value Risk = medium likelihood x low impact Home user may not understand full impact: Attacker can use webcam Attacker can use mic to record conversations Attacker can use connection to compromise wireless router to allow anonymous wireless Copyright Justin C. Klein Keane Linchpin in Most Flaws Many risk calculations fail because the assessor measures risk based on: Perceived attacker motivation Without understanding what an attacker is after there is no effective way to protect resources “Industry best practice” may provide a guide Copyright Justin C. Klein Keane Moving Forward Goal is an adaptive, metrics based information security program Resources should be fluid, and allocated based on actual need Reactive capabilities should be maximized Reduction of misguided protective measures Constant metrics gathering and reevaluation Learn, grow, share Copyright Justin C. Klein Keane