BCIS 4630 Fundamentals of IT Security
FOUNDATIONAL CONCEPTS
Dr. Andy Wu

Overview
• Surveying the battle ground
  – Adversaries
• Things of Threes
  – CIA, AAA, SNL
• Defense in Depth
• Regulations
• Security governance
  – ISO 17799, CobiT, ITIL

Weakest Link in Security Is…
• People!
• Not technology. Technology is powerless if people don’t use it right.
• Not organizational process. Processes are useless if people don’t follow them.
• Your security is only as good as its weakest link.

Code-Red Worm (July 2001)
• On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm. The incident took only 14 hours to occur.
• Damages caused by the worm (including variations of the worm released on later dates) exceeded $2.5 billion.
• The vulnerability exploited by the Code-Red worm had been known for a month.

Slammer Worm (January 2003)
• It exploited a buffer-overflow vulnerability in computers running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine.
• This vulnerability was not new. It had been discovered in July 2002.
• Microsoft had released a patch for the vulnerability even before it was announced.

It’s a Balancing Act
• Security can be looked at as a tradeoff between risks and benefits.
  – Cost of implementing the security mechanism
• The tradeoff involves security versus costs of implementation, user convenience, business goals, etc.
• Security often is an inconvenience to users.

And It’s an Uphill Battle… for the Good Guys
• You have to be secure in all bases, whereas an attacker only has to be really good at one thing to be successful.

Forget It If You Want to Be Popular
• People are not born security-minded. They may not appreciate your help.
• If your security measures inconvenience them enough, they will bypass or even undermine them.
• Don’t be surprised if you’re not invited to parties.

Who Are Your Adversaries, then?
• Hackers
  – Black hat
  – Gray hat
  – White hat (actually they’re your friends)
    • Pen Testing
    • “Get-out-of-the-jail-free card”
• Script kiddies
• Organized crime

Typical Hacker
• Young male in late 20s.
• Dress is casual: intellectual or humorous slogan T-shirts, jeans, running shoes, etc.
  – “Outdoorsy”: hiking boots, khakis, chamois shirts, etc.
  – Hates business attire.
• Reads Scientific American and Smithsonian
• Attracted to ethnic, spicy, oriental, exotic foods
• Anti-physical and avoids sports
  – If any, almost always self-competitive and intellectual, involving concentration, stamina, and micro-motor skills
Source: Schell et al., The Hacking of America.

Hacker Myths and Truths
• Myth: Hackers are computer addicts
  – Truth: They’re more like “heavy users”
• Myth: Hackers have odd sleeping patterns
  – Truth: 79% sleep sometime between 12AM and 8AM, for an average of 6.26 hours
• Myth: Hackers communicate only with their computers, not with other people
  – Truth: Hackers spend considerable time during the week communicating with their colleagues.
Source: Schell et al., The Hacking of America.

Hacker Myths and Truths
• Myth: Hackers are a threat to network administrators
  – Truth: Hacker convention attendees have considerable white hat skill sets.
  – Divided views on hiring hackers as security professionals.
• Myth: Hackers are creative.
  – Truth: This seems to be true.

Script Kiddies
• Download and run tools that others have developed.
  – May not even know why and how the tools work.
• Generally not as interested in attacking specific targets.
• Look for any people or organizations that may not have patched a newly discovered vulnerability.
• At least 85 to 90% of the “unfriendly” activities on the Internet are probably conducted by these individuals.
• Do not underestimate the potential damage they can inflict despite their lower level of technical sophistication. These kids ain’t cute!

Traditional Hacker Motivations
• Feeling of addiction
• The urge of curiosity
• Boredom with the education system
• Enjoyment of the feeling of power
• Peer recognition
• Political acts
• What is missing?
Source: Taylor, Paul, Hackers: Crime in the Digital Sublime.

Hacker Motivation
• “Sutton’s Law” – Because that’s where the money is!
• Alarming change: the serious attackers are out for specific purposes with certain types of damage or fraud in mind.
• Some of them are becoming part of, or are hired by, the cyber-equivalent of the mafia.

Alarming Trend
[Figure omitted] Source: CERT

Change in Hacker Characteristics
• As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.
  – The rise of non-affiliated intruders, including “script kiddies,” has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.

What Are You Trying to Protect?
• Three properties of information are the goals of security protection:
  – Confidentiality
  – Integrity
  – Availability

Confidentiality
• The protection of information within systems so that unauthorized people, programs, and processes cannot access that information.
• Sensitive information is protected against unauthorized disclosure.
• Encryption is a primary tool to ensure confidentiality.

Integrity
• The protection of information or processes from intentional or accidental unauthorized changes.
• Integrity ≠ business accuracy, logicalness, relevance, ethicalness, etc. of information
• Integrity = No unauthorized alteration

Availability
• The assurance that information and systems are accessible by authorized users whenever needed.
  – Protected against denial-of-service (DoS) attacks and vandalism
  – Protected against losses stemming from natural disasters or human errors and actions (this type probably is more common)
• Time can be of the essence for many information-related activities.
DAD Triad
• Disclosure – Unauthorized individuals gain access to confidential information
• Alteration – Data is modified through some unauthorized mechanism
• Denial – Authorized users cannot gain access to a system for legitimate purposes
• DAD activities may be malicious or accidental

AAA
• Authentication – Is the user really who she says she is?
• Authorization – Now that the user is indeed Joan, what is she allowed to do to the system(s)?
• Accounting (Auditing) – Joan has been authenticated and authorized. What has she done to the system?

Authentication
• Verifies the identity of subjects (they are who/what they claim to be).

Authorization
• Defines a subject’s access rights to an object (“access control list”, ACL); she will be able to use those rights once she has been properly authenticated.

Accountability (Auditing)
• Ensures that users are accountable for their actions; provides evidence for investigating security breaches.

The “Saturday Night Live” Triad
• The S-N-L Triad
  – Segregation of Duties
  – Need to Know
  – Least Privilege
• Related concepts include security clearances and data classification.
• Often these principles are discussed in relation to human users.
  – Their proper application prevents many organizational problems for InfoSec.
  – However, remember they’re equally applicable to inanimate subjects such as OS processes.

Segregation of Duties
• Aka “separation of duties” or “separation of privileges”.
• No single person should have enough authority to cause a critical event to happen.
  – A task is designed so that separate actions must be performed by different people, and these actions in combination achieve the task.
  – Prevents one individual from having control of an entire process and manipulating the process for personal gain.
• Collusion will be needed for abuse, making abuse more difficult and less likely.

Need to Know
• Subjects should be granted access only to the objects necessary for completion of their tasks.
• Having the authorization or clearance to see a particular classification level of information is not sufficient reason to see all information at that level.
• No access should be granted solely by virtue of office, position, rank, or security clearance.

Least Privilege
• Subjects should be granted the minimum level of access (the most restrictive set of privileges) needed for the performance of authorized tasks.
  – If Read-Only is sufficient, don’t grant Read-Write.
  – Do not grant more rights than necessary just because it is easier to do.
• Limits the damage that may result from security breaches or incidents.

Data Classification
• Know what you’re protecting!
• Provides users with a way to stratify sensitive information.
• Provides a system for applying safeguards appropriate to the level of confidentiality required.
• Government and private industry have similar classification systems, although:
  – Normally government classification systems are more restrictive and bureaucratic than industry systems.
  – The ones used by non-government entities have more variations.

Classification Systems
• U.S. Government Classifications
  – Top Secret, Secret, Confidential, Sensitive but Unclassified (For Official Use Only), and Unclassified
• Common Industry Classifications
  – Trade Secret, Company Confidential/Proprietary, Unclassified
  – Trade secrets are often not protected by patents or copyrights; employees must understand their legal obligation not to disclose the information.

Data Classification
• Don’t go overboard.
  – Too many types will frustrate users.
  – In 1956 George Miller wrote an article, The Magical Number Seven Plus or Minus Two: Some Limits on Our Capacity for Processing Information. He showed that the amount of information which people can process and remember is often limited to about seven items.
• The classifications must be mutually exclusive.

Security Clearances
• Go hand-in-hand with data classification.
• If you as a consultant or your organization work with certain government entities, you are required to obtain clearances before you perform work.
• It can sometimes involve rigorous background checks, polygraphs, and agreements about disclosure of sensitive information.
• Usually clearance is tied to essential activities of an individual’s current job.

Confidentiality Model – Bell-LaPadula
• Simple security rule (No read up)
  – No subject can read information from an object with a higher security classification.

Confidentiality Model – Bell-LaPadula
• *-property (No write down)
  – A subject cannot write to an object with a lower security classification.

Security by Obscurity
• Protects information and systems by hiding them.
• Usually not a good approach to security.
  – One of the few exceptions may be steganography (steganos, Gk., covered).
  – Not to be confused with stenography.
• Should be implemented together with other security measures.

Master of Defense in Depth – Vauban
[Figure omitted] Source: P. Griffith, The Vauban Fortifications of France, Osprey.

[Figure omitted: El Morro Fort, San Juan, PR. Five layers (levels) of protection; the inner layer has the highest concentration of protective measures. Source: bitscn.com.]

Defense in Depth – Orig. Flavor
[Figure omitted]

Defense in Depth – Orig. Flavor
[Figure omitted]

Layered Protection
[Figure omitted] Based on Carr et al., The Management of Network Security, Prentice Hall.

Defense in Depth
• Aka “Layered protection”.
• Broached by the SANS Institute.
• An organization must have a layered defense at the perimeter, network, equipment, and data layers.
• Because there are so many potential attackers taking advantage of numerous attack vectors, there is no single method for successfully protecting a network.
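The two Bell-LaPadula rules above (no read up, no write down) together with the Need to Know principle, as an added Python example that is not part of the slides. It uses the U.S. government levels from the Classification Systems slide; the subject name joan, the compartment names payroll and hr, and the object names are constructed, and the compartment check is an extension of the slides' level-only rules (BLP with need-to-know categories).

```python
"""Bell-LaPadula (no read up / no write down) plus need-to-know checks.

Added example; the compartment (need-to-know) check extends the slides'
level-only statement of the two rules.
"""
from dataclasses import dataclass

# Slide 31's U.S. government levels, ordered from least to most sensitive.
LEVELS = ["Unclassified", "Sensitive but Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A clearance (for a subject) or a classification (for an object)."""
    level: str
    # Need-to-know compartments (constructed names such as "payroll"). A subject
    # must hold every compartment of an object, not just a high enough level.
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other AND holds all of other's compartments."""
        return RANK[self.level] >= RANK[other.level] and other.compartments <= self.compartments


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security rule (no read up): the subject's clearance must dominate the object."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's classification must dominate the subject."""
    return obj.dominates(subject)


def audited_access(log: list, who: str, action: str, subject: Label, obj_name: str, obj: Label) -> bool:
    """Decide the request and record it, as the AAA slide's accounting step would."""
    check = may_read if action == "read" else may_write
    allowed = check(subject, obj)
    log.append(f"{who} {action} {obj_name}: {'ALLOW' if allowed else 'DENY'}")
    return allowed


def demo() -> list:
    """Walk Joan (Secret, payroll) through six requests and return the audit log."""
    log: list = []
    joan = Label("Secret", frozenset({"payroll"}))
    payroll_secret = Label("Secret", frozenset({"payroll"}))
    ts_payroll = Label("Top Secret", frozenset({"payroll"}))
    hr_secret = Label("Secret", frozenset({"hr"}))       # same level, no need to know
    public_notice = Label("Unclassified")
    audited_access(log, "joan", "read", joan, "payroll_secret", payroll_secret)  # ALLOW
    audited_access(log, "joan", "read", joan, "ts_payroll", ts_payroll)          # DENY: no read up
    audited_access(log, "joan", "read", joan, "hr_secret", hr_secret)            # DENY: need to know
    audited_access(log, "joan", "read", joan, "public_notice", public_notice)    # ALLOW: read down
    audited_access(log, "joan", "write", joan, "ts_payroll", ts_payroll)         # ALLOW: write up
    audited_access(log, "joan", "write", joan, "public_notice", public_notice)   # DENY: no write down
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the *-property permits writing *up*: a Secret subject may append to a Top Secret object, which is why the model protects confidentiality but says nothing about integrity.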
• Instead, we should protect a network with a variety of defensive mechanisms so that if one mechanism fails, another will already be in place to thwart an attack.

Layered Protection
• Makes the effort needed to pull off a compromise more costly in time and labor than it is worth to a potential attacker.
• Delays the attacker to buy time for implementing incident response actions.
• Eliminates any single point of failure in security.
• More general types of protection sit in the outer layers so that performance does not degrade.
• Granularity increases as layers get closer to the resource to be protected, and packets are fewer and more specific.

Layered Protection
• However, more layers mean more complexity.
• They are more expensive too.
• Sometimes one layer may hamper the correct functioning of another.
  – Example: Network-based intrusion detection systems cannot read network traffic if it is encrypted.
• Again, balance is the key.

So, Do I Really Have to Have Security?
• For many organizations, it’s NOT optional.
• Mandatory regulations required by government
  – SOX
  – GLBA
  – HIPAA
  – Data center requirements for financial institutions
• “Self regulations”
  – PCI DSS

Sarbanes-Oxley Act (SOX)
• Public Company Accounting Reform and Investor Protection Act of 2002
• Intended to prevent Enron scandals of the future.
• Protects investors by requiring accuracy and reliability in corporate disclosures.
• Created new penalties for acts of wrongdoing, both civil and criminal.
  – CEOs and CFOs are personally liable. Certification of fraudulent reports may be punished by fines up to $1 million and/or imprisonment of up to 10 years.

SOX
• Sec. 201 – Services outside scope of auditor practice
• Sec. 302 – Corporate responsibility for financial reports
• Sec. 404 – Assessment of internal controls
• Sec. 409 – Real time issuer disclosures
• Sec. 802 – Criminal penalties for altering documents
• Sec. 806 – Protection of employees exposing fraud
• Sec. 807 – Criminal penalties for defrauding shareholders

Critical Aspects of SOX
• Specifies new financial reporting requirements.
  – Section 302 requires CEOs and CFOs to certify their company’s SEC reports.
• Requires all financial reports to include an internal control report.
  – Section 404 requires CEOs and CFOs to report on the effectiveness of the company’s internal controls over financial reporting.
  – To comply with Section 404, companies have to ensure that their data are accurate.
• Auditing firms are also required to attest to the accuracy of the assessment.

Gramm-Leach-Bliley Act (GLBA)
• The Financial Modernization Act of 1999
• Protects personal financial information held by financial institutions
  – Privacy Rule
  – Safeguards Rule
  – Pretexting Rule

GLBA – Privacy Rule
• A financial institution may not share non-public information on a consumer with non-affiliated third parties unless it gives notice to the consumer (notice of privacy).
• The customer must be given a chance to opt out.

Concern for Privacy
[Figure omitted] Based on: Wu, Prybutok, Koh, and Hanus, “A nomological model of RFID privacy concern,” Business Process Management Journal, 18(3), 2012, pp. 420-444, adapted from original work by Smith, Milberg, and Burke, MIS Quarterly, 20(2), 1996, pp. 167-196.

Concern for Privacy
• Collection – Concern that a large amount of personal information is collected and stored in databases.
• Unauthorized Secondary Use – Concern that personal information is collected ostensibly for one purpose but, once collected, used for another purpose (secondary use). This can be done either inside or outside of the company that collected the data.
• Improper Access – Concern that personal information, once collected, becomes accessible to people who do not have the authorization to view or work with it.
• Errors – Concern that personal information may become corrupted and erroneous due to malicious or inadvertent modifications.

GLBA – Safeguards Rule
• The FTC requires financial institutions to create an information security program.
  – Specifies the administrative, technical, and physical controls to protect information.
  – Assign an “owner” of the program.
  – Conduct risk assessments and address identified risks.
  – Review the program on an ongoing basis.
• Financial institutions must also ensure that their service providers protect customer information.

HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Protects against loss of health insurance due to change of jobs.
• Protects the privacy and security of personal health information.
• Protected health information (PHI) is any individually identifiable information, including:
  – Info on the physical and mental health of a person.
  – Notes doctors put into a person’s medical record.
  – Billing and payment related to healthcare.

HIPAA – Security Rule
• The Security Rule dictates how covered entities must protect the confidentiality, integrity, and availability of electronic PHI (EPHI).
• Covered entities must create, review, and update policies and procedures to comply with the Security Rule.
• Covered entities must implement administrative, physical, and technical safeguards.
• The Rule includes standards that must be implemented for each safeguard (“implementation specifications”).
What About Availability

Disaster Recovery Regulations
• September 11 exposed the risks of data loss caused by disastrous events.
• On April 7, 2003, the Securities and Exchange Commission (SEC), Comptroller of the Treasury, and the Federal Reserve issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.
• Now, financial institutions that account for at least 5% of the transactions in critical financial markets are required to implement sound business continuity practices.
Cf. Yang and Wu, “Using virtualization to ensure uninterrupted access to software applications for financial services firms,” Proceedings of the 45th Hawaii International Conference on System Sciences, 2012, pp. 5623-5630.

Three-Datacenter Strategy
• One required practice is to maintain sufficient geographically dispersed resources, most importantly data centers. The targeted recovery time is two hours.
• The largest institutions are required to maintain three data centers.
• Although DR practices are not mandatory for other financial services firms, many of those firms are adopting the practices because it is prudent to do so.
• Medium firms’ voluntary compliance calls for two data centers.

California SB1386
• California’s Database Security Breach Notification Act of 2003 was the first notification law.
  – Created by, and more commonly referred to as, California Senate Bill 1386.
  – Motivated by the realization that identity theft was one of the fastest growing crimes.
• Covers any entity that stores personal information on a California resident.
• The entity must notify California residents of a breach of its computer systems.
Personal Information
• CA SB1386 defines this broadly:
  – Social security number
  – Driver’s license/CA ID number
  – Account/CC number, with related security code, access code, password, etc.
  – Medical information
  – Health insurance information
• Information accessible to the public through government records is not personal information.
• If data are encrypted, then no notification is required.

Other States Follow Suit
• After the ChoicePoint breach, many other states created their own notification laws.
  – As of January 2010, 45 states (incl. D.C.)
• Many were modeled after SB1386.
• There are a number of differences across states.

Self-Regulation – PCI DSS
• The Payment Card Industry Security Council is a private industry organization.
• Any credit card-accepting merchant or service provider must comply with the Payment Card Industry Data Security Standard (PCI DSS).
• The DSS provides a uniform approach to safeguarding sensitive cardholder data for all credit card issuers.
• It identifies 12 basic categories of security requirements for credit card data protection.

PCI DSS
• Applies only to the systems that process, store, or transmit credit card data.
• Uses preventive, detective, and corrective controls to secure data.
• Compliance level is based on the size of merchants’ credit card operations.
• Compliance audits are performed periodically.
  – Questionnaire
  – Perimeter scan
  – On-site security audit
• Enforcement is weak. Card companies use the threat of financial penalties to compel compliance.

BS7799
• The British standard for information security management.
• Provides the framework necessary to create a secure system.
• The first version was created in 1995. A revised version was released in 1999.
  – Volume 1 – Code of Practices for Information Security Management provides guidance on best practice in security management.
  – Volume 2 – Specification for Information Security Management Systems specifies the standard against which an organization can be assessed and certified.

ISO/IEC 17799:2005
• The Code of Practice for Information Security Management is a standard sanctioned by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  – Based on the UK’s BS7799
  – First edition was ISO/IEC 17799:1999
• Is proposed to be ISO/IEC 27002
  – ISO27001 (Based on BS7799 Part 2): Audit and certification
  – ISO27002 (Based on BS7799 Part 1): Code of Practices for ISMS
  – ISO27003 (Unofficial): Implementation guidance
  – ISO27004 (Unofficial): Measurement and metrics

Using ISO17799
• Provides a series of systematic recommendations for building a security program that fits a company’s business model.
• If a company follows ISO17799 as its information security standard, it will address many of the other legal requirements placed on it by the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA).
• It’s easy to map the requirements from SOX, GLBA, and HIPAA to ISO17799.
• The controls suggested by the standard should be selected based on risk assessment.
• It falls short of providing guidance on how to implement the standard based on a company’s unique requirements.

Structure of ISO17799
• 11 control areas, 39 control objectives, 133 controls
• A control is an action, process, or technology that can lower the risk to a company.
  – A management control requires management approval, support, or activities.
  – An operational control is action- or task-oriented.
  – A technical control requires modification, configuration, or verification of information processing facilities.
• Some companies use the TOC of the standard to structure their information security policies.
ISO17799 Control Areas
• Security Policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management

ISO17799 Control Areas
• Access control
• Information systems acquisition, development, and maintenance
• Information security incident management
• Business continuity management
• Compliance

ISO17799 Example: Security Policy
• The Security Policy control area has one control objective and two controls
  – Control objective: 5.1 Security policy (Sections 1 through 4 are non-action items)
  – Control #1: 5.1.1 Information security policy document
  – Control #2: 5.1.2 Review of the information security policy
• These two controls, esp. 5.1.1, are the focus of an information security program.

ISO17799 Example: Security Policy
• 5.1.1 Information security policy document
  – Is there a formal information security document published by management representing the business, legal, contractual, and regulatory requirements?
  – Is the policy document available to all employees and users?
  – How is the policy communicated to all affected parties? How often?
  – How does the information security policy document support the business objectives?
  – Is there a documented structure for risk assessment and risk management within the policy?
  – Are all 11 control areas represented in the policy?
  – Does the policy reference other policies, standards, or procedures when appropriate?

ISO17799 Example: Security Policy
• 5.1.2 Review of the information security policy
  – How often is the information security policy reviewed?
  – Does management engage qualified external subject matter experts to review the policy?
  – Is the policy reviewed and revised based on a defined process?
  – How are events or plans reviewed to determine if a policy revision or update is required?
  – Is a formal management approval process required for policy changes?
Other Security Frameworks
• National Institute of Standards and Technology (NIST) Special Publications (800 series)
• These are not InfoSec-specific frameworks but both have a significant security focus:
  – Control Objectives for Information and Related Technology (CobiT)
  – IT Infrastructure Library (ITIL)

CobiT and Security
• CobiT centers on the IT processes of an organization, which are broken down into four domains:
  – Plan and Organize (PO)
  – Acquire and Implement (AI)
  – Deliver and Support (DS)
  – Monitor and Evaluate (ME)
• CobiT hierarchy
  – Domains
  – Control Objectives
  – Detailed Control Objectives
• DS5 Ensure Systems Security governs security and contains 11 detailed control objectives.
• CobiT Security Baseline includes DS5 and other relevant control objectives.

CobiT
[Figure omitted] Source: ITGI, CobiT Security Baseline.

ITIL
• Also originates in the UK (Office of Government Commerce).
• A collection of books grouped into areas including service delivery, service support, security management, application management, etc.
• Focuses on IT services and quality.
• Like CobiT, ITIL focuses on IT processes.
  – One of ITIL’s underpinnings is embedding security into everyday processes.
• Security management is a major part and is singled out as a book.
  – The Control process in Security Management stresses the importance of operational level agreements via the use of SLAs.