CS 216
Introduction to Information
Security Concepts
What is Security?
The quality or state of being secure: to be
free from danger
A successful organization
should have multiple layers of
security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
Personal security
Personal security is a general condition that
occurs after adequate efforts are taken to deter,
delay, and provide warning before possible
crime, if such warning occurs, to summon
assistance, and prepare for the possibility of
crime in a constructive manner.
Physical security
Physical security is the protection of personnel,
hardware, programs, networks, and data
from physical circumstances and events that
could cause serious losses or damage to an
enterprise, agency, or institution. This includes
protection from fire, natural disasters, burglary,
theft, vandalism, and terrorism.
Operations security (OPSEC)
Operations security (OPSEC) is a term
originating in U.S. military jargon, as a process
that identifies critical information to determine if
friendly actions can be observed by enemy
intelligence, determines if information obtained
by adversaries could be interpreted to be useful
to them, and then executes selected measures
that eliminate or reduce adversary exploitation
of friendly critical information.
Communications security
Communications security is the discipline of
preventing unauthorized interceptors from
accessing telecommunications in an
intelligible form, while still delivering content to
the intended recipients.
Network security
Network security consists of the policies adopted
to prevent and monitor unauthorized access,
misuse, modification, or denial of a
computer network and network-accessible
resources.
Network security involves the authorization of
access to data in a network, which is controlled
by the network administrator.
What is Information Security?
The protection of information and its critical
elements, including systems and hardware that
use, store, and transmit that information
Necessary tools: policy, awareness, training,
education, technology
The C.I.A. triangle (confidentiality, integrity,
and availability) was the traditional standard
The C.I.A. triangle has since been expanded into a
list of critical characteristics of information
Critical Characteristics of Information
The value of information comes from the
characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
Vocabulary: Security Policy
Refers to the way a system is supposed to
function
Can be explicit or implicit
Outlines assumptions of protections and
violations
Vocabulary: Security Policy
The security policy must represent the pertinent
laws, regulations, standards, and general
policies accurately.
There are three types of policy generally used in
secure computer systems:
Confidentiality Policy:
A confidentiality policy typically states that only
authorised users are to be permitted to observe
sensitive data, and that all unauthorised users
are to be prohibited from such observation.
Integrity Policy
An integrity policy has two facets.
The first refers to the quality of the data that is stored in
the computer. The integrity policy will state that the
data should reflect reality to some degree. How best to
do this is the subject of much research activity.
The second facet of integrity policy is associated with the
data being available for use when it is legitimately
needed. No user, whether he or she is or is not
authorised to access some data item, should be able to
unreasonably delay or prohibit another authorised user
from legitimate access.
Availability Policy:
The computer system should be available for use
when it is needed, and it should satisfy some
specified requirements for its mean-time-to-failure (MTTF)
and its mean-time-to-repair (MTTR).
Vocabulary: Incident
A security incident is a violation (or series of
violations) of a system's security policy
Scope can vary from narrow to broad
Incidents are events caused by (malicious)
behavior
Can be automated (a virus) or manual (abuse
of access)
Vocabulary: Threat
Potential cause of a security incident
Can be purposeful (a specific tool used to break
into a site, or a malicious insider) or
accidental (floods, fire, lost backup tape, etc.)
Vocabulary: Vulnerability
Flaw in a system that could allow a threat to
violate the security policy
Can be a result of oversight or architecture
Logic flaws can present vulnerabilities
Vulnerabilities are static properties of a system: they
exist whether or not anyone has exploited them
Vocabulary: Exploit
Exploit is when a threat capitalizes on a
vulnerability
Exploits can be manual or automated
Exploits demonstrate that there is a problem
with a system
Vocabulary: Malware
Software written to do harm
Malware includes virus and worm code
Includes software designed to modify legitimate
systems to:
Allow unauthorized remote access
Hide evidence of intrusion
Exfiltrate data from a target
Surreptitiously monitor user activity
And more...
Security Concepts
The Golden Rule (Au)
Authentication: users are who they claim to be,
or at least can present credentials
Authenticity: data has not been altered and
remains true to its original form
Audit: the system can track which users
performed what activity on what data
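The confidentiality policy described earlier (only authorised users may observe sensitive data) and the three Au's above come together in a reference monitor: a single chokepoint that authenticates the caller, authorizes the request against the explicit policy, and audits every decision. The following is an added example written for this page, not code from the course; the users, passwords, resources, sensitivity labels and the 0/1/2 clearance scale are constructed assumptions.

```python
"""Added example (not from the course slides): a minimal reference monitor that
enforces an explicit confidentiality policy, combining authentication,
authorization and audit. All users, passwords, resources and sensitivity
labels below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Principal:
    name: str
    clearance: int   # 0 = public, 1 = internal, 2 = secret (hypothetical scale)
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential table cannot be reversed cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_principal(name: str, clearance: int, password: str) -> Principal:
    salt = os.urandom(16)
    return Principal(name, clearance, salt, _hash(password, salt))


# Constructed sample data
USERS: Dict[str, Principal] = {
    "alice": make_principal("alice", 2, "correct horse battery"),
    "bob": make_principal("bob", 0, "hunter2"),
}
# The explicit policy: a principal may observe a resource only if its
# clearance is at least the resource's sensitivity label.
RESOURCES: Dict[str, int] = {"public_notice": 0, "payroll.csv": 2}

AUDIT_LOG: List[dict] = []   # every decision, allow or deny, is recorded here

_DUMMY_SALT = b"\x00" * 16


def authenticate(name: str, password: str) -> Optional[Principal]:
    p = USERS.get(name)
    if p is None:
        _hash(password, _DUMMY_SALT)   # same cost whether or not the user exists
        return None
    return p if hmac.compare_digest(_hash(password, p.salt), p.pw_hash) else None


def authorize(p: Principal, resource: str) -> bool:
    label = RESOURCES.get(resource)
    if label is None:
        return False   # fail closed: unknown objects are never observable
    return p.clearance >= label


def read(name: str, password: str, resource: str) -> Optional[str]:
    """Mediate every access: authenticate, authorize, then audit the decision."""
    p = authenticate(name, password)
    if p is None:
        AUDIT_LOG.append({"user": name, "resource": resource, "event": "authn_fail"})
        return None
    allowed = authorize(p, resource)
    AUDIT_LOG.append({"user": name, "resource": resource,
                      "event": "allow" if allowed else "deny"})
    return f"<contents of {resource}>" if allowed else None


if __name__ == "__main__":
    print(read("alice", "correct horse battery", "payroll.csv"))  # allowed
    print(read("bob", "hunter2", "payroll.csv"))                  # None (denied)
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points matter more than the policy itself: the monitor fails closed (an unknown resource is denied rather than treated as public), and denials and failed logins are audited as carefully as successes, since those records are what detection later depends on.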
Security as Asset Protection
A secure system must protect:
Confidentiality (threat: information disclosure)
Integrity and reliability (threat: data corruption)
Access (threat: denial of service)
Security Lifecycle
Security is a process not a product
Complexity is the enemy of security
Security is an evolutionary landscape
"Secure" is a point-in-time evaluation
"Secure" is defined only against known threats
0 day
A 0 day is a vulnerability for which no patch is
available, typically because the vendor does not
yet know about it
If 0 day cannot be predicted, how can we defend
against it?
0 day can often be mitigated
How can we detect 0 day?
Defense in depth is often the only defense
against 0 day
When evaluating security you should assume 0
day
A Word on Software Bugs
Software engineering is a robust and mature
field of academic study
All software projects of sufficient size and
complexity contain bugs, regardless of
development process
A certain number of bugs will be security-related
Conclusion: all software contains security-related
bugs
Classifying Software Bugs
Not all bugs are the same
Bugs may present wildly varying threats
Bugs may have different risks associated with
them
All bugs are significant, however
Even if it's bug free
Bug free software can still have vulnerabilities:
Configuration problems:
Logic flaws
Default or weak credentials
Improper trust model
Etc.
Fundamentally insecure design:
Software functions exactly as designed, but the
result is an unintended vulnerability
Two bug-free systems might interact insecurely
Vulnerability Synergy
Linking one vulnerability to another
Chains of low-risk or low-significance
vulnerabilities can add up to a serious vulnerability
Even if highest risk bugs are all patched, a
combination of low risk bugs could lead to
compromise
Sisyphean Task
A sufficiently resourced and motivated attacker
will always compromise security
Defenders must be right 100% of the time,
attackers need only succeed once
You can't possibly defend against everything
Attacker motivation is unknowable
Protect, Detect, React
The security lifecycle, also known as the security
hamster wheel of pain
EVERY step is critical
Detection is dependent on observation and
reporting
Logs are some of the best places to do detection
More on each step later
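Detection depends on observation, and logs are where that observation usually lives. The following added example (written for this page, not course code) runs simple detection logic over constructed sshd-style log lines: it raises a "burst" alert when one source address produces five failed logins inside a sliding sixty-second window, and a second alert if a login from that address then succeeds while the burst is still fresh, which is the case a responder most wants to see first. The threshold, window, year and all log lines are assumptions.

```python
"""Added example (not from the course slides): brute-force detection over
sshd-style log lines. The log lines, threshold and window are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample log, syslog style; not captured from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:00:05 host sshd[1204]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
Mar  3 10:00:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:00:07 host sshd[1206]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:00:09 host sshd[1207]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for bob from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; assume one (hypothetical) so they can be ordered
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, datetime]]:
    """Return alerts as (ip, kind, timestamp).

    kind == "burst": at least `threshold` failures from one IP inside `window`
    kind == "success_after_failures": a login from that IP succeeded within
    `window` of the burst (the case to triage first).
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time its burst was first reported
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # unparsed lines are skipped, not treated as benign
        ts, result, _user, ip = rec
        q = failures[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts          # report each burst once
                alerts.append((ip, "burst", ts))
        elif result == "Accepted" and ip in flagged and ts - flagged[ip] <= window:
            alerts.append((ip, "success_after_failures", ts))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S}  {ip:<15} {kind}")
```

Note that the single failure from 198.51.100.4 produces nothing: the point of a windowed threshold is to separate a user mistyping a password from an automated guesser, which is exactly the "deluge of false positives" problem that automation without judgment creates.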
How can we get ahead?
The protect/detect/react cycle often requires an
incident to move from detect/react to better
protection
It is important to keep the cycle moving
independently of a security incident
Collecting metrics is key to making informed
decisions
Start with security first...
Secure Design
Threat modeling
Maximize ROI with high-impact, low-cost
mitigations
Good authentication, authorization and audit
Fault tolerance or Rugged Design
Applications should protect against unexpected
actions
This includes good exception handling
Test-driven design, including negative tests: inputs
the application must reject
Secure Application Development Lifecycle (SDLC)
Penetration Testing
Actively attacking your own systems
Can reveal flaws in protection, including gaps
Can proactively identify vulnerabilities (find and fix
them before an attacker can use them as a 0 day)
Helps more accurately frame risk assessment
Application Security Testing
Black box
Penetration testing from an outsider's position, with
no internal access or documentation
Gray box
Some level of access and documentation
available
White box
Full code review, often combined with other
testing tools
Using Automation
Automation is critical for a timely review
Automation can lead to false positives
Automated tools without skilled human
operators can be useless
Deluge of false positives
Poor risk assignment
Gold Standard for Security Reporting
Security reporting after a review should include:
List of vulnerabilities, ranked/grouped by
severity
Demonstration (proof of concept) for each exploitable finding
List of suggested mitigation and work around
strategies
List of patches and/or fixes for the issue
A good security test should be repeatable
Resource Allocation
In the real world resources are limited
Given the scope of security it is impossible to
cover all fronts
How does one make smart resource allocation
decisions?
Risk Calculations
Risk can be used to draw comparisons
Risk generally calculated:
Risk = Likelihood x Severity
Good risk ratings allow you to compare apples
to apples
Can focus attention and resources to greatest
need
How can we baseline these without METRICS?
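The following added example (written for this page, not course code) applies Risk = Likelihood x Severity to a set of findings and ranks them, and also treats a chain of individually low-risk findings, the vulnerability synergy case from earlier, as one item whose severity is the outcome the whole chain reaches. The 1 to 5 scales, the findings, their fix costs, and the rule that a chain is no more likely than its least likely step are all assumptions made for illustration, not a standard methodology.

```python
"""Added example (not from the course slides): ranking findings by
risk = likelihood x severity, and scoring a chain of low-risk findings as
one item whose severity is what the whole chain achieves. The scales,
findings, costs and chain rule below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int   # 1 (rare) .. 5 (near certain), hypothetical scale
    severity: int     # 1 (negligible) .. 5 (critical), hypothetical scale
    fix_cost: int     # hypothetical effort to fix, in engineer-hours

    @property
    def risk(self) -> int:
        return self.likelihood * self.severity


@dataclass(frozen=True)
class Chain:
    """Findings an attacker must link in sequence to reach a worse outcome."""
    name: str
    steps: Tuple[Finding, ...]
    outcome_severity: int   # severity of what the completed chain achieves

    @property
    def likelihood(self) -> int:
        # every step must succeed, so the chain is no more likely than its least likely step
        return min(f.likelihood for f in self.steps)

    @property
    def risk(self) -> int:
        return self.likelihood * self.outcome_severity

    def cheapest_break(self) -> Finding:
        # fixing any single link breaks the whole chain; pick the cheapest one
        return min(self.steps, key=lambda f: f.fix_cost)


def rank(items: List[Union[Finding, Chain]]) -> List[Union[Finding, Chain]]:
    """Highest risk first; ties keep their input order."""
    return sorted(items, key=lambda x: x.risk, reverse=True)


# Constructed findings
VERBOSE_ERRORS = Finding("verbose_error_pages", likelihood=4, severity=1, fix_cost=2)
SSRF = Finding("ssrf_in_image_fetch", likelihood=3, severity=2, fix_cost=8)
DEFAULT_CREDS = Finding("default_creds_internal_admin", likelihood=3, severity=2, fix_cost=1)
CMS_RCE = Finding("unpatched_public_cms_rce", likelihood=2, severity=5, fix_cost=4)

# Individually each step rates 6 or lower; linked, they yield full admin access.
ADMIN_CHAIN = Chain(
    "chain: verbose errors -> SSRF -> default creds",
    steps=(VERBOSE_ERRORS, SSRF, DEFAULT_CREDS),
    outcome_severity=5,
)

FINDINGS: List[Finding] = [VERBOSE_ERRORS, SSRF, DEFAULT_CREDS, CMS_RCE]

if __name__ == "__main__":
    for item in rank(FINDINGS + [ADMIN_CHAIN]):
        print(f"{item.risk:3d}  {item.name}")
    print("cheapest way to break the chain:", ADMIN_CHAIN.cheapest_break().name)
```

Ranked this way the chain (risk 15) outranks the lone remote code execution (risk 10), even though none of its three links scores above 6 on its own; and the cheapest fix that breaks it is the one-hour default-credential change, which is the "high impact, low cost" mitigation a threat model is meant to surface.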
Flaw in Risk Calculation
Likelihood can never actually be measured,
because it is within the attacker's control
How can you quantify what you don't know?
Severity may hinge on unknown consequences
or attacker motivation
Some resources may escape risk calculation
Non Technical Threats
Risk calculation involves assessing threats
Some threats are not strictly system related:
Reputational damage
Misinformation
Business risks (ex: grant funding)
Typical Poor Risk Calculation
Home user doesn't protect their machine
because they have no data of value
Risk = medium likelihood x low impact
Home user may not understand full impact:
Attacker can use webcam
Attacker can use mic to record conversations
Attacker can use the connection to compromise the
wireless router and allow anonymous wireless access
Linchpin in Most Flaws
Many risk calculations fail because the
assessor measures risk based on:
Perceived attacker motivation
Without understanding what an attacker is after
there is no effective way to protect resources
Industry best practice may provide a guide
Moving Forward
Goal is an adaptive, metrics based information
security program
Resources should be fluid, and allocated based
on actual need
Reactive capabilities should be maximized
Reduction of misguided protective measures
Constant metrics gathering and reevaluation
Learn, grow, share
Securing Components
Computer can be subject of an attack and/or the
object of an attack
When the subject of an attack, computer is used as
an active tool to conduct attack
When the object of an attack, computer is the entity
being attacked
Figure 1-5: Subject and Object of Attack
Balancing Information Security and
Access
Impossible to obtain perfect security: it is a process,
not an absolute
Security should be considered balance between
protection and availability
To achieve balance, level of security must allow
reasonable access, yet protect against threats
Figure 1-6: Balancing Security and Access
Approaches to Information Security
Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to
improve security of their systems
Key advantage: technical expertise of individual
administrators
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power
Approaches to Information Security
Implementation: Top-Down Approach
Initiated by upper management
Issue policy, procedures and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action
The most successful also involve formal
development strategy referred to as systems
development life cycle
Security Professionals and the
Organization
Wide range of professionals required to support a
diverse information security program
Senior management is a key component; additional
administrative support and technical expertise are
also required to implement the details of the
information security program
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic
planning
Chief Information Security Officer (CISO)
Primarily responsible for assessment, management, and
implementation of information security in the organization
Usually reports directly to the CIO
Information Security Project Team
A number of individuals who are experienced in one
or more facets of technical and non-technical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Data Ownership
Data Owner: responsible for the security and use of
a particular set of information
Data Custodian: responsible for storage,
maintenance, and protection of information
Data Users: end users who work with information to
perform their daily jobs supporting the mission of
the organization
Communities Of Interest
Group of individuals united by similar interest/values
in an organization
Information Security Management and Professionals
Information Technology Management and
Professionals
Organizational Management and Professionals