
CS 216

Introduction to Information
Security Concepts

What is Security?
The quality or state of being secure: to be free from
danger
A successful organization should have multiple
layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security

Personal security
Personal security is a general condition that
occurs after adequate efforts are taken to deter,
delay, and provide warning before possible
crime, if such warning occurs, to summon
assistance, and prepare for the possibility of
crime in a constructive manner.

Physical security
Physical security is the protection of personnel,
hardware, programs, networks, and data
from physical circumstances and events that
could cause serious losses or damage to an
enterprise, agency, or institution. This includes
protection from fire, natural disasters, burglary,
theft, vandalism, and terrorism.

Operations security (OPSEC)
Operations security (OPSEC) is a term
originating in U.S. military jargon, as a process
that identifies critical information to determine if
friendly actions can be observed by enemy
intelligence, determines if information obtained
by adversaries could be interpreted to be useful
to them, and then executes selected measures
that eliminate or reduce adversary exploitation
of friendly critical information.

Communications security
Communications security is the discipline of
preventing unauthorized interceptors from
accessing telecommunications in an
intelligible form, while still delivering content to
the intended recipients.

Network security
Network security consists of the policies adopted
to prevent and monitor unauthorized access,
misuse, modification, or denial of a
computer network and network-accessible
resources.
Network security involves the authorization of
access to data in a network, which is controlled
by the network administrator.

What is Information Security?
The protection of information and its critical
elements, including the systems and hardware that
use, store, and transmit that information
Necessary tools: policy, awareness, training,
education, technology
The C.I.A. triangle was the standard, based on
confidentiality, integrity, and availability
The C.I.A. triangle has now been expanded into a list
of critical characteristics of information

Critical Characteristics of Information
The value of information comes from the
characteristics it possesses:
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

Vocabulary: Security Policy
Refers to the way a system is supposed to
function
Can be explicit or implicit
Outlines assumptions of protections and
violations

Vocabulary: Security Policy
The security policy must represent the pertinent
laws, regulations, standards, and general
policies accurately.
There are three types of policy generally used in
secure computer systems:

Confidentiality Policy:
A confidentiality policy typically states that only
authorised users are to be permitted to observe
sensitive data, and that all unauthorised users
are to be prohibited from such observation.

Integrity Policy
An integrity policy has two facets.
The first refers to the quality of the data that is stored in
the computer. The integrity policy will state that the
data should reflect reality to some degree. How best to
do this is the subject of much research activity.
The second facet of integrity policy is associated with the
data being available for use when it is legitimately
needed. No user, whether he or she is or is not
authorised to access some data item, should be able to
unreasonably delay or prohibit another authorised user
from legitimate access.

Availability Policy:
The computer system should be available for use
when it is needed, and it should satisfy some
specified requirements for its mean-time-to-failure
and its mean-time-to-repair.

Vocabulary: Incident
A security incident is a violation (or series of
violations) of a system's security policy
Scope can vary from narrow to broad
Incidents are events caused by (malicious)
behavior
Can be automated (a virus) or manual (abuse
of access)

Vocabulary: Threat
Potential cause of a security incident
Can be purposeful (a specific tool used to break
into a site, or a malicious insider)
Can be accidental (floods, fire, lost backup tape, etc.)

Vocabulary: Vulnerability
Flaw in a system that could allow a threat to
violate the security policy
Can be a result of oversight or architecture
Logic flaws can present vulnerabilities
Vulnerabilities are static aspects of systems

Vocabulary: Exploit
An exploit is when a threat capitalizes on a
vulnerability
Exploits can be manual or automated
Exploits demonstrate that there is a problem
with a system

Vocabulary: Malware
Software that does bad stuff
Malware includes virus and worm code
Includes software designed to modify legitimate
systems to:
Allow unauthorized remote access
Hide evidence of intrusion
Exfiltrate data from a target
Surreptitiously monitor user activity
And more...

Security Concepts

The Golden Rule (Au)

Authentication
Users are who they claim to be, or at least can
present credentials

Authenticity
Data has not been altered and remains true to
its original form

Audit
The system can track activity, data and
users

Security as Asset Protection

A secure system must protect:

Confidentiality (Threat: Information disclosure)

Integrity (and Reliability) (Threat: Data corruption)

Access (Threat: Denial of service)

Security Lifecycle

Security is a process not a product

Complexity is the enemy of security

Security is an evolutionary landscape

Secure is a point-in-time evaluation

Secure is defined by known threats

0 day

A 0 day is a vulnerability for which there is no
patch available
If 0 day cannot be predicted, how can we defend
against it?

0 day can often be mitigated

How can we detect 0 day?

Defense in depth is often the only defense
against 0 day
When evaluating security you should assume 0
day

A Word on Software Bugs

Software engineering is a robust and mature
field of academic study
All software projects of sufficient size and
complexity contain bugs, regardless of
development process
A certain number of bugs will be security related
Conclusion: all software contains security related
bugs

Classifying Software Bugs

Not all bugs are the same

Bugs may present wildly varying threats

Bugs may have different risks associated with
them
All bugs are significant, however

Even if it's bug free

Bug free software can still have vulnerabilities:

Configuration problems: default or weak credentials,
improper trust model, etc.

Logic flaws

Fundamentally insecure design: software functions
exactly as designed but the result is an unintended
vulnerability

Two bug free systems might have insecure
interaction

Vulnerability Synergy

Linking one vulnerability to another
Chains of low-risk, or low-significance,
vulnerabilities can lead to a serious vulnerability
Even if the highest risk bugs are all patched, a
combination of low risk bugs could lead to
compromise

Sisyphean Task

A sufficiently resourced and motivated attacker
will always compromise security
Defenders must be right 100% of the time,
attackers need only succeed once

You can't possibly defend against everything

Attacker motivation is unknowable

Protect, Detect, React

The security lifecycle, also known as the security
hamster wheel of pain
EVERY step is critical
Detection is dependent on observation and
reporting

Logs are some of the best places to do detection

More on each step later

How can we get ahead?

The protect/detect/react cycle often requires an
incident to move from detect/react to better
protection
It is important to keep the cycle moving
independently of a security incident
Collecting metrics is key to making informed
decisions
Start with security first...

Secure Design

Threat modeling

Maximize ROI with high impact, low cost
mitigations

Good authentication, authorization and audit

Fault tolerance or Rugged Design

Applications should protect against unexpected
actions
This includes good exception handling

Test driven design, with tests that should fail

Secure Application Development Lifecycle (SDLC)

Penetration Testing

Actively attacking your own systems

Can reveal flaws in protection, including gaps

Can proactively identify vulnerabilities (prevent
0 day)
Helps more accurately frame risk assessment

Application Security Testing

Black box: penetration testing

Gray box: some level of access and documentation
available

White box: full code review, often combined with other
testing tools

Using Automation

Automation is critical for a timely review

Automation can lead to false positives

Automated tools without skilled human
operators can be useless

Deluge of false positives

Poor risk assignment

Gold Standard for Security Reporting

Security reporting after a review should include:

List of vulnerabilities, ranked/grouped by
severity
Demonstration of exploit
List of suggested mitigation and workaround
strategies
List of patches and/or fixes for the issue

A good security test should be repeatable

Resource Allocation

In the real world resources are limited
Given the scope of security it is impossible to
cover all fronts
How does one make smart resource allocation
decisions?

Risk Calculations

Risk can be used to draw comparisons

Risk is generally calculated as:

Risk = Likelihood x Severity

Good risk ratings allow you to compare apples
to apples
Can focus attention and resources on the greatest
need
How can we baseline these without METRICS?

Flaw in Risk Calculation

Likelihood can never actually be measured
because it is within the attacker's control
How can you quantify what you don't know?
Severity may hinge on unknown consequences
or attacker motivation
Some resources may escape risk calculation

Non Technical Threats

Risk calculation involves assessing threats

Some threats are not strictly system related:

Reputational damage

Misinformation

Business risks (ex: grant funding)

Typical Poor Risk Calculation

Home user doesn't protect their machine
because they have no data of value

Risk = medium likelihood x low impact

Home user may not understand full impact:

Attacker can use webcam

Attacker can use mic to record conversations

Attacker can use connection to compromise
wireless router to allow anonymous wireless
Linchpin in Most Flaws

Many risk calculations fail because the
assessor measures risk based on:

Perceived attacker motivation

Without understanding what an attacker is after
there is no effective way to protect resources
Industry best practice may provide a guide

Moving Forward

Goal is an adaptive, metrics based information
security program
Resources should be fluid, and allocated based
on actual need

Reactive capabilities should be maximized

Reduction of misguided protective measures

Constant metrics gathering and reevaluation

Learn, grow, share

Securing Components
A computer can be the subject of an attack and/or the
object of an attack
When the subject of an attack, the computer is used as
an active tool to conduct the attack
When the object of an attack, the computer is the entity
being attacked

Figure 1-5 Subject and Object of Attack

Balancing Information Security and Access
Impossible to obtain perfect security; it is a process,
not an absolute
Security should be considered a balance between
protection and availability
To achieve balance, the level of security must allow
reasonable access, yet protect against threats

Figure 1-6 Balancing Security and Access

Approaches to Information Security
Implementation: Bottom-Up Approach
Grassroots effort: systems administrators attempt to
improve security of their systems
Key advantage: technical expertise of individual
administrators
Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power

Approaches to Information Security
Implementation: Top-Down Approach
Initiated by upper management
Issue policy, procedures and processes
Dictate goals and expected outcomes of project
Determine accountability for each required action

The most successful also involve a formal
development strategy referred to as the systems
development life cycle

Security Professionals and the Organization
Wide range of professionals required to support a
diverse information security program
Senior management is a key component; also,
additional administrative support and technical
expertise are required to implement details of the IS
program

Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic
planning

Chief Information Security Officer (CISO)
Primarily responsible for assessment, management, and
implementation of IS in the organization
Usually reports directly to the CIO

Information Security Project Team
A number of individuals who are experienced in one
or more facets of technical and non-technical areas:
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data Owner: responsible for the security and use of
a particular set of information
Data Custodian: responsible for storage,
maintenance, and protection of information
Data Users: end users who work with information to
perform their daily jobs supporting the mission of
the organization

Communities Of Interest
Group of individuals united by similar interest/values
in an organization
Information Security Management and Professionals
Information Technology Management and
Professionals
Organizational Management and Professionals
