1 / 48

The Current Landscape of Information Security

The Current Landscape of Information Security. School of Management Research Forum Benjamin Khoo, PhD New York Institute of Technology School of Management kkhoo@nyit.edu. Abstract.

dinos
Télécharger la présentation

The Current Landscape of Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Current Landscape of Information Security School of Management Research Forum Benjamin Khoo, PhDNew York Institute of Technology School of Managementkkhoo@nyit.edu

  2. Abstract The technological explosion of the Internet has resulted in distributed, network centric systems that have affected all aspects of our lives. Information is the critical commodity that is the common thread through these advances. The rapidly increasing production of and access to information is transforming myriad parts of society and their relationship to one another, from business to government to communities to private individuals. Each day millions of dollars of business transactions and many communication channels are conducted through the information infrastructure via the Internet. Organizations of all types (business, academia, government, etc.) are facing risks resulting from their ever-increasing reliance on the information infrastructure. The impetus for recent developments in information security arose from directives issued in the aftermath of 9/11. This presentation will discuss the current landscape of Information Security from the organizational perspective. Information Security is an applied science when viewed from this perspective and it is cross-functional, involving the economics, audit, personnel and management aspects.

  3. Agenda • Introduction • Environmental Influences • Landscape: Areas of Practice/Research • Interaction, Application & Transmission Security • Security through Obscurity • Summary

  4. Introduction Emerging Threats • Today’s threat is not simply hackers looking for computing resources, defacement opportunities, or simple network and host access • Convergence between criminal activities and technology leveraged attacks is here • Social Engineering attacks such as Phishing scams, data theft, identity theft /fg/ • Today’s threat is: • Direct attacks from technologically enabled criminals • Attacks targeted at business logic and process • Resource target is data theft, often for financial gain • The untrained employee and public /fg/

  5. Introduction (continue) • Secrecy ≠ Security. – Secrecy: You can't find the safe. – Security: You can't open the safe, even if you know how it works. – Secret systems are never secure! • The best way to assure that an encryption algorithm is secure is to have thousands of knowledgeable people try to break it. • Security ≠ Technology – Security comes from well-thought-out protocols (in the diplomatic sense). – Technology only gives you a means to implement a portion of the protocol.

  6. What is Information Security? Information Security is the protection of the confidentiality, integrity and availabilityof information and its critical elements, including the software and hardware that use, store, process and transmitthat information through the application of policy, technology, and education and awareness. Adapted from Whitman, Michael E. and Mattord, Herbert J. A Foundation in Information Security , 2004.

  7. Security is about risk and liability • If the cost of fixing a security breach is higher than the cost of writing off the loss, businesses will take the loss. • Security is all about lowering risk to a reasonable level, not eliminating risk. • Ultimately, security comes from a “web of contracts” (in the legal sense) that impose liability when security is compromised. – E.g. Insurance is an important component of a secure eBusiness system. (SSL ≠ security).

  8. Business At Risk • Brand and Intellectual Property losses • Legal / Regulatory costs • System abuse • System access denied • Data stolen, deleted, or modified • IT and end-user productivity costs

  9. What Affects IT Security? • Viruses, worms, Trojan horses • Phishing, identity theft • Physical security (people, procedures and processes) /fg/ • Firewalls, network security • Defects in platform / patches • Authentication / authorization • Application security

  10. Security Attacks On the Rise

  11. Hacking tools freely available Business applications exposed on internet Increasing tangible and intangible costs Security Attacks On the Rise (2) Network 75 percent of hacks happen at the application Application Database Server Web Server App Server Operating System

  12. Security … Security … Security • Security incidents reported to CERT grew by 2,099% between 1998 and 2002 • Estimates put the cost of the MyDoom worm alone at over $4 billion • …several new versions have surfaced on the Internet … That could mean that bigger Doom is on the way …

  13. Environmental Influences

  14. Environmental Influences • President's National Strategy to Secure Cyberspace, February 2003 - NSA and DHS designed and operated the National Centers of Academic Excellence in Information Assurance Education (CAEIAE) and the CAE-Research (CAE-R) outreach programs. - Institutions awarded the designation are eligible to apply for scholarships and grants - Such institutions are encouraged to conduct research in information assurance and may become focal points of recruiting by federal departments and agencies seeking individuals with information assurance expertise. - Allocated $Millions in funding

  15. Environmental Influences 2. Department of Defense issued Directive 8570.1M officially in 2006 & allocated $millions in funds

  16. Environmental Influences • Academia - with funding as National Centers of Academic Excellence in Information Assurance Education (CAEIAE) - Information Security/Assurance degree programs- Certification programs for IT Security and Audit professionals e.g. CISA, CISM, CISSP, etc. /fg/

  17. Environmental Influences • Industry - Regulated by government e.g. Health Insurance Portability and Accountability Act (HIPAA) , Sarbanes- Oxley Act, etc. - Industry Professional Standards e.g. Code of Conduct, Ethics, Best Practices, Career Skills Specifications, etc.

  18. Environmental Influences 5. Professional Societies (e.g. ISACA, (ISC)2, ASQ, ISSA, IIA, HTCCIA, etc.)/fg/ - Provides technical knowledge supporting directives - Professional Certifications e.g. CISA, CISM, CISSP, etc.

  19. Landscape of Information Security

  20. Landscape of Information Security Organizational Perspective: • Managementa. Security Policyb. Personnel (Social Engineering)c. Risk Assessmentd. Budgeting/Costing/Economics of Information Security

  21. Landscape of Information Security Organizational Perspective: 2. Audita. Security Policy Auditb. Information Security Practice Auditc. IT Governance Audit

  22. Landscape of Information Security Organizational Perspective: 3. Training/Educationa. Ethics b. Security Education, Training and Awareness (SETA) for knowledge workersc. Inculcating a Responsibility, Integrity, Trust and Ethicality (RITE) subculture.

  23. Landscape of Information Security Organizational Perspective: 4. Operationsa. Systems Administration Tools e.g. Network Administration, Database Administration, etc.b. Security Tools e.g. Firewalls, Anti-virus, etc. c. Application Software Deploymentd. Hardware Installation

  24. Landscape of Information Security Organizational Perspective: 5. Application Software Development in the Processing, Transmission and Storage of Data a. Security Functional & Assurance Requirement Analysis b. Integration of Secured Development Practices in: i. Microsoft .Net Languages ii. Java Programming Language iii. Other Web Scripting Languages

  25. Organizational Perspective: 6. Monitoring, Enforcement and Management Support of IT Controls a. Monitoring IT Security and Information Assurance Practices and Procedures b. Enforcing IT Security and Information Assurance Practices and Procedures c. Making Management Aware and taking supportive action to protect, detect and correct thru updating policies and procedures, training and continuous monitoring Landscape of Information Security

  26. Proactive Security Development Software developers must always be vigilant and work smart. Security Principles to live by: • Secure by Design, Default and Deployment • Learn from Mistakes • Minimize Your Attack Surface • Use Least Privilege • Assume External Systems are Insecure • Remember that Security Features != Secure Features • Never Depend on Security by Obscurity Alone • Fix Security Issues Correctly • Plan on Failure

  27. Information Security: CIA

  28. Primary Protection ConfidentialityEnsuring unauthorized access to information will be denied. IntegrityEnsuring that business transaction data is not altered or corrupted. If something has been changed or modified since it was created, verifying that the changes are legitimate. AvailabilityEnsuring that data availability is as expected. A denial-of-service attack or a natural disaster is an example of data availability threats.

  29. Secondary Protection Intellectual propertyEnsuring that asset such as business intelligence, source code, and any data related to intellectual property is safeguarded. (User’s Data) PrivacyFor example, Web sites and applications should have a privacy statement that defines how user information will be handled. In addition, the producer also needs to put in a concerted effort to protect user’s data. Network Computing ResourcesEnsuring that unauthorized uses of network resources are denied.

  30. Characteristics of a Secure System • Access control: – Only authorized individuals can access it. • Confidentiality: – Only authorized individuals can read the text. • Authentication: – The writers are who they say they are. • Non-repudiation: – The writers can't claim they didn't write it. • Integrity: – The document you received is the one I sent.

  31. What Applications Need Protection? • Anything on the Internet • Any application contains IP that competitors would benefit from • If you have a reason to make something closed source

  32. Categories of Application Security • Data Security • Encryption • Client-side Application Security • Licensing • IP Protection • Code Theft • Server Security • Limited to Interactional Interface

  33. Data Security • Encryption works well for data • Sometimes, it's effectively perfect • All Encryption algorithms are crackable • It just might take millions of years • Small problems are usually solved • Keeping the key secret • Transporting the key

  34. Interactional Security • Input Validation • Language environments such as Java/.NET prevent memory overwriting attacks • Prevent SQL injection • Prevent injected executables • Verify Ranges

  35. Transmission Security • Packet Sniffing • Ethereal, Sniffit, Tcpdump • Packet Spoofing • Wardriving • Netstumbler • WEP Cracking • Airsnort

  36. Applications are not Data* • At least as far as security goes* • Encryption doesn't work well for applications • Computers can't run encrypted programs • Problem = Deliver code a computer can understand that humans cannot • Encrypting class loaders worked (java) • For a minute or two anyway

  37. Application Security • The client is in the hands of the enemy • The “bad guy” has all the time in the world to examine the how/what/where of your application • Anything you protect can be unprotected • Anything you hide can be found • Watermarking is an attempt to solve this • Networked/Interactional systems always care about security • What's protectable in your application? • Open source is obviously not necessarily protection worthy

  38. Security through Obscurity • This is bad right? • Actually, it depends: • What are we protecting • Sometimes more protection never hurts • How much security are we getting? • Seems to work for house keys, missiles, and hackers • How much does it cost to implement? • A lot of security for a little might be worth it, a little for nothing is good too

  39. Security through Obscurity • Security through obscurity is likely the world's most prevalent security model • Probably because in many cases it is cheap or even free • If it's all you have... • Add to a good solution • Rely on it accordingly

  40. Security through Obscurity • Short version: What's the return-on-investment • Or, security-for-investment • How do we measure what security we've gained? • Defensively, StO should increase the time it takes to get what is being secured

  41. Security through Obscurity • Increasing the time it takes to hack decreases the ROI of the thief • Increases his exposure to be detected • Makes other targets more appealing • Gives him more work • Frustrates him (or challenges him)

  42. Summary

  43. References • Selected Publications on Information Securityhttp://iris.nyit.edu/~kkhoo/Spring2008/Topics/Topic10/ • Information Systems Audit & Control Association (ISACA)http://www.isaca.org/ • International Information Systems Security Certification Consortium (ISC)2https://www.isc2.org/cgi-bin/index.cgi • National Security Agency (Centers of Academic Excellence)http://www.nsa.gov/ia/academia/caeiae.cfm?MenuID=10.1.1.2

  44. References • Preemptive Solutions, Inc. • http://www.preemptive.com • Code Security whitepapers, demos, etc. • http://www.securityfocus.com/archive/1/272037 • Many Javascript injection attacks • http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx • MSFT article on SQL injection

  45. References • “Writing Secure Code”, Howard/Leblanc, Microsoft Press, ISBN 0735615888 • Excellent Reference • “Decompiling Java”, G.Nolan, Apress, ISBN 1590592654 • Details of reverse-engineering and protecting Java • COLLBERG: Christian Collberg, Clark Thomborson, Watermarking, Tamper-Proofing, and Obfuscation--Tools for Software Protection, IEEE Transactions on Software Engineering 28:8, 735-746, August 2002 • University of Arizona

More Related