Principles and Practice of Modern Information Security
Presentation Transcript

  1. 2 - Introduction
  • What is information security?
  • Changing nature of information security
  • Importance of information security
  • The need for information security
  • Terminology
  • Adversaries
  • Security attacks
  • Information security services
  • Information security mechanisms
  • Security layers
  • Security management
  • Enterprise-wide information security framework
  Principles and Practice of Modern Information Security - Impson/Mehravari/Rush, 9/1/2001

  2. What is Information Security?
  • Information Security processes, services, and mechanisms deal with measures to deter, prevent, detect, and correct security violations that involve systems that process, store, or transmit information.
  • Examples of violations:
    • Unauthorized disclosure of data.
    • Unauthorized modification of data.
    • Unauthorized access to computing and communication resources.
    • Unauthorized consumption of computing and communication resources.
  • Information Security is a key and required enabler of:
    • Business partnership
    • Electronic commerce
    • National security
    • Etc., etc., etc.

  3. Changing Nature of Information Security
  • Prior to widespread use of data processing equipment
    • The security of information was provided by means of:
      • Physical security (e.g., locked rooms; rugged filing cabinets with combination locks)
      • Administrative security (e.g., who is trusted to have the key to the locked room; personnel screening during the hiring process)
  • After the introduction of computers and time-sharing systems
    • Automated tools were needed for protecting information stored on computers.
    • i.e., "Computer Security" or "System Security."

  4. Changing Nature of Information Security (cont.)
  • After the introduction of distributed systems and computer networks
    • Data had to be protected during transit.
    • Access via communication links to resources had to be controlled.
    • i.e., "Network Security."
  • Today
    • There are no clear separations between "computer security," "system security," and "network security."
    • It is the information processed, stored, or carried by information systems that must be protected.
    • i.e., "Information Security" and "Information Assurance."

  5. Importance of Information Security
  • Explosive use of information technologies
    • Move to Internet and Web based applications
    • Recognition by government, business, and consumers of the utility of electronic commerce
    • Global interconnectivity among participants.
  • Negative consequences of inadequate information security
    • 62% of US companies reported security breaches in the last 12 months (Reuters survey)
    • 9 of 10 U.S. companies reported security breaches in the last 12 months, with losses totaling in the billions (FBI survey)
    • Computer crime cost US business and government an estimated $10B in 1999:
      • Financial fraud
      • Theft, destruction, modification of electronic data
    • Recent attacks on leading web sites in the US (e.g., down time).
  • Legal drivers

  6. Need for Information Security
  • No longer discretionary for enterprises
    • Independent of what business they are in.
  • Business needs for secure applications and services
    • Private and public information over the same infrastructure.
    • Internet, Extranet, Intranet security
    • Information security is a key enabler for virtual presence, e-Business, e-Commerce, and extranets.
  • Emerging legal and regulatory drivers
    • HIPAA
    • Electronic Signatures in Global and National Commerce Act.
  • Cost reduction
    • Secure use of shared resources
    • Secure use of public computing and communication resources.
  • Etc., etc., etc.

  7. Need for Information Security
  (Diagram: "Cannot have commerce without security." Yesterday's Commerce gives way to Tomorrow's Commerce (eBusiness), which depends on Information Assurance: Authentication, Data Integrity, Data Privacy, Non-Repudiation, Availability, Access Control. Supporting layers shown: Information Security; Networking, Connectivity, Distributed Systems, Collaborative Technologies.)

  8. What could go wrong?
  (Diagram: The Enterprise, with its assets Proprietary Information, Intellectual Properties, Software, Hardware, and Communications Systems, surrounded by threats, several of them marked "????" as unknowns.)
  • Espionage
  • Viruses
  • Denial of service
  • Phone fraud
  • Social engineering
  • Software piracy
  • Cyber crimes
  • Unauthorized access
  • Accidents
  • Vandalism
  • Coordinated attacks
  • Snooping
  • Trojan horses
  • Eavesdropping

  9. Consequences of Inadequate Info. Sec.
  • Company reputation
  • Loss of proprietary information
  • Exposure of trade secrets
  • Loss of customer information
  • Loss of clients and suppliers
  • Loss of revenues
  • Lawsuits and litigation
  • Appearance on the front page of the New York Times!
  • Etc., etc., etc.

  10. Terminology
  • Vulnerability
    • Flaws in systems that have adverse security consequences (known or unknown design flaws, implementation flaws, mismanagement).
    • E.g., unlocked doors, passwords on yellow stickies, programming errors, operating system design flaws, protocol design flaws.
  • Security Attacks
    • Means of exploiting vulnerabilities.
    • The same vulnerabilities can be exploited by different attacks.
    • E.g., eavesdropping, masquerading, breaking in, altering data, injecting data, disrupting communications.
  • Countermeasures
    • Means of addressing vulnerabilities or specific attacks.
    • Often we do not fix the vulnerabilities; we adopt countermeasures which address one or more attacks.
    • E.g., locks on doors, encrypting data, biometric authentication, one-time passwords, firewalling.

  11. Terminology (cont.)
  • Threats
    • Motivated and capable adversaries initiating attacks utilizing system vulnerabilities.
  • Security Mechanism
    • A specific mechanism that is designed to detect, prevent, or recover from a security attack.
    • E.g., passwords, firewalls, encryption, digital signatures.
  • Security Service
    • A service that enhances the protection and assurance of the data processing systems and the information transmission infrastructure.
    • Security services are intended to counter security attacks, and use one or more security mechanisms to provide the service.
    • E.g., authentication, confidentiality, access control.

  12. Adversaries (i.e., "The bad guys")
  • Who they are:
    • "Professional" hackers
    • "Teenage" hackers
    • Disgruntled employees
    • Industrial spies
    • Real spies
    • Terrorists
    • Special interest groups
    • Journalists
    • Criminals
    • Competitors
    • Etc., etc., etc.
  • Why they do it:
    • For fun
    • For profit
    • For revenge
    • To test techniques
    • To show capability
    • To compete
    • To put on their resume
    • To gain practical experience
    • Etc., etc., etc.

  13. Security Attacks
  • What is meant by security attacks?
    • Means of exploiting vulnerabilities.
    • The same vulnerabilities can be exploited by different attacks.
  • Examples of security attacks:
    • Eavesdropping, masquerading, breaking in, altering data, injecting data, disrupting communications, inserting viruses, fabricating data, etc.
  • Types of attacks
    • Passive attacks
    • Active attacks.

  14. Passive Attacks
  (Diagram: Interception, split into Release of Message Contents and Traffic Analysis; the property threatened is Secrecy.)
  • Passive Attacks
    • The attacker listens without modifying data or affecting operation of the infrastructure.
    • Could be difficult to detect.
    • Often preventable.
    • E.g., release of data, traffic analysis.

  15. Active Attacks
  (Diagram: Interruption, Modification, Fabrication; the properties threatened are Availability, Integrity, and Authenticity.)
  • Active Attacks
    • The attacker modifies data or disrupts infrastructure operations.
    • Difficult to prevent.
    • Generally detectable.
    • E.g., masquerading, replay, modification of data, denial of service.

  16. Key Types of Security Attacks
  (Diagram: flows between an Information Source and an Information Destination. (A) Normal flow of information; (B) Interruption; (C) Interception; (D) Modification; (E) Fabrication.)

  17. Information Security Services
  • A wish list of things that one would like to implement to take care of security concerns.
  • Security services use one or more security mechanisms to provide the service.
  • Information Security Services
    • Data Confidentiality Services
    • Authentication Services
    • Data Integrity Services
    • Access Control Services
    • Non-Repudiation Services
    • Availability Services.

  18. Information Security Services: Data Confidentiality
  • Deals with such questions as:
    • Has the data been disclosed to unauthorized entities?
  • To prevent information from being made available or disclosed to unauthorized entities.
    • Applies to information while stored, being processed, or in transit.
    • To prevent all forms of disclosure such as printing and displaying, including revealing the existence of information objects.
  • Mechanisms used to provide data confidentiality include:
    • Encryption
    • Physical isolation.

  19. Information Security Services: Data Confidentiality
  Types of data confidentiality services
  • Prevent unauthorized disclosure of data
    • Connection-oriented confidentiality
      • E.g., protecting all data transmitted between two entities.
    • Connectionless confidentiality
      • E.g., protecting only important messages.
    • Selective field confidentiality
      • E.g., protecting the message field but not the address field.
  • Traffic flow confidentiality
    • Origin-destination patterns
      • E.g., who is talking to whom?
    • Message size
    • Frequency of message transmission.

  20. Information Security Services: Authentication
  • To ensure that all participants in a transaction are who they say they are.
    • To verify the claimed identity
    • Must identify all elements involved
      • User, client, server, device, application, process, network, etc.
  • Mechanisms used to provide authentication services
    • Something you know
      • Lock combinations, passwords, PIN numbers.
    • Something you have
      • ATM card, physical key, token device, smart card.
    • Something you are
      • Retina scan, fingerprint, voice analysis, hand-written signature.
    • Combination of the above
      • E.g., ATM card plus PIN number.

  21. Information Security Services: Authentication
  Types of authentication services
  • Data origin authentication
    • Is the source of the data as claimed?
    • Often applies to connectionless transactions
      • E.g., single messages such as email or alarm signals.
  • Peer entity authentication
    • Is the user sending the data who they claim to be?
    • Often applies to connection-oriented transactions
      • E.g., connecting a remote terminal to a host.
    • There are two aspects to this:
      • At the time of connection establishment, the entities involved must be authenticated.
      • During the connection, it must be ensured that the connection is not interfered with (e.g., a third party masquerading as one of the two).

  22. Information Security Services: Data Integrity
  • To prevent the information from being altered or destroyed.
    • Includes preventing such actions as writing, modifying, changing status, deleting, creating, delaying, resequencing, and replaying.
  • Mechanisms used for data integrity include:
    • Checksums
    • Cyclic Redundancy Checks (CRC)
    • Cryptographic checksums
    • Message digest functions
    • One-way hash.

  23. Information Security Services: Data Integrity (cont.)
  Types of data integrity services
  • Per-message integrity
    • Applies to connectionless transactions
    • Protects message contents from undetected modifications
    • Related to data origin authentication.
  • Message stream integrity
    • Applies to connection-oriented transactions
    • Protects messages from duplication, insertion, modification, reordering, replay, and destruction
    • Sometimes provided by transport layer protocols.
  • Partial sequence integrity
    • Hybrids of the above two types
    • Needs some protection against replay and reordering
    • E.g., packet audio/video applications on top of UDP.
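The three integrity services on slides 22 and 23, worked through in code. This is an added example, not from the slides: the shared key, the messages and the window size are constructed for the demo. It contrasts an unkeyed CRC with a keyed cryptographic checksum (HMAC) for per-message integrity, then adds a sequence number to get message stream integrity (strict order) and partial sequence integrity (a sliding anti-replay window, as a UDP media stream would use).

```python
import hashlib
import hmac
import zlib

# Constructed shared secret for the demo; a real deployment provisions one per peer.
SHARED_KEY = b"demo-key-not-for-production"


def crc_tag(message: bytes) -> int:
    """Unkeyed checksum: detects accidental bit errors only."""
    return zlib.crc32(message)


def hmac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed cryptographic checksum: cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def crc_verifies(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag


def hmac_verifies(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # compare_digest keeps the comparison time independent of where tags differ.
    return hmac.compare_digest(hmac_tag(message, key), tag)


def per_message_demo() -> dict:
    """Per-message integrity for a single connectionless message (e.g. an alarm)."""
    original = b"transfer 100 to account 42"   # constructed
    altered = b"transfer 900 to account 42"    # one byte changed in transit
    crc, mac = crc_tag(original), hmac_tag(original)
    return {
        # Both tags catch the change as long as the tag itself is untouched...
        "crc_catches_change": not crc_verifies(altered, crc),
        "hmac_catches_change": not hmac_verifies(altered, mac),
        # ...but a CRC can be recomputed by whoever altered the message, so the
        # receiver cannot tell the altered message from a genuine one.
        "crc_recomputable_without_key": crc_verifies(altered, crc_tag(altered)),
        # A tag computed under any other key than the shared one fails to verify.
        "hmac_needs_shared_key": not hmac_verifies(altered, hmac_tag(altered, b"other")),
    }


def make(seq: int, payload: bytes, key: bytes = SHARED_KEY):
    """Stream message: the sequence number is covered by the tag, so it is protected too."""
    return seq, payload, hmac_tag(seq.to_bytes(8, "big") + payload, key)


class StreamReceiver:
    """Message stream integrity: authentic AND exactly the next sequence number,
    which rejects insertion, duplication, reordering and replay."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key, self.expected = key, 0

    def receive(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if not hmac_verifies(seq.to_bytes(8, "big") + payload, tag, self.key):
            return False                       # modified or forged
        if seq != self.expected:
            return False                       # duplicate, replay, gap or reorder
        self.expected += 1
        return True


class WindowReceiver:
    """Partial sequence integrity: tolerate loss and out-of-order arrival inside a
    window, but never accept the same sequence number twice (anti-replay)."""

    def __init__(self, window: int = 8, key: bytes = SHARED_KEY):
        self.key, self.window, self.highest, self.seen = key, window, -1, set()

    def receive(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if not hmac_verifies(seq.to_bytes(8, "big") + payload, tag, self.key):
            return False
        if seq <= self.highest - self.window or seq in self.seen:
            return False                       # too old to track, or a replay
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True


def stream_demo() -> list:
    rx = StreamReceiver()
    msgs = [make(0, b"a"), make(1, b"b"), make(1, b"b"), make(3, b"d"), make(2, b"c")]
    return [rx.receive(*m) for m in msgs]      # [True, True, False, False, True]


def window_demo() -> list:
    rx = WindowReceiver(window=4)
    msgs = [make(0, b"a"), make(2, b"c"), make(1, b"b"), make(2, b"c"),
            make(9, b"j"), make(3, b"d")]
    return [rx.receive(*m) for m in msgs]      # [True, True, True, False, True, False]
```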

  24. Information Security Services: Access Control
  • To prevent unauthorized access to or use of computing and communication resources.
    • Including the use of a resource by an authorized user in an unauthorized manner.
  • Mechanisms used for access control include:
    • Firewalls
    • Operating system features (access control lists)
    • Application controls
    • Physical access control.

  25. Information Security Services: Non-Repudiation
  • To prevent any one of the entities involved in an information transaction (sender, receiver, etc.) from denying involvement in all or part of the activity.
  • Methods used for non-repudiation
    • Digital signatures.
  • Types of non-repudiation services
    • Origin non-repudiation
      • To prevent a sender from denying that a message was sent.
    • Receipt non-repudiation
      • To prevent a recipient from denying that a message was received.
    • Other types
      • Proof of submission
      • Proof of delivery.

  26. Information Security Services: Availability
  • Deals with attacks resulting in loss or reduction of availability of computing and communication resources.
    • Addresses denial of service attacks.
    • Possible to detect; could be hard to prevent.
  • Mechanisms used to deal with availability attacks include:
    • Replicated communication facilities
    • Replicated computing resources
    • Reliability schemes
    • Robust computing and communication architectures
    • Sophisticated load-balancing and routing schemes.

  27. Information Security Mechanisms
  • Specific mechanisms that are designed to detect, prevent, or recover from a security attack.
    • I.e., mechanisms used to implement security services.
  • Examples of security mechanisms
    • Access Control Lists
    • Firewalls
    • Cryptography
      • Symmetric
      • Public Key
    • Checksums
    • Digital signatures
    • Public Key Infrastructure (PKI)
    • Virtual Private Networks (VPN)
    • One-time Passwords
    • Smart cards
    • Biometrics
    • Intrusion detection systems (IDS)
      • Network-based
      • Host-based
      • Application-based
    • Routing control
    • Notarization
    • Etc., etc., etc.

  28. Information Security Mechanisms: Cryptography
  • The process of encoding a message before transmission so that an unauthorized party cannot decipher it.
  • It is used in the implementation of many services:
    • Data Confidentiality Services
    • Authentication Services
    • Data Integrity Services
    • Access Control Services
    • Non-Repudiation Services.
  • Two types of cryptography
    • Symmetric encryption
    • Public-key encryption, or asymmetric encryption.

  29. Information Security Mechanisms: Symmetric Cryptography
  (Diagram: at the Source, the plaintext "The quick brown fox jumped over the lazy" enters the Encryption Algorithm with the Key and leaves as the ciphertext "sy1 isn8p dmwos jx xk3jdlalc dkso dlse", which crosses the Comm. Channel; at the Destination, the Decryption Algorithm with the same Key turns the ciphertext back into the plaintext.)
  • The original intelligible message (plaintext) is transformed into an unintelligible message (ciphertext) via an encryption algorithm by the sender.
  • The ciphertext is converted to the original plaintext via a matching decryption algorithm by the receiver.
  • Sender and receiver use the same key to encrypt and decrypt (i.e., symmetric encryption).
  • The key is kept secret (i.e., secret key).

  30. Information Security Mechanisms: Key Distribution for Symmetric Encryption
  • Proper generation, distribution, and management of "keys" for symmetric encryption mechanisms is non-trivial.
  • Key distribution techniques
    • Means of delivering keys to two parties who wish to use encryption to communicate.
  • Types of key distribution for symmetric encryption
    • Physically by the parties
    • Physically by a trusted 3rd party
    • Electronically by the parties
    • Electronically by a trusted 3rd party
    • Electronically by use of public-key encryption.

  31. Information Security Mechanisms: Asymmetric or Public-key Cryptography
  (Diagram: at the Source (Alice), the plaintext "The quick brown fox jumped over the lazy" enters the Encryption Algorithm with B's Public Key and leaves as the ciphertext "sy1 isn8p dmwos jx xk3jdlalc dkso dlse", which crosses the Comm. Channel; at the Destination (Bob), the Decryption Algorithm with B's Private Key recovers the plaintext.)
  • Each party is issued its own "public key" and "private key".
  • The public keys of all parties are made public.
  • The private key of each individual is kept secret.
  • The sender uses the public key of the receiver and the encryption algorithm to transform the plaintext into ciphertext.
  • The receiver uses its own private key to transform the received ciphertext via the matching decryption algorithm.

  32. Information Security Mechanisms: Key Distribution for Public-Key Encryption
  • Proper generation, distribution, and management of "keys" for public-key encryption mechanisms is non-trivial.
  • Techniques for distribution of the public keys for public-key encryption
    • Public announcement
      • Let the world know what your public key is.
    • Publicly available directory
      • Put your public key in the yellow pages.
    • Public-key authority
      • Refer interested parties to a trusted 3rd party central authority.
    • Public-key certificates
      • A reliable mechanism for parties to exchange public keys without contacting a central public-key authority.
    • Public Key Infrastructure (PKI).

  33. Information Security Mechanisms: Public Key Infrastructure - PKI
  • The software and/or hardware elements necessary to manage and enable the effective use of public-key encryption.
  • PKI provides such services as:
    • Key management
    • Key certificate issuance
    • Key certificate revocation
    • Key and certificate validation
    • Key recovery.
  • It does NOT do encryption.
  • It does NOT provide security and privacy.
  • End-user applications use PKI to access/manage keys and certificates so that they can use public-key encryption mechanisms.

  34. Information Security Mechanisms: Digital Signature
  (Diagram: at the Source (Alice), the plaintext "The quick brown fox jumped over the lazy" enters the Encryption Algorithm with A's Private Key and leaves as the ciphertext "sy1 isn8p dmwos jx xk3jdlalc dkso dlse", which crosses the Comm. Channel; at the Destination (Bob), the Decryption Algorithm with A's Public Key recovers the plaintext.)
  • In addition to secrecy, cryptography mechanisms can also be used to provide non-repudiation services.
  • How does it work? (This is just the idea; there is more to it than this.)
    • Sender A encrypts "some" plaintext using A's private key.
    • The resulting ciphertext is sent to receiver B.
    • Receiver B uses A's public key to decrypt the ciphertext.
    • Since the data was encrypted using A's private key, only A could have prepared the message.
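Slides 31 and 34 together, as an added example (not from the slides) using textbook RSA over Python integers: Alice encrypts the slide's plaintext for Bob with Bob's public key, and signs it with her own private key so Bob can check it with her public key. The "more to it" the slide alludes to is reflected in two ways: the signature is applied to a SHA-256 digest of the message rather than the message itself, and the comments flag that real RSA needs padding and large random primes. The key pairs here are built from fixed, publicly known Mersenne primes only so the arithmetic is reproducible; they are constructed demo values with no security.

```python
import hashlib

PLAINTEXT = b"The quick brown fox jumped over the lazy"  # from the slide diagram


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: public key (n, e), private key (n, d), for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e; needs gcd(e, phi) == 1
    return (n, e), (n, d)


# Constructed demo keys. 2**127-1, 2**521-1, 2**107-1 and 2**607-1 are Mersenne
# primes, so the maths works; because they are public, these keys protect nothing.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**107 - 1, 2**607 - 1)


def encrypt(public, message: bytes) -> int:
    """Slide 31: the sender uses the RECEIVER's public key (no padding: textbook only)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; real systems hybrid-encrypt")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Slide 31: the receiver uses its own private key.
    (Leading zero bytes would be lost here; padding schemes fix that too.)"""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes) -> int:
    """Sign a fixed-size hash of the message, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    """Slide 34: the signer 'encrypts' the digest with its own private key."""
    n, d = private
    return pow(digest(message), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Slide 34: anyone 'decrypts' with the signer's public key and compares the
    result with a fresh digest; any change to the message or a different signer
    makes the comparison fail."""
    n, e = public
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    ciphertext = encrypt(BOB_PUBLIC, PLAINTEXT)      # confidentiality for Bob
    signature = sign(ALICE_PRIVATE, PLAINTEXT)       # non-repudiation of origin
    return {
        "bob_recovers_plaintext": decrypt(BOB_PRIVATE, ciphertext) == PLAINTEXT,
        "ciphertext_differs_from_plaintext":
            ciphertext != int.from_bytes(PLAINTEXT, "big"),
        "signature_verifies": verify(ALICE_PUBLIC, PLAINTEXT, signature),
        "tampered_message_rejected":
            not verify(ALICE_PUBLIC, PLAINTEXT + b" dog", signature),
        "wrong_signer_rejected": not verify(BOB_PUBLIC, PLAINTEXT, signature),
    }
```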

  35. Information Security Mechanisms: Firewall
  • A software or hardware element that controls and monitors access to the network.
  • A collection of components placed between two networks that collectively have the following properties:
    • All traffic from inside to outside, and vice versa, must pass through the firewall.
    • Only authorized traffic, as defined by the local security policy, will be allowed to pass.
    • The firewall itself is immune to penetration.

  36. Information Security Mechanisms: Virtual Private Network - VPN
  • VPNs are logical secure networks implemented over existing physical network infrastructures.
  • Uses of VPNs
    • Provide "secure communications" over insecure "public networks"
    • Secure logical extensions of a given internal corporate private network via other existing public and/or private physical networks (e.g., the Internet)
    • Support the growing mobile virtual workforce
    • Reduce costs associated with connecting physically dispersed sites and mobile users
    • Provide secure access to internal corporate IT resources.
  • Generally speaking:
    • VPNs are NOT private dedicated networks.
    • VPNs do NOT provide guaranteed bandwidth.

  37. Security Layers
  Many things must be brought together simultaneously at different layers in order to have a good security solution:
  • Functional Security
    • Physical security
    • Procedural security
    • Personal or human security
    • Operating system security
    • Application security
    • Perimeter security
    • Network and communication security
    • Compromising emanations security
    • Virus & malicious code security
  • Protocol Layer Security
    • Physical layer security
    • Data link layer security
    • Network layer security
    • Transport layer security
    • Session layer security
    • Presentation layer security
    • Application layer security

  38. Security Layering Guidelines & Principles
  • Minimize alternatives and choices for implementing a security service.
    • The same security service may be implemented at different layers.
  • Security service implementation should not duplicate existing layer functionality.
  • Security service implementation should not violate layer independence.
  • Minimize the number of trusted entities involved.
  • Encourage modularity.

  39. Security Management (i.e., What can be done?)
  • Recognize that:
    • All systems are vulnerable.
    • There are no perfectly secure systems.
    • Systems are adequately secure only relative to a perceived threat.
    • Information security must be an ongoing process.
    • Any successful information security program must address the complete life cycle of enterprise activities.
  • What types of things to do?
    • Design and implement an enterprise-wide information security architecture that addresses a full range of issues.
    • Characterize the threats for your system.
    • Put in place countermeasures for only relevant threats.
    • Determine the remaining residual vulnerabilities.

  40. Policies, Processes, and Procedures
  • Policies specify acceptable use of resources and the minimum level of control required for protection of information and resources.
  • Risk assessments determine the criticality of information and resources.
  • Policy compliance and vulnerability assessments are used to determine technical security posture and compliance with corporate policies.
  • Security bulletin response is developed to respond to vendor- and government-issued software and hardware vulnerabilities.
  • The incident response process identifies steps to follow in the event of a security breach.
  • The metrics process measures the response to identified exposures and risks.

  41. Sample Enterprise Information Security Framework
  • Policies & Standards
    • Business needs analysis
    • Risk assessment
    • Tracking emerging standards
    • Requirement definition
    • Policy definition
    • Security plan definition
  • Architecture & Processes
    • Security architecture
    • Security engineering
    • Reference models
    • Process development
    • Architecture development
    • Contingency planning
  • Technologies & Products
    • Research and development
    • Technology evaluation
    • Comparative studies
    • Product development
    • System integration
    • Feasibility studies
  • Awareness & Training
    • User training
    • Expert training
    • User awareness campaign
    • Lectures and presentations
    • System admin. training
  • Auditing, Monitoring, & Investigation
    • Penetration testing
    • Policy/regulation/requirements compliance assessment
    • Vulnerability assessment
  • Validation & Certification
    • Disaster recovery reviews
    • System accreditation and certification
    • Information security expert certification program

  42. Sample Information Security Methodology
  (Diagram: a seven-step cycle. Step numbers 1, 3 and 4 are attached to their labels in the original; the remaining steps are placed by their position in the cycle.)
  1. Define/Understand Business Needs & Requirements
  2. Assess Environment
  3. Evaluate Risk & Threats
  4. Develop Policies, Processes, & Practices
  5. Architecture, Technology, & Product Selection
  6. Implementation
  7. Audit
  At the centre of the cycle, running throughout: On-going Awareness & Training; Security Management.

  43. Summary
  There is a need for comprehensive information assurance capabilities and expertise to mitigate today's information security risks:
  • Information security at all levels of the system
    • Human, application, network, client, physical, etc.
  • Complete information security services
    • Authentication, access control, data privacy, data integrity, non-repudiation, availability
  • Adhering to an enterprise-wide framework
    • Policies, standards, architecture, processes, technologies, products, monitoring, validation, certification
  • Utilizing state-of-the-art standards-based technologies
    • Encryption, firewalls, PKI, biometrics, anti-virus, VPN, digital signatures, intrusion detection, smart cards, etc.
  • Supporting the needs of a wide range of entities
    • Military, government, state & local agencies, commercial industries, and internal needs of the enterprise

  44. References
  • Books/Articles/Periodicals:
    • D. Brent Chapman, Simon Cooper, and Elizabeth D. Zwicky, Building Internet Firewalls, 2nd Edition, O'Reilly & Associates, 890 pp., June 2000.
    • Mike Erwin, Charlie Scott, and Paul Wolfe, Virtual Private Networks, 2nd Edition, O'Reilly & Associates, 225 pp., December 1998.
    • G.T. Gangemi, Sr., and Deborah Russell, Computer Security Basics, O'Reilly & Associates, 468 pp., April 1991.
    • Simson Garfinkel, PGP: Pretty Good Privacy, O'Reilly & Associates, 426 pp., December 1994.
    • Simson Garfinkel and Gene Spafford, Web Security & Commerce, O'Reilly & Associates, 503 pp., June 1997.
    • Simson Garfinkel and Gene Spafford, Practical UNIX & Internet Security, 2nd Edition, O'Reilly & Associates, 1000 pp., April 1996.
    • Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 784 pp., 1995.
    • William Stallings, Cryptography & Network Security: Principles & Practice, 2nd Edition, Prentice Hall, 569 pp., July 1998.
    • William Stallings, Network Security Essentials: Applications and Standards, Prentice Hall, 366 pp., April 2000.
  • Organizations (URLs were not preserved in the transcript):
    • ACM - Association for Computing Machinery
    • CERT - The CERT Coordination Center, part of the Networked Systems Survivability Program at the Software Engineering Institute at Carnegie Mellon University
    • FIRST - Forum of Incident Response and Security Teams
    • IEEE - Institute of Electrical and Electronics Engineers
    • IETF - Internet Engineering Task Force
    • Communications Society of IEEE
    • ISO - International Organization for Standardization
    • ITU - International Telecommunication Union
    • SANS - System Administration, Networking, and Security Institute
    • IISSCC or ISC2 - International Information System Security Certification Consortium

  45. References (cont.)
  • Conferences:
    • Multiple security-related conferences sponsored by SANS
    • Networld+Interop
    • Multiple conferences sponsored by the Communications Society of IEEE
    • IEEE Computer Security Foundations Workshop
    • 10th FIRST Conference and Workshop on Computer Security Incident Handling and Response
    • Multiple conferences sponsored by ACM
  • WWW URLs (the addresses themselves were not preserved in the transcript):
    • COAST - Comprehensive set of links to sites related to cryptography and network security
    • IETF Security Area - Keep up to date on Internet security standardization efforts
    • Computer and Network Security Reference Index - A good index to vendor and commercial products, FAQs, newsgroup archives, papers, and other web sites
    • The Cryptography FAQ - Lengthy and worthwhile FAQ covering all aspects of cryptography
    • Tom Dunigan's Security Page - An excellent list of pointers to cryptography and network security web sites
    • IEEE Technical Committee on Security and Privacy - An excellent list of pointers to cryptography and network security web sites
    • AES Home Page - NIST's page on the forthcoming Advanced Encryption Standard
    • SANS Network Security Roadmap
    • CERT Coordination Center
    • RSA Laboratories' Frequently Asked Questions