Transcript of 95-752 Introduction to Information Security Management, Tim Shimeall, Ph.D.
Posted 15-Jan-2016, Category: Documents
95-752 Introduction to Information Security Management
Tim Shimeall, Ph.D., tjs@cert.org, 412-268-7611
Office Hours by Appointment
Course website: http://www.andrew.cmu.edu/course/95-752
Course Covers
Introduction/Definitions
Physical security
Access control
Data security
Operating system security
Application security
Network security
Student Expectations
• Grading:
– 2 Homeworks
– Midterm
– Paper/project
• All submitted work is sole effort of student
• Students are interested in subject area
• Students have varied backgrounds
Information Revolution
• Information Revolution as pervasive as the Industrial Revolution
• Impact is Political, Economic, and Social as well as Technical
• Information has an increasing intrinsic value
• Protection of critical information now a critical concern in Government, Business, Academia
A Different Internet
• Armies may cease to march
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Computer Terms (1)
Computer – A collection of the following:
Central Processing Unit (CPU): Instruction processing
Memory (RAM): Transient storage for data
Disk: More permanent storage for data
Monitor: Display device
Printer: Hard copy production
Network card: communication circuitry
Computer Terms (2)
Software: Instructions for a computer
Operating System: interaction among components of computer
Application software: common tasks (e.g., email, word processing, program construction, etc.)
API/Libraries: Support for common tasks
Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude
• Clear the disk and try again!
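As an added example (not from the lecture), the timeline on this slide expressed as detection logic: a small Python script that scans constructed syslog-style lines from a newly exposed host and reports, relative to the moment it came online, when each stage the slide lists first shows up. The log format, the firewall line layout, the patterns and the addresses are assumptions made for the example.

```python
from datetime import datetime
import re

# Constructed sample log (not real data) that follows the slide's timeline:
# probes within seconds, compromise attempts within an hour, full compromise
# by hour twelve. Firewall lines use an assumed iptables-like "DROP IN=... DPT=" form.
SAMPLE_LOG = """\
2001-05-01 00:00:00 kernel: eth0: link up, host now reachable
2001-05-01 00:00:31 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=21
2001-05-01 00:00:32 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=111
2001-05-01 00:00:33 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=515
2001-05-01 01:02:10 sshd[411]: Failed password for root from 203.0.113.9
2001-05-01 01:02:12 sshd[412]: Failed password for root from 203.0.113.9
2001-05-01 11:58:03 sshd[900]: Accepted password for root from 203.0.113.9
2001-05-01 11:58:40 syslogd: exiting on signal 15
2001-05-01 12:05:02 kernel: OUT=eth0 SRC=192.0.2.10 DST=192.0.2.55 DPT=111
"""

# Each stage on the slide, paired with a pattern for its first observable sign.
STAGES = (
    ("service probes/scans", re.compile(r"DROP IN=\S+ SRC=\S+ DPT=\d+")),
    ("compromise attempts", re.compile(r"Failed password for \S+ from")),
    ("administrative access obtained", re.compile(r"Accepted \w+ for root from")),
    ("event logging disabled", re.compile(r"syslogd: exiting")),
    ("probing for new hosts", re.compile(r"OUT=\S+ SRC=\S+ DST=\S+ DPT=\d+")),
)

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse(log_text):
    """Yield (timestamp, message) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def stage_timeline(log_text):
    """Seconds from the first log line to the first sign of each stage (None if never seen)."""
    events = list(parse(log_text))
    if not events:
        return {name: None for name, _ in STAGES}
    t0 = events[0][0]
    seen = {}
    for ts, msg in events:
        for name, pat in STAGES:
            if name not in seen and pat.search(msg):
                seen[name] = int((ts - t0).total_seconds())
    return {name: seen.get(name) for name, _ in STAGES}


def fully_compromised(timeline):
    """The slide's 'fully compromised' state: root access, logging tampered with, outbound scanning."""
    keys = ("administrative access obtained", "event logging disabled", "probing for new hosts")
    return all(timeline[k] is not None for k in keys)


if __name__ == "__main__":
    tl = stage_timeline(SAMPLE_LOG)
    for name, secs in tl.items():
        print(f"{name:32s} " + (f"first seen at +{secs}s" if secs is not None else "not seen"))
    print("fully compromised:", fully_compromised(tl))
```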
Why is Security Difficult?
• Managers unaware of value of computing resources
• Damage to public image
• Legal definitions often vague or non-existent
• Legal prosecution is difficult
• Many subtle technical issues
Objectives of Security
• Privacy – Information only available to authorized users
• Integrity – Information retains intended content and semantics
• Availability – Information retains access and presence
Importance of these shifts over time and depends on the organization
Security Terms
Exposure - “actual harm or possible harm”
Vulnerability - “weakness that may be exploited”
Attack - “human originated perpetration”
Threat - “potential for exposure”
Control - “preventative measure”
Classes of Threat
• Interception
• Modification
• Masquerade
• Interruption
Most Security Problems Are People Related
Software Security Concerns
• Theft
• Modification
• Deletion
• Misplacement
Data Security Concerns
• Vector for attack
• Modification
• Disclosure
• Deletion
“If you have a $50 head, buy a $50 helmet”
Network Security Concerns
• Basis for Attack
• Publicity
• Theft of Service
• Theft of Information
Network is only as strong as its weakest link
Problems multiply with number of nodes
Motivations to Violate Security
• Greed
• Ego
• Curiosity
• Revenge
• Competition
• Political/Ideological
People and Computer Crime
• Most damage not due to attacks
– “Oops!”
– “What was that?”
• No clear profile of computer criminal
• Law and ethics may be unclear
“Attempting to apply established law in the fast developing world of the Internet is somewhat like trying to board a moving bus” (Second Circuit, US Court of Appeals, 1997)
Theory of Technology Law
• Jurisdiction:
– Subject matter – power to hear a type of case
– Personal – power to enforce a judgment on a defendant
• Between states: Federal subject matter
• Within state: State/local subject matter
• Criminal or Civil
– Privacy/obscenity covered now
– Intellectual property covered later
Privacy Law
• Common law:
– Person’s name or likeness
– Intrusion
– Disclosure
– False light
• State/Local law: Most states have computer crime laws, varying content
• International law: patchy, varying content
Federal Privacy Statutes
• ECPA (communication)
• Privacy Act of 1974 (Federal collection/use)
• Family Educational Rights & Privacy Act (school records)
• Fair Credit Reporting Act (credit information)
• Federal Cable Communications Privacy Act (cable subscriber info)
• Video Privacy Act (video rental information)
• HIPAA (health care information)
• Sarbanes-Oxley Act (corporate accounting)
• Patriot Act (counter-terrorism)
Plus state law in more than 40 states, and local laws
Federal Obscenity Statutes
• Miller tests (Miller v. California, 1973):
– Average person applying contemporary community standards finds the work appeals to prurient interest
– Sexual content
– Lack of literary, artistic, political or scientific value
• Statutes:
– Communications Decency Act (struck down)
– Child Online Protection Act (struck down)
– Child Pornography Protection Act (struck down – virtual child porn; live children still protected)
Indian Trust Funds
• Large, developing case: Cobell vs. Norton
– http://www.indiantrust.com/
• Insecure handling of entrusted funds
• Legal Internet disruption
• Criminal contempt proceedings
• Judicial overstepping
Three Security Disciplines
• Physical
– Most common security discipline
– Protect facilities and contents: plants, labs, stores, parking areas, loading areas, warehouses, offices, equipment, machines, tools, vehicles, products, materials
• Personnel
– Protect employees, customers, guests
• Information
– The rest of this course
How Has It Changed?
• Physical Events Have Cyber Consequences
• Cyber Events Have Physical Consequences
Why Physical Security?
• Not all threats are “cyber threats”
• Information one commodity that can be stolen without being “taken”
• Physically barring access is first line of defense
• Forces those concerned to prioritize!
• Physical Security can be a deterrent
• Security reviews force insights into value of what is being protected
Layered Security
• Physical Barriers
– Fences
– Alarms
– Restricted Access Technology
• Physical Restrictions
– Air Gapping
– Removable Media
– Remote Storage
• Personnel Security Practices
– Limited Access
– Training
– Consequences/Deterrence
Physical Barriers
• Hardened Facilities
• Fences
• Guards
• Alarms
• Locks
• Restricted Access Technologies
– Biometrics
– Coded Entry
– Badging
• Signal Blocking (Faraday Cages)
Outer Protective Layers
• Structure
– Fencing, gates, other barriers
• Environment
– Lighting, signs, alarms
• Purpose
– Define property line and discourage trespassing
– Provide distance from threats
Middle Protective Layers
• Structure
– Door controls, window controls
– Ceiling penetration
– Ventilation ducts
– Elevator penthouses
• Environment
– Within defined perimeter, positive controls
• Purpose
– Alert threat, segment protection zones
Inner Protective Layers
• Several layers
• Structure
– Door controls, biometrics
– Signs, alarms, CCTV
– Safes, vaults
• Environment
– Authorized personnel only
• Purpose
– Establish controlled areas and rooms
Other Barrier Issues
• Handling of trash or scrap
• Fire:
– Temperature
– Smoke
• Pollution:
– CO
– Radon
• Flood
• Earthquake
Physical Restrictions
• Air Gapping Data
– Limits access to various security levels
– Requires conscious effort to violate
– Protects against inadvertent transmission
• Removable Media
– Removable Hard Drives
– Floppy Disks/CDs/ZIP Disks
• Remote Storage of Data
– Physically separate storage facility
– Use of Storage Media or Stand Alone computers
– Updating of Stored Data and regular inventory
Personnel Security Practices
• Insider Threat the most serious
– Disgruntled employee
– Former employee
– Agent for hire
• Personnel Training
– Critical Element
– Most often overlooked
• Background checks
– Critical when access to information required
– Must be updated
– CIA/FBI embarrassed
Activities or Events
• Publications, public releases, etc.
• Seminars, conventions or trade shows
• Survey or questionnaire
• Plant tours, “open house”, family visits
• Governmental actions: certification, investigation
• Construction and Repair
NISPOM
National Industrial Security Program Operating Manual
• Prescribes requirements, restrictions and other safeguards for information
• Protections for special classes of information:
• National Security Council provides overall policy direction
• Governs oversight and compliance for 20 government agencies
Methods of Defense
Overlapping controls
– Authentication
– Encryption
– Integrity control
– Firewalls
– Network configuration
– Application configuration
– Policy