Review of Information Security Concepts

Review of Information Security Concepts

What is Information security?Question: What is information security?Information Security (InfoSec)Protection of information and its critical elements,Including the systems and hardware that use, store, and transmit that information.Topical areas to implement policies and controls:Network Security Physical Security Personnel Security Operations Security Communications Security

Goals and principles of information SecurityQuestion: What are the critical characteristics of InfoSec?Goals of Information SecurityConfidentiality: Ensures only authorized parties can view informationPolicies Least PrivilegeIntegrity: Ensures information not alteredPreservationReliabilityAvailability: Ensures information accessible when needed to authorized partiesPrinciples that Govern Information SecurityAuthentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposterSomething you haveSomething you areSomething you knowAuthorization: Providing permission or approval to specific technology resourcesAccounting: Provides tracking of events

Goals of Information SecurityConfidentiality: Ensures only authorized parties can view informationPolicies Least PrivilegeIntegrity: Ensures information not alteredPreservationReliabilityAvailability: Ensures information accessible when needed to authorized parties

Principles that Govern Information SecurityAuthentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposterSomething you haveSomething you areSomething you knowAuthorization: Providing permission or approval to specific technology resourcesAccounting: Provides tracking of events

3

CNSS Security Model

Desired goalsConfidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals.Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability.Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed.Information statesStorage: Data at rest (DAR) in an information system, such as that stored in memory or on a magnetic tape or disk.Transmission: transferring data between information systems - also known as data in transit (DIT).Processing: performing operations on data in order to achieve a desired objective.SafeguardsPolicy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization. (examples: acceptable use policies or incident response procedures) - also referred to as operations.Education: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards. (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics) - also referred to as personnelTechnology: software and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems, etc.)

Scenarios:Encryption of credit cards over the wireWho has access to FERPA informationTelework Central AuthenticationData has not been tampered with

4

Balancing Information security and accessEven with the best efforts of planning and implementation, it is not possible to achieve perfect information security.

Balance protection of information and information assets with the availability of that information to authorized users.CompromiseRiskIts not a question of if, but when and what ~Silver

Business Continuity and Incident ResponseProtect the organizations ability to functionImplement Policies and Procedures to ensure operational needs in case of an attack.Policies influence security proceduresCountermeasures

Components of Security

Security Perimeter and Defense in depthSecurity perimeterDefines the boundary between the outer limit of an organizations security and the beginning of the outside networkFirewalls/RulesPerimeter does not protect against internal attacksOrganization may choose to set up security domainsDefense in depthLayered implementation of securityRedundancyImplementing technology in layers

Threats to InfoSec

ThreatsMalicious code Includes viruses, worms, Trojan horses, and active Web scripts Executed with the intent to destroy or steal informationPolymorphic, multivector wormConstantly changes the way it looks Uses multiple attack vectors to exploit a variety of vulnerabilities in commonly used softwareCompromising PasswordsCracking, Brute force attack, Dictionary attack

12

Distributed Denial-of-Service (DDoS)

Denial-of-service (DoS) attackAttacker sends a large number of connection or information requests to a targetSo many requests are made that the target system cannot handle them along with other, legitimate requests for serviceDistributed denial-of-service (DDoS) Coordinated stream of requests against a target from many locations at the same timeAny system connected to the Internet is a potential target for denial-of-service attacks

13

Spoofing

Intruder sends messages to IP addresses that indicate to the recipient that the messages are coming from a trusted host

14

Man-in-the-Middle

Attacker monitors (or sniffs) packets from the networkModifies them using IP spoofing techniquesInserts them back into the networkAllows the attacker to eavesdrop, change, delete, reroute, add, forge, or divert data

15

Buffer OverflowUse a VM to openhttp://www.pitt.edu/~is2470pb/Fall02/Final/rb/Buffer.htmlhttp://www.pitt.edu/~is2470pb/Fall02/Final/sl/Applet1.htmlhttp://www.pitt.edu/~is2470pb/Fall02/Final/sh/BufferOverFlow/BufferOverFlow.html

Occurs when more data is sent to a buffer than it can handleAttacker can make the target system execute instructionsAttacker can take advantage of some other unintended consequence of the failure

16

Social Engineering

Here are a few questions you should ask yourself:Who is contacting me here? (Remember, most contact details can be found on the Internet!)Why is he contacting me?Is the way he's contacting me normal for this company?Is the information he's requesting sensitive? Is there a way to verify that this is indeed this person?

Process of using social skills to convince people to reveal access credentials or other valuable information to the attackerPeople are the weakest link. You can have the best technology, [then] somebody call[s] an unsuspecting employee. Thats all she wrote, baby. They got everythingKevin Mitnick

17

SummaryInformation securityProtection of information and its critical elementsInformation security is a process, not a goalTakes a wide range of professionals to support the information security programOrganization must establish a functional and well-designed information security program

18

18