1. Introduction.ppt.pdf

Full Transcript

Dept. of Electrical & Computer Engineering
North South University

EEE661 / CSE525 / ETE536
Introduction to Computer Security

Dr. Hafiz Abdur Rahman, P.Eng. SMIEEE
Professor
Electrical and Computer Engineering
North South University, Bangladesh

January 27, 2022

Fall 2017 1
Course Outline

❑ An introductory course at the graduate level
❑ It covers the topics of
The CISSP exam at varying depth
But is NOT a CISSP course
❑ Textbooks:
Matt Bishop: Computer Security Art and Science
Official ISC2 Guide to the CISSP CBK

EEE661 / CSE525 / ETE536 Fall 2017
2
Objectives

❑ Roles and responsibilities of individuals in a
security program
❑ Security planning in an organization
❑ Security awareness in the organization
❑ Differences between policies, standards,
guidelines and procedures
❑ Risk Management practices and tools

EEE661 / CSE525 / ETE536 Fall 2017 3
Syllabus of the Course

❑ Bishop’s book for the first part
❑ Papers for some classes
❑ ISC2 book for the second part

EEE661 / CSE525 / ETE536 Fall 2017 4
Introduction
❑ Purpose of information security:
❑ to protect an organization's information resources 🡺
data, hardware, and software.
❑ To increase organizational success: IS are
critical assets supporting its mission

EEE661 / CSE525 / ETE536 Fall 2017 5
Information Security TRIAD

EEE661 / CSE525 / ETE536 Fall 2017 6
IT Security Requirements - I

Security should be designed for two requirements:
1. Functional: Define behavior of the control means 🡺 based on
risk assessment
Properties:
❑ should not depend on another control:
❑ Why? fail safe by maintaining security during a system failure
2. Assurance: Provide confidence that security functions perform
as expected.
❑ Internal/External Audit.
❑ Third Party reviews
❑ Compliance to best practices

Examples
❑ Functional: a network Firewall to permit or deny traffic.
❑ Assurance: logs are generated, monitored, and reviewed

EEE661 / CSE525 / ETE536 Fall 2017 7
Organizational & Business Requirements
❑ Focus on organizational mission:
❑ Business or goals driven
❑ Depends on type of organization:
❑ Military , Government, or Commercial.
❑ Must be sensible and cost effective
❑ Solution considers the mission and environment 🡺
Trade-off

EEE661 / CSE525 / ETE536 Fall 2017 8
IT Security Governance

Integral part of corporate governance:
❑ Fully integrated into overall risk-based threat
analysis
Ensure that IT infrastructure:
❑ Meets all requirements.
❑ Supports the strategies and objectives of the
company.
❑ Includes service level agreements [if outsourced].

EEE661 / CSE525 / ETE536 Fall 2017 9
Security Governance: Major parts

1. Leadership:
Security leaders must be part of the company leadership --
where they can be heard.
2. Structure:
occurs at many levels and should use a layered approach.
3. Processes:
follow internationally accepted “best practices”:
Job rotation , Separation of duties, least privilege, mandatory
vacations, …etc.
Examples of standards : ISO 17799 & ISO 27001:2005

EEE661 / CSE525 / ETE536 Fall 2017 10
Security Blueprints

Provide a structure for organizing requirements
and solutions.
❑ Ensure that security is considered holistically.
To identify and design security requirements

EEE661 / CSE525 / ETE536 Fall 2017 11
Policy Overview
1. Operational environment is a web of laws, regulations,
requirements, and agreements or contracts with
partners and competitors

2. Change frequently and interact with each other

3. Management must develop and publish security
statements addressing policies and supporting
elements, such as standards , baselines, and
guidelines.

EEE661 / CSE525 / ETE536 Fall 2017 12
Policy overview

EEE661 / CSE525 / ETE536 Fall 2017 13
Functions of Security policy

1. Provide Management Goals and Objectives in writing
2. Ensure Document compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors aware of
organizational policy and changes to it
9. Require incident response plan
10. Establish process for exception handling, rewards,
and discipline

EEE661 / CSE525 / ETE536 Fall 2017 14
Policy Infrastructure

1. High level policies interpreted
into functional policies.
2. Functional polices derived
from overarching policy and
create the foundation for
procedures, standards, and
baselines to accomplish the
objectives
3. Polices gain credibility by top
management buy-in.

EEE661 / CSE525 / ETE536 Fall 2017 15
Examples of Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable mail and Internet usage
7. Privacy
8. Dissemination control
9. Sharing control

EEE661 / CSE525 / ETE536 Fall 2017 16
Policy Implementation

❑ Standards, procedures, baselines, and
guidelines turn management objectives and
goals [functional policies] into enforceable
actions for employees.

EEE661 / CSE525 / ETE536 Fall 2017 17
Standards and procedure
1. Standards (local): Adoption of common
hardware and software mechanism and
products throughout the enterprise.
Examples: Desktop, Anti-Virus, Firewall
2. Procedures: step by step actions that must be
followed to accomplish a task.
3. Guidelines: recommendations for product
implementations, procurement and planning,
etc.
Examples: ISO17799, Common Criteria, ITIL

EEE661 / CSE525 / ETE536 Fall 2017 18
Security Baselines
Benchmarks: to ensure that a minimum level of
security configuration is provided across
implementations and systems.
❑ establish consistent implementation of security
mechanisms.
❑ Platform unique
Examples:
❑ VPN Setup,
❑ IDS Configuration,
❑ Password rules

EEE661 / CSE525 / ETE536 Fall 2017 19
Three Levels of security planning
1. Strategic: long term
❑ Focus on high-level, long-range organizational
requirements
❑ Example: overall security policy
2. Tactical: medium-term
❑ Focus on events that affect all the organization
❑ Example: functional plans
3. Operational: short-term
❑ Fight fires at the keyboard level, directly affecting
how the organization accomplishes its objectives.

EEE661 / CSE525 / ETE536 Fall 2017 20
Organizational roles and responsibilities

❑ Everyone has a role:
❑ with responsibility clearly communicated and
understood
❑ Duties associated with the role must be
assigned
❑ Examples:
❑ Securing email
❑ Reviewing violation reports
❑ Attending awareness training

EEE661 / CSE525 / ETE536 Fall 2017 21
Specific Roles and Responsibilities (duties)
❑ Executive Management:
❑ Publish and endorse security policy
❑ Establish goals and objectives
❑ State overall responsibility for asset protection.
❑ IS security professionals:
❑ Security design, implementation, management,
❑ Review of organization security policies.
❑ Owner:
❑ Information classification
❑ Set user access conditions
❑ Decide on business continuity priorities
❑ Custodian:
❑ Entrusted with the Security of the information
❑ IS Auditor:
❑ Audit assurance guarantees.
❑ User:
❑ Compliance with procedures and policies

EEE661 / CSE525 / ETE536 Fall 2017 22
Personnel Security: Hiring staff

❑ Background check/Security clearance
❑ Check references/Educational records
❑ Sign Employment agreement
❑ Non-disclosure agreements
❑ Non-compete agreements

❑ Low level Checks
❑ Consult with HR Department
❑ Termination/dismissal procedure

EEE661 / CSE525 / ETE536 Fall 2017 23
Third party considerations

Include:
❑ Vendors/Suppliers
❑ Contractors
❑ Temporary Employees
❑ Customers
Must established procedures for these groups.

EEE661 / CSE525 / ETE536 Fall 2017 24
Personnel good practice

❑ Job description; roles and responsibilities
❑ Least privilege/Need to know
❑ Compliance with need to share
❑ Separation of duties / responsibilities
❑ Job rotation
❑ Mandatory vacations

EEE661 / CSE525 / ETE536 Fall 2017 25
Security Awareness

❑ Awareness training
❑ Remind employees of security responsibility
❑ Motivate personnel to comply with them
❑ Videos
❑ Newsletters
❑ Posters
❑ Key-chains

EEE661 / CSE525 / ETE536 Fall 2017 26
Training and Education

Job training
❑ Provide skills to perform security functions.
❑ Focus on security-related job skills
❑ Address security requirements of the organization, etc.
Professional Education
❑ Provide decision-making and security management
skills important for success of security program.

EEE661 / CSE525 / ETE536 Fall 2017 27
Good training practice
Address all the audience
❑ Management
❑ Data Owner and custodian
❑ Operations personnel
❑ User
❑ Support personnel

EEE661 / CSE525 / ETE536 Fall 2017 28
Risk in NIST SP 800-30

Risk is a function of the likelihood of a given
threat-source’s exercising a particular potential
vulnerability and the resulting impact of that
adverse event on the organization

EEE661 / CSE525 / ETE536 Fall 2017 29
Risk related Definitions

❑ Vulnerability: A Flaw or weakness in system
procedures, design, implementation or internal
controls that could be used breach or violate
the system
❑ Likelihood: probability that a vulnerability may
be used in the threat environment.
❑ Threat: the Potential for a mal-actor to
exercise a vulnerability.
❑ Countermeasure: risk reduction method
(technical, operational, managerial, or
combination)

EEE661 / CSE525 / ETE536 Fall 2017 30
Risk Management concept flow

EEE661 / CSE525 / ETE536 Fall 2017 31
Risk Management Definitions
❑ Asset: something valued (to accomplish goals and objectives)

❑ Threat Agent: anything that can pose or cause a threat.

❑ Exposure: situation when a threat can cause loss.

❑ Vulnerability: weakness that could be exploited.

❑ Attack: Intentional action attempting to cause harm.

❑ Risk: probability that some event can occur

❑ Residual Risk: risk remaining after countermeasures and safeguards have
been applied

EEE661 / CSE525 / ETE536 Fall 2017 32
Risk Management

To identify possible problems before
they occur so that risk-handling
activities may be planned and
invoked as needed during the life of
the product or project

EEE661 / CSE525 / ETE536 Fall 2017 33
The Risk Equation

EEE661 / CSE525 / ETE536 Fall 2017 34
Risk Management

Identify and reduce risks
❑ Mitigating controls [Safeguards &
Countermeasures]
❑ Residual Risk when countermeasures exist but
are not sufficient 🡺 should be at acceptable level

EEE661 / CSE525 / ETE536 Fall 2017 35
Purpose of Risk Analysis
Identify and justify risk mitigation
❑ Assess threats to business processes and IS
❑ Justify use of countermeasures
Describe security based on risk to the organization

EEE661 / CSE525 / ETE536 Fall 2017 36
Benefits of Risk Analysis
❑ Focus on policy and resources
❑ Identify areas with specific risk
❑ good IT Governance, supporting
❑ Business continuity
❑ Insurance and liability decisions
❑ Legitimize security awareness program

EEE661 / CSE525 / ETE536 Fall 2017 37
Emerging threats
❑ Risk Assessment must address new threats
❑ New technology
❑ Change in culture of the organization
❑ Unauthorized use of technology.
❑ May be discovered by periodic risk
assessment

EEE661 / CSE525 / ETE536 Fall 2017 38
Sources of identity threats

❑ Users
❑ System administrators
❑ Security officers
❑ Auditors
❑ Operations
❑ Facility records
❑ Community and government records
❑ Vendor/security provider alerts
❑ Other threats:
❑ Natural disasters – flood, tornado, etc.
❑ Environment -- overcrowding or poor morale
❑ Facility -- physical security or location of building

EEE661 / CSE525 / ETE536 Fall 2017 39
Risk analysis key factors

❑ Obtain senior management support
❑ Establish risk assessment team
❑ Define and approve purpose and scope
❑ Select team members
❑ State their authority and responsibility
❑ Have management review findings and recommendations
❑ Risk team members to include: IS System
Security, IT & Operations Management,
Internal Audit, Physical security, etc

EEE661 / CSE525 / ETE536 Fall 2017 40
Use of automated tools for risk
management
❑ Objective: to minimize manual effort
❑ May be time consuming in setup
❑ Perform calculations quickly
❑ Estimate future expected loss
❑ Determine benefit of security measures

EEE661 / CSE525 / ETE536 Fall 2017 41
Preliminary security evaluation
Identify vulnerabilities

Review existing security measures

Document findings

Obtain management review and approval

EEE661 / CSE525 / ETE536 Fall 2017 42
Risk analysis types
Two types
❑ Quantitative
❑ Qualitative

❑ Both provide valuable metrics

❑ Both required for a full picture

EEE661 / CSE525 / ETE536 Fall 2017 43
Quantitative risk analysis

Determine monetary value
❑ Fully quantitative if all elements are quantified,
but this is difficult to achieve. Requires much
time and personnel effort

EEE661 / CSE525 / ETE536 Fall 2017 44
Determining Asset Value
Cost to acquire, develop, and maintain
❑ Value to owners, custodians, or users
❑ Liability for protection
❑ Recognize real world cost and value
❑ Price others are willing to pay for it
❑ Value of intellectual property
❑ Convertibility/negotiability

EEE661 / CSE525 / ETE536 Fall 2017 45
Quantitative analysis steps

1. Estimate potential single loss expectancy
SLE = Asset Value ($) * Exposure Factor
Exposure Factor=% of asset loss when threat succeeds
Types of loss
❑ Physical destruction, theft, Loss of data, etc
2. Conduct threat analysis
ARO-Annual Rate of Occurrence
Expected number of exposures/incidents per year
Likelihood of unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
Magnitude of risk = Annual Loss Expectancy
Purpose 🡺 to justify security countermeasures
ALE=SLE * ARO
EEE661 / CSE525 / ETE536 Fall 2017 46
Qualitative Risk analysis
❑ Scenario oriented
❑ Does not assign numeric values to risk
components
❑ Qualitative risk analysis is possible
❑ Qualitative risk analysis factors
❑ Rank seriousness of threats and sensitivity of assets
❑ Perform a reasoned risk assessment

EEE661 / CSE525 / ETE536 Fall 2017 47
Other risk analysis methods

Failure modes and effects analysis
❑ Potential failures of each part or module
❑ Examine effects of failure at three levels
❑ Immediate (part or module)
❑ Intermediate (process or package)
❑ System-wide
Fault tree or spanning tree analysis
❑ Create a “tree” of all possible threats and faults
❑ “Branches” are general categories [network threats,
physical threats, component failures, etc.]
❑ Prune “branches” that do not apply
❑ Concentrate on remaining threats.

EEE661 / CSE525 / ETE536 Fall 2017 48
Risk mitigation options

❑ Risk Acceptance

❑ Risk Reduction

❑ Risk Transference

❑ Risk Avoidance

EEE661 / CSE525 / ETE536 Fall 2017 49
The right amount of security

❑ Cost/Benefit analysis- balance cost of
protection versus asset value
❑ Need to assess:
❑ Threats, Adversary, means , motives, and opportunity.
❑ Vulnerabilities and Resulting risk
❑ Risk tolerance

EEE661 / CSE525 / ETE536 Fall 2017 50
Countermeasures Selection Principles
❑ Based on cost/benefit analysis, cost of safeguard
❑ Selection and acquisition
❑ Construction and placement
❑ Environment modification
❑ Nontrivial operating cost
❑ Maintenance, testing
❑ Potential side effects
❑ Cost justified by potential loss
❑ Accountability
❑ At least one person for each safeguard
❑ Associate directly with performance review
❑ Absence of design secrecy

EEE661 / CSE525 / ETE536 Fall 2017 51
Countermeasures Selection Principles
(Cont.)
Audit capability
❑ Must be testable
❑ Include auditors in design and implementation
Vendor Trustworthiness
❑ Review past performance
Independence of control and subject
❑ Safeguards control/constrain subjects
❑ Controllers administer safeguards
❑ Controllers and subject have different populations
Universal application
❑ Impose safeguards uniformly
❑ Minimize exceptions

EEE661 / CSE525 / ETE536 Fall 2017 52
Countermeasures Selection Principles
(Cont.)
❑ Compartmentalization and defense in depth
Role of Safeguards
❑ to improve security through layers
❑ Isolation, economy, and least common mechanism
❑ Isolate from other safeguards
❑ Simple design is cost effective and reliable, etc
❑ Acceptance and tolerance by personnel
❑ Care taken to avoid implementing controls that pose
unreasonable constraints
❑ Less intrusive controls more acceptable
❑ Minimize human intervention
❑ Reduce possibility of errors and “exceptions” by reducing
reliance on administrative staff to maintain control

EEE661 / CSE525 / ETE536 Fall 2017 53
Countermeasures Selection Principles
(Cont.)
❑ Sustainability
❑ Reaction and recovery
Countermeasures, when activated, should:
❑ Avoids asset destruction and stop further damage
❑ Prevent disclosure of sensitive information through a covert channel
❑ Maintain confidence in system security
❑ Capture information related to the attack and attacker
❑ Override and fail-safe defaults
❑ Residual and reset

EEE661 / CSE525 / ETE536 Fall 2017 54
Basis and Origin of Ethics

❑ Religion, law, tradition, culture
❑ National interest
❑ Individual rights
❑ Enlightened self interest
❑ Common good/interest
❑ Professional ethics/practices
❑ Standards of good practice

EEE661 / CSE525 / ETE536 Fall 2017 55
Ethics
❑ Formal ethical theories
❑ Teleology: Ethics in terms of goals, purposes, or ends
❑ Deontology: Ethical behavior is duty
❑ Common ethical fallacies
❑ Computers are a game
❑ Law-abiding citizen, Gentlemanly conduct, Free information
❑ Shatterproof
❑ Candy-from-a-baby
❑ Hackers
❑ Difficult to define
❑ Start with senior management

EEE661 / CSE525 / ETE536 Fall 2017 56
Professional Codes of ethics
Internet Activities Board (IAB)
❑ Any activity is unethical & unacceptable that purposely:
❑ Seeks to gain unauthorized access to the internet resources
❑ Disrupts the intended use of the internet
❑ Wastes resources through such actions
❑ Destroys the integrity of computer-based information
❑ Compromises the privacy of users
❑ Involves negligence in the conduct of internet-wide experiments
ACM and IEEE (look them up)
(ISC)2
❑ Protect society, the commonwealth, and the infrastructure
❑ Provide diligent and competent services to principals, etc
Auditors

Professional codes may have legal importance

EEE661 / CSE525 / ETE536 Fall 2017 57