
Cybersecurity Fundamentals (CY 101)
Chapter 1: Overview

Outline
- Computer Security Concepts
- Computer Security Terminology
- Threats, Attacks, and Assets
- Security Functional Requirements
- Attack Surface
- Computer Security Strategy

Computer Security Concepts
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms, July 2019) defines the term computer security as follows:
“Measures and controls that ensure confidentiality, integrity, and availability of information processed and stored by a computer, including hardware, software, firmware, information data, and telecommunications.”

Objectives of cyber security: the CIA model
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
- Availability: Ensuring timely and reliable access to and use of information.

Confidentiality
This term covers two related concepts:
- Data confidentiality: only authorized subjects should be able to read given data.
- Privacy: only authorized people can collect and keep information about you, and only those you approve can access that information.
Achieved by:
- Access control
- Cryptography
Examples: a business plan, the recipe for Coca-Cola, source code, your password, personnel records.

Integrity
This term covers two related concepts:
- Data integrity: information and programs should be modified only in a controlled manner.
- System integrity: the system performs its intended function in an unimpaired manner.
Examples of integrity policies:
- Modification only by authorized subjects
- Modification only in a consistent/meaningful fashion
- Never modify
- Modification only by a given method

Availability
Applies to data and services:
- Presence of the object/service for use
- Enough of the object/service to meet demand
- Sufficient speed/timeliness of access or response
- Fair use of a shared object/service

Objectives of cyber security
Figure 1.1: Essential Network and Computer Security Requirements

Authenticity
Confirmation of the identity (or other feature) of some object:
- User authentication: “I am who I say I am!”
- Document authorship/agreement: “I wrote that document!”
- Group membership: “I’m with the government, we’re here to help you.”

Authenticity vs. Integrity
- Integrity means an object doesn’t change.
- An object is authentic if it is the same object as it claims to be.
- So, if an object can change in some way and yet still retain its identity, it can be authentic but lack integrity.

Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Traceability of actions supports various security measures and aids in post-incident analysis. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party.

Levels of Impact
- Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Exercise
For each of the given scenarios, rate the relative importance of Confidentiality, Integrity, Authentication, Accountability, and Availability, and give short reasons why you chose the ordering.
Scenarios:
1. Information collected/accessed via an Automatic Teller Machine (ATM)
2. Semi-public web site advising stockholders
3. Control programs on a 777 jet
4. Smart home system controlling door locks and security cameras

Computer Security Challenges
1. Computer security is not as simple as it might first appear to the novice.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features.
3. Procedures used to provide particular services are often counterintuitive.
4. Physical and logical placement needs to be determined.
5. Security mechanisms typically involve more than a particular algorithm or protocol; they also require that participants possess some secret information, which raises questions about the creation, distribution, and protection of that secret information.
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.

Computer Security Challenges (cont.)
7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
8. Security requires regular and constant monitoring.
9. Security is still too often an afterthought and is incorporated into a system after the design is complete, rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information.

Computer Security Terminology
Adversary (threat agent): Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Countermeasure: A device or technique that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.

Computer Security Terminology (cont.)
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy: A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
System Resource (Asset): A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

Computer Security Terminology (cont.)
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Security Concepts and Relationships
Figure 1.2: Security Concepts and Relationships

Assets of a Computer System
- Hardware
- Software
- Data
- Communication facilities and networks

Vulnerabilities, Threats and Attacks
Categories of vulnerabilities:
- Corrupted (loss of integrity)
- Leaky (loss of confidentiality)
- Unavailable or very slow (loss of availability)
Threats:
- Capable of exploiting vulnerabilities
- Represent potential security harm to an asset
Attacks (threats carried out):
- Active: attempt to alter system resources or affect their operation
- Passive: attempt to learn or make use of system information that does not affect system resources
- Insider: initiated by an entity inside the security perimeter
- Outsider: initiated from outside the perimeter

Exercise
State the specific "asset", "attack" and "risk" for the given scenario.
Scenario: A user visiting a compromised web page that contains a hidden link to a malicious site with code that compromises the user's web browser, which then installs spyware that subsequently monitors the user accessing their internet banking site and sends their credentials to the adversary.

Solution:
- The asset is the user's internet banking credentials.
- The attack is the use of a "drive-by download" to compromise the browser and reveal the user's banking credentials.
- The risk is the likelihood that the user will lose their credentials via this attack, and hence that the attacker is able to steal money from their account.

Countermeasures
Means used to deal with security attacks:
- Prevent
- Detect
- Recover
A countermeasure may itself introduce new vulnerabilities, and residual vulnerabilities may remain. The goal is to minimize the residual level of risk to the assets.

Threats, Attacks, and Assets

Table 1.2: Threat Consequences and the Types of Threat Actions that Cause Each Consequence (source: based on RFC 4949)

Unauthorized Disclosure: a circumstance or event whereby an entity gains unauthorized access to data.
- Exposure: Sensitive data are directly released to an unauthorized entity.
- Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
- Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or by-products of communications.
- Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system’s security protections.

Deception: a circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
- Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
- Falsification: False data deceive an authorized entity.
- Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption: a circumstance or event that interrupts or prevents the correct operation of system services and functions.
- Incapacitation: Prevents or interrupts system operation by disabling a system component.
- Corruption: Undesirably alters system operation by adversely modifying system functions or data.
- Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Usurpation: a circumstance or event that results in control of system services or functions by an unauthorized entity.
- Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
- Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Computer and Network Assets, with Examples of Threats

Hardware
- Availability: Equipment is stolen or disabled, thus denying service.
- Confidentiality: An unencrypted USB drive is stolen.
- Integrity: A door sensor is replaced with one that sends a closed status, regardless of actual door position, at certain times.

Software
- Availability: Programs are deleted, denying access to users.
- Confidentiality: An unauthorized copy of software is made.
- Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data
- Availability: Files are deleted, denying access to users.
- Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
- Integrity: Existing files are modified, or new files are fabricated.

Communication Lines and Networks
- Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
- Confidentiality: Messages are read. The traffic pattern of messages is observed.
- Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Passive and Active Attacks
We can distinguish two types of attacks:

Passive Attack
- Attempts to learn or make use of information from the system, but does not affect system resources
- Eavesdropping on, or monitoring of, transmissions
- Goal of the attacker is to obtain information that is being transmitted
- Two types: release of message contents; traffic analysis

Active Attack
- Attempts to alter system resources or affect their operation
- Involves some modification of the data stream or the creation of a false stream
- Four categories: replay; masquerade; modification of messages; denial of service

Exercise
For each of the given scenarios, is this an active attack or a passive attack?
Scenarios:
1. An unauthorized user intercepts and listens to communication between two parties to gather sensitive information. Passive Attack
2. A hacker sends malicious code to a server, aiming to disrupt its normal operation and render it inaccessible. Active Attack
3. An intruder gains unauthorized access to a computer system and quietly observes user activities without making any changes. Passive Attack

Security Functional Requirements
Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.
Awareness and Training: (i) Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, regulations, and policies related to the security of organizational information systems; and (ii) ensure that personnel are trained.
Audit and Accountability: (i) Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation; (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Security Functional Requirements (cont.)
Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities; (iii) authorize the operation of organizational information systems and any associated information system connections; (iv) monitor information system security controls to ensure the continued effectiveness of the controls.
Configuration Management: (i) Establish and maintain baseline configurations and inventories of organizational information; (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Security Functional Requirements (cont.)
Contingency Planning: Establish, maintain, and implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems.
Identification and Authentication: Identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users.
Incident Response: (i) Establish an operational incident-handling capability for organizational information systems that includes preparation, detection, analysis, containment, recovery, and user-response activities; (ii) track, document, and report incidents to appropriate organizational officials.

Security Functional Requirements (cont.)
Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; (ii) provide effective controls on the tools, techniques, mechanisms, and personnel.
Media Protection: Protect information system media, both paper and digital; limit access to information on information system media to authorized users; sanitize or destroy information system media before disposal or release for reuse.
Physical and Environmental Protection: (i) Limit physical access to information systems, equipment; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; (v) provide appropriate environmental controls in facilities containing information systems.

Security Functional Requirements (cont.)
Planning: Develop, document, periodically update, and implement security plans for organizational information systems.
Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation).

Security Functional Requirements (cont.)
Systems and Services Acquisition: (i) Allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services.
System and Communications Protection: (i) Monitor, control, and protect organizational communications; (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Security Functional Requirements (cont.)
System and Information Integrity: (i) Identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; (iii) monitor information system security alerts and advisories and take appropriate actions in response.

Attack Surfaces
An attack surface consists of the reachable and exploitable vulnerabilities in a system. Examples:
- Open ports on outward-facing Web and other servers, and code listening on those ports
- Services available on the inside of a firewall
- Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
- Interfaces, SQL, and Web forms
- An employee with access to sensitive information who is vulnerable to a social engineering attack

Attack Surface Categories
- Network Attack Surface: Vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.
- Software Attack Surface: Vulnerabilities in application, utility, or operating system code. A particular focus is Web server software.
- Human Attack Surface: Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

Defense in Depth and Attack Surface
Figure 1.4: Defense in Depth and Attack Surface

Computer Security Strategy
Security Policy: Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
Security Implementation: Involves four complementary courses of action:
▪ Prevention
▪ Detection
▪ Response
▪ Recovery

Computer Security Strategy (cont.)
Assurance: Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system’s security policy is enforced.
Evaluation: The process of examining a computer product or system with respect to certain criteria. It involves testing and may also involve formal analytic or mathematical techniques.

Standards
Standards have been developed to cover management practices and the overall architecture of security mechanisms and services. The most important standards-making organizations are:
- National Institute of Standards and Technology (NIST): a U.S. federal agency that deals with measurement science, standards, and technology.
- Internet Society (ISOC): a professional membership society that provides leadership in addressing issues that confront the future of the Internet.
- International Telecommunication Union (ITU-T): the ITU is a United Nations agency in which governments and the private sector coordinate global telecom networks and services.
- International Organization for Standardization (ISO): a nongovernmental organization whose work results in international agreements that are published as International Standards.

Questions/Comments?
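Added example for the Attack Surfaces slides above (written for this edit, not part of the original lecture): a small inventory script that parses the Linux /proc/net/tcp table, keeps only listening sockets, and sorts them by how widely each is reachable, which is the "open ports and code listening on those ports" item of the network attack surface. The sample table is constructed, and the exposure class names are this example's own.

```python
from __future__ import annotations

import socket
import struct

# Constructed sample in the layout of Linux /proc/net/tcp (not from the slides).
# local_address is little-endian hex IPv4 ":" hex port; st 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0F02000A:C8A2 5BC6AE2A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 100 0 0 10 0
"""

LISTEN_STATE = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposure(ip: str) -> str:
    """Classify where a listener can be reached from (this example's own labels)."""
    if ip == "0.0.0.0":
        return "all-interfaces"    # reachable from every attached network
    if ip.startswith("127."):
        return "loopback-only"     # reachable by local processes only
    return "single-interface"      # reachable on that one network segment


def listening_sockets(proc_net_tcp: str) -> list[dict]:
    """Parse /proc/net/tcp text and keep only sockets in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue                               # established etc. are not listeners
        ip, port = decode_addr(fields[1])
        found.append({
            "ip": ip,
            "port": port,
            "uid": int(fields[7]),                 # owner; 0 means a root-owned listener
            "inode": int(fields[9]),               # match against /proc/<pid>/fd to find the process
            "exposure": exposure(ip),
        })
    return found


def network_attack_surface(proc_net_tcp: str) -> dict[str, list[int]]:
    """Group listening ports by exposure class so the widest-reaching ones stand out."""
    groups: dict[str, list[int]] = {"all-interfaces": [], "single-interface": [], "loopback-only": []}
    for sock in listening_sockets(proc_net_tcp):
        groups[sock["exposure"]].append(sock["port"])
    return {cls: sorted(ports) for cls, ports in groups.items()}


if __name__ == "__main__":
    for cls, ports in network_attack_surface(SAMPLE_PROC_NET_TCP).items():
        print(f"{cls:17s} {ports}")
```

On a real Linux host, pass the contents of /proc/net/tcp instead of the sample; IPv6 listeners live in /proc/net/tcp6 with 32-hex-digit addresses, which this decoder does not handle.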
