Information Security Week 1-2-8 PDF

Summary

This document is a transcript of lecture slides covering information security concepts (Week 1: security violations, threat consequences, the CIA triad, the OSI security architecture and its security services and mechanisms), risk assessment and management (Week 2: security policy, vulnerability, issue, risk and incident management), and cryptographic tools (Lecture 8: message authentication, hash functions, PKI, digital signatures and secure communication protocols).

Full Transcript


Information Security, Week 1

Roadmap
- What is security? Security types
- Possible security violations
- Threat consequences
- Key objectives of computer security
- OSI security architecture
- Security policy
- Security terminology

What is Security?
"The quality or state of being secure: to be free from danger." A successful organization should have multiple layers of security in place:
- Information security
- Physical security
- Personal security
- Operations security
- Communications security
- Network security

Information Security
- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
- Necessary tools: policy, awareness, training, education, technology.

Definitions
- Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers.
- Network Security: measures to protect data during their transmission over a network.
- Internet Security: measures to protect data during their transmission over a collection of interconnected networks.
- Information security: a "well-informed sense of assurance that the information risks and controls are in balance." (Jim Anderson, 2002)

Network and Internet Security
The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.

Possible Security Violations
- User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
- D transmits a message to computer E, instructing E to update an authorization file. User F intercepts the message, alters its contents to add or delete entries, and forwards it to E, which accepts the message as being from D.
- User F constructs its own message and transmits it to E as if it came from D.
- A sender denies having sent a message.

Threat Consequences
Unauthorized disclosure is a threat to confidentiality:
- Exposure: can be deliberate or the result of a human, hardware, or software error.
- Interception: unauthorized access to data.
- Inference: e.g., traffic analysis, or use of limited access to obtain detailed information.
- Intrusion: unauthorized access to sensitive data.

Deception is a threat to either system or data integrity:
- Masquerade: e.g., an attempt by an unauthorized user to gain access to a system by posing as an authorized user; Trojan horse.
- Falsification: altering or replacing valid data, or introducing false data.
- Repudiation: denial of sending, receiving, or possessing the data.

Disruption is a threat to availability or system integrity:
- Incapacitation: a result of physical destruction of or damage to system hardware.
- Corruption: system resources or services function in an unintended manner; unauthorized modification.
- Obstruction: e.g., overloading the system or interfering with communications.

Usurpation is a threat to system integrity:
- Misappropriation: e.g., theft of service, distributed denial of service attack.
- Misuse: security functions can be disabled or thwarted.

Key Objectives of Computer Security
Three key objectives of computer security:
- Confidentiality
- Integrity
- Availability
Two additional, commonly mentioned security concepts:
- Authenticity
- Accountability

Confidentiality covers two related concepts:
- Data confidentiality: assures that private or confidential information is not made available or disclosed to unauthorized individuals.
- Privacy: assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.

Integrity covers two related concepts:
- Data integrity: assures that information and programs are changed only in a specified and authorized manner.
- System integrity: assures that a system performs its intended function in an unimpaired manner, free from inadvertent unauthorized manipulation of the system.

Availability: assures that systems work promptly and that service is not denied to authorized users.

(Figure: the CIA triad.)

Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

Accountability: the security goal that generates the requirement for the actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

OSI Security Architecture
- ITU-T X.800, Security Architecture for OSI, defines a systematic way of defining and providing security requirements.
- It provides a useful, although abstract, overview of network security concepts.
- The OSI security architecture focuses on three things: security attacks, security mechanisms, and security services.

Security Attack
- Any action that compromises the security of information owned by an organization.
- Information security is about how to prevent attacks, or, failing that, how to detect attacks on information-based systems.
- There is a wide range of attacks.

Threat vs. Attack
- Threat: a circumstance or scenario with the potential to exploit a vulnerability and cause harm to a system.
- Attack: a deliberate attempt to breach system security.
- Note: "threat" and "attack" are often used to mean the same thing.

Classifying Security Attacks
- Passive attacks: eavesdropping on, or monitoring of, transmissions in order to obtain message contents or to monitor traffic flows.
- Active attacks: modification of the data stream in order to masquerade as some other entity, replay previous messages, modify messages in transit, or cause denial of service.

(Figure slides: passive attack; active attack.)

Security Service
- Something that enhances the security of the data processing systems and the information transfers of an organization.
- Intended to counter security attacks.
- Makes use of one or more security mechanisms to provide the service.
- Replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; are notarized or witnessed; or are recorded or licensed.

Security Services
- X.800 defines a security service as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
- RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources.
- X.800 defines security services in five major categories.

Security Services (X.800)
- Authentication: assurance that the communicating entity is the one claimed.
- Access Control: prevention of the unauthorized use of a resource.
- Data Confidentiality: protection of data from unauthorized disclosure.
- Data Integrity: assurance that data received is as sent by an authorized entity.
- Non-Repudiation: protection against denial by one of the parties in a communication.
Security Mechanism
A mechanism that is designed to detect, prevent, or recover from a security attack. Examples of mechanisms are encryption algorithms, digital signatures, and authentication protocols.

Security Mechanisms (X.800)
- Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization.
- Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery.

Security Policy
At the least, a security policy is an informal description of desired system behaviors. More usefully, a security policy is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Factors to consider while developing a security policy
- The value of the asset being protected
- The vulnerabilities of the system
- Potential threats

Computer Security Terminology
- Adversary (threat agent): an entity that attacks, or is a threat to, a system.
- Attack: an assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate the security policy of a system.
- Countermeasure: an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
- Risk: an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
- Security Policy: a set of rules and practices that specify how a system or organization provides security services to protect sensitive and critical system resources.
- System Resource (Asset): data; a service provided by a system; a system capability; an item of system equipment; a facility that houses system operations and equipment.
- Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
- Vulnerability: a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

(Figure: Security Concepts and Relationships.)

Further Readings
- Computer Security by William Stallings and Lawrie Brown
- Cryptography and Network Security by William Stallings, 6th Edition, 2012

Risk Assessment and Management, Week 2

Assessing risk
To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with assessment to identify and categorize your risks.

Risk assessment can be performed using five steps:
1. Check existing security policies
2. Analyze, prioritize, and categorize resources
3. Consider business concerns
4. Evaluate existing security controls
5. Leverage existing management and control architecture

Security Policy
- A security policy is a document that reflects the overall security concepts, standards, and processes that form the foundation for every security measure taken by an organization.
- The security policy of an organization should cover the following:
  - Physical security to protect the people, equipment, facilities, and computer assets.
  - User ID and rights management to ensure that only authorized users have access to the organization's network devices.
  - Network security to protect the network devices.
  - System security to deploy the necessary defenses.
  - Authorized security tools and testing required for the particular computer environment.
  - Auditing procedures to periodically check security compliance.
Benefits of a security policy
- Communicates a common vision for security throughout a company.
- Represents a single, easy-to-use source of security requirements.
- Exists as a flexible document that should be updated at least annually to address new threats.

Example security policy
- F:\no-uninett-terena-information-security-policy-best-practice-document-gn3-na3-t4-ufs126.pdf

Categories of security control
The five security processes are explained in terms of three categories of security control:
- Preventive controls: prevent malicious activity from occurring.
- Detective controls: uncover evidence of malicious activity.
- Corrective controls: fix problems that have occurred in the environment.

Security processes
Each organization must perform the following security processes to build a sound security infrastructure:
- Education
- Vulnerability management
- Issue management
- Risk management
- Incident management

Security education
- A security education plan is a preventive control.
- Security education gives users the knowledge to prevent potential security breaches by abusers.
- Security education defines employees' responsibilities in adhering to security guidelines.

Vulnerability Management Process

Security advisory
- Software bugs introduced during development produce security exposures.
- To combat these exposures, most manufacturers release additional software code, called patches, to fix the bugs, and publish advisories that notify the IT community of software problems.
- Every software consumer must have a process to receive these security advisories and apply the necessary patches.

Vulnerability life cycle
Every software vulnerability life cycle has four major stages:
- Discovery
- Repair
- Notification
- Deployment

Discovery
- The discovery stage begins when someone encounters a software vulnerability.
- The optimal action for someone who discovers a vulnerability is to notify the manufacturer, so that it can be fixed before it is widely exploited.
Repair
- The manufacturer researches the vulnerability and develops a software patch to address the issue.
- When the problem cannot be fixed using a software patch, the manufacturer may recommend configuration changes within the software that may fix the problem. This type of solution is usually labeled a workaround.

Notification
- After the patch or workaround has been developed, the manufacturer notifies the public about the problem and releases a fix.

Deployment
- The deployment stage consists of deploying the manufacturer's fix.
- The notification and deployment stages pose the greatest risk to all IT environments: the entire public knows about the vulnerability, advanced abusers have developed automated tools to exploit it, and fixes are still in the process of being deployed.

Vulnerability management process
- Once an organization is receiving the appropriate advisories, formal guidelines must be established to determine the severity of the exposures to the environment caused by the software bugs, the timeline to apply fixes, and the group responsible for applying the fixes. These steps make up the vulnerability management process.
- In the context of security controls, the security advisory process is considered preventive, as it helps in preventing malicious attacks.

Issue Management
- Security issue management is a preventive and corrective measure.
- It identifies and fixes exposures before abusers can take advantage of them.

Security issues
- Vulnerabilities uncovered by the security advisory process
- Deviations from security policy
- Vulnerabilities uncovered during security testing
- Security incidents

Resolving security issues
- Issue fixed: fixing the security exposure is the best outcome.
- Issue mitigated: the second option is to find a compromise. When a risk is mitigated, a degree of security is implemented to reduce the risk represented by the exposure, e.g. implementing a firewall to block particular network traffic instead of installing a software patch on the server.
- Risk accepted: the third option is to accept the risk and decide not to address the security problem. This is the least desirable outcome.

Example: If a security vulnerability is found within the Red Hat Linux operating system, and a company cannot upgrade the various deployed servers because upgrading may break business applications, a firewall may be able to block the necessary ports to prevent attackers from exploiting the vulnerability.

Security Risk Management
- This is a preventive security control.
- It compares the financial cost of implementing security measures with the possible cost of a security breach.
- Risk management is an extension of the issue management process.

Example: If a Red Hat Linux server does not have the latest patch installed, this exposure should be tracked through the security issue management process. However, imagine a situation in which the system administrator notifies the application developers that a patch is imminent, and the application developers respond with the warning that installing the patch will break their application. If management decides that the patch should be installed regardless of the application problem, the issue management process is followed until the issue is closed. If management agrees that the application is critical, the management team must accept the risk and initiate the risk management process.

Risk Management Process

Assessing risk
Quantitative risk assessment provides financial figures by comparing control cost with threat cost. This involves six basic steps (illustrated in the figure):
1. Determine the asset value (AV) for each information asset.
2. Identify threats to the asset.
3. Determine the exposure factor (EF) for each information asset in relation to each threat.
4. Calculate the single loss expectancy (SLE).
5. Calculate the annualized rate of occurrence (ARO).
6. Calculate the annualized loss expectancy (ALE).

- Determine the exposure factor: this is a subjective estimate of the potential percentage of loss to a specific asset if a specific threat is realized. It is usually expressed as a percentage, similar to how weather reports predict the likelihood of weather conditions.
- Calculate the single loss expectancy (SLE): the SLE value is a dollar figure that represents the organization's loss from a single loss event, or the loss of this particular information asset. SLE is calculated as follows:
  Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
- Items to consider when calculating the SLE include the physical destruction or theft of assets, loss of data, theft of information, and threats that might delay processing.
- Assign a value for the annualized rate of occurrence (ARO): the ARO represents the estimated frequency at which a given threat is expected to occur. Simply stated, how many times is this expected to happen in one year?
- Assign a value for the annualized loss expectancy (ALE): the ALE is the annual expected financial loss to an organization's information asset because of a particular threat occurring within that same calendar year. ALE is calculated as follows:
  Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
- The ALE is typically the value that senior management needs to assess in order to prioritize resources and determine which threats should receive the most attention.
- Analyze the risk to the organization: the final step is to evaluate the data and decide whether to accept, reduce, or transfer the risk.

Qualitative risk assessment
- Qualitative risk assessment consists of subjective components, such as professional experience, education, and judgment, used to analyze the risk.

Managing risk
- Accepted risk must be reassessed on a regular basis to decide whether to fix the problem or to allow it to remain untreated.
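The six-step quantitative assessment above carried through in code, as an added example that is not part of the lecture: it computes SLE and ALE for every asset/threat pair, ranks them so management sees the largest ALE first, and goes one step beyond the slides by comparing the ALE a control would remove against the control's annual cost, which is the control-cost-versus-threat-cost comparison the risk management section describes. All asset values, exposure factors, rates and the control cost are constructed.

```python
"""Quantitative risk assessment: SLE = AV x EF and ALE = SLE x ARO.

Added example, not lecture code. The assets, threats, exposure factors,
rates and control cost below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float   # EF: fraction of the asset value lost when the threat is realized
    aro: float               # ARO: expected number of occurrences per year


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # AV: asset value in dollars
    threats: tuple           # Threat objects identified for this asset (step 2)


def single_loss_expectancy(asset_value, exposure_factor):
    """Step 4: SLE = AV x EF, the dollar loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """Step 6: ALE = SLE x ARO, the expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def assess(assets):
    """Steps 1-6 for every asset/threat pair, ranked by ALE (largest first)."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            sle = single_loss_expectancy(asset.value, threat.exposure_factor)
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "SLE": sle,
                "ALE": annualized_loss_expectancy(sle, threat.aro),
            })
    rows.sort(key=lambda row: row["ALE"], reverse=True)
    return rows


def control_is_worthwhile(ale_before, ale_after, annual_control_cost):
    """Control cost vs. threat cost: a control pays off when the ALE it removes
    exceeds what it costs per year. Returns (net annual benefit, worthwhile)."""
    net_benefit = (ale_before - ale_after) - annual_control_cost
    return net_benefit, net_benefit > 0


# Constructed inventory; the fractions are chosen to be exact in binary floating point.
SAMPLE_ASSETS = (
    Asset("payroll records", 500_000.0, (
        Threat("disclosure of file in transit", exposure_factor=0.5, aro=0.5),
        Threat("ransomware corruption", exposure_factor=0.75, aro=0.25),
    )),
    Asset("public web server", 50_000.0, (
        Threat("denial of service", exposure_factor=0.25, aro=4.0),
    )),
)

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(f"{row['asset']:<20} {row['threat']:<30} SLE={row['SLE']:>10,.0f} ALE={row['ALE']:>10,.0f}")
    # Assumed control: encrypting the payroll transfer for $25,000/yr cuts that ALE to $12,500.
    print(control_is_worthwhile(125_000.0, 12_500.0, 25_000.0))
```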
Security Incident Management
- The process is a detective and corrective security control.
- It contains the planning for the proper detective measures.
- It contains the necessary contact information and procedures for quick, efficient, and effective responses to security threats.
- It consists of the following concepts: preparation, reaction, and assessment.

Preparation
- Learn applicable laws
- Build a computer incident response team
- Develop a communication plan
- Develop a response plan
- Conduct training
- Post no trespassing
- Detect malicious activity

Reaction
- Stay calm
- Start a detailed log
- Conduct thorough interviews
- Coordinate communication
- Determine the extent of the intrusion
- Protect evidence
- Contain the problem
- Determine the root of the problem
- Restore business operations

Assessment
After the incident it is time to review current security policies, processes, and practices for necessary improvements.

Further Readings
- Chapter 4, Managing IT Risk, in Principles of Information Security by Michael E. Whitman
- Chapter 5, Planning for Security, in Principles of Information Security by Michael E. Whitman
- Web Security for Network and System Administrators by David Mackey
- http://technet.microsoft.com/enus/security/dn481339
- Microsoft Security Bulletins, Updates & News

Cryptographic Tools, Lecture 8

Message Authentication
- Protects against active attacks.
- Verifies that a received message is authentic: contents unaltered, from an authentic source, timely and in the correct sequence.
- Can use conventional encryption: only the sender and receiver have the key needed.
- Or separate authentication mechanisms: append an authentication tag to the cleartext message.
  - Message Authentication Codes
  - Secure Hash Functions

Hash Function Requirements
- Can be applied to data of any size.
- H produces a fixed-length output.
- H(x) is relatively easy to compute for any given x.
- One-way property: computationally infeasible to find x such that H(x) = h.
- Weak collision resistance: computationally infeasible to find y ≠ x such that H(y) = H(x).
- Strong collision resistance: computationally infeasible to find any pair (x, y) such that H(x) = H(y).

Examples of Cryptographic Hash Functions
- MD4 = Message Digest 4 [RFC 1320]: 32-bit operations
- MD5 = Message Digest 5 [RFC 1321]: 32-bit operations
- SHA = Secure Hash Algorithm [NIST]
- SHA-1 = updated SHA
- SHA-2 = SHA-224, SHA-256, SHA-384, SHA-512; SHA-512 uses 64-bit operations

Public Key Authentication
(Figure: authentication and/or data integrity with public keys.)

Public Key Infrastructure (PKI)
- Public Key Infrastructure (PKI): an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely.
- PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities (CAs).

PKIX Management
- Functions: registration, initialization, certification, key pair recovery, key pair update, revocation request, cross certification.
- Protocols: CMP (certificate management protocols), CMC (certificate management messages).

PKI Services
PKI protects information assets in several ways:
- Authentication (digital certificate): to identify a user who claims to be who he/she is, in order to access a resource.
- Non-repudiation (digital signature): to make the user unable to deny that he/she has sent the message, signed the document, or participated in a transaction.
- Confidentiality (encryption): to make the transaction secure, so that no one other than the communicating parties is able to read or retrieve the ongoing transaction.
- Integrity (encryption): to ensure the information has not been tampered with during transmission.
- Authorization.
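The "append an authentication tag to the cleartext message" mechanism from the Message Authentication slides above, with the receiver checking all four properties the slide lists (contents unaltered, authentic source, timely, correct sequence), as an added example that is not lecture code. It assumes HMAC-SHA256 as the MAC (a MAC built on a secure hash function, which also shows the fixed-length-output requirement: the tag is 32 bytes whatever the message size), a key shared only by sender and receiver, and a header carrying a sequence number and timestamp; the key, messages and freshness window are constructed.

```python
"""Message authentication by appending a tag to the cleartext message.

Added example, not lecture code. HMAC-SHA256 is the assumed MAC; the key,
the sample messages and the freshness window are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

KEY = b"constructed shared secret known only to sender and receiver"
FRESHNESS_WINDOW = 60                   # seconds a message may differ from 'now' (assumed)
HEADER = struct.Struct(">QQ")           # sequence number, unix timestamp (16 bytes)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes, fixed however large the message is


def build_message(key, seq, payload, now=None):
    """Sender: header || payload || tag, where tag = HMAC(key, header || payload)."""
    ts = int(time.time()) if now is None else int(now)
    body = HEADER.pack(seq, ts) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Keeps the last accepted sequence number so replays and reordering are rejected."""

    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.last_seq = -1

    def verify(self, wire, now=None):
        """Return (accepted, reason, payload). The tag is checked before anything else."""
        if len(wire) < HEADER.size + TAG_LEN:
            return False, "truncated", None
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):    # constant-time comparison
            return False, "bad tag: altered or not from key holder", None
        seq, ts = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        now = int(time.time()) if now is None else int(now)
        if abs(now - ts) > self.window:
            return False, "stale: outside freshness window", None
        if seq <= self.last_seq:
            return False, "replay or out of sequence", None
        self.last_seq = seq
        return True, "authentic", payload


def demo(now=1_700_000_000):
    """Run the receiver through genuine, altered, replayed, wrong-key and stale messages."""
    rx = Receiver(KEY)
    outcomes = []
    m1 = build_message(KEY, 1, b"update authorization file: add user D", now)
    outcomes.append(rx.verify(m1, now)[1])                     # authentic
    altered = bytearray(m1)
    altered[HEADER.size + 4] ^= 0x01                           # one payload bit flipped in transit
    outcomes.append(rx.verify(bytes(altered), now)[1])         # bad tag
    outcomes.append(rx.verify(m1, now)[1])                     # same message again: replay
    wrong_key = build_message(b"some other key", 2, b"add user F", now)
    outcomes.append(rx.verify(wrong_key, now)[1])              # bad tag: not from key holder
    stale = build_message(KEY, 2, b"late update", now - 600)
    outcomes.append(rx.verify(stale, now)[1])                  # stale
    outcomes.append(rx.verify(build_message(KEY, 2, b"next", now), now)[1])  # authentic
    return outcomes
```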
- Digital certificates issued in a PKI environment can replace user IDs and passwords, enhance security, and reduce some of the overhead required for authorization processes and controlling access privileges.

Digital Signatures
- Encrypted messages that can be mathematically proven to be authentic.
- Created in response to the rising need to verify information transferred using electronic systems.
- Asymmetric encryption processes are used to create a digital signature.
- A digital signature can be used in all electronic communications: Web, e-mail, e-commerce.
- It is an electronic stamp or seal that is appended to the document.
- It ensures that the document is unchanged during transmission.

All copyrights reserved by C.C. Cheung 2003.

How a digital signature works (figure): User A signs the document with A's private key and transmits it via the Internet; User B receives the document and verifies the signature using A's public key, which is stored at the directory.

Digital Signature Generation and Verification (figure): on the sender side, the message is passed through a hash function to produce a digest, which is encrypted with the sender's private key to form the signature. On the receiver side, the received message is hashed again to produce the expected digest, the signature is decrypted with the sender's public key to recover the original digest, and the two digests are compared.

Digital Certificates
- An electronic document containing a key value and identifying information about the entity that controls the key.
- A digital signature is attached to the certificate's container file to certify that the file is from the entity it claims to be from.

(Figure 8-5: Digital Signatures; figure: Digital Certificate.)
Protocols for Secure Communications
- Secure Socket Layer (SSL) protocol: uses public key encryption to secure a channel over the public Internet.
- Secure Hypertext Transfer Protocol (S-HTTP): an extended version of the Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across the Internet.
- S-HTTP is the application of SSL over HTTP; it allows encryption of information passing between computers through a protected and secure virtual connection.

(Source: Principles of Information Security, 2nd edition.)

Securing e-mail with S/MIME, PEM, and PGP
- Secure Multipurpose Internet Mail Extensions (S/MIME): builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication.
- Privacy Enhanced Mail (PEM): proposed as a standard to function with public key cryptosystems; uses 3DES symmetric key encryption.
- Pretty Good Privacy (PGP): uses the IDEA cipher for message encoding.

Securing Web transactions with SET, SSL, and S-HTTP
- Secure Electronic Transactions (SET): developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud.
- Uses DES to encrypt credit card information transfers.
- Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores.

References & further readings
- Computer Security: Principles and Practice, Chapter 2, Cryptographic Tools, by William Stallings and Lawrie Brown
- Cryptography and Network Security by William Stallings, chapters 11, 12, 13, 14
- Understanding Public Key Infrastructure (PKI), an RSA Data Security white paper
