Chapter 01 - June 2024.pdf
Document Details
Uploaded by LavishDryad
2024
Tags
Full Transcript
Information Security 2nd Level/1st Semester: CYS Program 3nd Level/1st Semester: CS & IS Program Course Goals primary goals to this course, a student able to: Describe and classify security issues, tools and techniques, including: − Security goals, threats,...
Information Security 2nd Level/1st Semester: CYS Program 3nd Level/1st Semester: CS & IS Program Course Goals primary goals to this course, a student able to: Describe and classify security issues, tools and techniques, including: − Security goals, threats, − Attackers and attack types, and countermeasures, − identification & authentication, − access controls, and cryptography. Identify security and privacy issues in various aspects of computing, including: − Programs − Operating systems − Networks − Internet applications use this ability to design systems that are more protective of security and privacy. Course Topicss & Textbook Course Topics: Introduction; Security Policy Concept; Toolbox: Authentication, Access Control, and Cryptography; Programs and Programming; The Web—User Side (may be); Operating Systems; Networks; Textbook: Charles P. Pfleeger, etc., 2024, “Security in Computing”, 6th Ed., Pearson Education, Inc. Information Security Chapter 1: Introduction Charles P. Pfleeger Overview Early, the bank robberies are more; Kept large amount of cash, gold & silver, which could not be traced easily, Communication & transportation facilities it might be; ― hours before to were informed of a robbery, ― days before they could arrives at the scene of the crime. A single guard for the night was only marginally effective. Today; many factors work against the potential criminal; Very sophisticated alarm systems and camera systems silently protect secure places, Ex.; banks. The techniques of criminal investigation have become very effective; a person can be identified by; ― Composite sketch, ballistics evidence, ― Fingerprint, voice recognition, retinal patterns, and ― genetic material (DNA), for examples. Overview The security differences between computing systems and banks; Size and portability: ― the physical devices in computing are so small or large, Ability to avoid physical contact: ― Electronic funds transfer account for most transfer of money between banks, Value of assets: ― Variable; from very high to very low, ― an information stored in a computer is also high; Confidentiality information; About a person’s taxes, investments, medical history, or education, Very sensitive information; About new product lines, sales figures, marketing strategy, Military information; military targets, troop movements, weapons capabilities. Importance of Information Security The importance of information security: The rapid development of information and communication technology (ICT). Increased using of ICT in public and private sectors. Increases needing to create and use a safety of an electronically environment that serve the public and private sectors, for examples: Military, security, manufacturing and economic sectors which dependent on the accuracy and truly information. Need of companies and organizations to deal with other companies and organizations locally or globally. Individual needing to kept an information integrity, confidentiality and privacy. Increasing impacts of attacks and e-crimes within growth of using and development of an ICT. The needing to protect an infrastructure of information systems, network systems and web sites from e-crimes. Information Security & Cybersecurity; Computer security, Network security, Information security, Cybersecurity: All of these terms are used to describe the protection of information assets [ISAC 2015], In current discussions of security; both terms of “cybersecurity” and “information security”, are often used interchangeably, − but in reality cybersecurity is a part of information security. Marketing, vendors and analysts often use the term “cyber” too broadly; ‒ due to the increasingly complex nature of information in the digital age. Additionally, the interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities with far-reaching implications. All of these factors have influenced the shift from information security to cybersecurity. Definition of Information Security; Information Security defined as; protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. is the protection of information and its critical elements, including the systems and HW that use, store, and transmit that information. − information security includes the broad areas of: information security management, computer and data security, and network security. Cybersecurity can be defined as: the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems. Information Security vs Cybersecurity; Information security: deals with information, regardless of its format-it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications. Cybersecurity: is concerned with protecting digital assets-everything from networks to hardware and information that is processed, stored or transported by internetworked information systems. Additionally, concepts such as: − nation-state-sponsored attacks and − advanced persistent threats (APTs) belong almost exclusively to cybersecurity. Characteristics of Computer Intrusion Any part of a computing system can be the target of a crime; For instance, the most valuable property in a bank is the cash, gold, or silver in the vault; ―in fact the customer information in the bank's computer may be far more valuable; Stored on paper, recorded on a storage medium, resident in memory, or transmitted over telephone lines or satellite links. ―this information can be used in myriad ways to make money illicitly, How? Characteristics of Computer Intrusion Ex: A robber intent on stealing something from your house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access. The weakest point is the most serious vulnerability; A Principle of Easiest Penetration: ‘An intruder must be expected to use any available means of penetration’ What Is Computer Security? Computer security is the protection of the items you value, called the assets of a computer or computer system; A computing system is a collection of HW, SW, storage media, data, and person that an organization uses to do computing tasks. A computer assets, involving; HW, SW, data, people, processes, or combinations of these. FIGURE 1-2: Computer Objects of Value What Is Computer Security? Values of Assets; To determine what to protect, we must; first identify what has value and to whom. After identifying the assets to protect, we next determine their value; The value of an asset depends on; the asset owner’s or user’s perspective, and it may be independent of monetary cost. Assets’ values are personal, time dependent, and often imprecise; FIGURE 1-3: Values of Assets. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; The goal of computer security is protecting valuable assets; To study different ways of protection, we use a framework that describes; how assets may be harmed, and; how to counter or mitigate that harm. A vulnerability: are a weaknesses in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm; Or; are weaknesses in products, systems, protocols, algorithms, programs, interfaces, and designs. Examples; ─ The system may be vulnerable to unauthorized data manipulation, the system does not verify a user's identity before allowing data access. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; Threats: a threats to computing systems; are circumstances that have the potential to cause loss or harm; Or; A threat is a condition that could exercise a vulnerability. Examples; ─ Human attacks, Natural disasters, ─ Inadvertent human errors; and ─ Internal HW or SW flaws. Figure 1-4 illustrates a difference between a threat and a vulnerability FIGURE 1-4: Threat and Vulnerability What Is Computer Security? The Vulnerability–Threat–Control Paradigm; A Control; is a protective measure- an action, a device, a procedure, or a technique- that removes or reduces a vulnerability; Attacker: is a human who exploits a vulnerability and perpetrates an attack on the system; An attack can also be launched by another system; − Unauthorized disclosure of data, − modification of data, or − one system sends an overwhelming set of messages to another system, virtually shutting down the second system's ability to function. denial of legitimate access to computing. How do we address these problems? We use a control or countermeasure as protection. What Is Computer Security? The Vulnerability–Threat–Control Paradigm; There are many threats to a computer system, including human-initiated and computer initiated ones; We have all experienced, for example; the results of inadvertent human errors, HW design flaws, and SW failures, natural disasters are threats, too; they can bring a system down when the computer room is flooded or the data center collapses from an earthquake. In general, we can describe the relationship among threats, controls, and vulnerabilities in this way: A threat is blocked by control of a vulnerability. What makes your computer valuable to you; Threats: CIA Triad We can consider potential harm to assets in two ways: we can look at; what bad things can happen to assets, and; who or what can cause or allow those bad things to happen. − These two perspectives enable us to determine how to protect assets; A Computer security mean that we are addressing three important properties (goals) of any computer-related system; Confidentiality, Integrity, and Availability. Threats: CIA Triad The security properties are; confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties, ─ means that the assets of computing system are accessible only by authorized parties, “read”-type access: reading, viewing, printing. integrity: the ability of a system to ensure that an asset is modified only by authorized parties, ─ means that assets can be modified by authorized parties, writing, changing status, deleting, and creating. availability: the ability of a system to ensure that an asset can be used by any authorized parties, ─ means that assets are accessible to authorized parties at appropriate times, (denial of service). These properties are called the C-I-A/security triad; The privacy is the fourth leg of the three legs of the CIA triad; Threats: reinforcement CIA Triad ISO 7498-2 adds to them two more properties that are desirable, particularly in communication networks: authentication: the ability of a system to confirm the identity of a sender, nonrepudiation or accountability: the ability of a system to confirm that a sender cannot convincingly deny having sent something. U.S. Department of Defense adds auditability: Auditability: the ability of a system to trace all actions related to a given asset. Authorization: Determining whether a user/subject is permitted certain services from an object; authorization makes sense only if the requesting subject has been authenticated. checking that the user/subject has the rights to access C the data or undertake the transaction requested. The following figure illustrates the relationship Asset between security C-I-A and how they apply to every asset we protect; I A Threats: CIA Triad The C-I-A triad can be viewed from a different perspectives: the nature of the harm caused to assets; Harm can also be characterized by four acts: ‒ interception, ‒ interruption, ‒ modification, and ‒ fabrication. From this point of view; confidentiality can suffer if someone intercepts data, integrity can fail if someone or something modifies data or fabricates false data, and availability is lost if someone or something interrupts a flow of data or access to a computer. Threats: Harm acts Interception; means that some unauthorized party has gained access to an asset; ─ The outside party can be a person, a program, or a computing system, ─ Example: illicit copying of program or data files; or ─ wiretapping to obtain data in network. a silent interceptor may leave no traces by which the interception can be readily detected, Effect on confidentiality. Interruption; an asset of the system becomes lost or unavailable or unusable, Examples; ─ malicious destruction of a HW device, ─ Erasure of a program or data file, or ─ Malfunction or failure of an OS file manager. Effect on availability. Threats Harm acts Modification; when an unauthorized party can be access and tampers with an asset; ─ modify the values in a data base, Alter program, or ─ Modify data being transmitted electrically, ─ It is possible to modify HW. Some cases of modification can be detected with simple measures, but other, ─ more subtle, changes may be almost impossible to detect. Effect on integrity. Fabrication; when an unauthorized party can be fabricates counterfeit objects for a computing system; ─ The intruder may wish to; add spurious transactions to a network communication system, add records to an existing data base. Effect on authenticity & integrity Threats Harm acts The fig. illustrates the four acts to cause a security harm; FIGURE 1-5: Four Acts to Cause Security Harm Threats: Confidentiality; authorized people or systems can access to protected data; Ensuring confidentiality can be difficult, Examples: ─ who determines which people or systems are authorized to access the current system? ─ By "accessing" data, do we mean that an authorized party can access: a single bit? the whole collection? pieces of data out of context? ─ Can someone who is authorized disclose those data to other parties? ─ Who owns the data: If you visit a web page? Here are some properties that could mean a failure of data confidentiality: ─ An unauthorized person accesses a data item, ─ An unauthorized process or program accesses a data item, ─ A person authorized to access certain data, where is accesses other data not authorized, ─ An unauthorized person accesses an approximate data value, ─ An unauthorized person learns the existence of a piece of data. Threats: Confidentiality; A person, process, or program is (or is not) authorized to access a data item in a particular way; we call the: Subject: The entity that requests access to a resource; Subject can be; people, computer processes (executing programs), network connections, devices, and similar active entities (Who). Object: The resource that a subject attempts to access (What). the kind of access (such as read, write, or execute) is an access mode (How), and Policy: the authorization a policy; Who + What + How. Threats: Integrity When we survey the way some people use the integrity term, we find several different meanings; if we say that we have preserved the integrity of an item, we may mean that the item is: ― Precise, Accurate, Unmodified, ― modified only in acceptable ways, ― modified only by authorized people, ― modified only by authorized processes, ― Consistent, internally consistent, ― Meaningful, and usable. Welke and Mayfield recognize three particular aspects of: ― Integrity authorized Actions, ― Separation and protection of resources, and ― Error detection and correction. Integrity can be enforced in much the same way as can confidentiality: ― by rigorous control of who or what can access which resources in how ways. Threats: Availability (1) Availability applies both to data and to services (that is, to information and to information processing), and it is similarly complex; different people expect availability to mean different things, Example: an object or service is thought to be available if the following are true: ― It is present in a usable form, ― It has capacity enough to meet the service's needs, ― It is making clear progress; if in a wait mode: it has a bounded waiting time. The service is completed in an acceptable period of time. We can construct an overall description of availability by combining these goals; Threats: Availability (2) Criteria to define availability; we say a data item, service, or system is available if: There is a timely response to our request; Resources are allocated fairly; − Some requesters are not favored over others. The service or system involved follows a philosophy of fault tolerance, whereby; − HW or SW faults lead to graceful cessation ) (انقطاعof service or to work-around, rather than, to crashes and abrupt loss ) (خسارة مفاجئةof information. The service or system can be used easily and in the way it was intended to be used; and Concurrency is controlled; that is, − simultaneous access, − deadlock management, and − exclusive access are supported as required. Threats: Availability and Related Areas; As we can see; expectations of availability are far-reaching, Figure 1-7 depicts some of the properties with which availability overlaps. FIGURE 1-7: Availability and Related Aspects Threats: Computer security seeks to prevent: unauthorized viewing (confidentiality) or modification (integrity) of data, while preserving access (availability). A paradigm of computer security is access control: To implement a policy; ‒ computer security controls all accesses by all subjects to all protected objects in all modes of access. A small, centralized control of access is fundamental to: − preserving confidentiality and integrity, − but it is not clear that a single access control point can enforce availability. ‒ Indeed, experts on dependability will note that: single points of control can become single points of failure: making it easy for an attacker to destroy availability by disabling the single control point. Threats: Computer Network Vulnerabilities; FIGURE 1-8: Computer [Network] Vulnerabilities (from [WAR70]) Threats Types of Threats One way to analyze harm is to consider the cause or source; We call a potential cause of harm a threat, Harm can be caused by either nonhuman events or humans, Examples: − nonhuman threats include; natural disasters like fires or floods; loss of electrical power; failure of a component such as a communications cable, processor chip, or disk drive; or attack by a wild boar. − Human threats can be either benign (nonmalicious) or malicious; Nonmalicious include someone’s accidentally spilling a soft drink on laptop, unintentionally deleting text or file, inadvertently sending an email message to the wrong person, and carelessly typing “12” instead of “21” or clicking “yes” instead of “no” to overwrite a file. Malicious: impersonation, malicious codes, HW destruction, … etc. Threats Types of Threats Most computer security activity relates to malicious, human-caused harm: A malicious person actually wants to cause harm, and; so we often use the term attack for a malicious computer security event. FIGURE 1-9: Kinds of Threats Threats Types of Threats Two retrospective lists of known vulnerabilities are of interest; CVE, the Common Vulnerabilities and Exposures list; is a dictionary of publicly known information security vulnerabilities and exposures. see (http://cve.mitre.org/). CVE’s common identifiers enable data exchange between: − security products and provide a baseline index point for evaluating coverage of security tools and services. CVSS, the Common Vulnerability Scoring System, to measure the extent of harm; provides a standard measurement system that allows accurate and consistent scoring of vulnerability impact. see (http://nvd.nist.gov/cvss.cfm). Threats Advanced Persistent Threat Security experts are becoming increasingly concerned about a type of threat called advanced persistent threat (APT); the resulting impact of individuals attack is limited to what that single attacker can organize and manage. A collection of attackers-think, for example; of the cyber equivalent of a street gang or an organized crime squad, might work together to purloin credit card numbers or similar financial assets to fund other illegal activity. Advanced persistent threat attacks come from organized, well financed, patient assailants; Often affiliated with governments or quasi- governmental groups. Threats Advanced Persistent Threat Advanced persistent threat attackers are: engage in long term campaigns; the attacks are silent, avoiding any obvious impact that would alert a victim, allowing the attacker to exploit the victim’s access rights over a long time. They carefully select their targets, crafting attacks that appeal to specifically those targets; email messages called spear phishing are intended to seduce their recipients. The motive of such attacks is sometimes unclear; One popular objective is economic espionage. Threats Types of Attackers; Computer criminals have access to enormous amounts of, HW, SW, and data; they have the potential to cripple much of effective business and government throughout the world. Computer crime; is any crime involving a computer or aided by the use of one. this definition is admittedly broad, it allows us to consider ways to protect; ourselves, our businesses, and our communities against those who use computers maliciously. the purpose of computer security is to prevent these criminals from doing damage; Threats Types of Attackers; The attacker types are: Individuals: − acting with motives of fun, challenge, or revenge. Organized, Worldwide Groups: − attacks have involved groups of people, − example: attacks on Estonia, loosely connected group. Organized Crime: − Organized crime groups are discovering that computer crime can be lucrative. − Organized crime wants a resource; o such criminals want to stay under the radar to be able to extract profit from the system over time. The novice hacker can use a crude attack, whereas; the professional attacker wants a neat, robust, and undetectable method that can deliver rewards for a long time. Terrorists; Threats Types of Attackers; terrorists The link between computer security and terrorism is quite evident; they using computers in 4-way: Computer as targets of attack: − denial-of-service attacks and web site defacements are popular for any political organization, because; they attract attention to the cause and bring undesired negative attention to the target of the attack. Computer as enabler of attack: − web sites, web logs, and e-mail lists are: effective, fast, and inexpensive ways to get a message to many people. Computer as methods of attack: − to launch offensive attacks requires use of computers; − For example: Stuxnet worm. Computer as enhance of attack: − The Internet has proved to be an invaluable means for terrorists to spread propaganda and recruit agents. Threats Types of Attackers FIGURE 1-10: Attackers Security Threats; Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An Introduction to Information Security-Apress (2014) The word ‘threat’ in information security means: anyone or anything that poses danger to the information, the computing resources, users, or data. The threat can be from: insiders: who are within the organization, or from; outsiders who are outside the organization. ‒ Studies show that 80% of security incidents are coming from insiders. Security threats can be categorized in many ways; One of the important ways they are categorized is on the basis of the “origin of threat,”; ‒ namely external threats and internal threats. The same threats can be categorized based on the layers. Security Threats; External Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An Introduction to Information Security-Apress (2014) External threats; originate from outside the organization, ‒ primarily from the environment in which the organization operates. These threats may be primarily: physical threats, socio-economic threats specific to the country like a country’s current social and economic situation, network security threats, communication threats, human threats like threats from hackers, software threats, and legal threats. Security Threats; External Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An Introduction to Information Security-Apress (2014) Social engineering threats like: using social engineering sites to gather data and impersonate people for the purpose of defrauding them and obtaining their credentials for unauthorized access is increasing. Theft of personal identifiable information, confidential strategies, and intellectual properties of the organization are other important threats. Some of these physical threats or legal threats may endanger an entire organization completely; ‒ Comparatively, other threats may affect an organization partially or for a limited period of time and may be overcome relatively easily. Cybercrimes are exposing the organizations to legal risks too. Security Threats; External Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Some of the important external threats are illustrated in the following Figure; Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Internal threats originate from within the organization. The primary contributors to internal threats are: ‒ employees, contractors, or suppliers to whom work is outsourced. ‒ The major threats are: o frauds, misuse of information, and/or destruction of information. Many internal threats primarily originate for the following reasons: Weak Security Policies, Weak Security Administration, and Lack of user security awareness. Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Weak Security Policies, including: ‒ Unclassified or improperly classified information, leading to the divulgence or unintended sharing of confidential information with others, particularly outsiders. ‒ Inappropriately defined or implemented authentication or authorization, leading to unauthorized or inappropriate access. ‒ Undefined or inappropriate access to customer resources or contractors/suppliers, leading to fraud, misuse of information, or theft. ‒ Unclearly defined roles and responsibilities, leading to no lack of ownership and misuse of such situations. ‒ Inadequate segregation of duties, leading to fraud or misuse. ‒ Unclearly delineated hierarchy of “gatekeepers” who are related to information security, leading to assumed identities. Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Weak Security Administration, including: ‒ Weak administrative passwords being misused to steal data or compromise the systems. ‒ Weak user passwords allowed in the system and applications, leading to unauthorized access and information misuse. ‒ Inappropriately configured systems and applications, leading to errors, wrong processing, or corruption of data. ‒ Non-restricted administrative access on the local machines and/or network, leading to misuse of the system or infection of the systems. ‒ Non-restricted access to external media such as USB or personal devices, leading to theft of data or infection of the systems. Security Threats; External and Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Weak Security Administration, including: Continue; ‒ Non-restricted access to employees through personal devices or from unauthenticated networks and the like, leading to data theft. ‒ Unrestricted access to contractors and suppliers leading to theft or misuse of information including through dumpster diving or shoulder surfing. ‒ Unrestricted website surfing, leading to infections of viruses, phishing, or other malware. ‒ Unrestricted software downloads leading to infection, copyright violations, or software piracy. ‒ Unrestricted remote access leading to unauthorized access or information theft. ‒ Accidentally deleting data permanently. Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Lack of user security awareness, including: ‒ Identity theft and unauthorized access due to weak password complexity. ‒ Not following company policies, such as appropriate use of assets, clean desk policy, or clear screen policy, leading to virus attacks or confidential information leakage. ‒ Divulging user IDs and/or passwords to others, leading to confidential information leakage. ‒ Falling prey to social engineering attacks. ‒ Falling prey to phishing and similar attacks. ‒ Downloading unwanted software, applications, or images or utilities/tools leading to malware, viruses, worms, or Trojan attacks. ‒ Improper e-mail handling/forwarding leading to the loss of reputation or legal violations. ‒ Improper use of utilities like messengers or Skype and unauthorized divulgence of information to others. Security Threats; Internal Threats Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook, 2014) Lack of user security awareness, including: Continue; ‒ Inappropriate configuration or relaxation of security configurations, leading to exploitation of the systems. ‒ Entering incorrect information by oversight and not checking it again or processing the wrong information. ‒ Ignoring security errors and still continuing with transactions, leading to the organization being defrauded. Threats Types of Attacks A security goals (C-I-A triad) can be threatened by security attacks; There are different approaches to categorize the security attacks; A. Attacks can be divided into three groups related to a three security goals/properties; Security Attacks Modification Snooping Denial of (release the Masquerading Service message content) Replaying Traffic Analysis Repudiation Threats Types of Attacks B. Attacks can be categorize into four groups related to the harm acts; Interception, Interruption, Modification, and Fabrication. These attacks can be grouped into two broads categories based on their effects on the system; Passive attacks, and Active attacks. Passive and Active Attacks ; A passive attack; Threaten the confidentiality, Does not modify data or harm the system, May harm the sender or the receiver, It is difficult to detect, but can prevent it easily by encryption of the data. An active attack; Threaten the integrity, availability and authenticity, May change the data or harm the system, Easer to detect than to prevent, An attacker can launch them in a variety ways. Passive and Active Attacks ; The following figure depicts these attacks categories; Security Attacks Passive Attacks Active Attacks (Interception Attacks): Snooping - release the Interruption message content. Fabrication Modification [Denial of Traffic Analysis Impersonating, Service- Masquerade (DOS)] Repudiation Attacks Replay Attack Alteration Attack Figure 1: Classification of the Security Attacks Assignments; Assignment: Write a report on the vulnerability, according to types. Write a report on the computer crimes up to date in 2021, according to types. Threats and Attacks on the: Data, Hardware, and Software. Harm The negative consequence of an actualized threat is harm; we protect ourselves against threats in order to reduce or eliminate harm, There are many examples of computer harm: a stolen computer, modified or lost file, revealed private letter, or denied access to data. These events cause harm that we want to avoid; The value of many assets can change over time; so the degree of harm and therefore the severity of a threat can change, too. With unlimited time, money, and capability, we might try to protect against all kinds of harm. Harm; But because our resources are limited, we must prioritize our protection; safeguarding only against serious threats and the ones we can control. Choosing the threats; ─ we try to mitigate a threats by involving a process called risk management, and; ─ it includes weighing the seriousness of a threat against our ability to protect. The possibility for harm to occur is called risk; Harm: Risk and Common Sense; Risk management involves; choosing which threats to control, and; what resources to devote to protection. The number and kinds of threats are practically unlimited because devising an attack requires; an active imagination, determination, persistence, and time as well as access and resources. Harm Risk and Common Sense The nature and number of threats in the computer world reflect life in general: The causes of harm are limitless and largely unpredictable, There are too many possible causes of harm for us to protect ourselves-or our computers-completely against all of them; In real life we make decisions every day about the best way to provide our security. Computer security is similar; Because we cannot protect against everything, we prioritize: Only so much time, energy, or money is available for protection; so we address some risks and let others slide. The risk that remains uncovered by controls is called residual risk; Harm Risk and Common Sense A basic model of risk management involves; a user’s calculating the value of all assets, determining the amount of harm from all possible threats, computing the costs of protection, selecting safeguards (that is, controls or countermeasures) based on the degree of risk and on limited resources, applying the safeguards to optimize harm averted. Harm Risk and Common Sense This approach to risk management is a logical and sensible approach to protection, but it has significant drawbacks; In reality, it is difficult to assess the value of each asset; as we have seen, value can change depending on context, timing, and a host of other characteristics. Even harder is determining the impact of all possible threats; The range of possible threats is: effectively limitless, and it is difficult (if not impossible in some situations) to know the short- and long-term impacts of an action. Harm Risk and Common Sense Although we should not apply protection haphazardly: we will necessarily protect against threats we consider most likely or most damaging; For this reason, it is essential to understand how we perceive threats and evaluate their likely occurrence and impact. Spending for security is based on the impact and likelihood of potential harm; both of which are nearly impossible to measure precisely. Harm Method, Opportunity, and Motive A malicious attacker must have three things: Method: is the how; ─ skills, ─ knowledge, ─ tools, and ─ other things with which to perpetrate the attack. Opportunity: is the when; ─ the time and access to accomplish the attack. Motive: is the why of an attack; ─ a reason to want to perform this attack against this system. Method, opportunity, and motive are all necessary for an attack to succeed; deny any of these, the attack will fail. Vulnerabilities Computer systems have vulnerabilities; weak authentication, lack of access control, errors in programs, finite or insufficient resources, and inadequate physical protection. each of these vulnerabilities can allow harm to C-I-A triad; Security analysts speak of a system’s attack surface; System’s attack surface is the system’s full set of vulnerabilities-actual and potential, Thus, the attack surface includes; physical hazards, malicious attacks by outsiders, stealth data theft by insiders, mistakes, and impersonations. Our next step is to find ways to block threats by neutralizing vulnerabilities; Information Security Classification The type of information security classification labels selected and used will depend on the nature of the organization, examples: In the business sector, labels such as: Public, Sensitive, Private, Confidential. In the government sector, labels such as: Unclassified, Unofficial, Protected, Confidential, Secret, Top Secret and their non-English equivalents. Example; Common military data classifications: Unclassified, Confidential, Secret, Top Secret. In cross-sectorial formations, the Traffic Light Protocol, which consists of: White, Green, Amber, and Red. Data Classification Procedures The following outlines the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data are classified. 3. Identify data owners who will be responsible for classifying data. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, required for each classification level. 6. Document any exceptions to the previous classification issues. Data Classification Procedures The necessary steps for a proper classification program: Continue; 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate procedures for declassifying the data. 10. Integrate these issues into the security- awareness program so all employees understand how to handle data at different classification levels. Data Classification; Commercial Business & Military Data Classification Examples Organization Classification Definition Examples That Would Use This How many people are Disclosure is not welcome, but it would not Commercial working on a specific Public cause an adverse impact to company or project business personnel. Upcoming projects Requires special precautions to ensure the integrity and confidentiality of the data by Financial information protecting it from unauthorized modification Details of projects Commercial Sensitive or deletion. Profit earnings and business Requires higher-than-normal assurance of Forecasts accuracy and completeness. Personal information for use within a Work history company. Human resources Commercial Private Unauthorized disclosure could adversely information business affect personnel or the company. Medical information For use within the company only. Trade secrets Data exempt from disclosure under the Healthcare information Commercial Freedom of Information Act or other laws Confidential Programming code business and regulations. Information that keeps Military Unauthorized disclosure could seriously the company competitive affect a company. Data Classification; Commercial Business & Military Data Classification Examples Classification Definition Examples Organizations That Would Use This Computer manual and Unclassified Data is not sensitive or classified. warranty information Military Recruiting information Sensitive but Minor secret. Medical data unclassified If disclosed, it may not cause serious Military Answers to test scores (SBU) damage. Deployment plans for If disclosed, it could cause serious Secret troops Military damage to national security. Nuclear bomb placement Blueprints of new wartime If disclosed, it could cause grave weapons. Top secret Military damage to national security. Spy satellite information. Espionage data. Primary layers of information security Umesh Hodeghatta Rao, Umesha Nayak - The InfoSec Handbook_ An Introduction to Information Security-Apress (2014) information security layers are: Physical Security, Hardware Security, Network security, Communications Security, Software Security, Human or personnel security. All of the important layers are supported by: policies, procedures, and processes to plan, implement, monitor, audit, detect, correct, and change of any of the components of all the layers that constitute a layered approach to information security. Appropriate coordination between the various layers, and the distribution of risks and opportunities to different layers, will vary, depending on the: cost effectiveness and ease of use, and the impact on the efficiency and effectiveness of information security. Primary layers of information security The following figure depicts the context diagram of various layers of information security interacting with each other and providing a robust security architecture; Security Achievement; Security is achieved by implementing policies, guidelines, procedures, governance, and other software functions; Information security consists of three main components: hardware, software, and a communication system. Various tools are developed daily to combat the compromise of information security; Several standards and guidelines have been implemented to reduce the propensity for information security breaches. Security Achievement; Information security also spans to physical aspects like: hardware and infrastructure, the operating system, networks, applications, software systems, utilities, and tools. Other important contributors (favorable or adverse) to the field of information security are: human beings, particularly employees, contractors, system providers, hackers, and crackers. Controls computer crime is certain to continue; For this reason, we must look carefully at controls for preserving C-I-A triad. To protect against harm, then, we can; neutralize the threat, close the vulnerability, or both. We can deal with harm in several ways; prevent it, by blocking the attack or closing the vulnerability, deter it, by making the attack harder but not impossible, deflect it, by making another target more attractive, mitigate it, by making its impact less severe, detect it, either as it happens or some time after the fact, recover from its effects. Controls In their cybersecurity frameworks; both the National Institute of Standards and Technology (NIST) and the European Union Agency for Network and Information Security (ENISA) have identified five key functions necessary for the protection of digital assets. These functions coincide with incident management methodologies and : Protecting Digital Assets include the following activities: Identify: Use organizational understanding to minimize risk to systems, assets, data and capabilities. Protect: Design safeguards to limit the impact of potential events on critical services and infrastructure. Detect: Implement activities to identify the occurrence of a cybersecurity event. Respond: Take appropriate action after learning of a security event. Recover: Plan for resilience and the timely repair of compromised capabilities and services. Controls To consider the controls, that attempt to prevent exploiting a computing system's vulnerabilities; we begin by thinking about traditional ways to enhance physical security; ─ In the Middle Ages, castles and fortresses were built to protect the people and valuable property inside. The fortress might have had one or more security characteristics, including: a strong gate or door, to repel invaders, heavy walls to withstand objects thrown or projected against them, a surrounding moat, to control access, arrow slits, to let archers shoot at approaching enemies, crenellations to allow inhabitants to lean out from the roof and pour hot or vile liquids on attackers, a drawbridge to limit access to authorized people, gatekeepers to verify that only authorized people and goods could enter. Controls The following figure illustrates how we use a combination of controls to secure our valuable resources; FIGURE 1-12: Effects of Controls Controls We can group controls into three largely independent classes; Physical controls; stop or block an attack by using something tangible, such as; − walls and fences, − Locks, − (human) guards, − sprinklers and other fire extinguishers. Procedural or administrative controls; use a command or agreement that requires or advises people how to act; for example; − laws, regulations, − policies, procedures, guidelines, − copyrights, patents, − contracts, agreements. Controls Technical controls; counter threats with technology (hardware or software), including; − Passwords, access controls enforced by an OS or application, Encryption, − network protocols, firewalls, intrusion detection and prevention systems, network traffic flow regulators. The following figures illustrates the information assurance model and the Types of Countermeasures. Maconachy, Schou, Ragsdale ; (MSR) Model (Information Assurance Model) Types of Countermeasures Controls None of these classes is necessarily better than or preferable to the others; they work in different ways with different kinds of results, and it can be effective to use overlapping controls or defense in depth: more than one control, or more than one class of control to achieve protection. Figure of Security concepts and relationships; Summary Information Security Concepts: Security important, Information Security definition, Computer or Computer system assets: − HW, SW, data, people, processes, or combinations of these. C-I-A (security) triad, and also: − Authentication, nonrepudiation or accountability, and auditability. Threat: condition that exercises vulnerability, Vulnerability: weakness, Control: reduction of threat or vulnerability. Risk Management Model: assets value; harm amount from all possible threats; protection costs; selecting safeguards. Incident: vulnerability + threat. Attackers and attack types; method, opportunity & motive. Data and information security Classification, information security layers, Security Achievement, dealing with harm, and controls.
