Review of Information Security Concepts
- 1. REVIEW OF INFORMATION SECURITY CONCEPTS
- 2. WHAT IS INFORMATION SECURITY? • Question: What is information security? • Information Security (InfoSec) • Protection of information and its critical elements, • Including the systems and hardware that use, store, and transmit that information. • Topical areas to implement policies and controls: • Network Security – • Physical Security – • Personnel Security – • Operations Security – • Communications Security –
- 3. GOALS AND PRINCIPLES OF INFORMATION SECURITY • Question: What are the critical characteristics of InfoSec? • Goals of Information Security • Confidentiality: Ensures only authorized parties can view information • Policies – Least Privilege • Integrity: Ensures information not altered • Preservation • Reliability • Availability: Ensures information accessible when needed to authorized parties • Principles that Govern Information Security • Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter • Something you have • Something you are • Something you know • Authorization: Providing permission or approval to specific technology resources • Accounting: Provides tracking of events
- 5. BALANCING INFORMATION SECURITY AND ACCESS • Even with the best efforts of planning and implementation, it is not possible to achieve perfect information security. • Balance protection of information and information assets with the availability of that information to authorized users. • Compromise • Risk • “It’s not a question of if, but when and what” ~Silver
- 6. BUSINESS CONTINUITY AND INCIDENT RESPONSE • Protect the organization’s ability to function • Implement Policies and Procedures to ensure operational needs in case of an attack. • Policies influence security procedures • Countermeasures
- 8. SECURITY PERIMETER AND DEFENSE IN DEPTH • Security perimeter • Defines the boundary between the outer limit of an organization’s security and the beginning of the outside network • Firewalls/Rules • Perimeter does not protect against internal attacks • Organization may choose to set up security domains • Defense in depth • Layered implementation of security • Redundancy • Implementing technology in layers
- 12. THREATS • Malicious code • Includes viruses, worms, Trojan horses, and active Web scripts • Executed with the intent to destroy or steal information • Polymorphic, multivector worm • Constantly changes the way it looks • Uses multiple attack vectors to exploit a variety of vulnerabilities in commonly used software • Compromising Passwords • Cracking, Brute force attack, Dictionary attack
- 14. SPOOFING
- 16. BUFFER OVERFLOW • Use a VM to open • http://www.pitt.edu/~is2470pb/Fall02/Final/rb/Buffer.html • http://www.pitt.edu/~is2470pb/Fall02/Final/sl/Applet1.html • http://www.pitt.edu/~is2470pb/Fall02/Final/sh/BufferOverFlow/BufferO verFlow.html
- 17. SOCIAL ENGINEERING • Here are a few questions you should ask yourself: • Who is contacting me here? (Remember, most contact details can be found on the Internet!) • Why is he contacting me? • Is the way he's contacting me normal for this company? • Is the information he's requesting sensitive? • Is there a way to verify that this is indeed this person?
- 18. SUMMARY • Information security • Protection of information and its critical elements • Information security is a process, not a goal • Takes a wide range of professionals to support the information security program • Organization must establish a functional and well-designed information security program 18
Editor's Notes
- #4: Goals of Information Security Confidentiality: Ensures only authorized parties can view information Policies – Least Privilege Integrity: Ensures information not altered Preservation Reliability Availability: Ensures information accessible when needed to authorized parties Principles that Govern Information Security Authentication: Ensures that the individual is who she claims to be (the authentic or genuine person) and not an imposter Something you have Something you are Something you know Authorization: Providing permission or approval to specific technology resources Accounting: Provides tracking of events
- #5: Desired goals Confidentiality: assurance that sensitive information is not intentionally or accidentally disclosed to unauthorized individuals. Integrity: assurance that information is not intentionally or accidentally modified in such a way as to call into question its reliability. Availability: ensuring that authorized individuals have both timely and reliable access to data and other resources when needed. Information states Storage: Data at rest (DAR) in an information system, such as that stored in memory or on a magnetic tape or disk. Transmission: transferring data between information systems - also known as data in transit (DIT). Processing: performing operations on data in order to achieve a desired objective. Safeguards Policy and practices: administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization. (examples: acceptable use policies or incident response procedures) - also referred to as operations. Education: ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards. (example: end-user training on avoiding computer virus infections or recognizing social engineering tactics) - also referred to as personnel Technology: software and hardware-based solutions designed to protect information systems (examples: anti-virus, firewalls, intrusion detection systems, etc.) Scenarios: Encryption of credit cards over the wire Who has access to FERPA information Telework – Central Authentication Data has not been tampered with
- #14: Denial-of-service (DoS) attack Attacker sends a large number of connection or information requests to a target So many requests are made that the target system cannot handle them along with other, legitimate requests for service Distributed denial-of-service (DDoS) Coordinated stream of requests against a target from many locations at the same time Any system connected to the Internet is a potential target for denial-of-service attacks
- #15: Intruder sends messages to IP addresses that indicate to the recipient that the messages are coming from a trusted host
- #16: Attacker monitors (or sniffs) packets from the network Modifies them using IP spoofing techniques Inserts them back into the network Allows the attacker to eavesdrop, change, delete, reroute, add, forge, or divert data
- #17: Occurs when more data is sent to a buffer than it can handle Attacker can make the target system execute instructions Attacker can take advantage of some other unintended consequence of the failure
- #18: Process of using social skills to convince people to reveal access credentials or other valuable information to the attacker “People are the weakest link. You can have the best technology, [then] somebody call[s] an unsuspecting employee. That’s all she wrote, baby. They got everything” Kevin Mitnick