Fundamentals Of Information Security - CyberSD

Transcription

Fundamentals of Information Security
Ed Crowley
ITEC 2337
Fall 2010

Qualifications
Access Data Certified Examiner (ACE)
NSA Information Security (INFOSEC) Certifications: Assessment Methodology (IAM), Evaluation Methodology (IEM)
Dozen earned certificates from the usual suspects: ISC2, Cisco, Microsoft, Novell, CompTIA
Former IS Director, Network Administrator, Heathkit/Zenith Educational Media Designer
US Army, Military Police Academy Graduate (’70)
Former security clearance holder
German Shepherd Sentry Dog Handler

Security Service
Introduced MGen Smith at the Colloquium for Information Systems Security Education (CISSE)
Served as Center for Academic Excellence (CAE/2Y) consultant for CyberWatch
Served on CISSE planning committee
Conducted CISSP review seminars (crypto and final) for local ISSA Chapter
Developed UH Graduate Level Security Specialization

UH Security Specialization
Enterprise assessment and evaluation focus.
Houston’s only NSA/NTISSI certified program.
4011 -- Information Systems Security Professionals
4014 -- Information Systems Security Officers
4016 -- Information Assurance Risk Management
UH recognized by the NSA and DHS as a Center of Excellence in Information Assurance Education (June 09)

Topics
Introduction
Security as a Discipline: Sun Tzu and Boyd; Boyd’s OODA Model
Course Content
Security Models: MOM; Integrated Security Model; PPT Model
Security as a Process; Systems Theory
Trends
Attacks, Attackers, and Defenders
Risk Primitives: Vulnerabilities; Threats
Trends in Threat Agents
Attacks and Attackers
Threats: Worms; Malicious Software

Security as a Discipline
Grew out of earlier work by a variety of military practitioners including: Sun Tzu, Col. Boyd, Von Clausewitz.
Models are important. Models abstract an actual situation and aid the study of security, e.g. Boyd's OODA Model.

Selected Principles of Sun Tzu
“Know the enemy and know yourself; in a hundred battles you will never be in peril.”
All warfare is based on deception. (Info War!)
Speed is the essence of war.
Strike where the enemy has taken no precautions.
To rely on rustics and not prepare is the greatest of crimes; to be prepared beforehand for any contingency is the greatest of virtues.
Lead by example. http://www.youtube.com/watch?v=15l6yJgYAWA
John Boyd further developed these principles.

Boyd’s OODA Loop
Decisions are based on observations of an evolving situation, tempered with implicit filtering of the problem being addressed.
Observations: the raw information on which decisions and actions are based.
Prior to making a decision, observed information must first be processed to orient it.
Boyd has said: “The second O, orientation – as the repository of our genetic heritage, cultural tradition, and previous experiences – is the most important part of the O-O-D-A loop since it shapes the way we observe, the way we decide, the way we act.” -- from “Organic Design for Command and Control”

Orientation
Only action that Boyd himself defined. Can be thought of as the focus of the OODA Loop.
In many ways, the purpose of our class is to facilitate your ability to orient, i.e.:
– Previous Experience
– New Information
– Analysis and Synthesis
Now, let's look at some of my previous security experiences.

US Army, ‘69-’71
German Shepherd Sentry Dog Handler.

Chemical Munitions – The Assets

Sentry Dog Handler Training
The Contributions of the Military Working Dog in Vietnam, a thesis from the U.S. Army Command and General Staff College by Mary Kathleen Murray, LCDR, USN

Lessons Learned

My Personal Class Goals
1. Produce students with an accurate awareness of the current information security environment
2. Produce students that can identify and improve the security posture of themselves, their families, and their organizations
3. Produce students that can do and demonstrate digital security
4. Produce students that can continue to learn

Cyber Security Tools
Insecure.org -- from its online security tools survey
In our active learning modules, we will use many of the top rated security tools.
Now, let's look at the separate class modules.

Security Principles and Models
Security is a process. It needs to be based upon a model.
Some helpful data points:
Generally Accepted Security Principles (GASSP) (OECD and NIST 800-14)
Layered Security Model (aka DID)
Integrated Security Model
Risk Management (NIST 800-30)
ISC2 Ten Domains
CompTIA Six Domains

Systems and Security
Effective security has to be thought of as a system within larger systems.
Real world issues include design tradeoffs, unseen variables, and imperfect implementations.
Not a product but a process. Dynamic.
Layered Security Model aka DID

Security is a Process
Security is not a product. It can’t be bought.
Each layer adds security over existing layers.
Like a chain, security is only as secure as the weakest link.
Theoretically, not possible to penetrate multiple layers simultaneously.
Like the context that it exists within, information system security is dynamic.

Systems Theory
In order to understand the security of a system, you need to look at the entire system and its context.
Viewing any component in isolation is a mistake.
Security should not depend on any particular technology.

Three Models
MOM
Integrated Security
PPT

Opportunity Theft Model
Sometimes described as Desire, Skill, Opportunity.

Information Assurance: An Integrated Approach
V Maconachy, S Schou, D Ragsdale, D Welch

Information Assurance: An Integrated Approach
Developed and modified over time.
Authored by Vic Maconachy et al.

PPT Model

Trends Identified in a National Strategy to Secure Cyberspace*
Over time, cyber incidents are increasing in: number, sophistication, severity, cost.
The nation’s economy is increasingly dependent on cyberspace.
Unknown interdependencies and single points of failure.
A digital disaster strikes some enterprise every day.
Infrastructure disruptions have cascading impacts, multiplying their cyber and physical effects.
*www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf

Required Knowledge Trend (chart)
Axes: sophistication of attacker tools (low to high) against required knowledge of attackers, over the years 1980, 1985, 1990, 1995.
Tool labels shown on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, backdoors, hijacking sessions, sweepers, sniffers, stealth diagnostics, packet spoofing, tools with GUI, attack scripts.
Caption: Attackers require less knowledge as tool sophistication increases.

Exploit Availability
Tools that automate the process of breaking into systems
Readily available on the Internet


Trends in Threat Agents
Adrian Lamo
Kevin Mitnick
Kevin Poulsen
Alexey Ivanov
Vasiliy Gorshkov
Mafia Boy
John Walker

Potential Attackers
Common criminals
Industrial spies
Competitive advantage
Hackers
Financial gain
People skilled beyond their maturity
National intelligence organizations
Malicious insiders
Internet businesses (spyware)

Attacker Attributes
Attackers may have different: objectives, skill levels, risk tolerance.
The appropriate incident response depends, in part, on the threat attributes found in that particular situation.

Malicious Insiders
Not necessarily employees: consultants, contractors.
Not necessarily in the same country as you.
Many security measures (firewalls, intrusion detection systems, etc.) deal with external threats. Insiders aren’t impacted by perimeter security.
Certain technologies (VPNs for example) may screen an insider’s activities from your ID systems.

Defenders
(Spring 05 Security Seminar)

Risk Primitives
Vulnerability: A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security.
Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
Risk: The probability that a particular threat will exploit a particular vulnerability.
From NCSC-TG-004 (Aqua Book). See also RFC 2828.

Vulnerabilities?
Vulnerabilities can be found in:
People: lack of situational awareness; social engineering; insiders (bribes and incompetence)
Processes: online financial transactions; conventional financial transactions; credit, debit, and ATM cards
Technology: computer and communications systems; point of sale terminals; VA databases, etc.
Vulnerabilities are dynamic.

Technical Solutions
“If you think technology can solve your security problems, then: 1. You don’t understand the problems and 2. You don’t understand the technology.” B. Schneier

Internet Threat Attributes, one
Automation: automated infections (worms and Trojan horses); Honey Pot Project record (17 seconds)
Speed of exploit propagation: Morris Worm, 1988; negates traditional commerce reaction response
Distance doesn’t matter: no international borders on the Internet; legal jurisdiction scope

Threat Characteristics, two
(Map: blue color represents Slammer, 30 minutes after release.)
In the first minute, the infected population doubled in size every 8.5 (±1) seconds.
After approximately three minutes, the worm achieved its maximum scanning rate (over 55 million scans per second).
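The doubling time on this slide is enough to model why human-speed reaction fails against a fast worm. The following is an added example, not from the slides: it takes the slide's 8.5-second doubling time, assumes a vulnerable population of 75,000 hosts (a constructed figure, not stated on the slide), and compares unbounded exponential growth with a logistic model that saturates as the exposed population is used up. The logistic saturation is a modelling choice made here; the slide only reports the doubling rate and the time to peak scanning.

```python
"""Worm propagation from a measured doubling time (added example).

The 8.5-second doubling time is the figure the slide gives for Slammer's
first minute. The vulnerable population size and the logistic model are
assumptions made here for illustration, not data from the slide.
"""
import math

DOUBLING_TIME_S = 8.5      # from the slide: infected population doubled every 8.5 s
VULNERABLE_HOSTS = 75_000  # assumed size of the exposed population (constructed)


def exponential_infected(t_seconds, doubling_time=DOUBLING_TIME_S, initial=1):
    """Unbounded growth: what the doubling time implies if nothing ever saturates."""
    return initial * 2 ** (t_seconds / doubling_time)


def logistic_infected(t_seconds, vulnerable=VULNERABLE_HOSTS,
                      doubling_time=DOUBLING_TIME_S, initial=1):
    """Growth that slows as the finite vulnerable population is used up.

    Early on this tracks the exponential model; it levels off at `vulnerable`,
    which is the plateau a worm's scanning rate reflects.
    """
    rate = math.log(2) / doubling_time
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-rate * t_seconds))


def seconds_to_fraction(fraction, vulnerable=VULNERABLE_HOSTS,
                        doubling_time=DOUBLING_TIME_S, initial=1):
    """Seconds until `fraction` of the vulnerable population is infected (logistic)."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    rate = math.log(2) / doubling_time
    return math.log((vulnerable / initial - 1) * fraction / (1 - fraction)) / rate


def response_window_report(response_seconds):
    """How much of the population is already infected by the time a human
    response taking `response_seconds` (paging, triage, a firewall change)
    could actually take effect."""
    infected = logistic_infected(response_seconds)
    return {
        "response_seconds": response_seconds,
        "infected_hosts": round(infected),
        "infected_fraction": round(infected / VULNERABLE_HOSTS, 4),
    }


if __name__ == "__main__":
    for t in (30, 60, 120, 180):
        print(f"t={t:4d}s  exponential={exponential_infected(t):12.0f}  "
              f"logistic={logistic_infected(t):9.0f}")
    print(f"90% of the assumed population infected after "
          f"{seconds_to_fraction(0.9):.0f} s")
    print(response_window_report(15 * 60))  # a 15-minute human response
```

With these assumptions the logistic curve reaches 90% of the population in under three minutes, which is the same order as the slide's "max scanning rate after approximately three minutes", and a fifteen-minute response window finds essentially the whole exposed population already infected. That is the quantitative form of the later slide's point that fixing a flaw after it becomes a problem does not work on the Internet: for this class of threat the only controls that matter are the ones in place before release.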

Worms and Viruses
Robert Morris Internet Worm, 1988
First conviction under the 1987 Computer Security Act
Father was the chief scientist at NSA’s National Computer Security Center (NCSC)

Malicious Software
Trojans
Email: A virus posing as a photo of Russian tennis player Anna Kournikova. Spread twice as fast as I Love You.
Polymorphic, Encrypted
DDOS: Distributed Denial of Service Attack. Mafia Boy and Tribal Flood knocked down Yahoo and eBay.
Spyware

INFOWar
A military adversary who tries to undermine his target’s ability to wage war by attacking the information or network infrastructure.
Short term focus of affecting his target’s ability to wage war.
Objectives: military advantage, chaos, asymmetrical warfare

Proactive Solutions
The notion of fixing a security flaw after it becomes a problem won’t work on the Internet.
Education and training are critical components of any security plan.

Questions?

Selected References, One
Kevin Mitnick: http://www.defensivethinking.com/
Kevin Lee Poulsen
Adrian Lamo: http://online.securityfocus.com/news/595 , http://online.securityfocus.com/news/358
Alexey Ivanov and Vasiliy Gorshkov: http://www.fbi.gov/page2/seattle.htm , http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=384

Selected References, Two
Rome: http://www.fas.org/irp/congress/1996_hr/s960605b.htm
Love ester ssp1.html
I Love You: http://home.planet.nl/~faase009/iloveyou.html
ISC2


Operation Red Hat
http://en.wikipedia.org/wiki/Operation_Red_Hat

Sentry Dog Teams – Security Control
German Shepherd Dog
Colt 45 Automatic
M-16 (Optional)
Two way radio
Ammo, Flashlight, Poncho, Compression Bandages

Nine Risk Assessment Steps (NIST)
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Note: Steps 2, 3, 4, 5, and 6 may be conducted in parallel.
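The "Risk Primitives" slide defines risk as the probability that a particular threat exploits a particular vulnerability, and the NIST steps above turn that definition into a procedure: pair each threat with a vulnerability (steps 2 and 3), account for existing controls (step 4), rate likelihood and impact (steps 5 and 6), and combine them into a risk level (step 7) that drives the control recommendations (step 8). The following is an added example that is not part of the slides: it implements steps 4 through 7 for a small, constructed threat/vulnerability register. The likelihood values (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and the Low / Medium / High thresholds are taken from the example risk-level matrix in NIST SP 800-30 (the 2002 edition the slide refers to); the threat descriptions and control states in the sample register are invented for illustration.

```python
"""Qualitative risk determination in the style of NIST SP 800-30 (added example).

Rating values and risk-level thresholds follow the example risk-level matrix
in NIST SP 800-30 (2002). The threat/vulnerability pairs below are constructed
for illustration and are not taken from the course slides.
"""
from dataclasses import dataclass

# Step 5 / step 6 rating scales as in the NIST 800-30 example matrix.
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnPair:
    """One row of the risk table: a threat exercising a vulnerability (steps 2-3)."""
    threat: str
    vulnerability: str
    motivated_and_capable: bool   # threat-source motivation and capability
    controls_impede: bool         # existing controls (step 4) slow the exercise
    controls_prevent: bool        # existing controls effectively prevent it
    impact: str                   # step 6 magnitude: "High", "Medium" or "Low"


def likelihood_rating(motivated_and_capable, controls_impede, controls_prevent):
    """Step 5: combine threat-source attributes with control effectiveness.

    High:   motivated, capable, and the controls do not prevent exploitation.
    Medium: motivated and capable, but the controls may impede exploitation.
    Low:    the threat source lacks motivation/capability, or controls prevent it.
    """
    if not motivated_and_capable or controls_prevent:
        return "Low"
    if controls_impede:
        return "Medium"
    return "High"


def risk_score(likelihood, impact):
    """Step 7: risk = likelihood value x impact value."""
    return LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact]


def risk_level(score):
    """Map a score onto the 800-30 scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(pairs):
    """Run steps 5-7 over every pair; highest risk first so step 8 can prioritise."""
    rows = []
    for p in pairs:
        lk = likelihood_rating(p.motivated_and_capable, p.controls_impede,
                               p.controls_prevent)
        score = risk_score(lk, p.impact)
        rows.append((p.threat, p.vulnerability, lk, p.impact, score, risk_level(score)))
    return sorted(rows, key=lambda row: row[4], reverse=True)


# Constructed sample register (not from the slides).
SAMPLE_PAIRS = [
    ThreatVulnPair("Internet worm", "unpatched network service reachable from the Internet",
                   True, False, False, "High"),
    ThreatVulnPair("Malicious insider", "shared administrative password, but logins are audited",
                   True, True, False, "High"),
    ThreatVulnPair("Casual observer", "card data on a point-of-sale screen fitted with a privacy filter",
                   True, False, True, "Low"),
]

if __name__ == "__main__":
    for threat, vuln, lk, imp, score, level in determine_risks(SAMPLE_PAIRS):
        print(f"{level:6} {score:5.1f}  {threat}: {vuln} (likelihood {lk}, impact {imp})")
```

Two things the register makes visible that the step list alone does not: the same threat and impact can land in different risk bands depending only on the control state recorded in step 4 (the audited insider drops from High to Medium), and because the scale is multiplicative, a high-impact pairing never falls to Low unless the likelihood does, which is why the note that steps 2 to 6 may run in parallel does not mean any of them can be skipped.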
