Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bel G. Raggad, Information Security Management: Concepts and Practice.
2. 13. Security Solutions
Information protection is not a goal in itself; its purpose is to reduce the
harm that the information's owner would suffer from its compromise.
The American Bar Association reported a decade ago that hackers caused
harm as high as $10 million.
FBA reports that businesses lose $7.5 billion a year to attacks.
13.1 Introduction
4. 13. Security Solutions
13.2.1 Security Management
13.2.1.1 Information Security Management
This is the most important class of security solutions.
It concerns the organizational security of the company.
There are two main components:
1. Effectiveness in securing the system (ISO 27002)
2. Information Security Management System (ISMS, ISO 27001)
13.2 Security Solutions
5. 13. Security Solutions
13.2.1 Security Management
13.2.1.2 Simple Network Management
The major components used in networking are routers, switches, firewalls and
access servers (the network topology).
Routers use the hierarchy of LANs and autonomous systems to find
optimal paths to information resources worldwide.
[Diagram: network management tools]
• Data centers: Unicenter from IBM
• Network management system tools: OpenView from HP
• Enterprise System Management (ESM)
6. 13. Security Solutions
13.2.2 Cryptographic Solutions
13.2.2.1 Cryptography
Hash Functions
Symmetric Cryptography
Public-Key Cryptography
Digital Signatures
Virtual Private Networks
13.2.2.2 The Main Cryptographic Mechanisms
Symmetric Cryptography: Private Key (AES)
Asymmetric Cryptography: Public Key (RSA)
7. 13. Security Solutions
13.2.2 Cryptographic Solutions
13.2.2.3 Block and Stream Ciphers in Symmetric Cryptography
Symmetric ciphers are now usually implemented using:
• Block ciphers: a fixed-length block of plaintext is converted into ciphertext
of the same length
• Stream ciphers: data is encrypted one bit or byte at a time
13.2.2.4 Digital Signatures
Used for demonstrating the authenticity of a digital message or document.
Digital signature algorithms: RSA, DSS, elliptic curves
Cryptosystems that use them: PGP, S/MIME
8. 13. Security Solutions
13.2.2 Cryptographic Solutions
13.2.2.5 Virtual Private Networks (VPN)
A virtual private network (VPN) is a computer network that uses a public
telecommunication infrastructure such as the Internet to provide remote
offices or individual users with secure access to their organization's network.
• Intranet VPN: several buildings connected to a data center (strong encryption)
• Remote Access VPN: laptops that connect intermittently from different locations (authentication)
• Extranet VPN: access to corporate resources across various network architectures
11. 13. Security Solutions
13.2.2 Cryptographic Solutions
13.2.2.5.2 Layer Two Tunnel Protocol (L2TP)
Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer
2 Forwarding (L2F).
The main rival to PPTP for VPN tunneling was Cisco's L2F.
13.2.2.5.1 Internet Protocol Security (IPsec)
IPsec is a suite of protocols that provides low-level network security;
it operates at the network (IP) layer.
12. 13. Security Solutions
13.2.3 Access Control
Access control is a system which enables an authority to control access to
areas and resources in a given physical facility or computer-based
information system.
The three most widely recognized models are:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
14. 13. Security Solutions
13.2.3 Access Control
Authentication
Cryptography is used not only to hide data from prying eyes.
Tripwire, for example, is a cryptographic integrity-checking tool.
It builds a database of cryptographic checksums for selected files.
Unauthorized changes to those files are detected by Tripwire when the checksums are recomputed and compared.
Biometrics
Fingerprints, Facial Recognition, Hand geometry, DNA
15. 13. Security Solutions
13.2.4 Data Traffic Control
Security rules:
Rule 1: Trust inside
Rule 2: Least privilege (permit only the traffic that is needed)
Rule 3: Selective blocking, the opposite of Rule 2 (permit by default, block specific traffic)
Firewalls:
Network firewalls
Application firewalls
Stateful inspection firewalls
16. 13. Security Solutions
13.2.5 Security Analysis
Security testing: penetration testing
External-source penetration test
Internal-source penetration test
Target-system penetration test
Vulnerability assessment
The process of identifying and quantifying weaknesses of the system and
determining their effect.
Analyze threats that could potentially cause compromise, spoofing, or denial
of service.
20. Security Control Management Class, Family and Identifier
Class        Family                                                Identifier
Management   Risk Assessment                                       RA
Management   Planning                                              PL
Management   System and Services Acquisition                       SA
Management   Certification, Accreditation, and Security Assessment CA
13. Security Solutions
13.3 The NIST Security Solution Taxonomy
21. Security Control Operational Class, Family and Identifier
Class        Family                                                Identifier
Operational  Personnel Security                                    PS
Operational  Physical and Environmental Protection                 PE
Operational  Contingency Planning                                  CP
Operational  Configuration Management                              CM
Operational  Maintenance                                           MA
Operational  System and Information Integrity                      SI
Operational  Media Protection                                      MP
Operational  Incident Response                                     IR
Operational  Awareness and Training                                AT
22. Security Control Technical Class, Family and Identifier
Class        Family                                                Identifier
Technical    Identification and Authentication                     IA
Technical    Access Control                                        AC
Technical    Audit and Accountability                              AU
Technical    System and Communications Protection                  SC
23. 13. Security Solutions
13.4 The ISO Security Taxonomy
1 Risk Assessment and Treatment
2 Security Policy
3 Organization of Information Security
4 Asset Management
5 Human Resources Security
6 Physical Security
7 Communications and Operations Management
8 Access Control
9 Information Systems Acquisition, Development, Maintenance
10 Information Security Incident Management
11 Business Continuity
12 Compliance
Editor's note (speaker notes)
We organize information security solutions into six classes: security management, cryptography, access control, data traffic control, security analysis, and physical security.
Sophisticated computer management systems, called system controllers, have been around for decades. These units were hooked up to mainframes in data centers.
OpenView has built-in support for the standard IP network management protocol, the Simple Network Management Protocol (SNMP).
ESM: the boundary between networks and computers became fuzzy with the development of client-server technology, which moved data out of data centers and into the internetworking topology.
Symmetric Algorithm main parts are:
Plaintext
Encryption Algorithm
Secret Key – the main secret
Cipher Text
Decryption
Modern symmetric block encryption algorithms are mainly based on the Feistel block cipher structure. Feistel proposed a cipher that alternates substitutions and permutations. In fact, this is a practical application of Claude Shannon's proposal to develop a product cipher that alternates confusion and diffusion functions.
Diffusion: each ciphertext digit is affected by many plaintext digits.
Confusion: the relationship between the statistics of the ciphertext and the value of the encryption key is as complex as possible.
Block ciphers include DES, IDEA, SAFER, Blowfish…
I would also like to mention Skipjack, the algorithm used in the US National Security Agency (NSA) Clipper chip for the U.S. government's Escrowed Encryption Standard (EES); it is a block cipher too.
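To make the Feistel structure concrete, here is a toy Feistel network added for illustration (not code from the slides or the book): the round function F is a constructed, non-invertible hash-based mix, the key schedule is constructed too, and decryption is the same routine with the subkeys reversed, which is exactly why Feistel designs do not need an invertible F. The hamming_distance helper gives a quick look at diffusion.

```python
import hashlib

# Toy Feistel network: 64-bit block, two 32-bit halves, 8 rounds, 32-bit subkeys.
# Constructed for teaching only; it is not a real cipher and has no security claims.
MASK32 = 0xFFFFFFFF
ROUNDS = 8

def round_function(right: int, subkey: int) -> int:
    """F(R, K): mixes the right half with the subkey. Deliberately NOT invertible;
    the Feistel structure, not F, is what makes the cipher decryptable."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def derive_subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Constructed key schedule: one 32-bit subkey per round from the master key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]

def feistel(block: int, subkeys) -> int:
    """Rounds: L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    The final swap is undone, so running this again with the subkeys in
    reverse order walks the rounds backwards and recovers the plaintext."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left

def encrypt_block(block: int, key: bytes) -> int:
    return feistel(block, derive_subkeys(key))

def decrypt_block(block: int, key: bytes) -> int:
    return feistel(block, list(reversed(derive_subkeys(key))))

def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two blocks (diffusion check)."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    key = b"constructed demo key"
    pt = 0x0123456789ABCDEF
    ct = encrypt_block(pt, key)
    print(hex(ct), decrypt_block(ct, key) == pt)
    print("ciphertext bits changed by flipping one plaintext bit:",
          hamming_distance(ct, encrypt_block(pt ^ 1, key)))
```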
Intranet VPN
This is considered a "client transparent" VPN. It is usually implemented for networks within a common network infrastructure but across various physical locations. For instance, several buildings may be connected to a data center that they access securely through private lines. These VPNs need to be especially secure, with strong encryption, and must meet strict performance and bandwidth requirements.
Remote Access VPN
Here the VPN is "client initiated". It is intended for remote users that need to connect to their corporate LAN from various points of connection: telecommuters and salesmen equipped with laptops that connect intermittently from different locations (homes, hotels, conference halls...). The key factor here is flexibility, as performance and bandwidth are usually minimal and less of an issue. More than encryption, authentication will be the main security concern.
Extranet VPN
In this case VPN uses the Internet as main backbone. It usually addresses a wider scale of users and locations, enabling users to access corporate resources across various network architectures. They rely on VPN standards to ensure maximum compatibility while trying not to overly compromise security.
Computers can use the PPTP protocol to securely connect to a private network as a remote access client by using a public data network such as the Internet. In other words, PPTP enables on-demand, virtual private networks over the Internet or other public TCP/IP-based data networks. PPTP can also be used by computers connected to a LAN to create a virtual private network across the LAN.
PPTP is configured by adding virtual devices referred to as virtual private networks (VPNs) to the RAS and Dial-Up Networking.
Most PPTP sessions are started by a client dialing up an ISP network access server.
The Point-to-Point Protocol (PPP) is a data link layer protocol which encapsulates other network layer protocols for transmission on synchronous and asynchronous communication lines.
Two precise definitions of "point-to-point" in the context of data communications follow:
A network configuration in which a connection is established between two, and only two points. The connection may include switching facilities.
A circuit connecting two points without the use of any intermediate terminal or computer.
The PPP protocol is used to create the dial-up connection between the client and network access server and performs the following three functions:
Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers.
Authenticates users. PPTP clients are authenticated by using the PPP protocol. Clear text, encrypted, or Microsoft encrypted authentication can be used by the PPP protocol.
Creates PPP datagrams that contain one or more encrypted TCP/IP, IPX, or NetBEUI data packets. Because the network packets are encrypted, all traffic between a PPP client and a network access server is secure.
Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco® Systems, Inc. Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the IETF mandated that the two technologies be combined into a single tunneling protocol that represents the best features of PPTP and L2F. L2TP is documented in RFC 2661.
Access control techniques
Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary.
Discretionary Access Control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.
Mandatory Access Control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.
Role-Based Access Control (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions.
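The three models side by side, as an added example that is not from the slides or the book: DAC with an owner-managed ACL, MAC using the Bell-LaPadula "no read up, no write down" rules as the concrete clearance/label policy (an assumption; the notes only say clearance levels and labels), and RBAC as roles that are sets of permissions. The users, levels and roles are constructed.

```python
from dataclasses import dataclass, field

# --- DAC: the object's owner decides who may do what ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, by: str, user: str, perm: str) -> bool:
        """Only the owner may change the ACL; anyone else's attempt is refused."""
        if by != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())

# --- MAC: the system decides from clearance and classification labels ---
# Constructed lattice of levels; the user cannot change these.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allowed(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula: read only at or below your clearance (no read up),
    write only at or above it (no write down), so data never flows downward."""
    c, lvl = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= lvl
    if perm == "write":
        return c <= lvl
    return False

# --- RBAC: a role is a set of permissions; users are assigned roles ---
ROLE_PERMS = {                                   # constructed roles
    "cashier": {"read_price", "create_sale"},
    "manager": {"read_price", "create_sale", "refund_sale"},
    "auditor": {"read_price", "read_sales_log"},
}

def rbac_allowed(user_roles: set, perm: str) -> bool:
    """Access is granted if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMS.get(r, set()) for r in user_roles)

if __name__ == "__main__":
    doc = DacObject(owner="alice")
    print(doc.grant("alice", "bob", "read"), doc.allowed("bob", "write"))
    print(mac_allowed("secret", "top_secret", "read"), mac_allowed("secret", "confidential", "write"))
    print(rbac_allowed({"cashier"}, "refund_sale"), rbac_allowed({"manager"}, "refund_sale"))
```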
The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.
Network firewalls protect the perimeter of a network by watching traffic that enters and leaves.
An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall.
Stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
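An added example (not code from the slides or the book) of the rule in the last paragraph: a minimal connection table that accepts outbound SYNs from the inside and thereafter only packets that match a recorded connection. The addresses and packet list are constructed; the forged inbound ACK shows what state tracking adds over a stateless "ACK flag means established" filter. Teardown is simplified to "any FIN or RST closes the entry".

```python
from collections import namedtuple

# Constructed packet: 5-tuple plus a TCP flags string such as "SYN", "SYN-ACK", "ACK".
Packet = namedtuple("Packet", "src sport dst dport proto flags")

INSIDE_PREFIX = "10.0.0."   # constructed: addresses with this prefix are internal

def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)

class StatefulFirewall:
    """Keeps a table of known connections; only packets belonging to one pass."""
    def __init__(self):
        self.table = {}   # (src, sport, dst, dport, proto) -> state

    def _key(self, p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def _reverse(self, p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p: Packet) -> str:
        # 1. Packet matches a known connection (either direction): accept,
        #    and drop the table entry once the connection is torn down.
        if self._key(p) in self.table or self._reverse(p) in self.table:
            if "FIN" in p.flags or "RST" in p.flags:
                self.table.pop(self._key(p), None)
                self.table.pop(self._reverse(p), None)
            return "ACCEPT"
        # 2. New connection only if initiated from inside with a SYN.
        if is_inside(p.src) and not is_inside(p.dst) and p.flags == "SYN":
            self.table[self._key(p)] = "SYN_SENT"
            return "ACCEPT"
        # 3. Everything else (unsolicited inbound, mid-stream packets with no state) is dropped.
        return "DROP"

def run(packets) -> list:
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]

SAMPLE = [   # constructed traffic; 203.0.113.x and 198.51.100.x are documentation ranges
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "SYN"),      # inside opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", "SYN-ACK"),  # reply to known conn
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "ACK"),
    Packet("198.51.100.7", 5555, "10.0.0.5", 22, "tcp", "SYN"),        # unsolicited inbound
    Packet("198.51.100.7", 5555, "10.0.0.5", 22, "tcp", "ACK"),        # forged "established"
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", "FIN"),      # teardown
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", "ACK"),      # after teardown: no state
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, p)
```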
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.
External testing (black box) refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, that is, from the Internet or an extranet.
An internal (white box) penetration test evaluates the efficacy of a network's internal protection. Network configurations, source code and the occasional password are provided in the white box penetration test.
Security controls in the security control catalog (NIST SP 800-53, Appendix F) have a well-defined organization and structure.
The security controls are organized into classes and families for ease of use in the control selection and specification process.
There are three general classes of security controls (i.e., management, operational, and technical). Each family contains security controls related to the security function of the family. A standardized, two-character identifier is assigned to uniquely identify each control family. The table summarizes the classes and families in the security control catalog and the associated family identifiers.
An agency has the flexibility to tailor the security control baseline in accordance with the terms and conditions set forth in the standard. Tailoring activities include:
(i) the application of scoping guidance;
(ii) the specification of compensating controls;
(iii) the specification of agency-defined parameters in the security controls, where allowed.
The system security plan should document all tailoring activities.