Title: CMGT 400
Slide 1: CMGT 400
- Intro to Information Assurance Security
- Philip Robbins February 5, 2013 (Week 1)
- University of Phoenix Mililani Campus
Slide 2: Agenda, Week 1
- Introductions
- Course Syllabus
- Fundamental Aspects
- Information
- Information Assurance
- Information Security Services
- Risk Management, CND, and Incident Response
- Quiz 1
- Assignment
Slide 3: Concepts
- Information
- What is it?
- Why is it important?
- How do we protect (secure) it?
Slide 4: Why is this important?
- Information is valuable.
- Therefore, Information Systems are valuable (etc.).
- Compromise of Information Security Services (C-I-A) has real consequences (loss):
- Confidentiality: death, proprietary info, privacy, theft
- Integrity: theft, loss of confidence, validity
- Availability: lost productivity, disruption of C2, defense, emergency services
Slide 5: Concepts
- Information Systems
- Systems that store, transmit, and process information.
- Information Security
- The protection of information.
- Information Systems Security
- The protection of systems that store, transmit, and process information.
Slide 6: Fundamental Concepts
- What is Information Assurance (IA)?
- Our assurance (confidence) in the protection of our information / Information Security Services.
- What are Information Security Services (ISS)?
- Confidentiality: making sure our information is protected from unauthorized disclosure.
- Integrity: making sure the information we process, transmit, and store has not been corrupted or adversely manipulated.
- Availability: making sure that the information is there when we need it and gets to those who need it.
Slide 7: Private vs. Military Requirements
- Which security model an organization uses depends on its goals and objectives.
- Military is generally concerned with CONFIDENTIALITY.
- Private businesses are generally concerned with AVAILABILITY (ex. Netflix, eBay, etc.) OR INTEGRITY (ex. banks).
- Some private sector companies are concerned with CONFIDENTIALITY (ex. hospitals).
- Which ISS do you believe is most important?
Slide 8: Fundamental Concepts
- Progression of Terminology
- Computer Security (COMPUSEC): legacy term (no longer used).
- Information Security (INFOSEC): legacy term (still used).
- Information Assurance (IA): term widely accepted today, with a focus on information sharing.
- Cyber Security: broad term quickly being adopted.
Slide 9: Fundamental Concepts
- What is Cyberspace?
- Term adopted by the USG
- The virtual environment of information and interactions between people.
- Telecommunication network infrastructures
- Information Systems
- The Internet
Slide 10: Review of Fundamental Concepts
- What is the Defense in Depth Strategy?
- Using layers of defense as protection.
- People, Technology, and Operations.
Onion Model
Slide 11: Defense-in-Depth
Links in the Security Chain: Management, Operational, and Technical Controls
- Risk assessment
- Security planning, policies, procedures
- Configuration management and control
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical security
- Personnel security
- Security assessments and authorization
- Continuous monitoring
- Access control mechanisms
- Identification / authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards
Adversaries attack the weakest link. Where is yours?
Slide 12: Review of Fundamental Concepts
Information Assurance Services (IAS) (table)
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Slide 13: Review of Fundamental Concepts
Slide 14: Challenges
- Fixed Resources
- Sustainable strategies reduce costs
Slide 15: Information Systems Security: Privacy
- Defined as the protection and proper handling of sensitive personal information
- Requires proper technology for protection
- Requires processes and controls for appropriate handling
Slide 16: Personally Identifiable Information (PII)
- Name
- SSN
- Phone number
- Driver's license number
- Credit card numbers
- etc
Slide 17: Concept 1: Info Security Assurance
- You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC).
- The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC!
- A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend.
- The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.
Slide 18: Concept 1: Info Security Assurance
- What would you tell the Board?
- As an ISSM, what would you consider first?
- What types of questions would you ask the Board and/or the CIO?
Slide 19: Concept 2: Physical and Logical ISS
- First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC.
- You introduce yourself as the new ISSM and both managers eagerly ask you, "What can we do to help?"
Slide 20: Concept 2: Physical and Logical ISS
- What do you tell these Managers?
- What types of questions would you ask the Managers?
- As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC?
- What about your meeting with the Board of Directors earlier? How does it apply here?
Slide 21: Concept 3: Risk
- After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down!
- Your Computer Network Defense Team is able to trace the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router.
- The CIO calls you into his office and indicates to you that he is concerned about the Risk to the networks at UUC and wants a risk assessment conducted ASAP.
Slide 22: Concept 3: Risk
- What does the CIO mean by Risk to the networks at UUC?
- As an ISSM, how would you conduct a risk assessment for the CIO?
- What are some of the elements of risk?
- How is risk measured and why is it important?
Slide 23: Risk Management
- Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level.
- Why is this important?
- There is no such thing as 100% security.
- Can risk ever be eliminated?
Slide 24: Risk Management
- Risks MUST be identified, classified and analyzed to assess potential damage (loss) to the company.
- Risk is difficult to measure and quantify; however, we must prioritize the risks and attempt to address them!
Slide 25: Risk Management
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability of damage and the cost of damage
- Implement cost-effective countermeasures!
- ULTIMATE GOAL is to be cost effective. That is, ensure that your assets are safe, and at the same time don't spend more to protect something than it's worth.
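A worked version of the four steps above for the UUC perimeter-router scenario, added here as an example (it is not from the course slides). It expresses "probability of damage x cost of damage" with the standard single loss expectancy (SLE), annual rate of occurrence (ARO) and annualized loss expectancy (ALE) figures, which the slides do not name; every asset value, rate and countermeasure cost below is a constructed sample number.

```python
"""Quantitative risk prioritisation for the four steps on the slide.
Added example, not course material. "Probability of damage x cost of damage"
is expressed with the standard SLE / ARO / ALE figures; all numbers below are
constructed sample values for the UUC scenario."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # step 1: what the asset is worth (dollars)
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # step 3: expected incidents per year (probability)

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: probability x cost, per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # what the control costs per year
    residual_aro: float     # incidents per year once the control is in place


def annual_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided per year minus the control's cost. A negative value means
    you would spend more to protect the asset than the protection is worth."""
    ale_after = risk.sle * cm.residual_aro
    return risk.ale - ale_after - cm.annual_cost


def cost_effective(risk: Risk, cm: Countermeasure) -> bool:
    return annual_benefit(risk, cm) > 0


def prioritise(risks):
    """Step 4 starts with the biggest expected annual loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample values (step 2: assets, vulnerabilities and threats).
RISKS = [
    Risk("Internal network", "Perimeter router exploit (outage)", 500_000, 0.25, 2.0),
    Risk("Student PII database", "Breach / disclosure", 2_000_000, 0.25, 0.125),
    Risk("Campus web site", "Defacement", 100_000, 0.125, 1.0),
]
PATCHING = Countermeasure("Patch management + spare router", 30_000, 0.25)
GOLD_PLATED = Countermeasure("Replace the whole perimeter", 300_000, 0.0)

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{r.asset:22} SLE={r.sle:>10,.0f}  ALE={r.ale:>10,.0f}")
    for cm in (PATCHING, GOLD_PLATED):
        print(f"{cm.name:32} net benefit={annual_benefit(RISKS[0], cm):>10,.0f}"
              f"  cost effective={cost_effective(RISKS[0], cm)}")
```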
Slide 26: Who is ultimately responsible for risk?
- MANAGEMENT!!!
- Management may delegate to data custodians or business units that shoulder some of the risk.
- However, it is senior management that is ultimately responsible for the company's health; as such, they are ultimately responsible for the risk.
Slide 27: Computer Network Defense
- Defending against unauthorized actions that would compromise or cripple information systems and networks.
- Protect, monitor, analyze, detect, and respond to network attacks, intrusions, or disruptions.
Slide 28: Incident Response
- Responding to a Security Breach
- - Incident Handling
- - Incident Management
- - Eradication and Recovery
- - Investigation (Forensics / Analysis)
- - Legal, Regulatory and Compliance Reporting
- - Documentation
Slide 29: Break
Slide 30: Chapter 1 Introduction and Security Trends
- The Morris Worm
- - Robert Morris
- - 1988
- - First large-scale attack on the Internet
- - No malicious payload (benign)
- - Replicated itself
- - Infected computer systems could no longer run any other programs
Slide 31: Chapter 1 Introduction and Security Trends
- Kevin Mitnick
- - Famous Hacker
- - 1995
- - Wire and computer fraud
- - Intercepting wire communication
- - Stole software and email accounts
- - Jailed 5 years.
Slide 32: Chapter 1 Introduction and Security Trends
- The Melissa Virus
- - David Smith
- - 1999
- - Infected 1 million computers
- - $80 million
- - Payload: list.doc with macro
- - Clogged networks, generated by email servers sending "Important Messages" from your address book
Slide 33: Chapter 1 Introduction and Security Trends
- The I Love You Virus
- - Melissa variation
- - 2000
- - 45 million computers
- - $10 billion
- - Payload: .vbs (script)
- - Released by a student in the Philippines (not a crime)
Slide 34: Chapter 1 Introduction and Security Trends
- The Code Red Worm
- - 2001
- - 350 million computers
- - $2.5 billion
- - Payload benign
- - Takes control of computers
- - DoS attacks targeted the White House website
Slide 35: Chapter 1 Introduction and Security Trends
- The Conficker Worm
- - 2008-2009
- - Payload benign
- - Bot network
- - Very little damage
- - Blocks antivirus updates
Slide 36: Chapter 1 Introduction and Security Trends
- Stuxnet
- - 2010
- - First cyber weapon
- - Affected SCADA systems within Iran's nuclear enrichment facilities
- - Uses 4 zero-day vulnerabilities
Slide 37: Chapter 1 Introduction and Security Trends
- What is Malware?
- - Malicious software
- - Includes viruses and worms
- - Protect using anti-virus software and system patching
Slide 38: Chapter 1 Introduction and Security Trends
- Intruders, Hackers, and Threat Agents
Slide 39: Chapter 1 Introduction and Security Trends
- Network Interconnection
- - More connections
- - From large mainframes to smaller connected systems
- - Increased threat vulnerabilities
- - Single point failures?
- - Critical Infrastructure
- - Information Value
- - Information Warfare
Slide 40: Chapter 1 Introduction and Security Trends
- Steps in an Attack
- - Ping sweeps (ping/whois): identify target
- - Port scans (nmap): exploit service
Slide 41: Chapter 1 Introduction and Security Trends
- Steps in an Attack
- - Bypass firewall
- - Bypass IDS / IPS: avoid detection / logs
- - Infect system (either network or physical)
- - Pivot systems (launch client-side attacks)
Slide 42: Chapter 1 Introduction and Security Trends
Slide 43: Chapter 1 Introduction and Security Trends
- Types of Attacks
- - Denial of Service (DoS)
- - Distributed Denial of Service (DDoS)
- - Botnets (IRC)
- - Logic Bombs
- - SQL Injection
- - Scripting
- - Phishing Emails
- - HTTP session hijacking (Man in the Middle)
- - Buffer Overflows
Slide 44: Chapter 1 Introduction and Security Trends
Slide 45: Chapter 1 Introduction and Security Trends
- Types of Attacks: Redirection (Fake Sites)
Slide 46: Chapter 1 Introduction and Security Trends
Slide 47: Chapter 1 Introduction and Security Trends
- Types of Attacks: Fake Antivirus
Slide 48: Chapter 1 Introduction and Security Trends
- Types of Attacks: Keyloggers (Remote Stealth Keystroke Dump)
Slide 49: Chapter 1 Introduction and Security Trends
- Types of Attacks: USB Keys (Autorun infection)
Found a bunch of USB keys in a parking lot? Would you stick one of them into your PC?
Slide 50: Chapter 1 Introduction and Security Trends
- Types of Attacks: Spam Email (Storm Worms)
Slide 51: Chapter 1 Introduction and Security Trends
- Types of Attacks: Spear Phishing Emails
Slide 52: Chapter 1 Introduction and Security Trends
- Types of Attacks: SQL Injection
Slide 53: Chapter 1 Review Questions
Slide 54: Question 1
Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit?
A. Target of opportunity attack
B. Targeted attack
C. Vulnerability scan attack
D. Information warfare attack
Slide 56: Question 2
Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users?
A. Viruses
B. Hackers
C. Denial-of-service attacks
D. All of the above
Slide 58: Question 3
The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit?
A. Virus writers
B. Script kiddies
C. Hackers
D. Elite hackers
Slide 60: Question 4
Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have brought the Internet down?
A. Melissa
B. I LOVE YOU
C. Morris
D. Code Red
Slide 62: Question 5
The act of deliberately accessing computer systems and networks without authorization is generally known as?
A. Computer intrusions
B. Hacking
C. Cracking
D. Probing
Slide 64: Question 6
Warfare conducted against the information and information processing equipment used by an adversary is known as?
A. Hacking
B. Cyber terrorism
C. Information Warfare
D. Network Warfare
Slide 66: Question 7
Which of the following is not described as a critical infrastructure?
A. Electricity (Power)
B. Banking (Finance)
C. Telecommunications
D. Retail Stores
Slide 68: Question 8 (Last one)
Elite hackers don't account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet?
A. 1-2 percent
B. 3-5 percent
C. 7-10 percent
D. 15-20 percent
Slide 70: Break
Slide 71: Chapter 2 General Security Concepts
- Computer Security (COMPUSEC)
- - Ensure computer systems are secure
- Network Security
- - Protection of multiple connected (networked) computer systems
- Information Assurance (IA) Security
- - Emphasis on the data: our assurance (confidence) in the protection of our information / Information Security Services.
Slide 72: Chapter 2 General Security Concepts
- CIA Triad (Information Security Services)
Slide 73: Chapter 2 General Security Concepts
- Operational Model of Computer Security
- Protection = Prevention + (Detection + Response)
Slide 74: Chapter 2 General Security Concepts
- Least Privilege (Need to Know)
- - Users should have only the necessary (minimum) rights, privileges, or information to perform their tasks (no additional permissions).
- Implicit Deny
- - Deny all authorization and access (blacklisted) unless specifically allowed (whitelist).
- - Default security rule for firewalls, routers, etc.
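An added example, not from the course materials, of what implicit deny means for a packet filter: the same requests are evaluated under a whitelist whose default is deny and under a blacklist whose default is allow. The rule tables, ports and addresses are constructed.

```python
"""Implicit deny versus default allow in a first-match packet filter.
Added example, not course code. Rules are checked in order and the first
match decides; if no rule matches, the table's default posture decides.
Addresses and rules are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR block, or "any"
    dst_port: Optional[int]     # None matches every port
    proto: str                  # "tcp", "udp" or "any"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        src_ok = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        proto_ok = self.proto in ("any", proto)
        return src_ok and port_ok and proto_ok


def decide(rules, default: str, src_ip: str, dst_port: int, proto: str) -> str:
    """First matching rule wins; otherwise the default posture applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return default


# Whitelist: only what is specifically allowed gets in (implicit deny).
WHITELIST = [
    Rule("allow", "any", 443, "tcp"),         # public web server
    Rule("allow", "10.0.0.0/8", 22, "tcp"),   # admin SSH from the campus LAN only
]

# Blacklist: only what is specifically denied is blocked (default allow).
BLACKLIST = [
    Rule("deny", "any", 23, "tcp"),           # someone remembered to block telnet
]


def implicit_deny(src_ip: str, dst_port: int, proto: str) -> str:
    return decide(WHITELIST, "deny", src_ip, dst_port, proto)


def default_allow(src_ip: str, dst_port: int, proto: str) -> str:
    return decide(BLACKLIST, "allow", src_ip, dst_port, proto)


if __name__ == "__main__":
    # A service nobody wrote a rule for (e.g. RDP on 3389) shows the difference:
    # the whitelist blocks it, the blacklist lets it straight through.
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 22),
                      ("10.1.2.3", 22), ("203.0.113.7", 3389)]:
        print(f"{src}:{port}  implicit deny={implicit_deny(src, port, 'tcp')}"
              f"  default allow={default_allow(src, port, 'tcp')}")
```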
Slide 75: Chapter 2 General Security Concepts
- Separation of Duties
- - Ensures tasks are broken down and are accomplished by / involve more than one individual.
- - Check-and-balance system.
- Job Rotation
- - Rotating individuals through jobs / tasks.
- - Organization does not become dependent on a single employee.
Slide 76: Chapter 2 General Security Concepts
Be sure to understand the difference between:
- Least Privilege vs. Implicit Deny
- Separation of Duties vs. Job Rotation
Slide 77: Chapter 2 General Security Concepts
- Layered Security
- - Defense in Depth
- - Redundancy
- - No single point of failure
Slide 78: Chapter 2 General Security Concepts
Slide 79: Chapter 2 General Security Concepts
- Security Through Obscurity
- - Approach of protecting something by hiding it.
- - Generally not a good idea.
- - Steganography
- - Reverse engineering.
Slide 80: Chapter 2 General Security Concepts
Be sure to understand the difference between Layered Security vs. Security Through Obscurity.
Slide 81: Chapter 2 General Security Concepts
- Access
- - Control what a subject can perform or what objects the subject can interact with.
- - e.g. Access Control Lists (ACLs)
- Authentication
- - Verify the identity of a subject (who you are).
- - Involves identification
- - Passwords, cards, biometrics (fingerprints), etc.
- - Digital certificates
Slide 82: Chapter 2 General Security Concepts
- Authorization
- - Verifies what a subject is authorized to do.
- Be sure to understand the difference between Access vs. Identification vs. Authentication vs. Authorization.
Slide 83: Chapter 2 General Security Concepts
- Social Engineering
- - Talk individuals into divulging information that they normally would never divulge.
- - Used to gain information on identities, access, or authorization.
- - Data aggregation.
Slide 84: Chapter 2 General Security Concepts
- Policies
- Constraints of behavior on systems and people
- Specifies activities that are required, limited, and forbidden
- Example: Information systems should be configured to require good security practices in the selection and use of passwords.
Slide 85: Chapter 2 General Security Concepts
- Requirements
- Required characteristics of a system or process.
- Often the same as or similar to the policy
- Specifies what should be done, not how to do it.
- Example: Information systems must enforce password quality standards.
Slide 86: Chapter 2 General Security Concepts
- Guidelines: define how to support a policy
- Example: As a guideline, passwords should not be dictionary words, don't write passwords down, etc.
Slide 87: Chapter 2 General Security Concepts
- Standards: what products and technical methods will be used to support policy.
- Example:
- All fiber optic cables must be ACME brand
- Passwords must be at least 8 characters, contain 2 upper and lower case chars
- Procedures: step-by-step instructions
Slide 88: Chapter 2 General Security Concepts
- Classification of Information
- - Sensitivity / Confidentiality
- Example:
- Unclassified (UNCLASS)
- For Official Use Only (FOUO)
- Confidential
- Secret (S)
- Secret Releasable (S//REL)
- Top Secret (TS)
Slide 89: Chapter 2 General Security Concepts
- Acceptable Use Policy (AUP)
- - Outline of what the organization considers to be the appropriate / inappropriate use of company resources.
- - Do you have a right to privacy when using a company's system / network resources?
Slide 90: Chapter 2 General Security Concepts
- Service Level Agreement (SLA)
- - Contractual agreements between entities that describe specified levels of service.
- Example:
- Bandwidth allocation
- Download / Upload speeds
- Uptime
- Support / Maintenance
- Data Restoration / Backup
Slide 91: Chapter 2 General Security Concepts
- Bell-LaPadula Confidentiality Security Model
- - Principle 1: Simple Security (No Read Up) Rule: no subject can read from an object with a security classification higher than that possessed by the subject.
- - Principle 2: *-property (No Write Down) Rule: allows a subject to write only to an object of equal or greater security classification.
- Why wouldn't you be able to write down?
Slide 92: Chapter 2 General Security Concepts
- Biba Integrity Security Model
- - Policy 1: Low-Water-Mark: prevents unauthorized modification of data (subjects writing to objects of a higher integrity label).
- - Policy 2: Ring: allows a subject to read any object without regard to the object's level of integrity and without lowering the subject's integrity level.
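An added example, not part of the slides, that implements the Bell-LaPadula rules from slide 91 and the Biba policies above as access decisions over ordered labels, and then evaluates one request under both models at once. The confidentiality labels follow the classification slide; the integrity label names and the sample subject and objects are constructed.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access decisions.
Added example, not course code. Labels are ordered: a higher value dominates
a lower one. BLP: Simple Security (no read up) and *-property (no write down).
Biba: Low-Water-Mark (no write up) and Ring (read anything, label unchanged)."""
from enum import IntEnum


class Clearance(IntEnum):
    """Confidentiality labels, in the order of the classification slide."""
    UNCLASS = 0
    FOUO = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


class Integrity(IntEnum):
    """Integrity labels (constructed names for this example)."""
    UNTRUSTED = 0   # e.g. content downloaded from the Internet
    USER = 1        # ordinary user documents
    SYSTEM = 2      # OS and security configuration


def blp_can_read(subject: Clearance, obj: Clearance) -> bool:
    """Simple Security Rule: the subject may read only at or below its clearance."""
    return subject >= obj


def blp_can_write(subject: Clearance, obj: Clearance) -> bool:
    """*-property: writes may only go to an equal or higher classification.
    Writing down would let a SECRET subject copy secrets into an UNCLASS file."""
    return obj >= subject


def biba_can_write(subject: Integrity, obj: Integrity) -> bool:
    """Low-Water-Mark policy as stated on the slide: no writing to an object of
    higher integrity, so untrusted input cannot modify system data."""
    return subject >= obj


def biba_can_read(subject: Integrity, obj: Integrity) -> bool:
    """Ring policy: any object may be read, and the subject's label is not lowered."""
    return True


def decide(op: str, subj_clr, subj_int, obj_clr, obj_int):
    """Verdict of each model for one request, as (BLP, Biba); a system that
    enforces both grants access only when both entries are True."""
    if op == "read":
        return blp_can_read(subj_clr, obj_clr), biba_can_read(subj_int, obj_int)
    if op == "write":
        return blp_can_write(subj_clr, obj_clr), biba_can_write(subj_int, obj_int)
    raise ValueError(f"unknown operation: {op}")


if __name__ == "__main__":
    # Constructed sample: a SECRET analyst with USER integrity touching two objects.
    analyst = (Clearance.SECRET, Integrity.USER)
    objects = {
        "unclass_bulletin.txt": (Clearance.UNCLASS, Integrity.USER),
        "firewall_config": (Clearance.CONFIDENTIAL, Integrity.SYSTEM),
    }
    for name, labels in objects.items():
        for op in ("read", "write"):
            print(f"{op:5} {name:22} (BLP, Biba) -> {decide(op, *analyst, *labels)}")
```

The analyst can read both objects but write to neither: BLP blocks the write down to the unclassified bulletin, and Biba blocks a USER-integrity subject from modifying the SYSTEM-integrity firewall configuration.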
Slide 93: Chapter 2 Review Questions
Slide 94: Question 1
What is the most common form of authentication used?
A. Smart Cards
B. Tokens
C. Username / Password
D. Biometrics
Slide 96: Question 2
The CIA of security includes:
- Confidentiality, integrity, authentication
- Confidentiality, integrity, availability
- Certificates, integrity, availability
- Confidentiality, inspection, authentication
Slide 98: Question 3
The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the:
- Simple Security Rule
- Ring policy
- Mandatory access control
- *-property
Slide 100: Question 4
Which of the following concepts requires users and system processes to use the minimal amount of permission necessary to function?
- Layer Defense
- Diversified Defense
- Simple Security Rule
- Least Privilege
Slide 102: Question 5
Which of the following is an access control method based on changes at preset intervals?
- Simple Security Rule
- Job Rotation
- Two-man rule
- Separation of Duties
Slide 104: Question 6
The Bell-LaPadula security model is an example of a security model that is based on:
- The integrity of the data
- The availability of the data
- The confidentiality of the data
- The authenticity of the data
Slide 106: Question 7
The term used to describe the requirement that different portions of a critical process must be performed by different people is:
- Least privilege
- Defense in Depth
- Separation of Duties
- Job Rotation
Slide 108: Question 8
Hiding information to prevent disclosure is an example of:
- Security through obscurity
- Certificate-based security
- Discretionary data security
- Defense in depth
Slide 110: Question 9 (Last one)
The concept of blocking an action unless it is specifically authorized is:
- Implicit deny
- Least privilege
- Simple Security Rule
- Hierarchical defense model
Slide 112: Quiz Week 1
Slide 113: IDV Assignment due Week 2
- Paper No. 1
- Review fundamentals of information assurance.
- Pick a company.
- How is their information considered an asset?
- How is their information being protected?
- Which Information Security Service is most important to the company?
- Are there specific information security requirements (regulations, policy, standards, etc.) that the company needs to abide by?