The document discusses key concepts in information security including the security trinity of confidentiality, integrity, and availability. It outlines the four As of security - account management, authentication controls, authorization/access controls, and audit controls. The document then explains how various security controls protect confidentiality, integrity, and availability. It concludes with outlining a risk-driven security process of identifying assets, risks, impacts, and controls to defend assets within an organization's security budget and objectives.
2. Introduction
Plain Talk about Security, 04/02/2015, slide 2
• Security is not just a matter of opinion
  • even though everybody has an opinion about security
• Security is not a wasted effort
  • even though it may seem like any determined attacker will get through your defenses
• Security is a logic, a calculation, and a profession
  • logic: “you can’t protect assets you don’t know about”
  • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur”
  • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2
• Information Security has its counterparts in physical security
3. The Security Trinity (CIA)
[Figure: the CIA triangle. Confidentiality: keep the asset secret! Integrity: prevent unauthorized change to asset! Availability: ensure intended users can always access asset!]
4. Start with a Good Secure Architecture
• A good architecture
  • Form facilitates function
  • Modular
  • Adaptable
  • Scalable
• A secure architecture
  • Facilitates organizational mission & objectives
  • Provides granular segmentation
  • Provides situational awareness
  • Defends its assets
[Figure: physical security vs. information security panels. Segmented network with Internet, DMZ, Dev & QA, Users, Prod, and SOC & NOC zones; assets are labelled Public, Confidential, and Top Secret.]
5. Four A’s of Security: #1 Account Management
• User Accounts: represent interactive humans
• Service Accounts: represent batch processes
• Role-based Accounts: represent groups of accounts with similar profiles & needs
[Figure: physical security vs. information security panels; account populations shown: admins, services, employees, customers, suppliers, hackers.]
6. Four A’s of Security: #2: Authentication Controls
• One Factor Authentication: What you know (password)
• Two Factor Authentication: What you have (token) + what you know
• Three Factor Authentication: What you are (biometric) + what you have + what you know
[Figure: physical security panel: a sentry’s challenges (“STOP! Identify yourself!”, “Show me your pass!”, “You don’t look like the commander!”) as the three factors; information security panel: password, token, biometric hand scanner.]
“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
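The two-factor case from the slide (what you know + what you have) as a worked example added here; it is not code from the deck. It stores the password as a salted PBKDF2 hash and implements the HOTP/TOTP token algorithm (RFC 4226 / RFC 6238) with the standard library only; the user name, password, and token seed are constructed demo values.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo user store, not the deck's code. Factor 1 ("what you know"):
# the password is stored only as a salted PBKDF2 hash. Factor 2 ("what you have"):
# the TOTP seed of the user's token; here the public RFC 6238 test key, never a real seed.
_SALT = os.urandom(16)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_seed": b"12345678901234567890",
    }
}

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed, now, step=30):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30 s steps since the epoch."""
    return hotp(seed, now // step)

def check_password(user, password):
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

def check_token(user, code, now):
    # Accept the current step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(user["totp_seed"], now + d), code)
               for d in (-30, 0, 30))

def login(username, password, code, now=None):
    """Two-factor login: unknown accounts fail closed, and both factors must pass."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    # Evaluate both factors before combining so the response does not reveal which one failed.
    return check_password(user, password) & check_token(user, code, now)
```

The token values can be checked against the RFC 4226 test vectors (counter 0 gives 755224, counter 1 gives 287082).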
7. Four A’s of Security: #3 Authorization (Access) Controls
• Who/what is allowed to do what to a resource (asset)
• Resources are assets that are allowed to be used
• Minimum Privilege: the least privileges required to perform a job (role) = Granularity
• Strong Access Controls require Strong Authentication Controls!
[Figure: physical security vs. information security panels. Three production tiers, General Prod ($), Confidential Prod ($$), and Top Secret Prod ($$$), paired with General, Confidential, and Top Secret clearances.]
“Encryption also provides a Presentation Layer Access Control!”
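The slide’s three rules (a role gets only the privileges its job needs, a subject’s clearance must cover the resource tier, and strong access controls need strong authentication) as one authorization check. This is an added example, not the deck’s code; the roles, subjects, tiers and the policy that changes to Confidential or higher tiers require an MFA login are constructed assumptions.

```python
# Constructed example, not the deck's code: role permissions (minimum privilege)
# combined with a clearance check over the slide's General / Confidential /
# Top Secret production tiers, plus an assumed policy that non-read actions on
# Confidential or higher tiers require a session authenticated with MFA.
LEVELS = {"General": 0, "Confidential": 1, "Top Secret": 2}

# Each role carries only the actions its job needs.
ROLE_PERMISSIONS = {
    "employee": {"read"},
    "operator": {"read", "restart"},
    "admin": {"read", "write", "restart", "configure"},
}

SUBJECTS = {  # name -> role, clearance, how the session was authenticated
    "alice": {"role": "employee", "clearance": "General", "auth": "password"},
    "bob":   {"role": "admin", "clearance": "Top Secret", "auth": "mfa"},
    "carol": {"role": "admin", "clearance": "Confidential", "auth": "password"},
}

RESOURCES = {  # name -> classification tier
    "general-prod": "General",
    "confidential-prod": "Confidential",
    "topsecret-prod": "Top Secret",
}

def authorize(subject_name, action, resource_name):
    """Return (allowed, reason). Every check must pass; unknown names fail closed."""
    subject = SUBJECTS.get(subject_name)
    tier = RESOURCES.get(resource_name)
    if subject is None or tier is None:
        return False, "unknown subject or resource"
    if action not in ROLE_PERMISSIONS.get(subject["role"], set()):
        return False, f"role {subject['role']} is not granted {action}"
    if LEVELS[subject["clearance"]] < LEVELS[tier]:
        return False, f"{subject['clearance']} clearance is below {tier}"
    if action != "read" and LEVELS[tier] >= LEVELS["Confidential"] and subject["auth"] != "mfa":
        return False, "changing a Confidential or higher tier requires an MFA login"
    return True, "allowed"
```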
8. Four A’s of Security: #4 Audit Controls
• Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events
• Audit: formal documentation of who did what when and where compared to a framework
• Report: statistical (and possibly graphic) view of historical data and trends
• Evidence: documentation proving compliance with a security control or standard
[Figure: physical security vs. information security panels. Monitoring hierarchy: element managers (EM) for SQL, WS, TS, Srvr, Rtr, SW, FW, IPS, A/V, SSL, DLP, and CA feed managers of managers (MoM), shown as NNM and SIEM.]
“Digital Signatures and trusted Certificates can provide non-repudiation for business or legal transactions!”
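The four audit artifacts of the slide worked over a running log: parse the log into audit records (who did what, when, where), produce a statistical report, and derive evidence against a control. This is an added example, not the deck’s code; the log lines, field layout and the control (at most three failed logins per account) are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): ISO 8601 timestamp, then key=value fields.
RAW_LOG = """\
2015-04-02T09:01:05Z host=ws01 user=alice action=login result=success src=10.0.1.20
2015-04-02T09:03:41Z host=srvr07 user=bob action=login result=failure src=10.0.2.9
2015-04-02T09:03:52Z host=srvr07 user=bob action=login result=failure src=10.0.2.9
2015-04-02T09:04:10Z host=srvr07 user=bob action=login result=failure src=10.0.2.9
2015-04-02T09:04:30Z host=srvr07 user=bob action=login result=failure src=10.0.2.9
2015-04-02T09:10:00Z host=sql02 user=svc_backup action=read result=success src=10.0.3.4
2015-04-02T09:15:22Z host=sql02 user=alice action=delete result=success src=10.0.1.20
this line is garbage and must not become an audit record
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ((?:\w+=\S+ ?)+)$")
REQUIRED = {"host", "user", "action", "result", "src"}

def parse_log(text):
    """Running log -> audit records of who did what, when and where."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines never enter the audit trail
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        if not REQUIRED.issubset(fields):
            continue
        records.append({
            "when": datetime.fromisoformat(m.group(1).replace("Z", "+00:00")),
            "who": fields["user"],
            "what": f"{fields['action']}:{fields['result']}",
            "where": f"{fields['host']} from {fields['src']}",
        })
    return records

def report(records):
    """Statistical view: event counts per user and per outcome."""
    return {"by_user": Counter(r["who"] for r in records),
            "by_outcome": Counter(r["what"] for r in records)}

def evidence(records, max_failures=3):
    """Compare the trail with an assumed control (at most max_failures failed logins per account)."""
    failures = defaultdict(int)
    for r in records:
        if r["what"] == "login:failure":
            failures[r["who"]] += 1
    return {who: n for who, n in failures.items() if n > max_failures}
```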
9. Confidentiality
• Protects an asset or person from unauthorized viewing or exposure by:
  • Access Controls
  • Encryption
    • Symmetric
    • Asymmetric
[Figure: physical security panel: a shredder. Information security panel: symmetric encryption (Bob and Alice share one key from the key generator KG; E encrypts “Hi!” into ciphertext, D decrypts it back) and asymmetric encryption (Bob encrypts with the public key, Alice decrypts with the private key).]
“Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!”
10. Integrity
• Protects an asset from unauthorized modification by:
  • Access Controls
  • Digital Signature
  • Hash
  • Encryption
“Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!”
[Figure: physical security vs. information security panels. Three production tiers, General Prod ($), Important Prod ($$), and Critical Prod ($$$), paired with General, Medium Integrity, and High Integrity clearances.]
11. Availability
• Ensures a resource will always be available for authorized use
• High-Availability services shouldn’t have Single Points of Failure (SPoF)
• Recovery Point Objective (RPO): how much data a service can afford to lose
• Recovery Time Objective (RTO): how much time a service can afford to be shut down
[Figure: physical security vs. information security panels. Two sites (Site #1, Site #2), each with servers S1 and S2 on switches SW1 and SW2 behind load balancers LB1 and LB2; routers R1 and R2 and DNS servers DNS 1 and DNS 2 connect the sites to the Internet, which clients c1, c2, and c3 reach them through.]
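The slide’s rule that high-availability services shouldn’t have single points of failure, turned into a check that works on any topology: a node is a SPoF if taking it alone out of service leaves no server reachable. This is an added example, not the deck’s code; the two constructed topologies only loosely follow the diagram (a two-site design with duplicated routers, load balancers and switches beside a one-site design with a shared router and switch).

```python
from collections import deque

# Constructed topologies, loosely following the slide's diagram (not the deck's data).
def _undirected(edges):
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

TWO_SITES = _undirected([
    ("Internet", "R1"), ("Internet", "R2"),   # one router per site
    ("R1", "LB1"), ("R2", "LB2"),             # one load balancer per site
    ("LB1", "SW1"), ("LB2", "SW2"),           # one switch per site
    ("SW1", "S1"), ("SW2", "S2"),             # one server per site
])

ONE_SITE = _undirected([
    ("Internet", "R1"),                       # single router
    ("R1", "LB1"), ("R1", "LB2"),             # duplicated load balancers ...
    ("LB1", "SW1"), ("LB2", "SW1"),           # ... both behind one switch
    ("SW1", "S1"), ("SW1", "S2"),
])

def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from start while the nodes in `removed` are out of service."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def single_points_of_failure(graph, source, servers):
    """Nodes other than `source` whose loss alone leaves no server reachable."""
    spof = set()
    for node in graph:
        if node == source:
            continue
        if not servers & reachable(graph, source, frozenset([node])):
            spof.add(node)
    return spof
```

Redundant components that sit behind a shared one (the two load balancers in ONE_SITE) buy nothing, which is exactly what the check reports.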
12. A Risk-Driven Security Process
• Identify your major assets
• Identify the risks to those assets
• Measure the impacts ($) and probabilities (%) of those risks
• Decide what levels of impacts and probabilities of risks are acceptable
• Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level
• Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives
• Assess residual risks
• Review effectiveness of those policies, standards, procedures, and controls
[Figure: process cycle: ID Assets → ID Risks → Calc Impact & Probability → Decide Acceptable Levels → Budget Security → Plan Defenses → Assess Residual Risks → Review Effectiveness.]
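The “calculation” quoted in the introduction (risk = asset value × probability) and the budgeting and residual-risk steps of this process, carried through on numbers. This is an added example, not the deck’s code; the assets, dollar values, probabilities, acceptable levels and control effects are constructed.

```python
# Constructed example (not the deck's code) of the slide's risk arithmetic:
# exposure of a risk = impact ($) x probability, and the security budget is
# the exposure above the level the organization decided to accept.
ASSETS = {
    "customer database": 2_000_000,   # $ value of the asset (constructed)
    "public web site":     300_000,
}

# (asset, risk, impact as the fraction of asset value lost, annual probability)
RISKS = [
    ("customer database", "breach / exfiltration", 1.00, 0.05),
    ("customer database", "ransomware",            0.50, 0.10),
    ("public web site",   "defacement",            0.20, 0.30),
    ("public web site",   "DDoS outage",           0.10, 0.50),
]

def exposure(asset, impact_fraction, probability):
    """Expected annual loss: impact ($) times probability."""
    return ASSETS[asset] * impact_fraction * probability

def risk_register(risks=RISKS):
    """Rows of (asset, risk, exposure $), highest exposure first."""
    rows = [(a, r, exposure(a, i, p)) for a, r, i, p in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def security_budget(acceptable, risks=RISKS):
    """Sum over risks of (exposure - acceptable exposure), floored at zero.
    `acceptable` maps a risk name to the $ exposure the organization tolerates."""
    return sum(max(e - acceptable.get(r, 0.0), 0.0) for _, r, e in risk_register(risks))

def residual_exposure(controls, risks=RISKS):
    """Re-assess after controls: each control scales its risk's probability (1.0 = no control)."""
    return {r: exposure(a, i, p * controls.get(r, 1.0)) for a, r, i, p in risks}
```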