95752:1-1
95-752 Introduction to Information
Security Management
Tim Shimeall, Ph.D.
tjs@cert.org
412-268-7611
Office Hours by Appointment
Course website: http://www.andrew.cmu.edu/course/95-752
95752:1-2
Course Covers
Introduction/Definitions
Physical security
Access control
Data security
Operating system security
Application security
Network security
95752:1-3
Student Expectations
• Grading:
– 2 Homeworks
– Midterm
– Paper/project
• All submitted work is sole effort of student
• Students are interested in subject area
• Students have varied backgrounds
95752:1-4
Information Revolution
• Information Revolution as pervasive as the
Industrial Revolution
• Impact is Political, Economic, and Social as well
as Technical
• Information has an increasing intrinsic value
• Protection of critical information now a critical
concern in Government, Business, Academia
95752:1-5
A Different Internet
• Armies may cease to march
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but
purposeful military, political, and criminal
organizations
95752:1-6
Computer Terms (1)
Computer – A collection of the following:
Central Processing Unit (CPU): Instruction processing
Memory (RAM): Transient storage for data
Disk: More permanent storage for data
Monitor: Display device
Printer: Hard copy production
Network card: communication circuitry
95752:1-7
Computer Terms (2)
Software: Instructions for a computer
Operating System: manages interaction among the
components of the computer
Application software: common tasks (e.g.,
email, word processing, program
construction, etc.)
API/Libraries: Support for common tasks
95752:1-8
Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude
• Clear the disk and try again!
95752:1-9
Why is Security Difficult
• Managers unaware of value of
computing resources
• Damage to public image
• Legal definitions often vague or non-existent
• Legal prosecution is difficult
• Many subtle technical issues
95752:1-10
Objectives of Security
• Privacy – Information only available to
authorized users
• Integrity – Information retains intended
content and semantics
• Availability – Information retains access
and presence
The relative importance of these shifts over time and
depends on the organization
95752:1-11
Security Terms
Exposure - “actual harm or possible harm”
Vulnerability - “weakness that may be
exploited”
Attack - “human originated perpetration”
Threat - “potential for exposure”
Control - “preventative measure”
95752:1-12
Classes of Threat
• Interception
• Modification
• Masquerade
• Interruption
Most Security Problems Are People-Related
95752:1-13
Software Security Concerns
• Theft
• Modification
• Deletion
• Misplacement
95752:1-14
Data Security Concerns
• Vector for attack
• Modification
• Disclosure
• Deletion
“If you have a $50 head, buy a $50 helmet”
95752:1-15
Network Security Concerns
• Basis for Attack
• Publicity
• Theft of Service
• Theft of Information
Network is only as strong as its weakest link
Problems multiply with number of nodes
95752:1-16
Motivations to Violate Security
• Greed
• Ego
• Curiosity
• Revenge
• Competition
• Political/Ideological
95752:1-17
People and Computer Crime
• Most damage not due to attacks
“Oops!”
“What was that?”
• No clear profile of computer criminal
• Law and ethics may be unclear
“Attempting to apply established law in the fast
developing world of the Internet is somewhat
like trying to board a moving bus” (Second
Circuit, US Court of Appeals, 1997)
95752:1-18
Theory of Technology Law
• Jurisdiction:
– Subject matter – power to hear a type of case
– Personal – power to enforce a judgment on a defendant
• Between states: Federal subject matter
• Within state: State/local subject matter
• Criminal or Civil
– Privacy/obscenity covered now
– Intellectual property covered later
95752:1-19
Privacy Law
• Common law:
– Person’s name or likeness
– Intrusion
– Disclosure
– False light
• State/Local law: Most states have computer
crime laws, varying content
• International law: patchy, varying content
95752:1-20
Federal Privacy Statutes
• ECPA (communication)
• Privacy Act of 1974 (Federal collection/use)
• Family Educational Rights & Privacy Act (school records)
• Fair Credit Reporting Act (credit information)
• Federal Cable Communications Privacy Act (cable
subscriber info)
• Video Privacy Act (video rental information)
• HIPAA (health care information)
• Sarbanes-Oxley Act (corporate accounting)
• Patriot Act (counter-terrorism)
Plus state law in more than 40 states, and local laws
95752:1-21
Federal Obscenity Statutes
• Miller test (Miller v. California, 1973):
– Average person, applying contemporary community
standards, would find that the work appeals to prurient interest
– Sexual content
– Lack of literary, artistic, political or scientific value
• Statutes:
– Communications Decency Act (struck down)
– Child Online Protection Act (struck down)
– Child Pornography Protection Act (struck down –
virtual child porn; live children still protected)
95752:1-22
Indian Trust Funds
• Large, developing case: Cobell v. Norton
– http://www.indiantrust.com/
• Insecure handling of entrusted funds
• Legal Internet disruption
• Criminal contempt proceedings
• Judicial overstepping
95752:1-23
Three Security Disciplines
• Physical
– Most common security discipline
– Protect facilities and contents
• Plants, labs, stores, parking areas, loading areas,
warehouses, offices, equipment, machines, tools,
vehicles, products, materials
• Personnel
– Protect employees, customers, guests
• Information
– The rest of this course
95752:1-24
How Has It Changed?
• Physical Events Have Cyber Consequences
• Cyber Events Have Physical Consequences
95752:1-25
Why Physical Security?
• Not all threats are “cyber threats”
• Information is one commodity that can be stolen
without being “taken”
• Physically barring access is first line of defense
• Forces those concerned to prioritize!
• Physical Security can be a deterrent
• Security reviews force insights into value of what
is being protected
95752:1-26
Layered Security
• Physical Barriers
– Fences
– Alarms
– Restricted Access Technology
• Physical Restrictions
– Air Gapping
– Removable Media
– Remote Storage
• Personnel Security Practices
– Limited Access
– Training
– Consequences/Deterrence
95752:1-27
Physical Barriers
• Hardened Facilities
• Fences
• Guards
• Alarms
• Locks
• Restricted Access Technologies
– Biometrics
– Coded Entry
– Badging
• Signal Blocking (Faraday Cages)
95752:1-28
Outer Protective Layers
• Structure
– Fencing, gates, other barriers
• Environment
– Lighting, signs, alarms
• Purpose
– Define property line and discourage trespassing
– Provide distance from threats
95752:1-29
Middle Protective Layers
• Structure
– Door controls, window controls
– Ceiling penetration
– Ventilation ducts
– Elevator Penthouses
• Environment
– Within defined perimeter, positive controls
• Purpose
– Alert threat, segment protection zones
95752:1-30
Inner Protective Layers
• Several layers
• Structure
– Door controls, biometrics
– Signs, alarms, CCTV
– Safes, vaults
• Environment
– Authorized personnel only
• Purpose
– Establish controlled areas and rooms
95752:1-31
Other Barrier Issues
• Handling of trash or scrap
• Fire:
– Temperature
– Smoke
• Pollution:
– CO
– Radon
• Flood
• Earthquake
95752:1-32
Physical Restrictions
• Air Gapping Data
– Limits access to various security levels
– Requires conscious effort to violate
– Protects against inadvertent transmission
• Removable Media
– Removable Hard Drives
– Floppy Disks/CDs/ZIP Disks
• Remote Storage of Data
– Physically separate storage facility
– Use of Storage Media or Stand Alone computers
– Updating of Stored Data and regular inventory
95752:1-33
Personnel Security Practices
• Insider Threat the most serious
– Disgruntled employee
– Former employee
– Agent for hire
• Personnel Training
– Critical Element
– Most often overlooked
• Background checks
– Critical when access to information required
– Must be updated
– CIA/FBI embarrassed
95752:1-34
Activities or Events
• Publications, public releases, etc.
• Seminars, conventions or trade shows
• Survey or questionnaire
• Plant tours, “open house”, family visits
• Governmental actions: certification,
investigation
• Construction and Repair
95752:1-35
NISPOM
National Industrial Security Program
Operating Manual
• Prescribes requirements, restrictions and other
safeguards for information
• Protections for special classes of information:
• National Security Council provides overall policy
direction
• Governs oversight and compliance for 20
government agencies
95752:1-36
Methods of Defense
Overlapping controls
– Authentication
– Encryption
– Integrity control
– Firewalls
– Network configuration
– Application configuration
– Policy
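Added example, not part of the course slides: a minimal file-integrity check, one concrete form of the "integrity control" listed above and of the Integrity objective (information retains intended content). It builds a baseline of SHA-256 digests for a directory tree and later reports files that were modified, added or removed, which is how a defender would notice the "system software modified" and "event logging selectively disabled" steps of the Vulnerability (2001) slide. The directory layout, file names and contents are constructed for the demonstration; the function names are this example's own.

```python
"""Baseline-and-compare file integrity check (added example, not course code).

The baseline should be kept where an intruder on the monitored host cannot
rewrite it (the Remote Storage / Removable Media slides); here it is simply
round-tripped through JSON to show that it serialises.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report which baselined files changed, vanished, or appeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "removed": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Construct a tiny 'system', baseline it, alter it, and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")   # constructed
        (root / "etc").mkdir()
        (root / "etc" / "syslog.conf").write_text("*.* /var/log/messages\n")  # constructed
        (root / "etc" / "motd").write_text("Authorized use only\n")          # constructed

        baseline = json.loads(json.dumps(build_baseline(root)))  # would be stored off-host

        # Changes of the kinds the 2001 slide lists: logging configuration altered,
        # a system binary replaced, an unexpected program added, a file deleted.
        (root / "etc" / "syslog.conf").write_text("# logging disabled\n")
        (root / "bin" / "login").write_bytes(b"replaced login binary")
        (root / "bin" / "scanner").write_bytes(b"unexpected new program")
        (root / "etc" / "motd").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline: if the digest list lives on the same disk the intruder controls, it can be rewritten along with the binaries, so it belongs on removable or remote storage and is re-baselined only after deliberate, authorised changes.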