Defensive information warfare

  • DIW is related to intentional attacks. Unintentional threats such as

1. Defensive Information Warfare
  • ISQA 8560
  • University of Nebraska – Omaha
  • James Peters
  • Sohel Imroz
  • Fizal Hosein
  • Date: 2/3/2004

2. Goals of Defensive Information Warfare
  • Aims to protect information resources from three forms of attack:
    • Increased availability to the Offense
    • Decreased availability to the Defense
    • Decreased Integrity

3. Defensive Information Warfare
  • Main Goal:
    • Provide a defense that is cost effective without totally limiting the capabilities of the organization
  • Value:
    • Difficult to place a monetary value on information
      • Market value
      • Exclusivity of information
      • Losses are difficult to measure
        • Downtime
        • Repairs
        • Perception

4. Defensive Information Warfare
  • Offensive Operations = Bad Guys
    • Threats come in the form of:
      • Players
      • Group of Players
      • Methods Employed
      • Intentions
    • Job of the Defense is to:
      • Prepare
      • Prepare
      • Prepare

5. Defensive Playbook
  • Defensive Information Warfare Areas
    • Prevention
    • Deterrence
    • Indications and Warnings
    • Detection
    • Emergency Preparedness
    • Response

6. Defensive Playbook
  • Prevention
    • Prevent an attack from occurring in the first place
      • Information Hiding
      • Authentication
      • Access Controls
      • Vulnerability Assessments
      • Avoidance

7. Defensive Playbook
  • Deterrence
    • Make an attack unattractive
      • Laws
      • Penalties
      • Retaliations
    • Security Controls
      • Keep the honest thieves out

8. Defensive Playbook
  • Detection
    • Monitors inside the system to recognize an attack after it has occurred
      • Scan Media
      • Filter Messages
      • Audit Systems
      • Damage Prevention

9. Defensive Playbook
  • Indications and Warnings
    • Stay Current
    • Recognize Potential Threats
    • Understand Methods of Attack

10. Defensive Playbook
  • Emergency Preparedness
    • Recovery
    • Response
  • Risk Management
    • Define an acceptable level of risk

11. Defensive Playbook
  • Incident Response/Incident Handling
    • When the poo hits the fan
      • Steps taken after an attack
        • Countermeasures
        • Investigations
        • Prosecutions
        • Retaliations
        • Sanctions
        • Cost Assessments

12. Too Defensive?
  • Lost Opportunities

13. Information Security and Information Assurance
  • Defensive Information Warfare
  • IS & IA Address
    • Unintentional Threats
      • Errors
      • Accidents
      • Natural Disasters

14. Perception Management
  • Public Media Perception
    • Perception is Reality
    • Bad Publicity
    • Public Confidence
    • Delegitimization of Nations

15. CIA Model and Authorization
  • Confidentiality
  • Integrity
  • Availability
    • Availability to Offense
    • Availability to Defense

16. CIA Model and Authorization
  • Authorization
    • Who is allowed to access what, and in what manner
    • Who: any entity capable of taking action
    • What: any information resource in any media form
    • Access in what manner: what the entity is permitted to do with it

17. Authorization Organization
  • Organized Authorization
    • Impose restrictions on who sees what
      • Top Secret
      • Secret
      • Confidential
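As an added example (not part of the slides), the who/what/manner model of slides 16 and 17 written out as an authorization check, with the three classification levels the slide lists; the subject and resource names, the role-to-action grants and the "no read up" rule are assumptions for illustration:

```python
# Added example (not from the slides): an authorization check built on the slide's
# three questions, WHO (an entity), WHAT (a resource) and IN WHAT MANNER (the action),
# using the three classification levels listed. Names and the "no read up" rule
# are assumptions for illustration.
from dataclasses import dataclass

LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Subject:           # WHO: any entity capable of taking action
    name: str
    clearance: str
    roles: frozenset

@dataclass(frozen=True)
class Resource:          # WHAT: any information resource in any media form
    name: str
    classification: str
    allowed: dict        # role -> set of permitted actions (the "manner")

def is_authorized(subject: Subject, resource: Resource, action: str) -> bool:
    """True only if `subject` may perform `action` on `resource`."""
    # Unknown labels are denied rather than given a default level.
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False
    # Mandatory rule: clearance must be at or above the classification (no read up).
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False
    # Discretionary rule: the action must be granted to one of the subject's roles.
    return any(action in resource.allowed.get(role, set()) for role in subject.roles)

# Constructed sample subjects and resources.
ANALYST = Subject("analyst", "Secret", frozenset({"analyst"}))
CLERK = Subject("clerk", "Confidential", frozenset({"clerk"}))
PLAN = Resource("deployment-plan", "Secret", {"analyst": {"read"}, "planner": {"read", "write"}})
MEMO = Resource("staff-memo", "Confidential", {"analyst": {"read"}, "clerk": {"read", "print"}})

def demo() -> dict:
    return {
        "analyst reads plan": is_authorized(ANALYST, PLAN, "read"),    # True
        "analyst writes plan": is_authorized(ANALYST, PLAN, "write"),  # False: manner not granted
        "clerk reads plan": is_authorized(CLERK, PLAN, "read"),        # False: clearance too low
        "clerk prints memo": is_authorized(CLERK, MEMO, "print"),      # True
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allow' if ok else 'deny'}")
```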
18. The Notion of Privacy
  • Country was built on the notion of privacy
  • EU Data Protection Act of 1995
    • Gives legal rights to individuals regarding their personal data held by others
  • Similar attempts, but industry pressure

19. Privacy and Secrets
  • Secrets
    • Exclusivity
    • Military
    • Political
    • Personal

20. Privacy and Anonymity
  • Benefits/Drawbacks of Anonymity
    • Complete Anonymity
      • Inability to distinguish one communication from another
    • Pseudonymity
      • Ability to distinguish and link communications from the same pseudonym
        • Cookies, IP addresses…

21. Privacy and Anonymity
  • Commercial Anonymity
    • Customers want privacy, but are they willing to pay for anonymity?
  • Medical Anonymity
    • Very Important Stuff
    • Good Reasons/Bad Reasons
    • Balance Between Privacy and Access

22. Authentication
  • Authentication is about the continuity of relationships, knowing who to trust and who not to trust. (Schneier)
  • The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source. (hyperdictionary.com)

23. Authentication
  • Authentication can be proven by:
    • Type 1: Something you know
      • password, pass phrase, PIN
    • Type 2: Something you have
      • photo ID, magnetic card
    • Type 3: Something you are
      • fingerprint, retina pattern, hand geometry

24. Authentication
  • Type 1: password, pass phrase, PIN
    • Advantages:
      • Simple to implement; users can have it anywhere
      • Can easily be changed
      • Hard to lose or have stolen
      • If a non-dictionary word or number, it is difficult to crack.
      • Possible combinations for passwords of 1 to 6 characters (http://www.safescrypt.com/resources/PasswordWhitePaper.pdf):
        • Alpha: 321,272,406
        • Upper/lowercase alpha: 20,158,268,676
        • Numeric: 1,111,110
        • Upper/lowercase alpha + numeric: 57,731,386,986
        • Extended: 1,108,378,656
        • Upper/lowercase alpha + numeric + extended: 742,912,017,120

25. Authentication
  • Type 1: password, pass phrase, PIN
    • Advantages (cont.):
      • Possible combinations for passwords of 1 to 8 characters (http://www.safescrypt.com/resources/PasswordWhitePaper.pdf):
        • Alpha: 217,180,147,158
        • Upper/lowercase alpha: 54,507,958,502,660
        • Numeric: 111,111,110
        • Upper/lowercase alpha + numeric: 221,919,451,578,090
        • Extended: 1,134,979,744,800
        • Upper/lowercase alpha + numeric + extended: 6,704,780,954,517,120
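An added example, not from the slides or the cited white paper, that reproduces the two tables on slides 24 and 25 by summing k^L over lengths 1..n and then rates a concrete password by the character classes it actually uses; the alphabet sizes (26, 52, 10, 62, 32 and 95) are inferred from the slide's figures, and the guess rate is an assumed value:

```python
# Added example, not from the slides or the cited white paper: reproduces the
# slide's figures by summing k^L over lengths L = 1..n, then converts a keyspace
# into a worst-case exhaustive-search time at an assumed guess rate.
# Alphabet sizes are inferred from the figures: 26 alpha, 52 mixed case,
# 10 numeric, 32 "extended" symbols, 95 for the combined printable set.
CHARSETS = {
    "Alpha": 26,
    "Upper/lowercase alpha": 52,
    "Numeric": 10,
    "Upper/lowercase alpha + numeric": 62,
    "Extended": 32,
    "Upper/lowercase alpha + numeric + extended": 95,
}

def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count of distinct passwords with length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** length for length in range(min_len, max_len + 1))

def keyspace_table(max_len: int) -> dict:
    """The slide's table for a given maximum length, keyed by character set name."""
    return {name: keyspace(size, max_len) for name, size in CHARSETS.items()}

def effective_alphabet(password: str) -> int:
    """Alphabet size implied by the character classes actually used: an 8-character
    all-lowercase password draws from the 26-set whatever the policy allows.
    The 33 symbols are an assumption consistent with the 95-character combined set."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size

def exhaustive_search_days(password: str, guesses_per_second: float) -> float:
    """Days to try every candidate up to the password's length from its effective
    alphabet: the attacker's worst case at an assumed guess rate."""
    space = keyspace(effective_alphabet(password), len(password))
    return space / guesses_per_second / 86_400

if __name__ == "__main__":
    for name, count in keyspace_table(6).items():
        print(f"{name:45s} {count:>25,d}")
    # Compare an 8-character lowercase password with a 95-set one at 1e9 guesses/s.
    for pw in ("password", "Passw0rd!"):
        print(pw, f"{exhaustive_search_days(pw, 1e9):.2f} days")
```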
26. Authentication
  • Type 1: password, pass phrase, PIN
    • Disadvantages:
      • Authentication information can be duplicated
      • They can be guessed; no special skill needed
      • Often broken by simple brute-force guessing attacks using automated methods

27. Authentication
  • A few facts on passwords:
    • 56% are between 3 and 6 characters
    • 86% are lowercase only
    • High probability of 1 common password in every 20 passwords
    • In 20 years, the average password length has increased by only 2 characters
    • Common use of user names as passwords
    • Passwords are dictionary words
    • Same password on different systems
  • Source: http://www.safescrypt.com/resources/PasswordWhitePaper.pdf

28. Authentication
  • Type 2: photo ID, magnetic card, etc.
    • Advantages:
      • Difficult to duplicate
      • Made with special equipment that is generally unavailable
    • Disadvantages:
      • More effort needed to guard against theft
      • Own carelessness
      • More expensive
      • Can be lost or stolen

29. Authentication
  • Type 3: fingerprints, retina pattern, etc.
    • Advantages:
      • Provides more assurance than types 1 and 2
    • Disadvantages:
      • Very expensive to implement
      • Not guaranteed to be infallible; for example, identical twins cannot be told apart by DNA readers
      • General public may be more resistant to retina scanning than to fingerprinting

30. Authentication
  • Types of authentication:
    • Session authentication
    • Transaction authentication

31. Integrity
  • Refers to the validity of data.
  • Integrity vs. authentication
  • Integrity vs. accuracy

32. Integrity
  • Integrity can be compromised by:
    • System misconfiguration
    • Internal users
    • External threats
    • Theft
    • Fraud
    • Human error

33. Integrity
  • Preserve document integrity:
    • For a given “document”, a new small file (128 bits) is produced, representing the signature of the document.
    • Known as a “hash digest”.
    • The hash digest can be reproduced.
    • Works in one direction only.
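The hash-digest workflow from slide 33 as an added example (not the authors' code): compute the digest once, recompute it later to verify, and watch it change on a one-field edit; MD5 supplies the 128-bit digest the slide describes, SHA-256 is computed alongside it, and the document bytes are constructed:

```python
# Added example (not from the slides): the slide's "hash digest" in practice.
# A digest is computed once over a document and stored; anyone can recompute it
# later (reproducible) and compare, but nobody can work back from the digest to
# the document (one direction only). MD5 gives the 128-bit digest the slide
# describes; SHA-256 is shown alongside it. The document text is constructed.
import hashlib
import hmac

DOCUMENT = b"Defensive Information Warfare - ISQA 8560 - 2/3/2004\n"

def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of `data`: MD5 yields 128 bits (32 hex chars), SHA-256 yields 256."""
    return hashlib.new(algorithm, data).hexdigest()

def verify(data: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Recompute the digest and compare it in constant time against the stored value."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)

def demo() -> dict:
    stored = digest(DOCUMENT)                        # what the publisher records
    tampered = DOCUMENT.replace(b"2004", b"2005")    # a one-field edit to the document
    return {
        "digest_bits": len(stored) * 4,              # 128 for MD5
        "reproducible": verify(DOCUMENT, stored),    # True: same input, same digest
        "tamper_detected": not verify(tampered, stored),  # True: any change alters the digest
        "sha256_bits": len(digest(DOCUMENT, "sha256")) * 4,  # 256
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```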
34. Audit
  • Auditing checklist:
    • Vulnerability assessment
    • Physical and site security
    • Communications access control
    • Network concerns

35. Audit
  • Vulnerability assessment:
    • Analysis of exposure to the following dangers:
      • Hardware
      • Electro-mechanical device failure
      • CPU failure
      • Tape drive failure
      • Circuit failure
      • Faulty design
      • Viruses
      • Insufficient testing

36. Audit
  • Physical and site security:
    • Is the perimeter security adequate?
    • Is the building’s security adequate?
      • Access control
      • Proper lighting
      • Alarm systems
      • Environmental control
    • Is there sufficient ventilation around the PCs?
    • Are the PCs placed away from water and steam pipes?

37. Audit
  • Environmental concerns:
    • Housekeeping
    • Magnetic media handling
    • Electrical power
    • Hardware security
    • Documentation security
    • Data security and record management

38. Audit
  • Communications access control:
    • Access control
    • Communications backup
    • Virus recovery

39. Audit
  • Network concerns:
    • Network management
    • Server management
    • Software management
    • Data management
    • Data security
  • For more information, please visit http://www.tecrime.com/0secure.htm#PhysicalSiteSecurity

40. Proactive Solutions
  • Fraud prevention:
    • Has traditionally been reactive
      • Solution follows problem
    • Needs to be proactive
      • Prevent fraud before it happens
