Securing an Information Resource Management System


Upload: primo

Post on 08-Feb-2016


DESCRIPTION

Securing an Information Resource Management System. Overview: security issues of an information resource management system; secure physical network; standards and protocols used in information security; management tools used to implement that system. Information Security in Society.

TRANSCRIPT

Page 1: Securing an Information Resource Management System

Securing an Information Resource Management System

Page 2: Securing an Information Resource Management System

Overview

Security issues of an information resource management system
Secure physical network
Standards and protocols used in information security
Management tools used to implement that system

Page 3: Securing an Information Resource Management System

Information Security in Society

Homeland Defense
Homeland Defense as an information security system
Need to communicate sensitive information efficiently in a crisis

Page 4: Securing an Information Resource Management System

Information Security in Society

HD Secretary Tom Ridge and Strategic Communications Resources (SECURE) Initiative
Five new HD officers per state
Secure telephones and video conferencing for the Governor's office

Page 5: Securing an Information Resource Management System

Information Security in Society

Information-based industry
Potential loss
New information technology = new vulnerabilities

Page 6: Securing an Information Resource Management System

The First Step

Page 7: Securing an Information Resource Management System

Secure Information Network Physical Architectures

Homeland example
Telephony equipment
Emergency Operations Center

Page 8: Securing an Information Resource Management System

FIPS 140-2

FIPS 140-2 (Federal Information Processing Standard)
Crypto-modules
tests hardware, software, firmware
crypto algorithms
key-generation

Page 9: Securing an Information Resource Management System

Secure Environments

Secure Environments:
authorized personnel
placing servers locally
disconnected information networks

Page 10: Securing an Information Resource Management System

Smart Cards

Used in combination with other id-securing methods
Portable
Secure
Difficult to replicate, useless to steal
Appearance; gold-contacts
Microprocessor
Also can be used to facilitate secure communications

Page 11: Securing an Information Resource Management System

Smart Cards

Little interoperability between software and hardware of different vendors
Difficult implementation and maintenance
NIST (National Institute of Standards and Technology)
NIST is working on guidelines/specifications (as we'll see in the next section)

Page 12: Securing an Information Resource Management System

Firewalls

Located on routers or servers
Blocks specific communications and allows specific communication

Page 13: Securing an Information Resource Management System
Page 14: Securing an Information Resource Management System

Firewalls

Located on routers or servers
Blocks specific communications and allows specific communication
useful in preventing viruses

Page 15: Securing an Information Resource Management System

Connected Networks

Can be physically isolated to provide security
Controlled communication access points

Page 16: Securing an Information Resource Management System

VLANs

By remote login, a server can make it appear as though the user is on a network
Secure tunneling

Page 17: Securing an Information Resource Management System
Page 18: Securing an Information Resource Management System

Wi-Fi

Wi-Fi (short for "wireless fidelity")
Ever-growing Wi-Fi networks

Page 19: Securing an Information Resource Management System
Page 20: Securing an Information Resource Management System

Wi-Fi

Wi-Fi (short for "wireless fidelity")
Ever-growing Wi-Fi networks
Unsecured

Page 21: Securing an Information Resource Management System

Wi-Fi

Current business trends demand Robust Security Networks (RSNs) on Wi-Fi:
RSN
Dependable
Secure
Versatile

Page 22: Securing an Information Resource Management System

Wi-Fi

Wi-Fi products need to
Provide security
Multi-vendor interoperability
Long security lifecycle to lengthen usability
Support hotspot connectivity

Page 23: Securing an Information Resource Management System

Wi-Fi and FIPS 140-2

802.11b IEEE standard
Minimal security
FIPS 140-2 and 802.11 and Bluetooth standard (for Wi-Fi)
IEEE, IETF, NIST working to create effective standards
Theory: higher level crypto protocols, like IPSec (next section)

Page 24: Securing an Information Resource Management System

Wi-Fi

Interim methods for minimizing Wi-Fi losses:
Detailed wireless topology
Inventory of devices
Frequent back-ups
Random security audits of Wi-Fi infrastructure
Monitor Wi-Fi technology changes

Page 25: Securing an Information Resource Management System
Page 26: Securing an Information Resource Management System

Universal Standards/Protocols

Different technology vendors and universal standards/protocols

Page 27: Securing an Information Resource Management System

Standards and Protocols

Information security standards/protocols are also policy

Page 28: Securing an Information Resource Management System

Standards and Protocols

Congress and the Gramm-Leach-Bliley Act
Bank security policies
Information security standards
Protect customer info
Protect other nonpublic info
Safe, secure, and reliable transactions

Page 29: Securing an Information Resource Management System

Standards and Protocols

ISO 17799, ISF, NIST:
Guidelines that have standards for information security
Security communication protocols
Cryptographic standards
What are common cryptographic standards?

Page 30: Securing an Information Resource Management System

Cryptographic Standards

Common cryptographic standards
Integrity
Authenticity
Authorization/access control model
Non-repudiation

Page 31: Securing an Information Resource Management System

Cryptographic Standards

Definition: block cipher
Definition: cipher text
Definition: stream cipher
Definition: symmetric block cipher
algorithm to encrypt and decrypt block text

Page 32: Securing an Information Resource Management System

Cryptographic Standards

Digital Signature Standard (DSS)
Authentication and Integrity
Digital Signature Algorithm (DSA): public-private key schemes (discussed later)

Page 33: Securing an Information Resource Management System

DSA

Hashing
Definition: message digest
Digest encrypted with DSA

Page 34: Securing an Information Resource Management System
Page 35: Securing an Information Resource Management System

DSA

FIPS 180-1 (FIPS Hashing standard)
SHA-1, SHA-256 blocks <2^64 bits
SHA-384, SHA-512 blocks <2^128 bits
changes to a message result in a different digest (high probability)
also used with stored data

Page 36: Securing an Information Resource Management System

Keys

Secret keys

Page 37: Securing an Information Resource Management System
Page 38: Securing an Information Resource Management System
Page 39: Securing an Information Resource Management System

Keys

Public-Private Keys

Page 40: Securing an Information Resource Management System
Page 41: Securing an Information Resource Management System
Page 42: Securing an Information Resource Management System

Keys

Key certificates
Key lifecycle

Page 43: Securing an Information Resource Management System
Page 44: Securing an Information Resource Management System

Keys

Key-substitution vulnerability

Page 45: Securing an Information Resource Management System

Keys

Key-destruction vulnerability

Page 46: Securing an Information Resource Management System

Keys

Controlling the key lifecycle
Crypto-periods

Page 47: Securing an Information Resource Management System

PKI

Public Key Infrastructure (PKI)
Certificate Authorities
Electronic transport
Manual key transport
Trust

Page 48: Securing an Information Resource Management System

Let's look at some examples

Page 49: Securing an Information Resource Management System

IPSEC

IPSEC uses keys
Works on the Transport Layer

Page 50: Securing an Information Resource Management System
Page 51: Securing an Information Resource Management System

IPSEC

Tunneling

Page 52: Securing an Information Resource Management System
Page 53: Securing an Information Resource Management System

IPSec

Internet Key Exchange (IKE)
Serial authentication access
Confidentiality
Transmissions and key crypto periods

Page 54: Securing an Information Resource Management System

IPSec

Encapsulating Security Payload (ESP)
Double-encryption scheme
Encrypts data
Encrypts header (source/destination invisible)

Page 55: Securing an Information Resource Management System

NIST

NIST (National Institute of Standards and Technology)
Information security standards for government and industry

Page 56: Securing an Information Resource Management System

NIST

Business metrics and standards
Supports DSS and public key encryptions
The MAIDS standard
The AES standard

Page 57: Securing an Information Resource Management System

NIST

The MAIDS standard:
Mobile Agent Intrusion Detection and Security
Autonomous software entities
Security threats
MAIDS prevents unauthorized access
ensures secure communication with mobile agents

Page 58: Securing an Information Resource Management System

NIST

Advanced Encryption Standard (AES)
Keys of 128, 192, 256 bits / 16, 24, 32 character long encryption blocks
Symmetric block cipher
Federal Information Processing Standard approved (FIPS)
AES and IPSEC work with modification of the IKE exchange
AES/IPSEC protocol works at the IP layer

Page 59: Securing an Information Resource Management System
Page 60: Securing an Information Resource Management System

Poisoned dagger: the human element.

Page 61: Securing an Information Resource Management System

Personnel and Management Objectives in a Secure Information Environment

Page 62: Securing an Information Resource Management System

Business Mindset

“Quite frequently, the risk and the solutions are seen as part of the IT universe, while business leaders want to concentrate on product development, sales and revenue, and customer care. To change this mindset and to recognize IS as a business issue, the CISO has to inform, educate, and influence his or her business counterparts:”

--Robert Garigue, Information Systems

Page 63: Securing an Information Resource Management System

CIO and the CISO's tasks:

Describe:
Environmental factors (industry related threats)
New/developing standards
Defenses of digital assets taken
Existing security incidents
Financial impact of those breaches
New/developing metrics the CEO can use

Page 64: Securing an Information Resource Management System

CIO and the CISO's tasks:

Educate:
List risk factors to the bottom line
New technologies and their risks
Potential impact of breaches
How people participate in information security

Page 65: Securing an Information Resource Management System

CIO and the CISO's tasks:

Influence:
Priorities and resource allocation
Involving security specialists early in new projects
Deciding on organizational structures with information efficiency as a goal

Page 66: Securing an Information Resource Management System

CIO and the CISO's tasks: information risk analysis

Measures bottom line impact
Types of information loss
Malicious use
Predictive Systems
36% chance; 10-20 bill. in lost $

Page 67: Securing an Information Resource Management System

CIO and the CISO's tasks:

Security certification
Use common business metrics (activity reports) to measure the effect of information breaches
Are we secure?
Directly lead to budget decisions

Page 68: Securing an Information Resource Management System

Communicating Security Policy

Is the policy being followed?
Inform employees and management of
Security objectives
Organizational accountability
Standards and procedures
Available guidelines supporting the policy

Page 69: Securing an Information Resource Management System

Communicating Security Policy

Awareness metrics
Is the training effective?
Intranet website
Access management
Policy, politics, and technology
RBAC
Access based on identity vs. role
Operations with the object

Page 70: Securing an Information Resource Management System

Ongoing defense

Security tests
Upgrades
Communication monitoring
Computer forensics

Page 71: Securing an Information Resource Management System

A state of necessity