Defensive Information Warfare

ISQA 8560, University of Nebraska – Omaha

James Peters, Sohel Imroz, Fizal Hosein

Date: 2/3/2004

Goals of Defensive Information Warfare

Aims to protect information resources from three forms of attack:
• Increased availability to the Offense
• Decreased availability to the Defense
• Decreased Integrity

Defensive Information Warfare

Main Goal: Provide a defense that is cost effective without totally limiting the capabilities of the organization

Value: Difficult to place a monetary value on information
• Market value
• Exclusivity of information

Losses are difficult to measure
• Downtime
• Repairs
• Perception

Defensive Information Warfare

Offensive Operations = Bad Guys

Threats come in the form of:
• Players
• Groups of Players
• Methods Employed
• Intentions

Job of the Defense is to: Prepare, Prepare, Prepare

Defensive Playbook

Defensive Information Warfare Areas:
• Prevention
• Deterrence
• Indications and Warnings
• Detection
• Emergency Preparedness
• Response

Defensive Playbook

Prevention: Prevent an attack from occurring in the first place
• Information Hiding
• Authentication
• Access Controls
• Vulnerability Assessments
• Avoidance

Defensive Playbook

Deterrence: Make an attack unattractive
• Laws
• Penalties
• Retaliations

Security Controls: Keep the honest thieves out

Defensive Playbook

Detection: Monitors inside the system to recognize an attack after it has occurred
• Scan Media
• Filter Messages
• Audit Systems
• Damage Prevention

Defensive Playbook

Indications and Warnings:
• Stay Current
• Recognize Potential Threats
• Understand Methods of Attacks

Defensive Playbook

Emergency Preparedness:
• Recovery
• Response

Risk Management: Define an acceptable level of risk

Defensive Playbook

Incident Response/Incident Handling: When the poo hits the fan

Steps taken after an attack:
• Countermeasures
• Investigations
• Prosecutions
• Retaliations
• Sanctions
• Cost Assessments

Too Defensive?

Lost Opportunities

Information Security and Information Assurance

Defensive Information Warfare, IS & IA: Address Unintentional Threats
• Errors
• Accidents
• Natural Disasters

Perception Management

Public Media Perception
• Perception is Reality
• Bad Publicity
• Public Confidence
• Delegitimization of Nations

CIA Model and Authorization

Confidentiality, Integrity, Availability
• Availability to Offense
• Availability to Defense

CIA Model and Authorization

Authorization: Who is allowed to access what and in what manner
• Who - any entity capable of taking action
• What - any information resource in any media form
• Access in what manner - what the entity is permitted to do with it

Authorization Organization

Organized Authorization: Impose restrictions on who sees what
• Top Secret
• Secret
• Confidential

The Notion of Privacy

Country was built on the notion of privacy

EU Data Protection Act of 1995: Gives legal rights to individuals regarding their personal data held by others

Similar attempts, but industry pressure

Privacy and Secrets

Secrets: Exclusivity
• Military
• Political
• Personal

Privacy and Anonymity

Benefits/Drawbacks of Anonymity

Complete Anonymity: Inability to distinguish one communication from another

Pseudonymity: Ability to distinguish and link communications from the same pseudonym
• Cookies, IP addresses…

Privacy and Anonymity

Commercial Anonymity: Customers want privacy, but are they willing to pay for anonymity?

Medical Anonymity: Very Important Stuff
• Good Reasons/Bad Reasons
• Balance Between Privacy and Access

Authentication

Authentication is about the continuity of relationships, knowing who to trust and who not to trust. (Schneier)

The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source. (hyperdictionary.com)

Authentication

Authentication can be proven by:
• Type 1: Something you know (password, pass phrase, PIN)
• Type 2: Something you have (photo id, magnetic card)
• Type 3: Something you are (fingerprint, retina pattern, hand geometry)

Authentication

Type 1: password, pass phrase, PIN
Advantages:
• Simple to implement, users can have it anywhere
• Can easily be changed
• Hard to be lost or stolen
• If non-dictionary word or number, it is difficult to crack.

Possible passwords (based on 1 to 6-char-length password):
Alpha: 321,272,406
Upper/lowercase alpha: 20,158,268,676
Numeric: 1,111,110
Upper/lowercase alpha + numeric: 57,731,386,986
Extended: 1,108,378,656
Upper/lowercase alpha + numeric + extended: 742,912,017,120

Source: http://www.safescrypt.com/resources/PasswordWhitePaper.pdf

Authentication

Type 1: password, pass phrase, PIN
Advantages (cont.):

Possible passwords (based on 1 to 8-char-length password):
Alpha: 217,180,147,158
Upper/lowercase alpha: 54,507,958,502,660
Numeric: 111,111,110
Upper/lowercase alpha + numeric: 221,919,451,578,090
Extended: 1,134,979,744,800
Upper/lowercase alpha + numeric + extended: 6,704,780,954,517,120

Source: http://www.safescrypt.com/resources/PasswordWhitePaper.pdf

Authentication

Type 1: password, pass phrase, PIN
Disadvantages:
• Authentication information can be duplicated
• They can be guessed, no special skill needed
• Often broken by simple brute force guessing attack using automated methods
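The password-space figures quoted on the two preceding slides are the geometric sum of symbols^1 through symbols^N; the script below (an added example, not part of the slides or the cited white paper) rebuilds both tables and turns a keyspace into a worst-case exhaustive-guessing time. The character-set sizes (26, 52, 10, 62, 32 and 95 symbols) and the guess rate are assumptions inferred from, or chosen to illustrate, the slide's numbers.

```python
# Added example: reproduce the slide's password-space counts and estimate how
# long an exhaustive guesser would need. Character-set sizes are inferred from
# the slide's totals (they match 26, 52, 10, 62, 32 and 95 symbols exactly).
CHARSETS = {
    "Alpha": 26,
    "Upper/lowercase alpha": 52,
    "Numeric": 10,
    "Upper/lowercase alpha + numeric": 62,
    "Extended": 32,
    "Upper/lowercase alpha + numeric + extended": 95,
}


def keyspace(symbols: int, max_len: int, min_len: int = 1) -> int:
    """Count every password of min_len..max_len characters over `symbols` symbols.

    This is symbols**min_len + ... + symbols**max_len: the number of candidates
    an exhaustive guesser has to try in the worst case.
    """
    return sum(symbols ** n for n in range(min_len, max_len + 1))


def keyspace_table(max_len: int) -> dict:
    """Rebuild the slide's table for passwords of 1 to `max_len` characters."""
    return {name: keyspace(size, max_len) for name, size in CHARSETS.items()}


def worst_case_seconds(symbols: int, max_len: int, guesses_per_second: float) -> float:
    """Seconds to exhaust the keyspace at an assumed guess rate (rate is not from the slide)."""
    return keyspace(symbols, max_len) / guesses_per_second


if __name__ == "__main__":
    for max_len in (6, 8):
        print(f"Passwords of 1 to {max_len} characters:")
        for name, count in keyspace_table(max_len).items():
            print(f"  {name:<45} {count:>25,}")
    # Illustrative rate only: ten million guesses per second is an assumed figure.
    for symbols in (10, 26, 95):
        days = worst_case_seconds(symbols, 8, 1e7) / 86400
        print(f"{symbols}-symbol set, up to 8 chars, 1e7 guesses/s: {days:,.2f} days worst case")
```

The same function also answers the slide's "56% between 3-6 characters" point: `keyspace(26, 6, 3)` counts only the short lowercase passwords most users actually pick.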

Authentication

Few facts on passwords:
• 56% between 3-6 characters
• 86% lowercase only
• High probability of 1 common password in every 20 passwords
• In 20 years, average length of password has increased by 2 characters only
• Common use of user names as passwords
• Passwords are dictionary words
• Same password on different systems

Source: http://www.safescrypt.com/resources/PasswordWhitePaper.pdf

Authentication

Type 2: photo id, magnetic card, etc.
Advantages:
• Difficult to duplicate
• Made from special equipment that is generally unavailable
Disadvantages:
• More effort needed to guard from theft
• Own carelessness
• More expensive
• Can be lost or stolen

Authentication

Type 3: fingerprints, retina pattern, etc.
Advantages:
• Provides more assurance than types 1 and 2
Disadvantages:
• Very expensive to implement
• Not guaranteed to be infallible, example: identical twins cannot be told apart by DNA readers
• General public may be more resistant to retina scanning than to fingerprinting

Authentication

Types of authentication:
• Session authentication
• Transaction authentication

Integrity

Refers to the validity of data.

Integrity vs. authentication
Integrity vs. accuracy

Integrity

Integrity can be compromised by:
• System misconfiguration
• Internal users
• External threats
• Theft
• Fraud
• Human error

Integrity

Preserve document integrity: For a given “document” a new small file (128 bit) is produced, representing the signature of the document. Known as a “hash digest”.
• Hash digest can be reproduced.
• Works in one direction only.
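The check the slide describes, as an added example (not code from the slides): record a digest of a document, then later recompute it and compare. MD5 is used because its 128-bit output matches the slide's "small file (128 bit)"; SHA-256 is offered as an assumed alternative because MD5 collisions have been demonstrated since 2004, so MD5 no longer protects against a deliberately crafted substitute document.

```python
import hashlib
import hmac

# Added example: integrity check with a hash digest. The sample documents below
# are constructed for the demonstration.


def hash_digest(document: bytes, algorithm: str = "md5") -> str:
    """Return the hex digest of a document.

    The same bytes always give the same digest (reproducible), and the digest
    cannot be turned back into the document (one direction only).
    """
    return hashlib.new(algorithm, document).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Size of the digest in bits: 128 for MD5, 256 for SHA-256."""
    return hashlib.new(algorithm).digest_size * 8


def verify_integrity(document: bytes, recorded_digest: str, algorithm: str = "md5") -> bool:
    """Recompute the digest and compare it with the one recorded earlier.

    hmac.compare_digest is used so the comparison time does not leak how many
    leading characters of the digest matched.
    """
    return hmac.compare_digest(hash_digest(document, algorithm), recorded_digest)


if __name__ == "__main__":
    original = b"Transfer 100 dollars to account 1234\n"   # constructed sample
    tampered = b"Transfer 900 dollars to account 1234\n"   # one character changed
    recorded = hash_digest(original)
    print(digest_bits("md5"), "bits ->", recorded)
    print("original verifies:", verify_integrity(original, recorded))
    print("tampered verifies:", verify_integrity(tampered, recorded))
```

Note that an attacker who can alter the document can usually alter a stored digest too, so the recorded digest must be kept where the document's custodian cannot reach it.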

Audit

Auditing checklist:
• Vulnerability assessment
• Physical and site security
• Communications access control
• Network concerns

Audit

Vulnerability assessment: Analysis of exposure to the following dangers

Hardware:
• Electro-mechanical device failure
• CPU failure
• Tape drive failure
• Circuit failure
• Faulty design
• Viruses
• Insufficient testing

Audit

Physical and site security:
• Is the perimeter security adequate?
• Is the building’s security adequate?
  Access control, proper lighting, alarm systems, environmental control
• Is there sufficient ventilation around PCs?
• Are the PCs placed away from water and steam pipes?

Audit

Environmental concerns:
• Housekeeping
• Magnetic media handling
• Electrical power
• Hardware security
• Documentation security
• Data security and record management

Audit

Communications access control:
• Access control
• Communications backup
• Virus recovery

Audit

Network concerns:
• Network management
• Server management
• Software management
• Data management
• Data security

For more information, please visit http://www.tecrime.com/0secure.htm#PhysicalSiteSecurity

Proactive Solutions

Fraud prevention: Has traditionally been reactive
• Solution follows problem

Needs to be proactive
• Prevent fraud before it happens

Recommended