Design Principles in Information Security


  • 8/13/2019 Design Principles in Information Security

    Pintu R Shah

    Unit 2: Design Principles

  • In this unit:

    Pintu R Shah, MPSTME, SVKM's NMIMS

    Various security attacks

    Methods of defense

    Design principles

    Security policies

    Types of security policies

  • Threat

    Threat: an object, person, or other entity that represents a constant danger to an asset

    Management must be informed of the different threats facing the organization

    By examining each threat category, management effectively protects information through policy, education, training, and technology controls

  • Threats to Information Security

    1. Potential Acts of Human Error or Failure
    2. Compromises to Intellectual Property
    3. Deliberate Acts of Espionage or Trespass
    4. Deliberate Acts of Information Extortion
    5. Deliberate Acts of Sabotage or Vandalism
    6. Deliberate Acts of Theft
    7. Deliberate Software Attacks
    8. Forces of Nature
    9. Potential Deviations in Quality of Service from Service Providers
    10. Technical Hardware Failures or Errors
    11. Technical Software Failures or Errors
    12. Technological Obsolescence

  • Classification of Security Attacks

    Passive attacks: eavesdropping on, or monitoring of, transmissions in order to
      obtain message contents, or
      monitor traffic flows

    Active attacks: modification of the data stream in order to
      masquerade as some other entity
      replay previous messages
      modify messages in transit
      deny service
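The two active attacks that modify the data stream (replay and modification in transit) are the ones a receiver can detect per message. As an added example that is not part of the original slides, the Python below shows a sender attaching a sequence number and an HMAC to each message and a receiver that checks the tag first (catching modification) and then requires a strictly increasing sequence number (catching a replayed copy). The shared key and the messages are constructed for the example; a real deployment would provision the key per peer.

```python
import hmac
import hashlib
import json

# Constructed shared key for the example (assumption); a real deployment
# provisions one per peer through a key exchange or out-of-band process.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def build_message(key: bytes, seq: int, payload: str) -> dict:
    """Sender side: attach a sequence number and an HMAC over seq||payload."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verifies the tag, then enforces a strictly increasing
    sequence number so a captured message cannot be accepted twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []   # payloads that passed both checks
        self.events = []     # (seq, verdict) log suitable for alerting

    def receive(self, msg: dict) -> str:
        body = json.dumps({"seq": msg["seq"], "payload": msg["payload"]},
                          sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison: any change to seq or payload fails here.
        if not hmac.compare_digest(expected, msg["tag"]):
            self.events.append((msg["seq"], "rejected: bad tag"))
            return "rejected: bad tag"
        # Freshness check: a valid but previously seen message fails here.
        if msg["seq"] <= self.last_seq:
            self.events.append((msg["seq"], "rejected: replay"))
            return "rejected: replay"
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        self.events.append((msg["seq"], "accepted"))
        return "accepted"


def demo() -> list:
    """Exchange: one legitimate message, the same message delivered again,
    a copy altered in transit, then a fresh message. Returns the verdict log."""
    rx = Receiver(SHARED_KEY)
    m1 = build_message(SHARED_KEY, 1, "transfer 100 to account A")
    rx.receive(m1)                                   # accepted
    rx.receive(m1)                                   # second copy: replay
    altered = dict(m1, payload="transfer 900 to account A")  # tag no longer matches
    rx.receive(altered)
    m2 = build_message(SHARED_KEY, 2, "transfer 5 to account B")
    rx.receive(m2)                                   # fresh, accepted
    return rx.events


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

The sequence check as written assumes in-order delivery; on a transport that may reorder messages a receiver keeps a sliding window of recently seen sequence numbers instead of a single high-water mark. Either way the check only works because the sequence number is covered by the tag, so it cannot be rewritten without invalidating the message.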

  • Passive Attack: release of message contents

  • Passive Attack: traffic analysis

  • Active Attack: replay

  • Active Attack: denial of service

  • Examples of security attacks

    Social engineering

  • Examples of security attacks

    Impersonation

  • Phishing

    "Reproduced with permission. Please visit www.SecurityCartoon.com for more material."
  • Spoofing

  • Web spoofing

  • Web spoofing

  • Malware

    Pest on your PC
  • Other examples

    Botnet
    DoS
    Net Threats
    Losing your data
    Drive-by downloads
    Misleading Applications
    Underground economy
  • Methods of Defense

    Five basic approaches to the defense of computing systems:

    Prevent attack: block the attack / close the vulnerability
    Deter attack: make the attack harder (it cannot be made impossible)
    Deflect attack: make another target more attractive than this target
    Detect attack: during or after
    Recover from attack

  • Common Security Principles

    Information security is not new; many principles come from military and commercial fields:

    Separation of Privileges Principle
    Least Privilege Principle
    Defense in Depth Principle
    Security through Obscurity
    Fail safe defaults
    Economy of mechanism
    Complete mediation
    Psychological Acceptability

  • Separation of Privileges Principle

    No single person should have enough authority to cause a critical event to happen

    Many examples from outside of computing, e.g., two keys needed to launch a missile

    Tradeoff between security gained and manpower required to achieve it

    CIO should not have access to all systems

    DBA should not have access to encryption keys

    Example: an accountant with the privilege to write checks as well as balance the business's account is a potential for abuse
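The accountant example is a dual-control problem: preparing a check and approving it must be done by two different people. As an added example that is not part of the original slides, the Python below implements the "two keys" rule for a critical action. The role directory, the user names and the action name are constructed for the example; the point it demonstrates is that the check is on distinct people, so a user who legitimately holds both roles still cannot supply both keys alone.

```python
from dataclasses import dataclass, field


class SeparationError(Exception):
    """Raised when a critical action is attempted without two independent approvals."""


@dataclass
class DualControlAction:
    """A critical action (here: issuing a check) that needs two distinct people,
    each supplying a different required role, before it may execute."""
    name: str
    required_roles: frozenset                      # e.g. {"preparer", "approver"}
    approvals: dict = field(default_factory=dict)  # role -> user who supplied it

    def approve(self, user: str, role: str, user_roles: dict) -> None:
        if role not in self.required_roles:
            raise SeparationError(f"{role} is not a required role for {self.name}")
        if role not in user_roles.get(user, set()):
            raise SeparationError(f"{user} does not hold role {role}")
        # The same person may not supply both keys, even if they hold both roles.
        if user in self.approvals.values():
            raise SeparationError(f"{user} has already approved {self.name}")
        self.approvals[role] = user

    def is_authorized(self) -> bool:
        roles_covered = set(self.approvals) == set(self.required_roles)
        distinct_people = len(set(self.approvals.values())) == len(self.required_roles)
        return roles_covered and distinct_people


def run_scenario() -> list:
    """Three attempts on a check-issuance action; returns the outcomes in order."""
    # Constructed role directory for the example (assumption).
    user_roles = {
        "alice": {"preparer", "approver"},   # holds both roles: the risky accountant
        "bob": {"approver"},
        "carol": {"preparer"},
    }
    required = frozenset({"preparer", "approver"})
    results = []

    # Attempt 1: alice tries to supply both keys herself -> blocked.
    a = DualControlAction("issue_check", required)
    a.approve("alice", "preparer", user_roles)
    try:
        a.approve("alice", "approver", user_roles)
    except SeparationError as e:
        results.append(str(e))
    results.append(a.is_authorized())          # still only one key present

    # Attempt 2: bob tries to act as preparer without holding that role -> blocked.
    b = DualControlAction("issue_check", required)
    try:
        b.approve("bob", "preparer", user_roles)
    except SeparationError as e:
        results.append(str(e))

    # Attempt 3: carol prepares, bob approves -> authorized.
    c = DualControlAction("issue_check", required)
    c.approve("carol", "preparer", user_roles)
    c.approve("bob", "approver", user_roles)
    results.append(c.is_authorized())
    return results


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

The manpower tradeoff the slide mentions is visible here: a second person has to be available for every check issued, which is why the rule is applied to critical actions rather than to everything.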

  • Least Privilege Principle

    An individual should have only the minimum level of access necessary to carry out their job functions

    A common violation of this principle occurs because of administrator inattention: users are placed in groups that are too broad

    Another common violation occurs because of privilege creep: users are granted new privileges when they change roles without their existing privileges being reviewed
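Both violations on this slide can be found by comparing what a user's current role needs against what group membership actually grants. As an added example that is not part of the original slides, the Python below runs that comparison over a small constructed directory (roles, groups and users are all assumptions made up for the example): `excess_privileges` reports creep per user, and `group_review` reports, per group, the privileges that some member's role does not need, which separates a group that is too broad (many members do not need it) from a stale membership left over from a role change (one member does not need it).

```python
# Constructed directory data for the example (assumption): what each role
# needs, what each group grants, and which groups each user is in.
ROLE_NEEDS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support":   {"tickets:read", "tickets:write", "customer:read"},
    "dba":       {"db:read", "db:write", "db:admin"},
}
GROUP_GRANTS = {
    "dev-team":     {"repo:read", "repo:write", "ci:run"},
    "support-team": {"tickets:read", "tickets:write", "customer:read"},
    "db-admins":    {"db:read", "db:write", "db:admin"},
    "all-staff":    {"customer:read", "db:read"},   # too broad: everyone gets db:read
}
USERS = {
    # dana moved from dba to developer but kept db-admins: privilege creep
    "dana": {"role": "developer", "groups": {"dev-team", "db-admins", "all-staff"}},
    "eve":  {"role": "support",   "groups": {"support-team", "all-staff"}},
    "finn": {"role": "dba",       "groups": {"db-admins", "all-staff"}},
}


def effective_privileges(groups: set) -> set:
    """Union of everything the user's groups grant."""
    return set().union(*(GROUP_GRANTS[g] for g in groups))


def excess_privileges(user: str) -> set:
    """Privileges the user holds beyond what their current role needs."""
    u = USERS[user]
    return effective_privileges(u["groups"]) - ROLE_NEEDS[u["role"]]


def group_review() -> dict:
    """For each group, the privileges it grants that some member's role does
    not need, together with those members. Many members per privilege points
    at an overly broad group; a single member points at a stale membership."""
    report = {}
    for group, grants in GROUP_GRANTS.items():
        members = [u for u, d in USERS.items() if group in d["groups"]]
        for priv in sorted(grants):
            unneeded_by = {m for m in members
                           if priv not in ROLE_NEEDS[USERS[m]["role"]]}
            if unneeded_by:
                report.setdefault(group, {})[priv] = unneeded_by
    return report


def audit() -> dict:
    """Combined report: per-user excess and per-group review."""
    return {
        "excess": {u: excess_privileges(u) for u in USERS if excess_privileges(u)},
        "groups": group_review(),
    }


if __name__ == "__main__":
    for user, extra in audit()["excess"].items():
        print(f"{user}: holds {sorted(extra)} beyond role")
    for group, privs in audit()["groups"].items():
        print(f"{group}: {privs}")
```

Run against a real directory, the same two reports are the input to a periodic access review: excess privileges are removed from the user, and a group whose grants few members need is split or its unneeded grants dropped.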

  • Defense in Depth Principle

    Defenses should be layered

    Layers begin with points of access to a network and continue with cascading security at bottleneck points

  • Defense in Depth

  • Security through Obscurity

    In the early days of computing, administrators depended upon secrecy about the security that was in place

    No longer very effective in most cases because so much information is freely available

  • Fail safe defaults

    This principle states that unless a subject is given explicit access to an object, it should be denied access to that object

  • Economy of mechanism

    Economy of mechanism states that security mechanisms should be as simple as possible

  • Complete mediation

    Complete mediation requires that all accesses to objects be checked to ensure that they are allowed
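Fail-safe defaults and complete mediation are usually implemented together in one component, a reference monitor. As an added example that is not part of the original slides, the Python below builds a small one: the ACL is the only source of permission, anything not explicitly listed is denied (an unknown subject, an unknown object, or an operation that was never granted), and every operation on the protected object goes back through the monitor, so a revocation takes effect on the very next access instead of being bypassed by a decision cached at open time. Subjects, the file name and the grants are constructed for the example.

```python
class AccessDenied(Exception):
    pass


class ReferenceMonitor:
    """Mediates every access. The ACL is the only source of permission and
    anything not explicitly listed is denied (fail-safe default)."""

    def __init__(self):
        self.acl = {}        # object -> {subject: set(operations)}
        self.audit = []      # (subject, object, op, decision), for detection

    def grant(self, subject: str, obj: str, *ops: str) -> None:
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(ops)

    def revoke(self, subject: str, obj: str) -> None:
        self.acl.get(obj, {}).pop(subject, None)

    def check(self, subject: str, obj: str, op: str) -> bool:
        # Each .get() defaults to "nothing granted"; no branch allows implicitly.
        allowed = op in self.acl.get(obj, {}).get(subject, set())
        self.audit.append((subject, obj, op, "allow" if allowed else "deny"))
        return allowed


class ProtectedFile:
    """Every operation asks the monitor (complete mediation). There is no
    open-once-then-cache path that could keep serving a revoked subject."""

    def __init__(self, name: str, monitor: ReferenceMonitor):
        self.name, self.monitor, self.data = name, monitor, ""

    def read(self, subject: str) -> str:
        if not self.monitor.check(subject, self.name, "read"):
            raise AccessDenied(f"{subject} may not read {self.name}")
        return self.data

    def write(self, subject: str, text: str) -> None:
        if not self.monitor.check(subject, self.name, "write"):
            raise AccessDenied(f"{subject} may not write {self.name}")
        self.data = text


def scenario() -> dict:
    """Constructed sequence of accesses; returns the outcomes and the denials
    the monitor logged."""
    rm = ReferenceMonitor()
    f = ProtectedFile("payroll.csv", rm)
    rm.grant("alice", "payroll.csv", "read", "write")
    rm.grant("bob", "payroll.csv", "read")

    def attempt(fn, *args):
        try:
            return fn(*args) or "ok"       # write returns None -> "ok"
        except AccessDenied as e:
            return str(e)

    outcomes = [
        attempt(f.write, "alice", "salary data"),
        attempt(f.read, "bob"),               # granted read
        attempt(f.write, "bob", "x"),         # never granted write -> denied
        attempt(f.read, "mallory"),           # unknown subject -> denied by default
    ]
    rm.revoke("bob", "payroll.csv")
    outcomes.append(attempt(f.read, "bob"))   # re-checked: revocation applies now
    return {"outcomes": outcomes,
            "denied": [e for e in rm.audit if e[3] == "deny"]}


if __name__ == "__main__":
    for line in scenario()["outcomes"]:
        print(line)
```

The audit list is the detection side of the same mechanism: because every access is mediated, every denial is logged, so repeated denials for one subject are visible without any extra instrumentation.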

  • Psychological acceptability

    Psychological acceptability states that security mechanisms should not make resources more difficult to access than they would be if the security mechanisms were not present.

  • Least common mechanism

    The least common mechanism principle states that mechanisms used to access resources should not be shared.

  • Considering Security Tradeoffs

    Security can be looked at as a tradeoff between risks and benefits

    The cost of implementing the security mechanism is weighed against the amount of damage it may prevent

    Tradeoff considerations are security, user convenience, business goals, and expenses

  • Considering Security Tradeoffs (continued)

    An important tradeoff involves user convenience: between difficulty of use and willingness of users

    If users won't use a system because of cumbersome security mechanisms, there is no benefit to having security

    If users go out of their way to circumvent security, the system may be even more vulnerable

  • Policy and Education

    The cornerstone of a security effort is to
      Implement proper policies
      Educate users about those policies

    Information security policies should be
      Flexible enough not to require frequent rewrites
      Comprehensive enough to ensure coverage of situations
      Available to all members of the organization
      Readable and understandable

  • What Are Information Security Policies?

    Documented, high-level management instructions
    A formal way to say "This is how we do it here"
    Generalized requirements statements to minimize risk
    Higher level than standards and procedures

    Policy attributes include the following:
      Require compliance (mandatory)
      Failure to comply results in disciplinary action
      Focus on desired results, not on means of implementation
      Further defined by standards and guidelines

  • A Standard

    A mandatory action or rule designed to support and conform to a policy.

    A standard should make a policy more meaningful and effective.

    A standard must include one or more accepted specifications for hardware, software, or behavior.

  • A guideline

    General statements, recommendations, or administrative instructions designed to achieve the policy's objectives by providing a framework within which to implement procedures.

    A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies.

    A guideline is not mandatory; rather, it is a suggestion of a best practice. Hence "guideline" and "best practice" are interchangeable.

  • Relation between policies, standards and guidelines

    Policies
    Standards
    Guidelines

  • Policy Analogy

    Think of a company that builds cabinets and has a hammer policy

  • Policy

    All boards must be nailed together using company-issued hammers to ensure end-product consistency and worker safety.

  • Standard

    Eleven-inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for repetitive jobs that are longer than 1 hr.

  • Procedure

    Position the nail in the upright position on the board.
    Strike the nail with a full swing of the hammer.
    Repeat until the nail is flush with the board.
    If the thumb is caught between the nail and board, see the Nail First Aid procedure.

  • Policies are NOT

    Not system settings for firewalls and other security gear
    Unlike guidelines, policies are not optional
    Unlike architectures, policies are product independent

  • Security Policy Drivers

  • Characteristics of Effective Information Security Policies

    Complete: address all critical areas of information risk
    Organized: policies based on a recognized standard or framework (ISO 27002)
    Documented: written and maintained with clear ownership and version history
    Updated: periodically reviewed for updates based on the latest risks
    Communicated: policies are read and understood by all people in the organization

  • Types of security policies

    According to NIST, security policies are of the following types:

    Program policy is used to create an organization's computer security program.
    Issue-specific policies address specific issues of concern to the organization.
    System-specific policies focus on decisions taken by management to protect a particular system.

    (Source: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5.html)

  • Program-Level Policies

    Establish a security program
    Assign program management responsibilities
    State an organization-wide computer security purpose and objectives
    Establish a basis for policy compliance

  • Program level policies

    Components of a program level policy are:

    Purpose: includes the objectives of the program, such as
      Improved recovery times
      Reduced costs or downtime due to loss of data
      Reduction in errors for both system changes and operational activities
      Regulatory compliance
      Management of overall confidentiality, integrity, and availability

    Scope: provides guidance on whom and what are covered by the policy. Coverage may include facilities, lines of business, employees or departments, technology, processes.

    Responsibilities: responsibilities for the implementation and management of the policy are assigned in this section. Organizational units or individuals are potential assignment candidates.

    Compliance: provides for the policy's enforcement. Describe oversight activities and disciplinary considerations clearly. But the contents of this section are meaningless unless an effective awareness program is in place.

  • Examples

    Business continuity planning (BCP) framework
    Physical security requirements framework for data centers
    Application development security framework

  • Example: Application Development Policy

    Application development process
    Methodology
    Development environment
    Access to program source library
    Business requirements
    Risk assessment
    Installation process
    Restriction on changes to software packages
    Software acquisition
    User procedure and training

  • Example (cont.)

    System business requirements
    Design
    Design exceptions
    Input validation
    Control of internal processing
    Message authentication
    Output validation
    Application auditing / logging
    Application testing
    Application review
    Acceptance testing criteria
    User acceptance testing
    Post implementation review
    Protection of system test data

  • Issue specific security Policies

    Address specific areas of technology
    Require frequent updates
    Contain a statement on the organization's position on a specific issue

    Examples:
      Email policy
      Backup policy
      Wireless device policy
      Use of telecommunication policy

  • Issue-Specific Policies

    Basic components:

    Issue statement: defines a security issue, along with any relevant terms, distinctions, and conditions
    Statement of the organization's position: clearly states an organization's position on the issue
    Applicability: clearly states where, how, when, to whom, and to what a particular policy applies
    Roles and responsibilities: assigns roles and responsibilities for the issue
    Compliance: gives descriptions of the infractions and states the corresponding penalties
    Points of contact and supplementary information: lists the names of the appropriate individuals to contact for further information and lists any applicable standards or guidelines
  • Acceptable Use Policy

    Defines allowable uses of an organization's information resources

    Must be specific enough to guide user activity but flexible enough to cover unanticipated situations

    Should answer key questions:
      What activities are acceptable?
      What activities are not acceptable?
      Where can users get more information as needed?
      What to do if violations are suspected or have occurred?
  • Backup Policy

    Data backups protect against corruption and loss of data, supporting the integrity and availability goals of security

    A backup policy should answer key questions:
      What data should be backed up and how?
      Where should backups be stored?
      Who should have access?
      How long should backups be retained?
      How often can backup media be reused?

  • Confidentiality Policy

    Outlines procedures used to safeguard sensitive information

    Should cover all means of information dissemination including telephone, print, verbal, and computer

    Questions include:
      What data is confidential and how should it be handled?
      How is confidential information released?
      What happens if information is released in violation of the policy?

    Employees may be asked to sign nondisclosure agreements

  • Data Retention Policy

    Defines categories of data; different categories may have different protections under the policy

    For each category, defines a minimum retention time; the time may be mandated by law, regulation, or business needs, e.g., financial information related to taxes must be retained for 7 years

    For each category, defines a maximum retention time; this time may also be mandated by law, regulation, or business needs, and is common in personal privacy areas
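The minimum and maximum retention times on this slide are the two thresholds a retention job has to check in the right order: a record under its minimum must be kept even if someone asks to delete it, a record over its maximum must go even if nobody asked, and only records between the two are a business decision. As an added example that is not part of the original slides, the Python below classifies constructed records against a constructed policy table (the category names, the 30-day, 90-day, 1-year and 2-year values and the record dates are assumptions made up for the example; the 7-year figure for tax records is the one the slide gives). A record in a category the policy does not know is held and flagged rather than guessed at, following the fail-safe-defaults principle from earlier in the unit.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    min_days: int                 # must be kept at least this long
    max_days: Optional[int]       # must be gone after this long; None = no maximum


# Constructed policy table (assumption). Only the 7-year tax value comes from
# the slide; the others are illustrative.
POLICY = {
    "tax_financial": RetentionRule(min_days=7 * 365, max_days=None),
    "customer_pii":  RetentionRule(min_days=30, max_days=2 * 365),
    "web_logs":      RetentionRule(min_days=90, max_days=365),
}


def classify(category: str, created: date, today: date) -> str:
    """Decide what the policy requires for one record on a given day."""
    rule = POLICY.get(category)
    if rule is None:
        # Unknown category: hold and flag instead of applying a guessed rule.
        return "hold: unclassified"
    age = (today - created).days
    if age < rule.min_days:
        return "retain: minimum not reached"
    if rule.max_days is not None and age > rule.max_days:
        return "delete: maximum exceeded"
    return "eligible: may be deleted by business need"


def review(records, today: date) -> dict:
    """Run the policy over (record_id, category, created) tuples."""
    return {rid: classify(cat, created, today) for rid, cat, created in records}


# Constructed records for the example (assumption), reviewed as of 2024-01-01.
SAMPLE_RECORDS = [
    ("inv-2016", "tax_financial", date(2016, 6, 1)),    # past 7 years, no maximum
    ("inv-2020", "tax_financial", date(2020, 3, 15)),   # inside the 7-year minimum
    ("cust-old", "customer_pii",  date(2021, 1, 1)),    # past the 2-year maximum
    ("cust-new", "customer_pii",  date(2023, 12, 20)),  # inside the 30-day minimum
    ("log-2023", "web_logs",      date(2023, 6, 1)),    # between 90 days and 1 year
    ("mystery",  "chat_export",   date(2019, 1, 1)),    # category not in the policy
]
REVIEW_DATE = date(2024, 1, 1)


if __name__ == "__main__":
    for rid, decision in review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{rid}: {decision}")
```

Passing the review date in explicitly, rather than reading the clock inside `classify`, keeps the job reproducible: the same records and the same date always give the same decisions, which matters when a deletion has to be justified afterwards.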

  • Wireless Device Policy

    Includes mobile phones, PDAs, palm computers

    Users often bring personal devices to the workplace

    The policy should define
      Types of equipment that can be purchased by the organization
      Types of personal equipment that may be brought into the facility
      Permissible activities
      Approval authorities for exceptions

  • System-Specific Policies

    State the security objectives of a specific system

    Define how the system should be operated to achieve those objectives

    Specify how the protections and features of the technology are used to support or enforce the security objectives

    Example: ACLs
      Who is allowed to read or modify data in the system?
      Under what conditions can data be read or modified?
      Are users allowed to dial into the computer system from home or while on travel?

  • Exercise