Upload
karthikeyan-dhayalan
View
867
Download
15
Embed Size (px)
Citation preview
Confidentiality
- Anything that needs to be protected
- Safeguard against unauthorized access, notice, use
- Protecting data at each stage (storage, processing, transit)
Threats
• Capturing network traffic
• Unauthorized access to network
• Password dump stealing
• Dumpster diving
• Social engineering
• Port scanning
• Eavesdropping
Countermeasures
• Encryption
• Authentication to systems
• Access control
• Network traffic padding
• Data classification
• End-user training
Confidentiality Concepts• Sensitivity
• Quality of information that could cause harm or damage if released• Nuclear facility
• Discretion• Showing prudence or self-restraint when dealing with data of interest
• Public release of military operations• Criticality
• The level to which the information is critical• HIGH Critical
• Concealment• Act of hiding or preventing disclosure
• Steganography• Secrecy
• Act of keeping information confidential• Coke formula
• Privacy• Keeping information about a person under safe custody
• PII/PHI• Seclusion
• Storing something in an out-of-the way location• Storage Vault
• Isolation• Act of keeping something separated from the rest
• DMZ, ODC
Integrity
• The capability to maintain the veracity and be intentionally modified only by authorized individuals
• Enforces Accuracy• Provides Assurance• Prevent unauthorized modifications• Prevent unauthorized modifications
by authorized users• Maintain internal and external
consistency of objects
Threats
• Virus
• Logic bombs
• Errors
• Malicious modifications
• Intentional replacement
• System back door
Countermeasures
• Activity logging
• Access control
• Authentication
• Hashing
• Encryption
• Intrusion detection systems
Integrity is dependent on Confidentiality
AvailabilityThreats
• Device failure
• Software error
• Natural calamity
• Power
• Human error
• oversight
Countermeasures
• RAID
• Redundant systems
• Clustering
• Access control
• BCP/DR
• Fault tolerance
• Provisioning un-interrupted and timely access to authorized subjects
• Offers high level of assurance that data shall be available to authorized subjects
• It includes• Usability• Accessibility• Timeliness
Availability is dependent on both Integrity and confidentiality
Security concepts
Identification
Subject professes identity
First step in AAA process Username, smart card,
speaking a phrase, biometric, user ID
Without identity there can be no authentication
Authentication
Verification of the
claimed Identity
Verifies identity by
comparing against one
or more factors stored
in the database
Identification and
authentication are
always together
Authorization
Comparing the subject,
object and the intended
activity to authorize
actions
Identification/
Authentication are all or
nothing model, while
Authorization can have
wide range of options
Auditing
Means by which
subjects actions as
well as system
operations are logged
and monitored
Helps detect un-
authorized or
abnormal activities
Accountability
Capability to prove a
subject’s identity and track
their activities.
Established by linking a
human to the activities of
an online identity
Ultimately dependent on
the strength of
Authentication factor
Nonrepudiation
Ensures the subject of an activity cannot deny the action
Can be established via digital certs, session identifiers, transaction logs
Security Control Concepts
Also known as defense
in depth
Multiple controls are
applied in series
Layering should be
applied in series and
not parallel
Layering
Putting similar
elements in groups,
classes or roles that
are assigned security
controls
Used for efficiency
Includes definition of
object and subject
Abstraction
Preventing data from
being discovered
Some forms include –
restricting visibility to
high critical application
from low level subjects
Data Hiding
Hiding the meaning
or intent of a
communication
It is an important
element in security
controls
Encryption
Security Management Plan
• SMP should use a top-down approach• Senior management is responsible for initiating and defining policies;
• Middle management is responsible for releasing standards, baselines, guidelines in relation to the policy
• Operations management/IT teams implement the controls defined above
• End-users must comply with all the functions of the organization
• SMP should have Approval from Senior Management before we start to engage.
Security Management Plan Types
SMP Type Description
Strategic Plan
Long term planDefines the organization’s security postureUseful for at least 5 years. Reviewed annuallyHelps understand security function and align it with businessShould include Risk Assessment
Tactical Plan Mid-term plan developed to provide more detailed goalUsually for an year or twoMore technology orientedEg: Project plans, acquisition plan, budget plan, hiring plan
OperationalPlan
Short-term planHighly-detailed planMust be updated often (monthly, quarterly)Spell-out how to accomplish various goalsEg: resource allotment, budgetary allocation, training plans
Change Management
• Goal – Ensure any change does not lead to compromised or reduced security
• Purpose – Make all changes subject to detailed documentation, auditing, review and scrutiny by management
• Helps• Implement changes in a controlled and orderly manner
• Formalized testing process
• Back out or roll back procedures
• Users are informed before the change
• Effects of change are systematically analysed
• Negative impact is minimized
• Changes are reviewed and approved by CAB
Data Classification
- It is the process of organizing items, objects, subjects into groups, categories or collections with similarities
- Primary means for data protection
- Used to determine how much effort, money and resources are allocated to protect the data and control access to it
Benefits
• Benefits
• Demonstrates organization’s commitment to protecting assets
• Assists in identifying assets that are critical for the organization
• Lends credence to the selection of protection mechanisms
• Required for regulatory compliance
• Helps define access levels
• Helps with data life-cycle management
Criteria
• Usefulness
• Timeliness
• Value
• Maturity or age of data
• Life time of the data
• Association with personal
• Disclosure damage assessment
• Modification damage
• National security
• Authorized access to data
• Restriction from the data
• Maintenance and monitoring
• Storage
7 Step Classification scheme
Identify owner and define
Responsibility
Specify evaluation criteria
Classify and label each resource
Document any exceptions to the
classification policy
Select the security controls that will be
applicable
Specify declassification
procedures
Create awareness program
Classification Scheme
•Top Secret
•Secret
•Confidential
•Sensitive
•Unclassified
Confidential/Private
Sensitive
Public
Go
vern
men
t/M
ilita
ry
Co
mm
ercial/Bu
siness
In Military, Classified is used to denote any data that is ranked above the unclassified level
Security roles• Ultimately responsible for security
• Must signoff all policy issues
• All activities must be approved
• Will be held responsible for overall security success/failure
• Responsible for due care and due diligence
Senior Management
• Responsible for following the directives mandated by SM
• Has the functional responsibility for security
• They are not decision makersSecurity Professional
• Responsible for classifying information
• Ultimately responsible for the data they own
• Typically high level management representativeData Owner
• Responsible for tasks of implementing the prescribed protection defined by Data owner
• Responsibilities include, preforming/testing backups, validating data integrity, deploying security solutions and managing data storage based on classification
Data Custodian
• Has access to the secure system
• Responsible for understanding and upholding the security policyUser
• Responsible for reviewing and verifying the security policy implementation
• Produces compliance and effectiveness reportsAuditor
Due Care and Due Diligence
Due Care• Taking reasonable care in protecting the organization
• It’s a legal term – it pertains to the legal duty of the organization
• Lack of due care is considered negligence
Due Diligence• Practicing the activities that maintain the due care effort
• Pertains to best practices that a company should follow
• It might not be legally liable
Security Policy
- Strategic plan for implementing security
- Defines the scope of security needed for the organization
- Defines the main security objectives and outlines the security framework
- Identifies major functional areas of data processing
- Broadly outlines the security goals and practices that should be employed
- Its is used to assign responsibilities, define roles, specify audit requirements, outline enforcement process, indicate compliance requirements, and define acceptable risk levels
It’s a compulsory document
Typ
es
Organizational Security policy –
focuses on issues relevant to every aspect of the organization
Issue-specific policy –
focuses on specific service, department, function that is distinct from the organization as a whole
System-specific policy –
Focuses on individual systems
Security Categories
Regulatory
• Required whenever industry or legal standards are applicable to your organization
Advisory
• Discusses behaviors and activities are acceptable and defines consequences of violation
Informative
• Designed to provide information or knowledge about a specific subject
• Not enforceable
Standard/Baseline/Guideline/Procedure
Standard
• Define compulsory requirements
• Provides a course of action for uniform deployment of technology
• Tactical documents
Baseline
• Defines minimum level of security that every system must meet
• System-specific
• Establishes common secure state
Guideline
• Offers recommendations on implementation
• Servers as an operating guide
• Flexible – can be customized for each unique system
Procedure
• Final element of the formalized security policy structure
• Detailed step-by-step document describes actions necessary to implement security mandates
• System and software specific
• Purpose is to ensure integrity of business process
Threat Modelling
- A process where potential threats are identified, categorized, and analysed
- Can be performed both pro-actively as well as reactively- Two goals of threat modelling
- Reduce the number of security related coding and design defects
- Reduce the severity of remaining defects
Proactive Approach- Also known as defensive approach- Takes place during early stages of systems development- Based on predicting threats and design specific counter
measures during the coding and crafting process
Reactive Approach- Also known as adversarial approach- Takes place after a product has been created and
deployed- This is the core concept behind ethical hacking, PT,
source code review and Fuzz testing
Threat Modelling Steps
Identifying Threats
Determining and Diagramming
Potential attacks
Performing Reduction Analysis
Prioritization and Response
Identifying Threats – STRIDE approach
Microsoft Threat categorization scheme
SPOOFING
TAMPERING
REPUDIATION
INFORMAITON DISCLOSURE
DENIAL OF SERICE
ELEVATION OF PRIVILEGES
Determining and Diagramming Potential Attacks
• Post identifying threats, the next step is to determine the potential attack concepts that could materialize
• Often accomplished by data flow diagrams, privilege boundaries, and elements involved
• Once diagram has been crafted, identify all the technologies involved.
• Identify attacks that could be targeted at each element of the diagram
• Attacks should include all forms – logical, physical, social
Perform Reduction Analysis• Involves decomposing the application, system or environment• Purpose of this process is to get a greater understanding on the purpose of
the product and its interactions with external entities• Each element should be evaluated to understand inputs, processing,
security, data management, storage and output• 5 key concepts to be aware of
• Trust Boundaries – location where the level of trust changes• Data flow paths – movement of data between locations• Input points – locations where external input is received• Privilege Operations – Activity that requires greater privileges• Security stance and approach – Declaration of the security policy,
security foundation and security assumptions
Prioritization and Response
• Document the threat – define the means, target and consequences of a threat
• After documentation, rank or rate the threats• DREAD Rating System
• Damage potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability