Security Fundamentals

Predict – Preempt – Protect

Karthikeyan Dhayalan

CIA - Triade

Confidentiality

- Anything that needs to be protected

- Safeguard against unauthorized access, notice, use

- Protecting data at each stage (storage, processing, transit)

Threats

• Capturing network traffic

• Unauthorized access to network

• Password dump stealing

• Dumpster diving

• Social engineering

• Port scanning

• Eavesdropping

Countermeasures

• Encryption

• Authentication to systems

• Access control

• Network traffic padding

• Data classification

• End-user training

Confidentiality Concepts• Sensitivity

• Quality of information that could cause harm or damage if released• Nuclear facility

• Discretion• Showing prudence or self-restraint when dealing with data of interest

• Public release of military operations• Criticality

• The level to which the information is critical• HIGH Critical

• Concealment• Act of hiding or preventing disclosure

• Steganography• Secrecy

• Act of keeping information confidential• Coke formula

• Privacy• Keeping information about a person under safe custody

• PII/PHI• Seclusion

• Storing something in an out-of-the way location• Storage Vault

• Isolation• Act of keeping something separated from the rest

• DMZ, ODC

Integrity

• The capability to maintain the veracity and be intentionally modified only by authorized individuals

• Enforces Accuracy• Provides Assurance• Prevent unauthorized modifications• Prevent unauthorized modifications

by authorized users• Maintain internal and external

consistency of objects

Threats

• Virus

• Logic bombs

• Errors

• Malicious modifications

• Intentional replacement

• System back door

Countermeasures

• Activity logging

• Access control

• Authentication

• Hashing

• Encryption

• Intrusion detection systems

Integrity is dependent on Confidentiality

AvailabilityThreats

• Device failure

• Software error

• Natural calamity

• Power

• Human error

• oversight

Countermeasures

• RAID

• Redundant systems

• Clustering

• Access control

• BCP/DR

• Fault tolerance

• Provisioning un-interrupted and timely access to authorized subjects

• Offers high level of assurance that data shall be available to authorized subjects

• It includes• Usability• Accessibility• Timeliness

Availability is dependent on both Integrity and confidentiality

Security concepts

Identification

Subject professes identity

First step in AAA process Username, smart card,

speaking a phrase, biometric, user ID

Without identity there can be no authentication

Authentication

Verification of the

claimed Identity

Verifies identity by

comparing against one

or more factors stored

in the database

Identification and

authentication are

always together

Authorization

Comparing the subject,

object and the intended

activity to authorize

actions

Identification/

Authentication are all or

nothing model, while

Authorization can have

wide range of options

Auditing

Means by which

subjects actions as

well as system

operations are logged

and monitored

Helps detect un-

authorized or

abnormal activities

Accountability

Capability to prove a

subject’s identity and track

their activities.

Established by linking a

human to the activities of

an online identity

Ultimately dependent on

the strength of

Authentication factor

Nonrepudiation

Ensures the subject of an activity cannot deny the action

Can be established via digital certs, session identifiers, transaction logs

Security Control Concepts

Also known as defense

in depth

Multiple controls are

applied in series

Layering should be

applied in series and

not parallel

Layering

Putting similar

elements in groups,

classes or roles that

are assigned security

controls

Used for efficiency

Includes definition of

object and subject

Abstraction

Preventing data from

being discovered

Some forms include –

restricting visibility to

high critical application

from low level subjects

Data Hiding

Hiding the meaning

or intent of a

communication

It is an important

element in security

controls

Encryption

Security Management Plan

• SMP should use a top-down approach• Senior management is responsible for initiating and defining policies;

• Middle management is responsible for releasing standards, baselines, guidelines in relation to the policy

• Operations management/IT teams implement the controls defined above

• End-users must comply with all the functions of the organization

• SMP should have Approval from Senior Management before we start to engage.

Security Management Plan Types

SMP Type Description

Strategic Plan

Long term planDefines the organization’s security postureUseful for at least 5 years. Reviewed annuallyHelps understand security function and align it with businessShould include Risk Assessment

Tactical Plan Mid-term plan developed to provide more detailed goalUsually for an year or twoMore technology orientedEg: Project plans, acquisition plan, budget plan, hiring plan

OperationalPlan

Short-term planHighly-detailed planMust be updated often (monthly, quarterly)Spell-out how to accomplish various goalsEg: resource allotment, budgetary allocation, training plans

Change Management

• Goal – Ensure any change does not lead to compromised or reduced security

• Purpose – Make all changes subject to detailed documentation, auditing, review and scrutiny by management

• Helps• Implement changes in a controlled and orderly manner

• Formalized testing process

• Back out or roll back procedures

• Users are informed before the change

• Effects of change are systematically analysed

• Negative impact is minimized

• Changes are reviewed and approved by CAB

Data Classification

- It is the process of organizing items, objects, subjects into groups, categories or collections with similarities

- Primary means for data protection

- Used to determine how much effort, money and resources are allocated to protect the data and control access to it

Benefits

• Benefits

• Demonstrates organization’s commitment to protecting assets

• Assists in identifying assets that are critical for the organization

• Lends credence to the selection of protection mechanisms

• Required for regulatory compliance

• Helps define access levels

• Helps with data life-cycle management

Criteria

• Usefulness

• Timeliness

• Value

• Maturity or age of data

• Life time of the data

• Association with personal

• Disclosure damage assessment

• Modification damage

• National security

• Authorized access to data

• Restriction from the data

• Maintenance and monitoring

• Storage

7 Step Classification scheme

Identify owner and define

Responsibility

Specify evaluation criteria

Classify and label each resource

Document any exceptions to the

classification policy

Select the security controls that will be

applicable

Specify declassification

procedures

Create awareness program

Classification Scheme

•Top Secret

•Secret

•Confidential

•Sensitive

•Unclassified

Confidential/Private

Sensitive

Public

Go

vern

men

t/M

ilita

ry

Co

mm

ercial/Bu

siness

In Military, Classified is used to denote any data that is ranked above the unclassified level

Security roles• Ultimately responsible for security

• Must signoff all policy issues

• All activities must be approved

• Will be held responsible for overall security success/failure

• Responsible for due care and due diligence

Senior Management

• Responsible for following the directives mandated by SM

• Has the functional responsibility for security

• They are not decision makersSecurity Professional

• Responsible for classifying information

• Ultimately responsible for the data they own

• Typically high level management representativeData Owner

• Responsible for tasks of implementing the prescribed protection defined by Data owner

• Responsibilities include, preforming/testing backups, validating data integrity, deploying security solutions and managing data storage based on classification

Data Custodian

• Has access to the secure system

• Responsible for understanding and upholding the security policyUser

• Responsible for reviewing and verifying the security policy implementation

• Produces compliance and effectiveness reportsAuditor

Due Care and Due Diligence

Due Care• Taking reasonable care in protecting the organization

• It’s a legal term – it pertains to the legal duty of the organization

• Lack of due care is considered negligence

Due Diligence• Practicing the activities that maintain the due care effort

• Pertains to best practices that a company should follow

• It might not be legally liable

Security Policy

- Strategic plan for implementing security

- Defines the scope of security needed for the organization

- Defines the main security objectives and outlines the security framework

- Identifies major functional areas of data processing

- Broadly outlines the security goals and practices that should be employed

- Its is used to assign responsibilities, define roles, specify audit requirements, outline enforcement process, indicate compliance requirements, and define acceptable risk levels

It’s a compulsory document

Typ

es

Organizational Security policy –

focuses on issues relevant to every aspect of the organization

Issue-specific policy –

focuses on specific service, department, function that is distinct from the organization as a whole

System-specific policy –

Focuses on individual systems

Security Categories

Regulatory

• Required whenever industry or legal standards are applicable to your organization

Advisory

• Discusses behaviors and activities are acceptable and defines consequences of violation

Informative

• Designed to provide information or knowledge about a specific subject

• Not enforceable

Standard/Baseline/Guideline/Procedure

Standard

• Define compulsory requirements

• Provides a course of action for uniform deployment of technology

• Tactical documents

Baseline

• Defines minimum level of security that every system must meet

• System-specific

• Establishes common secure state

Guideline

• Offers recommendations on implementation

• Servers as an operating guide

• Flexible – can be customized for each unique system

Procedure

• Final element of the formalized security policy structure

• Detailed step-by-step document describes actions necessary to implement security mandates

• System and software specific

• Purpose is to ensure integrity of business process

Threat Modelling

- A process where potential threats are identified, categorized, and analysed

- Can be performed both pro-actively as well as reactively- Two goals of threat modelling

- Reduce the number of security related coding and design defects

- Reduce the severity of remaining defects

Proactive Approach- Also known as defensive approach- Takes place during early stages of systems development- Based on predicting threats and design specific counter

measures during the coding and crafting process

Reactive Approach- Also known as adversarial approach- Takes place after a product has been created and

deployed- This is the core concept behind ethical hacking, PT,

source code review and Fuzz testing

Threat Modelling Steps

Identifying Threats

Determining and Diagramming

Potential attacks

Performing Reduction Analysis

Prioritization and Response

Identifying Threats – STRIDE approach

Microsoft Threat categorization scheme

SPOOFING

TAMPERING

REPUDIATION

INFORMAITON DISCLOSURE

DENIAL OF SERICE

ELEVATION OF PRIVILEGES

Determining and Diagramming Potential Attacks

• Post identifying threats, the next step is to determine the potential attack concepts that could materialize

• Often accomplished by data flow diagrams, privilege boundaries, and elements involved

• Once diagram has been crafted, identify all the technologies involved.

• Identify attacks that could be targeted at each element of the diagram

• Attacks should include all forms – logical, physical, social

Perform Reduction Analysis• Involves decomposing the application, system or environment• Purpose of this process is to get a greater understanding on the purpose of

the product and its interactions with external entities• Each element should be evaluated to understand inputs, processing,

security, data management, storage and output• 5 key concepts to be aware of

• Trust Boundaries – location where the level of trust changes• Data flow paths – movement of data between locations• Input points – locations where external input is received• Privilege Operations – Activity that requires greater privileges• Security stance and approach – Declaration of the security policy,

security foundation and security assumptions

Prioritization and Response

• Document the threat – define the means, target and consequences of a threat

• After documentation, rank or rate the threats• DREAD Rating System

• Damage potential

• Reproducibility

• Exploitability

• Affected Users

• Discoverability

Karthikeyan Dhayalan