
Unit 2: Design Principles

Pintu R Shah

In this unit
- Various security attacks
- Methods of defense
- Design principles
- Security policies
- Types of security policies

Pintu R Shah MPSTME SVKM's NMIMS

Threat
- Threat: an object, person, or other entity that represents a constant danger to an asset
- Management must be informed of the different threats facing the organization
- By examining each threat category, management effectively protects information through policy, education, training, and technology controls


Threats to Information Security
1. Potential acts of human error or failure
2. Compromises to intellectual property
3. Deliberate acts of espionage or trespass
4. Deliberate acts of information extortion
5. Deliberate acts of sabotage or vandalism
6. Deliberate acts of theft
7. Deliberate software attacks
8. Forces of nature
9. Potential deviations in quality of service from service providers
10. Technical hardware failures or errors
11. Technical software failures or errors
12. Technological obsolescence

Classification of Security Attacks
- Passive attacks: eavesdropping on, or monitoring of, transmissions in order to
  - obtain message contents, or
  - monitor traffic flows
- Active attacks: modification of the data stream in order to
  - masquerade as another entity
  - replay previous messages
  - modify messages in transit
  - deny service


Passive Attack: release of message contents


Passive Attack: traffic analysis


Active Attack: replay


Active Attack: denial of service


Examples of security attacks


Social engineering


Examples of security attacks

Impersonation


Phishing

"Reproduced with permission. Please visit www.SecurityCartoon.com for more material."

Spoofing


Web spoofing


Web spoofing


Email Spoofing


Malware
Pest on your PC


Other examples
- Botnet
- DoS
- Net threats
- Losing your data
- Drive-by downloads
- Misleading applications
- Underground economy


Methods of Defense
Five basic approaches to the defense of computing systems:
- Prevent attack: block the attack / close the vulnerability
- Deter attack: make the attack harder (it cannot be made impossible)
- Deflect attack: make another target more attractive than this target
- Detect attack: during or after
- Recover from attack


Common Security Principles
Information security is not new; many principles come from the military and commercial fields.
- Separation of Privileges Principle
- Least Privilege Principle
- Defense in Depth Principle
- Security through Obscurity
- Fail safe defaults
- Economy of mechanism
- Complete mediation
- Psychological Acceptability


Separation of Privileges Principle
- No single person should have enough authority to cause a critical event to happen
- Many examples from outside of computing, e.g., two keys needed to launch a missile
- Tradeoff between the security gained and the manpower required to achieve it
- The CIO should not have access to all systems
- The DBA should not have access to the encryption key
- Example: an accountant with the privilege to write checks as well as to balance the business's account is a potential for abuse
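The accountant example above can be enforced in code. The following is an added example, not part of the slides: a cheque-issuing workflow that applies separation of privilege in two ways, a two-person rule (two distinct approvers, neither of them the requester) and a check for "toxic combinations" of permissions that no single user may hold. The role names, permissions and users are assumptions made for the demo.

```python
from dataclasses import dataclass, field

# Constructed example, not from the slides: a cheque-issuing workflow that
# applies separation of privilege in two ways.
#   1. Two-person rule: a cheque is issued only after two distinct approvers,
#      neither of them the person who wrote it, have signed off.
#   2. Toxic-combination check: no single user may hold both the privilege to
#      write cheques and the privilege to balance the account.
# Role names, permissions and users below are all assumptions for the demo.

ROLE_PERMISSIONS = {
    "accountant": {"write_check"},
    "controller": {"approve_check"},
    "auditor": {"balance_account"},
}

# Permission sets that must never be held by one person.
TOXIC_COMBINATIONS = [{"write_check", "balance_account"}]

# Constructed user directory: user -> set of roles.
USER_ROLES = {
    "alice": {"accountant"},
    "bob": {"controller"},
    "carol": {"controller"},
    "dave": {"auditor"},
    "erin": {"accountant", "auditor"},  # holds a toxic combination
}


def permissions_of(user_roles, user):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


@dataclass
class CheckRequest:
    request_id: str
    requester: str          # the user who wrote the cheque
    amount: float
    approvals: set = field(default_factory=set)  # users who signed off


def may_issue_check(user_roles, request, required_approvals=2):
    """Two-person rule: deny unless the requester may write cheques and at
    least `required_approvals` distinct approvers, none of whom is the
    requester, hold approve_check."""
    if "write_check" not in permissions_of(user_roles, request.requester):
        return False
    valid_approvers = {
        user for user in request.approvals
        if user != request.requester
        and "approve_check" in permissions_of(user_roles, user)
    }
    return len(valid_approvers) >= required_approvals


def find_toxic_combinations(user_roles):
    """Return (user, permissions) pairs where one user holds a full toxic set."""
    flagged = []
    for user in sorted(user_roles):
        perms = permissions_of(user_roles, user)
        for combo in TOXIC_COMBINATIONS:
            if combo <= perms:
                flagged.append((user, tuple(sorted(combo))))
    return flagged


if __name__ == "__main__":
    request = CheckRequest("CHK-1", "alice", 1200.0, {"bob", "carol"})
    print("issue:", may_issue_check(USER_ROLES, request))
    print("toxic:", find_toxic_combinations(USER_ROLES))
```

The requester's own signature never counts toward the approval quorum, and an approver without the approve_check permission is ignored rather than rejected loudly, so adding an unqualified name to a request cannot weaken the rule. The toxic-combination audit is the static counterpart: it finds users such as "erin" whose role assignments already violate the principle before any request is made.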


Least Privilege Principle
- An individual should have only the minimum level of access controls necessary to carry out job functions
- A common violation of this principle occurs because of administrator inattention: users are placed in groups that are too broad
- Another common violation occurs because of privilege creep: users are granted new privileges when they change roles without a review of their existing privileges
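Both violations named above (overly broad groups and privilege creep) show up the same way in an audit: a user holds permissions that their current role does not entitle them to. The following is an added example, not from the slides, of such an audit; the roles, permission names and user records are constructed for the demo.

```python
# Constructed example, not from the slides: a least-privilege audit that
# detects privilege creep. Each user has one current role; the permissions
# actually granted to the user are compared with what that role entitles
# them to, and anything beyond the entitlement (left over from a previous
# role, or inherited from an overly broad group) is flagged for removal.
# Role names, permission names and user records are assumptions for the demo.

ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticket.read", "ticket.write", "user.reset_password"},
    "developer": {"repo.read", "repo.write", "ci.run"},
    "dba": {"db.read", "db.write", "db.admin"},
}

# Constructed user records: current role plus the permissions actually granted.
USERS = {
    "alice": {"role": "developer",
              "granted": {"repo.read", "repo.write", "ci.run"}},
    # moved from helpdesk to developer; old grants were never reviewed
    "bob": {"role": "developer",
            "granted": {"repo.read", "repo.write", "ci.run",
                        "ticket.write", "user.reset_password"}},
    # placed in a group that is too broad for a helpdesk role
    "carol": {"role": "helpdesk",
              "granted": {"ticket.read", "ticket.write", "db.admin"}},
}


def excess_permissions(role, granted):
    """Permissions held beyond what the role entitles the user to.
    An unknown role entitles the user to nothing, so everything is excess."""
    return set(granted) - ROLE_ENTITLEMENTS.get(role, set())


def audit_privilege_creep(users):
    """Map each over-privileged user to the sorted list of permissions to revoke."""
    findings = {}
    for name, record in users.items():
        excess = excess_permissions(record["role"], record["granted"])
        if excess:
            findings[name] = sorted(excess)
    return findings


def enforce_least_privilege(users):
    """Return a copy of the user records trimmed to their role entitlements."""
    trimmed = {}
    for name, record in users.items():
        allowed = ROLE_ENTITLEMENTS.get(record["role"], set())
        trimmed[name] = {"role": record["role"],
                         "granted": set(record["granted"]) & allowed}
    return trimmed


if __name__ == "__main__":
    for user, perms in audit_privilege_creep(USERS).items():
        print(f"{user}: revoke {', '.join(perms)}")
```

Running the audit again on the trimmed records returns no findings, which is the check a reviewer would add to a periodic access review: the review is only complete when the second pass is empty.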


Defense in Depth Principle
- Defenses should be layered
- Layers begin with the points of access to a network and continue with cascading security at bottleneck points


Defense in Depth


Security through Obscurity
- In the early days of computing, administrators depended upon secrecy about the security that was in place
- No longer very effective in most cases, because so much information is freely available


Fail safe defaults
This principle states that unless a subject is given explicit access to an object, it should be denied access to that object.


Economy of mechanism
Economy of mechanism states that security mechanisms should be as simple as possible.


Complete mediation
Complete mediation requires that all accesses to objects be checked to ensure that they are allowed.
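Fail safe defaults and complete mediation are easiest to see together in a small reference monitor. The following is an added example, not from the slides: access is permitted only when an explicit allow rule exists (deny by default), and every read or write of an object passes through one check that is re-evaluated on each call and logged. Subjects, objects and rules are assumptions for the demo.

```python
# Constructed example, not from the slides: a minimal reference monitor that
# applies two of the principles above. Fail-safe defaults: an access is
# permitted only when an explicit (subject, object, action) allow rule exists;
# anything unmatched, including unknown subjects or objects, is denied.
# Complete mediation: the only path to an object's contents is through
# _mediate(), which re-checks the rules on every call (nothing is cached) and
# records each decision. Subjects, objects and rules are assumptions.


class ReferenceMonitor:
    def __init__(self, objects):
        self._objects = dict(objects)   # object name -> contents
        self._rules = set()             # explicit allow rules only
        self.audit_log = []             # (subject, object, action, decision)

    def allow(self, subject, obj, action):
        self._rules.add((subject, obj, action))

    def revoke(self, subject, obj, action):
        # Takes effect on the very next access because nothing is cached.
        self._rules.discard((subject, obj, action))

    def is_allowed(self, subject, obj, action):
        # No deny rules exist: the absence of an allow rule is a denial.
        return (subject, obj, action) in self._rules

    def _mediate(self, subject, obj, action):
        decision = "ALLOW" if self.is_allowed(subject, obj, action) else "DENY"
        self.audit_log.append((subject, obj, action, decision))
        if decision == "DENY":
            raise PermissionError(f"{subject} may not {action} {obj}")

    def read(self, subject, obj):
        self._mediate(subject, obj, "read")
        return self._objects[obj]

    def write(self, subject, obj, value):
        self._mediate(subject, obj, "write")
        self._objects[obj] = value


def attempt(action):
    """Run an access and report 'ALLOW' or 'DENY' instead of raising."""
    try:
        action()
        return "ALLOW"
    except PermissionError:
        return "DENY"


def demo():
    """Walk through the typical decisions and return the audit log."""
    rm = ReferenceMonitor({"payroll.csv": "salary data"})
    rm.allow("alice", "payroll.csv", "read")
    attempt(lambda: rm.read("alice", "payroll.csv"))       # ALLOW: explicit rule
    attempt(lambda: rm.write("alice", "payroll.csv", ""))  # DENY: no write rule
    attempt(lambda: rm.read("bob", "payroll.csv"))         # DENY: unknown subject
    attempt(lambda: rm.read("alice", "secrets.txt"))       # DENY: unknown object
    rm.revoke("alice", "payroll.csv", "read")
    attempt(lambda: rm.read("alice", "payroll.csv"))       # DENY: rule revoked
    return rm.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

Two design points carry the principles: there is no "deny" rule type, because the default already denies, so a forgotten rule can only fail closed; and the data dictionary is private, reachable only through read() and write(), so a revoked rule is honoured on the next access rather than at some later cache expiry.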


Psychological acceptability
Psychological acceptability states that a security mechanism should not make resources more difficult to access than they would be if the security mechanism were not present.


Least common mechanism
The least common mechanism principle states that mechanisms used to access resources should not be shared.


Considering Security Tradeoffs
- Security can be looked at as a tradeoff between risks and benefits: the cost of implementing the security mechanism against the amount of damage it may prevent
- Tradeoff considerations are security, user convenience, business goals, and expenses


Considering Security Tradeoffs (continued)
- An important tradeoff involves user convenience: between difficulty of use and the willingness of users
- If users won't use a system because of cumbersome security mechanisms, there is no benefit to having security
- If users go out of their way to circumvent security, the system may be even more vulnerable


Policy and Education
- The cornerstone of a security effort is to
  - implement proper policies
  - educate users about those policies
- Information security policies should be
  - flexible enough not to require frequent rewrites
  - comprehensive enough to ensure coverage of situations
  - available to all members of the organization
  - readable and understandable


What Are Information Security Policies?
- Documented, high-level management instructions
- A formal way to say "This is how we do it here"
- Generalized requirements statements to minimize risk
- Higher level than standards and procedures
Policy attributes include the following:
- Require compliance (mandatory): failure to comply results in disciplinary action
- Focus on desired results, not on means of implementation
- Further defined by standards and guidelines


A Standard
A mandatory action or rule designed to support and conform to a policy. A standard should make a policy more meaningful and effective. A standard must include one or more accepted specifications for hardware, software, or behavior.


A guideline
General statements, recommendations, or administrative instructions designed to achieve the policy's objectives by providing a framework within which to implement procedures. A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies. A guideline is not mandatory; rather, it is a suggestion of a best practice. Hence "guideline" and "best practice" are interchangeable.

Relation between policies, standards and guidelines
(Figure: a hierarchy with Policies at the top, Standards below them, and Guidelines at the bottom.)

Policy Analogy
Think of a company that builds cabinets and has a hammer policy.


Policy
All boards must be nailed together using company-issued hammers to ensure end product consistency and worker safety.


Standard
Eleven inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for the repetitive jobs that are > 1 hr.


Guideline
To avoid splitting the wood, a pilot hole should be drilled first.


Procedure
1. Position the nail in the upright position on the board.
2. Strike the nail with a full swing of the hammer.
3. Repeat until the nail is flush with the board.
If the thumb is caught between the nail and board, see the Nail First Aid procedure.


Policies are NOT
- Not system settings for firewalls and other security gear
- Unlike guidelines, policies are not optional
- Unlike architectures, policies are product independent


Security Policy Drivers


Characteristics of Effective Information Security Policies
- Complete: address all critical areas of information risk
- Organized: policies based on a recognized standard or framework (ISO 27002)
- Documented: written and maintained with clear ownership and version history
- Updated: periodically reviewed for updates based on the latest risks
- Communicated: policies are read and understood by all people in the organization


Types of security policies
According to NIST, security policies are of the following types:
- Program policy is used to create an organization's computer security program.
- Issue-specific policies address specific issues of concern to the organization.
- System-specific policies focus on decisions taken by management to protect a particular system.
(Source: http://csrc.nist.gov/publications/nistpubs/80012/800-12-html/chapter5.html)



Program-Level Policies
- Establish a security program
- Assign program management responsibilities
- State an organization-wide computer security purpose and objectives
- Establish a basis for policy compliance


Program level policies
The components of a program level policy are:
- Purpose includes the objectives of the program, such as:
  - Improved recovery times
  - Reduced costs or downtime due to loss of data
  - Reduction in errors for both system changes and operational activities
  - Regulatory compliance
  - Management of overall confidentiality, integrity, and availability
- Scope provides guidance on whom and what are covered by the policy. Coverage may include: facilities, lines of business, employees or departments, technology, processes.
- Responsibilities for the implementation and management of the policy are assigned in this section. Organizational units or individuals are potential assignment candidates.
- Compliance provides for the policy's enforcement. Describe oversight activities and disciplinary considerations clearly. But the contents of this section are meaningless unless an effective awareness program is in place.


Examples
- Business continuity planning (BCP) framework
- Physical security requirements framework for data centers
- Application development security framework


Example: Application Development Policy
Application development process:
- Methodology
- Development environment
- Access to program source library
- Business requirements
- Risk assessment
- Installation process
- Restriction on changes to software packages
- Software acquisition
- User procedure and training


Example (cont)
System business requirements:
- Design
- Design exceptions
- Input validation
- Control of internal processing
- Message authentication
- Output validation
- Application auditing / logging
- Application review
Application testing:
- Acceptance testing criteria
- User acceptance testing
- Post implementation review
- Protection of system test data


Issue specific security Policies
- Addresses specific areas of technology
- Requires frequent updates
- Contains a statement on the organization's position on a specific issue
- Examples:
  - Email policy
  - Backup policy
  - Wireless device policy
  - Use of telecommunication policy


Issue-Specific Policies
Basic components:
- Issue statement: defines a security issue, along with any relevant terms, distinctions, and conditions
- Statement of the organization's position: clearly states the organization's position on the issue
- Applicability: clearly states where, how, when, to whom, and to what a particular policy applies
- Roles and responsibilities: assigns roles and responsibilities for the issue
- Compliance: gives descriptions of the infractions and states the corresponding penalties
- Points of contact and supplementary information: lists the names of the appropriate individuals to contact for further information and lists any applicable standards or guidelines

Acceptable Use Policy
- Defines allowable uses of an organization's information resources
- Must be specific enough to guide user activity but flexible enough to cover unanticipated situations
- Should answer key questions:
  - What activities are acceptable?
  - What activities are not acceptable?
  - Where can users get more information as needed?
  - What to do if violations are suspected or have occurred?


Backup Policy
- Data backups protect against corruption and loss of data, supporting the integrity and availability goals of security
- A backup policy should answer key questions:
  - What data should be backed up and how?
  - Where should backups be stored?
  - Who should have access?
  - How long should backups be retained?
  - How often can backup media be reused?


Confidentiality Policy
- Outlines procedures used to safeguard sensitive information
- Should cover all means of information dissemination, including telephone, print, verbal, and computer
- Questions include:
  - How is confidential information released?
  - What data is confidential and how should it be handled?
  - What happens if information is released in violation of the policy?
- Employees may be asked to sign nondisclosure agreements


Data Retention Policy
- Defines categories of data; different categories may have different protections under the policy
- For each category, defines a minimum retention time; the time may be mandated by law, regulation, or business needs, e.g., financial information related to taxes must be retained for 7 years
- For each category, defines a maximum retention time; this time may also be mandated by law, regulation, or business needs, and is common in personal privacy areas
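A retention policy with both a minimum and a maximum per category gives every stored record one of three states: it must be kept, it must be disposed of, or it is in the discretionary window between the two. The following is an added example, not from the slides, that evaluates records against such a policy. The 7-year figure for tax-related financial information is the slide's own example; the other categories, periods and sample records are assumptions made for the demo.

```python
from datetime import date

# Constructed example, not from the slides: evaluating stored records against
# a data retention policy that gives each category a minimum and a maximum
# retention time. The 7-year figure for tax-related financial information is
# the slide's own example; the other categories, periods and the sample
# records are assumptions made for this demo.

# category -> (minimum_days, maximum_days); None means no maximum.
RETENTION_POLICY = {
    "tax_financial": (7 * 365, None),   # must be kept at least 7 years
    "customer_pii": (0, 2 * 365),       # may go any time, must go after 2 years
    "access_logs": (90, 365),           # keep 90 days, dispose within a year
}


def _as_date(value):
    """Accept either a date or an ISO 8601 string such as '2024-01-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def validate_policy(policy):
    """Reject a policy whose maximum is shorter than its minimum: no record
    in such a category could ever be compliant."""
    for category, (min_days, max_days) in policy.items():
        if max_days is not None and max_days < min_days:
            raise ValueError(f"{category}: maximum {max_days} < minimum {min_days}")


def retention_decision(category, created, today, policy=RETENTION_POLICY):
    """KEEP: inside the mandatory minimum, deletion is not permitted.
    DELETE: past the maximum, the record must be disposed of.
    REVIEW: between the two, retention is a business decision."""
    if category not in policy:
        # Fail-safe: an uncategorised record is never silently deleted.
        raise ValueError(f"no retention rule for category {category!r}")
    min_days, max_days = policy[category]
    age_days = (_as_date(today) - _as_date(created)).days
    if max_days is not None and age_days > max_days:
        return "DELETE"
    if age_days < min_days:
        return "KEEP"
    return "REVIEW"


def triage(records, today, policy=RETENTION_POLICY):
    """Group record ids by decision; each record is (record_id, category, created)."""
    validate_policy(policy)
    groups = {"KEEP": [], "REVIEW": [], "DELETE": []}
    for record_id, category, created in records:
        groups[retention_decision(category, created, today, policy)].append(record_id)
    return groups


# Constructed sample records: (record_id, category, creation date).
SAMPLE_RECORDS = [
    ("tax-2020", "tax_financial", "2020-01-01"),
    ("tax-2010", "tax_financial", "2010-01-01"),
    ("cust-17", "customer_pii", "2021-06-01"),
    ("log-dec", "access_logs", "2023-12-01"),
    ("log-jun", "access_logs", "2023-06-01"),
    ("log-old", "access_logs", "2022-12-01"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, "2024-01-01"))
```

The order of the two tests in retention_decision matters only when a policy is misconfigured with a maximum below its minimum, which validate_policy refuses up front; an unknown category raises rather than falling into any bucket, so a mislabelled record cannot be deleted by accident.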


Wireless Device Policy
- Includes mobile phones, PDAs, palm computers
- Users often bring personal devices to the workplace
- The policy should define:
  - Types of equipment that can be purchased by the organization
  - Types of personal equipment that may be brought into the facility
  - Permissible activities
  - Approval authorities for exceptions


System-Specific Policies
- State the security objectives of a specific system
- Define how the system should be operated to achieve those objectives
- Specify how the protections and features of the technology are used to support or enforce the security objectives
- Example: ACL
  - Who is allowed to read or modify data in the system?
  - Under what conditions can data be read or modified?
  - Are users allowed to dial into the computer system from home or while on travel?


Exercise
