
Information Security: The Big Picture – Part I


DOCUMENT INFORMATION

Basic information

Title: Information Security: The Big Picture – Part I
Author: Stephen Fried
Institution: SANS Institute
Subject: Information Security
Type: Course
Year published: 2000
Pages: 27
Size: 507.04 KB




Information Security: The Big Picture - SANS GIAC © 2000 1

Information Security:

The Big Picture – Part I

Stephen Fried

Hello, and welcome to Information Security: The Big Picture. My name is Stephen Fried, and over the course of the next six hours I will be guiding you on a tour of the world of information security.

This course provides an introduction to the area of computer and network security. As more and more people and companies connect to the Internet, the incidence of hacker attacks, break-ins, and vandalism continues to increase. With this comes an increasing need for trained professionals to understand and combat this growing threat. This course will teach you the basics you need to begin securing your systems against threats from both inside and outside your organization.

The course takes a high-level approach, touching on many different topics in an overview style. The information here is presented in plain English, not technical jargon, so students from all backgrounds can understand the material and begin to apply the concepts immediately. Technical concepts (e.g. communications technology, networking, protocols) are explained thoroughly in an easy-to-understand manner, allowing even non-technical students to understand these areas. We rely heavily on real-world examples and common-sense descriptions, enabling students to take their own “real world” experiences and apply them to the information security arena.

So, without further ado, let’s get started.


Preface

• Course is designed to give a broad introduction to information security
• Use of real-world analogies to explain security concepts
• Will not go into too much technical depth
• Some technical descriptions may be oversimplified
• Use of sample data – not “real”

As stated before, this course is designed to give the student an introduction to the broad spectrum of topics that are covered under the umbrella of Information Security. To completely and thoroughly discuss all the possible topics that could be housed under that term would really take several weeks of in-depth study. Unfortunately, we only have six hours, so we are going to take a more practical approach. We will touch on a variety of areas, giving explanations of each and diving into a few in more detail, but we will refrain from diving too deep into any one topic.

As much as possible, I will try to use real-world examples to illustrate different terms and concepts. I have found, over the years, that many issues in information security are really the same ones that arise in our everyday lives. By applying those experiences to this new area, I hope to better explain the terms, concepts, and topics we will be discussing.

This course does not go into a great deal of technical detail. It is designed for people who do not necessarily have a technical background but need to know more about security. We won’t be discussing much about bit patterns or dissecting the mathematical algorithms used in cryptography, and we’ll stay pretty clear of discussion or dissection of hardware and software. That is not to say that the course does not have technical content; it’s just that I’ve tried to limit it as much as possible.

Which brings me to my next point. Some of the topics we cover are, in actuality, highly technical, and to completely understand them does take a certain amount of technical explanation. So, in order to allow non-geek regular folks to understand and enjoy the topics, I have had to simplify some of the more esoteric technical details and descriptions. My apologies in advance if my simplification goes a little far. Please know that it was all for the sake of reaching as wide an audience as possible.

Finally, I use many examples of sample data in this course – Social Security numbers, network addresses, people and company names, etc. I have tried my best to make as much of this up as possible. Any resemblance between the example data and any persons, companies, or groups, living or dead, is purely coincidental.


• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion

Our first topic is a General Security Introduction.

In this section we introduce you to some basic terms, concepts, and definitions you will need to begin understanding information security.


What Is “Security”?

• “Freedom from risk or danger”*
• The application of safeguards to prevent loss
• A subjective measurement of preparedness for risk
• A feeling of safety

*The American Heritage Dictionary of the English Language

I suppose the best way to start talking about information security is to examine the term “security” itself. What is “security?” I looked it up in my handy dictionary and found that the definition of security is “freedom from risk or danger.” So, by extension, this would mean that information security would be the science of keeping information free from risk or danger. Well, that sounds good, and is certainly a worthy goal, but as we shall see over the span of this course, it is not a very realistic one. Why? Because in today’s world, particularly in today’s on-line world, you can never be completely free from risk or danger. There is just too much danger going around. So there will always be some risk. But that means we can never be secure…

I guess I am talking in circles here, somewhat intentionally. Let’s start at the beginning. You can never be completely free from risk. When we get to the section on risk and risk analysis we will see how this is true. But for now, suffice it to say that you can never completely prepare for all the bad things that will happen. So you have to pick and choose the dangers you want to protect against. You put your energy into preparing for those that you think are the most threatening and spend less time on those that you think are more remote. So here we see that security becomes subjective. If you have prepared against your own personal top ten threats, you feel secure. But your top threats might be different from someone else’s top threats. Given your list of preparations, someone else might not feel as secure.

There are no absolutes in security, no quick measurement to say definitively whether you are secure or not. So you can never be sure that you have covered all the bases. But if you do your homework, define your goals and threats, make the proper preparations and install the proper safeguards, you will be more secure than if you had done nothing. And, in the end, maybe that’s what security is really all about – a feeling of safety, the notion that you feel better about your efforts to protect yourself and your assets.

Perhaps we’ve started off a bit philosophically. Don’t worry, we’ll get back into the meat of things quickly, but I wanted to start you out with a feel for what security people face every day. Security is part art, part science, part technical, part philosophy, and all very interesting.


The Consequences of Inadequate Security

• Loss of company assets

• Loss of revenue/market share

• Loss of intellectual property

• Loss of privacy

• Damage to reputation

We will spend the rest of the course talking about the importance of security, risk and threats, and the steps you can take to improve the security of your organization. However, I believe the best way to start out the course is a brief discussion about the consequences of bad security. What would happen if you didn’t pay attention to security at all? Perhaps answering this question will get you in a frame of mind to think seriously about your security efforts.

There are many consequences of bad security, and the list probably varies from organization to organization, but this slide shows the five major consequences. The first is loss of company assets. This is the most obvious, as it deals with real, definable losses – damage to computers, loss of data, service disruptions on your network, etc. When most people think of security consequences they think of these types of issues. However, there are other consequences that can be just as damaging, but do not immediately come to mind.

One of these is loss of revenue or market share. When an attacker comes in and defaces your web site, there will be time and expenses associated with repairing the damage. Those are the direct losses. However, the organization may also lose money because customers can’t get to the web site to order the company’s products or services. The longer the site takes to rebuild, the more potential revenue will be lost. Another indirect loss is market share. Depending on the type of business, a short-term loss is usually recoverable from a customer service perspective. Customers on the web today are used to short-term outages – annoyed, but used to it. However, if the outage lasts past a certain comfort level, customers will begin looking elsewhere for competing products. If the outage is long enough, a serious loss of market share may be the result.

An organization that does not pay proper attention to security can be risking its intellectual property. This represents the knowledge, experience, and research that the organization has developed, and can sometimes be so valuable to the organization that dollar figures cannot even be placed on it. These are the types of assets that are most worthy of protection, since their loss might mean irreparable harm to the organization’s product development or financial outlook.

A serious breach in security might mean the loss of privacy for your business or your customers. Privacy, particularly privacy of customer information, has become quite a hot topic over the past several years. We’ll discuss privacy issues in depth later in the course, but consumers and employees are coming to expect that their personal and financial information will be secured against unauthorized disclosure or theft. If an organization does not protect this information heavily and allows it to get into the hands of attackers, the loss to personal privacy may be irreparable.

Finally, a great deal of e-commerce today is based on trust – trust in the vendor, trust in the vendor’s ability to perform as advertised, trust that information about yourself and your business will be kept confidential. A successful attack on your network or web site can cause that trust to be lost. Your organization’s reputation is based partly on the fact that it is perceived to be well run, treats business partners with respect, and takes the due care necessary to protect itself and its customers. As any businessperson knows, reputation can be as important as the balance sheet to a well-run business. Protecting your systems and


Basic Security Management

Confidentiality

Information Security is generally said to rest on three fundamental pillars: Confidentiality, Integrity, and Availability. These three functions are commonly referred to as the C-I-A Triad.

Confidentiality refers to the areas affecting the need to keep information private or secret and to prevent disclosure of information to those who do not need to see it. Confidentiality can be achieved through the use of encryption, by selective use of access controls, or by keeping sensitive information apart from publicly available information.

Integrity is the notion that information should be complete and unaltered as it is used and that any changes are made only by authorized people and properly recorded. Altering account balances in a financial system or modifying log records to hide a computer attack are examples of integrity attacks.

Availability refers to the need to have information available for use when it is needed and in a form that is usable. Crashing a computer system or large-scale virus attacks are examples of availability attacks.

These three elements – Confidentiality, Integrity, and Availability – are often interrelated. For instance, you can use encryption to handle both confidentiality and integrity issues. Alteration of a system’s information, generally considered an integrity issue, can also have availability consequences. Or, you may determine that for a particular environment or application, you need to pay less attention to one area or another. A web server that holds catalog or brochure information for a company may require high availability, but lower confidentiality, since the information is public anyway. Systems that handle bank wire transfers are usually concerned more with integrity than confidentiality or availability.

However, in any review of overall security you will need to take all three of these issues into account.
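As an added illustration (not part of the original course material), the following Python program shows one way the integrity pillar is put into practice for the “modifying log records to hide a computer attack” case above: each audit-log record is tagged with a keyed HMAC that also covers the previous record’s tag, so silently editing, deleting or reordering a record is detected when the chain is verified. The log lines, the key and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample audit-log lines (not from any real system).
SAMPLE_LOG = [
    "2000-06-01T09:00:00 login user=alice src=10.0.0.5 result=ok",
    "2000-06-01T09:05:12 transfer from=ACCT-1 to=ACCT-2 amount=250.00",
    "2000-06-01T09:06:40 login user=bob src=10.0.0.9 result=fail",
    "2000-06-01T09:07:01 login user=bob src=10.0.0.9 result=ok",
]

GENESIS = b"\x00" * 32  # fixed "previous tag" for the very first record


def build_chain(key: bytes, records) -> list:
    """Return (record, tag) pairs. Each tag is HMAC-SHA256 over the previous
    tag plus the record text, so every tag depends on the whole history before
    it: editing, deleting or reordering an entry breaks all later tags too."""
    prev = GENESIS
    chain = []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).hexdigest()
        chain.append((rec, tag))
        prev = bytes.fromhex(tag)
    return chain


def verify_chain(key: bytes, chain):
    """Return the index of the first entry whose tag does not verify,
    or None if the whole chain is intact."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(chain):
        expected = hmac.new(key, prev + rec.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: never leak which bytes of the tag matched.
        if not hmac.compare_digest(expected, tag):
            return i
        prev = bytes.fromhex(tag)
    return None


def demo():
    """Tamper with the chain in two ways and report where each is caught."""
    key = secrets.token_bytes(32)  # in practice kept off the logging host
    chain = build_chain(key, SAMPLE_LOG)
    assert verify_chain(key, chain) is None  # untouched log verifies

    # 1. The failed login is rewritten to look like a success (record 2).
    edited = list(chain)
    rec, tag = edited[2]
    edited[2] = (rec.replace("result=fail", "result=ok"), tag)

    # 2. The transfer record (index 1) is deleted outright.
    deleted = chain[:1] + chain[2:]

    return verify_chain(key, edited), verify_chain(key, deleted)


if __name__ == "__main__":
    print(demo())  # (2, 1): edit caught at index 2, deletion caught at index 1
```

The key is what gives this scheme its value: an attacker who can rewrite the log file but does not hold the key cannot recompute valid tags, which is why the key belongs with the verifier (a log collector or auditor), not on the host being protected. The chain only detects tampering; it does not prevent it, and it cannot tell you about records that were never written, so it complements rather than replaces access controls on the log itself.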


How Secure is Secure Enough? (1)

• Three fundamental questions
  – What are you protecting?
  – What is it worth to you?
  – What is it worth to someone else?

Information security practitioners often wrestle with the problem of determining how much security is considered “enough” for a particular application. Unfortunately, there is no single correct answer to this question. The best place to start is by answering what I call the three fundamental questions about information security.

First, what are you trying to protect? You need to define clearly what the thing is that is worth time and effort and energy to keep safe from harm. Is it a web site? A business plan? A patented formula? An accounting system? You need to define as specifically as possible the object that needs protection, and without knowing this, you can go no further. Many security efforts go awry because they fail to answer this one basic question.

Second, you need to determine what the object is worth to you. What is the intrinsic value this thing has that makes it worth protecting? It may be a monetary value, for instance the amount of revenue an e-commerce site brings into your company. Or it may be more of a symbolic or subjective value, for instance the amount your company’s reputation will suffer if its network gets hacked. In any case, you need to have a good idea of the value of the object, since that will lead you to determine how much effort you will put into protecting it. If the object is the cafeteria’s lunch menu for the week, you probably won’t put a lot of effort or money into protecting it. If, however, the object is the secret formula to your best-selling perfume, that is probably worth a lot more money to your company and worth putting extra resources into protecting.

Finally, how valuable might the thing be to someone else? If it is valuable to you, you can bet that there are others that will be willing to put effort into getting it as well. How much money could your top competitor make if they got hold of that secret formula? If word leaked out that your system for holding customer credit card numbers got attacked, would your customers move to your business rival? The value of your information to others may factor into how much you put into security.

You need to address these three questions early on in your security planning. Until you have answered them to your satisfaction, do not go any further, because you will be putting money and resources into an ill-defined goal.


How Secure is Secure Enough? (2)

• Dealing with motivations
• Raising the effort bar
• Making yourself less “attractive”
• Security “lifetime”

There are other factors to consider as well when determining how much security is “enough.”

Conventional wisdom has it that you need to make security hard enough to break that eventually an attacker will give up and go somewhere else. This is because it may become too expensive for an attacker to continue, or they may fear that additional time spent risks getting caught, or they may just get bored and go elsewhere. Much of this goes to the motivation of the attacker. Why are they trying to attack you? What do you have that they want? Unfortunately, the answer may not be so obvious. Sure, you may have something immediately identifiable like a product or money that they want. But you may be getting attacked because of who you are (like a government or a big, mean, oppressive multinational corporation). You may be getting attacked because of association with something you represent, like a particular industry (e.g. fur trading or a tobacco company). Or you may be attacked because your name popped into the head of the attacker as someone that might be “cool” to break into. The problem is that you may never know why you are getting hit. Without knowing the motivation, how do you determine how much security to apply?

One of the best strategies is to raise the effort bar, so to speak. You need to apply enough security so that the level of effort required is greater than you think most attackers will be able to apply. You do this by applying the Defense in Depth strategy we will discuss shortly. Each layer of defense will hopefully serve to deter the attacker from going further in his attack, so that eventually he will give up without getting to the “prize.” In this way, only the most determined, well funded, and experienced criminals will be able to get through all your defenses. You may never be able to completely secure your systems against all attacks, as that might be too expensive or resource intensive. But you can raise the effort level high enough for your own comfort.

You can also make an effort to make yourself less “attractive” to a potential attacker. I know people in my neighborhood that put up “Beware of Dog” signs even if they don’t have a dog, or put burglar alarm company stickers in their windows even though they don’t have an alarm, or light up their house like a Christmas tree at night, all in an effort to deter burglars from trying to break into their house. You can apply the same concept with your systems and networks. Let people (both inside and outside your company) know you use a strong firewall system, or that you monitor and check all transactions that go through your web site, or that you actively prosecute attackers. These are the system equivalents of dog signs and flood lights. This may be enough to deter some would-be attackers from even attempting to break into your systems. Be careful, though. If you brag too much about your defenses you may actually encourage someone who wants to prove they are better than you.

Finally, you want to make your security efforts commensurate with the useful lifetime of your information. For example, if you are trying to protect the revenue projections for your next quarter, you only really need to protect them until they are made public. Devising a system that will protect the secret for the next 50 years will not only be expensive, it may be overkill.


Who Are The Threats?

• Hackers?

• Vandals?

• Espionage?

• Insiders

When looking at the possible sources that threaten your organization’s systems, you have to look at several types. The first group is the “hacker.” I use hacker in quotes because the real definition of hacker has changed so much over the years. By hacker I mean a person that uses computers and networks to inflict damage (either real or threatened) upon your environment. (Editor’s note: some people use the term ‘hacker’ simply to refer to someone who is interested in computers and in finding out how they work. This is in contrast with the word ‘cracker’, which refers to someone with malicious intent. – JEK) Hackers have certainly gotten a large amount of press in recent years, and for good reason. But they are not necessarily your only threat, nor are they the biggest.

Vandals are a sub-class of hackers. Whereas hackers may or may not be out to steal or disrupt your information, more often than not they will attempt to cover their tracks, at least initially. And, if they are really good, you may never know they have been in your systems. Vandals, on the other hand, are out to do visible damage to your systems. They will deface your web pages, erase your files, anything they can do to disrupt or damage your systems. You will know instantly when a vandal has been in your computer.

Hackers and vandals present a real threat to your systems, but for the most part, they may not be out to get you directly. You are just a symbol or an object to them. However, practitioners of espionage are out to target you specifically. They will try to get your intellectual property, try to disrupt your operations or communications, and wreak havoc on your environment. They will be backed by your competitors or by a foreign government, and in some respects represent the most dangerous of all outside threats. They are generally well financed, well trained, and have a valuable goal in mind.

Finally, one of the largest threats to any environment is insiders. Studies have repeatedly shown that insiders represent the largest cause of security incidents year after year. The reasons are obvious. These people are already in a position of trust, they know their way around the systems, and they know what security controls are in place and usually how they can be defeated. Whether it is through bribery, disgruntled employees, outsourced personnel, or someone with personal financial hardship, you need to be as mindful of the security impact of your insiders as you are of outsiders.


Who Do You “Trust?”

• System will operate in ways that can be predicted

Central to all discussions about information security is the concept of trust. In the real world, trust is an intangible concept that can be difficult to define but is readily understood. You trust someone based on your experiences with them, their reputation, your preferences, your ability to reach agreements with them, etc. These are all intangible properties, and there is no real way to measure trust.

Computer and network security also uses the concept of trust, and in many of the same ways. However, unlike real life, trust in the security sense has a precise definition and a set of measurable criteria. In order to have trust in a system, it must operate in ways that can be predicted, according to specifications, allowing only authorized activities, and it can contain no undocumented information paths or features. Let’s look at each one of those criteria individually.

The system will operate in ways that can be predicted. If you give input to a computer, given the same runtime environment, it should give you the exact same output every time. There should be no variation in the way the system operates. For example, if you install a building card access system, you need to know that every time a person holds their card up to the reader, the system will give an accurate response. If there is any variability in the system, if it sometimes allows unauthorized people in or prevents entry to authorized people, the system is of no use.

The system must run according to specifications. This means that the system must have a formal specification of its operation and cannot deviate from that specification. Like operating in predictable ways, operating according to specifications eliminates any random elements in the system’s operation.

The system should only allow authorized activities. This means that every action taken by and within the system must be authorized by the system, and any users must be authorized both for access to the system itself and for any activities they may perform while on the system.

There must be no undocumented features in the system. One of the more common causes of security problems is the discovery of undocumented or hidden features. Once these features are discovered, they can be used to manipulate the system in unpredictable ways, thus violating the trust of the system.

We should also make a distinction here between “trust” and “security.” As we have seen, trust refers to the dependability of a system to perform as expected within certain parameters. Security, on the other hand, is the sum total of issues relating to the confidentiality, integrity, and availability of systems and information. Trust is an important part of security, but it is only one part.


Security Strategies

• Separation/Rotation of duties

• Security Perimeter

• Defense in Depth

There are as many different security configurations, practices, and approaches as there are security practitioners. One of the great things about security is that there can be many different ways to accomplish a task that will give you many different levels of security, depending on your goals and values. However, there are some basic tenets of security that you should be aware of and apply as often as possible.

The first is separation and rotation of duties. Separation of duties refers to the practice of not relying on a single person or process to accomplish a task that has high security impact. For example, safe deposit boxes at a bank require two keys. The manager of the bank holds one and the customer holds the other. Another example is that two separate controls must be operated simultaneously by separate people to launch a nuclear missile. A third example is when each person knows a small piece of information needed to complete a task, but all the pieces must be brought together in order for the task to be completed. This requires that more than one person plot together to commit a crime. Rotation of duties helps detect a crime. Rotation of duties involves having people rotate jobs occasionally. Doing this allows the new person at a task to discover frauds being committed by the previous person.
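The “each person knows a small piece of information” form of separation of duties can be implemented directly, and the Python below is an added example of it (not code from the course): a secret is split into n shares by XOR with random masks, so that reassembly needs every share and any smaller group of holders learns nothing about the secret. The secret value, the number of holders and the function names are constructed for this example.

```python
import secrets


def split_secret(secret: bytes, holders: int) -> list:
    """Split `secret` into `holders` equal-length shares.

    The first holders-1 shares are uniformly random masks; the last share is
    the secret XORed with all of them. XORing ALL shares together gives the
    secret back. Any strict subset of the shares is a set of independent
    uniform random strings, so it carries no information about the secret."""
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    masks = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    last = secret
    for m in masks:
        last = bytes(a ^ b for a, b in zip(last, m))
    return masks + [last]


def combine_shares(shares) -> bytes:
    """Reassemble the secret from the complete set of shares.

    Returns the XOR of whatever shares are supplied; with a share missing the
    result is simply a random string, not an error, which is exactly why the
    caller must check the result against an expected value or a checksum."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


# Constructed example: an approval key for high-value transfers, held by
# three officers who must all be present to use it.
APPROVAL_KEY = b"example-approval-key-0123456789"  # constructed, not a real key


def demo() -> dict:
    shares = split_secret(APPROVAL_KEY, 3)
    return {
        # All three officers together recover the key.
        "all_three": combine_shares(shares) == APPROVAL_KEY,
        # Two officers colluding get only a random string.
        "two_only": combine_shares(shares[:2]) == APPROVAL_KEY,
    }


if __name__ == "__main__":
    print(demo())  # {'all_three': True, 'two_only': False}
```

This is an n-of-n scheme: losing any one share makes the secret unrecoverable, which is the price of the guarantee that no smaller group can act alone. Where you need “any k of n officers” rather than all of them, a threshold scheme such as Shamir’s secret sharing is the usual choice; the XOR construction is shown here because it is the simplest one whose security argument you can check by eye.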

The security perimeter is a boundary around your network, service, or process that represents the distinction between the “safe” or “trusted” inside and the big, bad outside. Sometimes a security perimeter can be physical, like a large gate or a network firewall, or it can be imaginary, like security levels in an operating system. In either case, the perimeter is an important concept to know and understand.

Finally there is the concept of defense in depth. Defense in depth takes the concept of a security perimeter one step further by introducing the use of multiple perimeters, one inside the other, for a greater level of safety. At each level there is another protection mechanism. At the network level this might be a firewall. When an intruder somehow gets past the firewall and starts to attack a host on the network, he will come up against any host security that is in place. If he breaks through that defense he will need to get past any application-level security that is in place, and so on. Defense in Depth provides more security by making it harder for an attacker to get at anything valuable. The harder it is, the more likely they will go elsewhere.


Defense In Depth

[Slide diagram: concentric rings labelled, from the outside in, Network, Host, Application, and Info]

This diagram shows a pictorial representation of the Defense In Depth concept. At the center of the diagram is your information. However, the center can be anything you value, or the answer to the question “What are you trying to protect?” Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Using a Defense in Depth strategy does not make it impossible to get to your core resources – the resource at the center of the diagram. For example, your defense layers might be trivial or easy to compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest protections feasibly possible at each layer, presents a formidable defense against would-be attackers.


Computer Crime is Not That Hard to Do!

• Openly displayed information
• Easily available tools
• Dumpster Diving
• Shoulder Surfing

Most people outside of the computer security industry believe that to commit computer crime requires highly technical skills and extensive knowledge of computers. However, the plain fact is that most of the activities involved in computer crime are not that complicated at all. In fact, that is part of the reason that the incidence of computer crime continuously rises each year. Let’s look in more detail at why computer crime is not that hard to do.

One of the biggest problems is that there is a great deal of so-called “sensitive” information that is left openly displayed for all to see. How many people do you know who have their computer passwords written on yellow sticky-notes attached to their monitors? If you walk past any open printer or fax machine in your office, I bet you can find lots of sensitive company information lying around because somebody forgot to pick it up. And if you walk through any office building after hours you will see literally piles of sensitive information left lying out on people’s desks. Information that is sensitive or confidential should not be displayed openly for anyone to see and should not be left out available to anyone who happens to walk by.

The tools and techniques needed to commit computer crime are getting increasingly easier to use and are becoming commonly available on the Internet. In today’s computer criminal world, only the first person to commit a new type of attack needs to be the smart one. He then distributes the tools used in the attack around the Internet, where they are picked up by young hacker wanna-bes. The wanna-bes use the tools to commit the crime without really knowing how they work, because they don’t have to. Rather than the criminal rising to the skill set needed for the crime, the skill set for the crime has now lowered itself to the criminal.

Dumpster diving is a common “sport” among computer criminals. Dumpster diving refers to the practice of rummaging around the trash of a company to see what valuable information can be obtained. You’d be surprised at the sensitive documents that people will just throw into the trash. System printouts, password lists, phone lists, drafts of financial reports, you name it. All sitting there in the bin waiting to be taken away. This information can be extremely valuable to competitors. If you have sensitive or proprietary information, make sure it is shredded or otherwise destroyed before being put into the trash.

Shoulder surfing is another common sport used to get important information. Shoulder surfing is the name given to the act of looking over somebody’s shoulder as they handle information. Shoulder surfing is most common in the phone credit card industry, where card number thieves wait near public pay phones for someone to enter a credit card number into the phone. When they do, the thieves write it down and sell the number for lots of money. Shoulder surfing can also apply to other areas as well. You can watch someone as they type their user ID and password into a computer. If you fly on airplanes regularly, you may see some people working on their laptop computers. Unfortunately, if you do this, the person in the seat next to you or behind you will be able to see everything you are working on, including sensitive company information. As I am writing this, I am on an airplane and the man in the seat next to me is constantly looking over reading what I am writing. The rules of polite society do not apply when a thief wants to get at your information.

Posted: 18/10/2013, 18:15
