
Designing Information Security


Presentation Transcript


  1. Designing Information Security: Security Planning. Susan Lincke

  2. Objectives. Student should know:
  • Define information security principles: need-to-know, least privilege, segregation of duties, privacy
  • Define information security management positions: data owner, data custodians, security administrator
  • Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
  • Define authentication combinations: single factor, two factor, three factor, multifactor
  • Define biometric terms: FRR, FAR, FER, EER
  • Define elements of BLP: read down, write up, tranquility principle, declassification
  • Define military security policy: level of trust, confidentiality principle
  • Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
  • Develop an information security classification scheme that addresses confidentiality and availability

  3. Information Security Goals
  • CIA Triad: Confidentiality, Integrity, Availability
  • Conformity to Law & Privacy Requirements

  4. Information Security Principles
  • Need-to-know: Persons should have the ability to access data sufficient to perform their primary job and no more
  • Least Privilege: Persons should have the ability to do tasks sufficient to perform their primary job and no more
  • Segregation of Duties: Ensure that no person can assume two of the roles: Origination, Authorization, Distribution, Verification
  • Privacy: Personal/private info is retained only when a true business need exists. Privacy is a liability: retain records for a short time
  The personnel office should change permissions as jobs change

  5. Review: State Breach Law Protects… Restricted data generally includes:
  • Social Security Number
  • Driver’s license # or state ID #
  • Financial account number (credit/debit) and access code/password
  • DNA profile (Statute 939.74)
  • Biometric data
  Some states & HIPAA protect: Health status, treatment, or payment

  6. (Organization chart of security positions; some positions may be merged)
  • President
  • Chief Privacy Officer: Protect customer & employee rights
  • Business Executive
  • Chief Info. Sec. Officer: Creates and maintains a sec. program
  • Chief Sec. Officer: Physical Security
  • Chief Info. Officer: Manages Info. Technology
  • Data Owner: Responsible for security of data
  • Process Owner: Responsible for security of process
  • Security Admin: Administrates computer & network security
  • IS Auditor: Independent assurance of sec. objectives & controls
  • Security Architect: Design/impl. policies & procedures
  • Data Custodian: Maintains and protects data: Backup/restore/monitor/test

  7. Information Owner or Data Owner
  • Is responsible for the data within the business (mgr/director, not IS staff)
  • Determines who can have access to data and may grant permissions directly, OR gives written permission for access directly to the security administrator, to prevent mishandling or alteration
  • Periodically reviews authorization to restrict authorization creep

  8. Other Positions
  Data Custodian
  • IS (security or IT) employee who safeguards the data
  • Performs backup/restore
  • Verifies integrity of data
  • Documents activities
  • May be System Administrator
  Security Administrator
  • Allocates access to employees based on written documentation
  • Monitors access to terminals and applications
  • Monitors invalid login attempts
  • Prepares security reports

  9. Criticality Classification
  • Critical ($$$$): Cannot be performed manually. Tolerance to interruption is very low
  • Vital ($$): Can be performed manually for a very short time
  • Sensitive ($): Can be performed manually for a period of time, but may cost more in staff
  • Nonsensitive (¢): Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

  10. Sensitivity Classification (Example)
  • Proprietary: Strategic Plan
  • Confidential: Salary & Health Info
  • Private: Product Plans
  • Internal
  • Public: Product Users Manual near Release

  11. Sensitivity Classification Workbook

  12. Data Classification
  • How do we mark classified information?
  • How do we determine which data should be classified to which class?
  • How do we store, transport, handle, archive classified information?
  • How do we dispose of classified data?
  • What does the law say about handling this information?
  • Who has authority to determine who gets access, and what approvals are needed for access?

  13. Handling of Sensitive Data

  14. Storage & Destruction of Confidential Information
  Repair
  • Remove memory before sending out for repair
  Disposing of Media
  • Meet record-retention schedules
  • Reformat disk
  • Use “Secure wipe” tool
  • If highly secure: Degauss (= demagnetize) or physical destruction
  Storage
  • Encrypt sensitive data
  • Avoid touching media surface
  • Keep out of direct sunlight
  • Keep free of dust & liquids; a firm container is best
  • Avoid magnetic, radio, or vibrating fields
  • Use anti-static bags for disks
  • Avoid spikes in temperature for disks; bring to room temperature before use
  • Write protect floppies/magnetic media
  • Store tapes vertically

  15. Permission Types
  • Read, inquiry, copy
  • Create, write, update, append, delete
  • Execute, check
  Access Matrix Model (HRU)

  16. Information Asset Inventory Workbook

  17. Question: The person responsible for deciding who should have access to a data file is:
  • Data custodian
  • Data owner
  • Security administrator
  • Security manager

  18. Question: Least Privilege dictates that:
  • Persons should have the ability to do tasks sufficient to perform their primary job and no more
  • Access rights and permissions shall be commensurate with a person’s position in the corporation: i.e., lower layers have fewer rights
  • Computer users should never have administrator passwords
  • Persons should have access permissions only for their security level: Confidential, Private or Sensitive

  19. Question: A concern with personal or private information is that:
  • Data is not kept longer than absolutely necessary
  • Data encryption makes the retention of personal information safe
  • Private information on disk should never be taken off-site
  • Personal data is always labeled and handled as critical or vital to the organization

  20. Question: The person responsible for restricting and monitoring permissions is the:
  • Data custodian
  • Data owner
  • Security administrator
  • Security manager

  21. Authentication & Access Control
  • Path Access
  • Authentication: Login/Password, Biometrics
  • Remote Access

  22. Security: Defense in Depth
  • Border Router
  • Perimeter firewall
  • Internal firewall
  • Intrusion Detection System
  • Policies & Procedures & Audits
  • Authentication
  • Access Controls

  23. Four Layers of Logical Security (diagram: System 1, System 2, Database, App1, App2)
  • Two layers of general access: to Networks and Systems
  • Two layers of granularity of control: to Applications and Databases

  24. Password Rules
  • One-way encrypted using a strong algorithm
  • Never displayed (except as ***)
  • Never written down and retained near the terminal or in a desk
  • Passwords should be changed every 30 days, by notifying the user in advance
  • A history of passwords should prevent the user from using the same password within 1 year
  • Passwords should be >= 8 (better 12) characters, including 3 of: alpha, numeric, upper/lower case, and special characters
  • Passwords should not be identifiable with the user, e.g., family member or pet name

  25. Authentication Combinations
  • Single Factor: Something you know, e.g., Login & Password
  • Multifactor Authentication: Using two or more authentication methods
  • Two Factor: Add one of: Something you have (Card or ID); Something you are or do (Biometric)
  • Three Factor: Uses all three: e.g., badge, thumb, pass code

  26. Biometrics: Who you are or what you do
  • Susceptible to error:
  • False Rejection Rate (FRR): Rate of users rejected in error
  • False Acceptance Rate (FAR): Rate of users accepted in error
  • Failure to Enroll Rate (FER): Rate of users who failed to successfully register
  • Equal Error Rate (EER): the point where FRR = FAR (diagram: FAR/FRR trade-off curve; the EER is where the two rates are equal)
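The FAR, FRR, FER and EER definitions on slide 26 are easiest to see with numbers. The following is an added example, not part of the original presentation: a threshold-based matcher is scored against constructed genuine and impostor trials, the two error rates are swept over every threshold, and the EER is read off where they meet. It also shows the other operating point a practitioner usually wants: the lowest threshold that keeps FAR under a chosen ceiling, with the FRR cost that choice carries.

```python
"""FAR, FRR, FER and the Equal Error Rate for a threshold-based biometric matcher.

Added example for slide 26; not part of the original presentation. A matcher
scores how well a presented sample resembles the enrolled template (0..100 here);
a threshold turns that score into accept/reject. Raising the threshold cuts the
False Acceptance Rate but raises the False Rejection Rate, so the two trade off
and the EER is the threshold at which they are equal. All scores are constructed.
"""

# Constructed trial scores. Genuine: enrolled users matched against their own
# fresh sample. Impostor: enrolled users matched against other people's samples.
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 90, 84, 79, 93]
IMPOSTOR_SCORES = [32, 45, 58, 21, 40, 63, 37, 50, 29, 72]

# Constructed enrolment attempts: True = template captured, False = enrolment
# failed (for example, sample quality too poor to build a template).
ENROLMENT_RESULTS = [True, True, True, False, True, True, True, True, True, True]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor trials scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine trials scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def fer(enrolment_results):
    """Failure to Enroll Rate: share of users whose registration did not succeed."""
    return sum(1 for ok in enrolment_results if not ok) / len(enrolment_results)


def error_curve(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold: the trade-off curve."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Return (threshold, FAR, FRR) where FAR and FRR are closest.

    With a finite set of trials the two rates may never be exactly equal, so the
    crossing point is taken as the lowest threshold minimising |FAR - FRR|.
    """
    curve = error_curve(genuine_scores, impostor_scores)
    return min(curve, key=lambda point: abs(point[1] - point[2]))


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Security-first operating point: the lowest threshold whose FAR stays at or
    below max_far, returned with its FRR so the cost in false rejections is visible."""
    for point in error_curve(genuine_scores, impostor_scores):
        if point[1] <= max_far:
            return point
    return None


if __name__ == "__main__":
    t, a, r = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    print(f"FER: {fer(ENROLMENT_RESULTS):.2f}")
    print("Zero-FAR point:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On these constructed scores the rates cross at threshold 68 with FAR = FRR = 0.10; pushing FAR to zero requires threshold 73 and costs an FRR of 0.10, which is the kind of trade the slide's curve represents.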

  27. Biometrics with Best Response & Lowest EER (table from the CISA Review Manual 2009)

  28. Biometric Info Mgmt & Security Policy
  • Identification & authentication procedures
  • Backup authentication
  • Safe transmission/storage of biometric data
  • Security of physical hardware
  • Validation testing
  Auditors should ensure documentation & use is professional

  29. Single Sign On
  Advantages
  • One good password replaces lots of passwords
  • IDs consistent throughout system(s)
  • Reduced admin work in setup & forgotten passwords
  • Quick access to systems
  Disadvantages
  • Single point of failure -> total compromise
  • Complex software development due to diverse OS
  • Expensive implementation
  (Diagram: password entered once at the Primary Domain (System); Secondary Domains App1, DB2, App3)

  30. Recommended Password Allocation (state diagram; columns: User, Security Admin)
  • First time login: user is allocated a random password or sent an email with a link, and must change the password
  • Subsequent logins: Account [unlocked]
  • Enter 5 invalid passwords -> Account [locked]
  • [Forgot Password] or [Invalid password attempts], [Manual]: Notify Security; verify user ID (e.g., email); inform user in a controlled manner
  • [Auto Timeout]: System automatically unlocks -> Account [unlocked]

  31. Admin & Login ID Rules
  • Restrict the number of admin accounts
  • Admin password should only be known by one user
  • Admin accounts should never be locked out, whereas others are
  • Admin password can be kept in a locked cabinet in a sealed envelope, where a top manager has the key
  • Login IDs should follow a confidential internal naming rule
  • Common accounts (Guest, Administrator, Admin) should be renamed
  • Session time out should require password re-entry
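Slides 24, 30 and 31 together describe one mechanism: a password policy, one-way storage, a one-year history, and a lockout that trips after 5 invalid attempts and clears either by Security or by timeout, with admin accounts exempt from the lock. The code below is an added example, not part of the original presentation, implementing those rules in one account object. The slides give no timeout length, so the 15-minute auto-unlock, the PBKDF2 choice and every sample password and user word are assumptions.

```python
"""Password policy, one-way storage, password history and account lockout.

Added example for slides 24, 30 and 31; not part of the original presentation.
Rules implemented as the slides state them: at least 8 characters drawn from
3 of the 4 character classes, nothing identifiable with the user, one-way
storage with a strong algorithm (salted PBKDF2-HMAC-SHA256 chosen here), no
reuse of a password within 1 year, and a lock after 5 invalid attempts that is
cleared manually by Security or by timeout. Admin accounts are never locked.
Assumed values: the 15-minute timeout, the PBKDF2 round count, sample inputs.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                       # slide 24: >= 8 characters (12 better)
MAX_INVALID_ATTEMPTS = 5             # slide 30: "Enter 5 invalid passwords" -> locked
HISTORY_SECONDS = 365 * 24 * 3600    # slide 24: same password not reusable within 1 year
AUTO_UNLOCK_SECONDS = 15 * 60        # assumption: slide 30 shows a timeout but no length
PBKDF2_ROUNDS = 200_000              # assumption: work factor for the one-way hash


def password_problems(password, user_words=()):
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.isalpha() for c in password),                                         # alpha
        any(c.isdigit() for c in password),                                         # numeric
        any(c.isupper() for c in password) and any(c.islower() for c in password),  # upper/lower case
        any(c in string.punctuation for c in password),                             # special
    )
    if sum(classes) < 3:
        problems.append("needs 3 of: alpha, numeric, upper/lower case, special characters")
    for word in user_words:          # e.g. a family member or pet name known for this user
        if word.lower() in password.lower():
            problems.append(f"identifiable with user ({word})")
    return problems


def _derive(password, salt):
    """One-way, salted and slow: this is what gets stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, is_admin=False):
        self.user_id = user_id
        self.is_admin = is_admin        # slide 31: admin accounts should never be locked out
        self.history = []               # (salt, digest, set_at) tuples, newest last
        self.invalid_attempts = 0
        self.locked_at = None

    def set_password(self, password, now, user_words=()):
        """Apply the policy and the 1-year history check; store only the derived hash."""
        problems = password_problems(password, user_words)
        for salt, digest, set_at in self.history:
            if now - set_at < HISTORY_SECONDS and hmac.compare_digest(_derive(password, salt), digest):
                problems.append("reused within 1 year")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt), now))
        return []

    def _verify(self, password):
        salt, digest, _ = self.history[-1]
        return hmac.compare_digest(_derive(password, salt), digest)

    def login(self, password, now):
        """Return 'ok', 'invalid' or 'locked', following the slide-30 state diagram."""
        if self.locked_at is not None:
            if now - self.locked_at < AUTO_UNLOCK_SECONDS:
                return "locked"
            self.unlock()                       # [Auto Timeout]: system automatically unlocks
        if self.history and self._verify(password):
            self.invalid_attempts = 0
            return "ok"
        self.invalid_attempts += 1
        if self.invalid_attempts >= MAX_INVALID_ATTEMPTS and not self.is_admin:
            self.locked_at = now                # Account [locked]
            return "locked"
        return "invalid"

    def unlock(self):
        """[Manual]: Security verifies the user's ID (e.g. email) and informs the user; or timeout."""
        self.locked_at = None
        self.invalid_attempts = 0
```

Note that while the account is locked, even the correct password is refused; that is what makes the lock useful against guessing, and it is also why the slide's manual path has Security verify the user's identity out of band before unlocking.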

  32. Access Control Techniques (example tables)
  Mandatory Access Control (user: files):
    John: A, B, C, D, E, F
    June: A, B, C
    May: D, E, F
    Al: A, B
    Don: B, C
    Pat: D, F
    Tom: E, F
    Tim: E
  Discretionary Access Control (File, User, Group, Permissions):
    A  John  Mgmt     rwx, r x
    B  June  Billing  , r
    C  May   Factory  r x, r x
    D  Al    Billing
    E  Don   Billing
  Role-Based Access Control (Login, Role, Permission):
    John  Mgr      A, B, C, D, E, F
    June  Acct.    A, B, C
    Al    Acct.    A, B, C
    May   Factory  D, E, F
    Pat   Factory  D, E, F

  33. Access Control Techniques
  • Mandatory Access Control: General (system-determined) access control
  • Discretionary Access Control: Person with permissions controls access
  • Role-Based Access Control: Access control determined by role in the organization
  • Physical Access Control: Locks, fences, biometrics, badges, keys
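The Access Matrix Model (HRU) named on slide 15 and the DAC and RBAC tables on slide 32 can be put side by side in code. What follows is an added example, not part of the original presentation: an access matrix in which only an object's owner may grant rights (the discretionary property), and an RBAC layer built from the slide-32 role table in which a job change is a single role reassignment. The users, files A..F, roles and the files each role reaches come from slide 32; which rights (r, w) a role carries, and the owner grants to June and Pat, are assumptions made for illustration.

```python
"""Access matrix (HRU) with discretionary granting, beside role-based access control.

Added example for slides 15, 32 and 33; not part of the original presentation.
Users, files and roles follow the slide-32 tables. The r/w rights per role and
the individual owner grants are assumed. DAC: whoever owns an object decides who
else gets rights to it. RBAC: permissions attach to the role, so when the
personnel office changes a job (slide 4) one reassignment updates everything.
"""
from collections import defaultdict


class AccessMatrix:
    """HRU access matrix: rows are subjects, columns are objects, cells hold rights."""

    def __init__(self):
        self.cells = defaultdict(set)   # (subject, object) -> subset of {"own", "r", "w", "x"}

    def create(self, owner, obj):
        """Creating an object gives the creator ownership and full rights on it."""
        self.cells[(owner, obj)] |= {"own", "r", "w", "x"}

    def grant(self, grantor, subject, obj, right):
        """Discretionary control: only a holder of 'own' on obj may grant rights on it.
        Returns True if the grant was applied, False if the grantor lacks ownership."""
        if "own" not in self.cells[(grantor, obj)]:
            return False
        self.cells[(subject, obj)].add(right)
        return True

    def revoke(self, grantor, subject, obj, right):
        if "own" not in self.cells[(grantor, obj)]:
            return False
        self.cells[(subject, obj)].discard(right)
        return True

    def allowed(self, subject, obj, right):
        return right in self.cells[(subject, obj)]


class RBAC:
    """Users hold one role; roles hold (object, right) permissions."""

    def __init__(self, role_permissions, user_roles):
        self.role_permissions = {role: set(perms) for role, perms in role_permissions.items()}
        self.user_roles = dict(user_roles)

    def allowed(self, user, obj, right):
        role = self.user_roles.get(user)
        return role is not None and (obj, right) in self.role_permissions[role]

    def change_role(self, user, new_role):
        """Job change: a single update; every permission of the old role goes with it."""
        if new_role not in self.role_permissions:
            raise KeyError(f"unknown role {new_role}")
        self.user_roles[user] = new_role


def build_slide_matrix():
    """Constructed DAC scenario using slide-32 owners: John owns file A, May owns file C.
    The grants to June and Pat are illustrative, not from the slide."""
    m = AccessMatrix()
    m.create("John", "A")
    m.create("May", "C")
    m.grant("John", "June", "A", "r")
    m.grant("May", "Pat", "C", "r")
    m.grant("May", "Pat", "C", "x")
    return m


# Slide-32 RBAC table. Which rights each role carries is assumed: Mgr r and w, others r.
ROLE_PERMISSIONS = {
    "Mgr": {(f, r) for f in "ABCDEF" for r in ("r", "w")},
    "Acct.": {(f, "r") for f in "ABC"},
    "Factory": {(f, "r") for f in "DEF"},
}
USER_ROLES = {"John": "Mgr", "June": "Acct.", "Al": "Acct.", "May": "Factory", "Pat": "Factory"}


def build_slide_rbac():
    return RBAC(ROLE_PERMISSIONS, USER_ROLES)
```

The contrast the slide draws is visible in the two `allowed` methods: the matrix answers from per-subject, per-object cells that owners edit one at a time, while RBAC answers from the role, so reviewing who can reach payroll files means reviewing role membership rather than every cell.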

  34. Workbook: Role-Based Access Control

  35. System Access Control
  • Establish rules for access to information resources
  • Create/maintain user profiles
  • Allocate user IDs requiring authentication (per person, not group)
  • Notify users of valid use and access before and upon login
  • Ensure accountability and auditability by logging user activities
  • Log events
  • Report access control configuration & logs

  36. Application-Level Access Control
  • Create/change file or database structure
  • Authorize actions at the: Application level, File level, Transaction level, Field level
  • Log network & data access activities to monitor access violations

  37. Which Computer Do You Trust? You plan to make a purchase on-line…
  • A library or college computer?
  • Your office computer?
  • Your children’s computer?

  38. Trusted Computing Base (TCB)
  A trusted app has:
  • Horizontal dependencies: operating system, hardware
  • Vertical dependencies: server applications, network, authentication server, …
  (Diagram: Trusted Apps 1-3 and Trusted Services 1-3 on Trusted Operating Systems, Trusted Hardware, and a Trusted network)

  39. Processing Requires Dependencies
  • Vertical Dependencies: Secret App requires Secret-level database, Secret-level OS, Secret-level hardware
  • Horizontal Dependencies: Secret App requires Secret-level servers, Secret-level communications, Secret-level authentication

  40. Trusted Computing Base (TCB)
  • TCB Subset: Verified security policy, provides reliability
  • Encapsulated security implementation provides rapid implementation
  (Diagram: Security Policy over Trusted Apps 1-3, Trusted Services 1-3, Trusted OS with encapsulated security impl., Trusted Hardware, Trusted network)

  41. Bell and La Padula Model (BLP)
  Property of Confinement:
  • Read Down: if Subject’s class is >= Object’s class
  • Write Up: if Subject’s class is <= Object’s class
  • Tranquility Principle: Object’s class cannot change
  • Declassification: Subject can lower his/her own class
  (Diagram: Joe => (Secret), with write, read & write, and read arrows to the classes above, at, and below his level)

  42. Military Security Policy (examples: (Secret, Eng), (Confid., Finance))
  • Person has an Authorization Level or Level of Trust
  • (S,D) = (sensitivity, domain) for Subject (potentially Project)
  • Object has a Security Class
  • Confidentiality Property: Subject can access object if it dominates the object’s classification level
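Slides 41 and 42 define BLP over (S, D) labels, and the four rules fit in a few lines once dominance is written down. The following is an added example, not part of the original presentation: a label is a sensitivity level plus a set of domains; X dominates Y when X's level is at least Y's and X's domains include all of Y's. Read down and write up are the two comparisons, the tranquility principle is enforced by making object labels immutable, and declassification lets a subject lower its current label but never exceed its clearance. Joe => (Secret, Eng) and the objects come from the slides' examples; the object names and the level ordering (Unclassified < Confidential < Secret < Top Secret) are assumptions.

```python
"""Bell-LaPadula read-down / write-up checks over (sensitivity, domain) labels.

Added example for slides 41 and 42; not part of the original presentation.
Level ordering and the object names are assumptions; Joe => (Secret, Eng) and
the (Confid., Finance) label are the slides' own examples.
"""
from dataclasses import dataclass, FrozenInstanceError

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """(S, D): a sensitivity level and the set of domains (projects) it covers."""
    sensitivity: str
    domains: frozenset = frozenset()

    def dominates(self, other):
        """Higher-or-equal level AND a superset of the other label's domains."""
        return (LEVELS[self.sensitivity] >= LEVELS[other.sensitivity]
                and self.domains >= other.domains)


@dataclass(frozen=True)
class Obj:
    """An object's class is fixed once assigned: the tranquility principle."""
    name: str
    label: Label


class Subject:
    def __init__(self, name, clearance):
        self.name = name
        self.clearance = clearance      # level of trust granted to the person
        self.current = clearance        # class the subject is operating at right now

    def can_read(self, obj):
        """Read down: the subject's class must be >= the object's class."""
        return self.current.dominates(obj.label)

    def can_write(self, obj):
        """Write up: the subject's class must be <= the object's class."""
        return obj.label.dominates(self.current)

    def declassify(self, new_label):
        """Subject lowers his/her own class. Returns False if new_label is not
        within the clearance (a subject may never rise above what was granted)."""
        if not self.clearance.dominates(new_label):
            return False
        self.current = new_label
        return True


def object_class_is_tranquil(obj):
    """True if an attempt to change the object's class is refused."""
    try:
        obj.label = Label("Unclassified")
    except FrozenInstanceError:
        return True
    return False


def access_summary(subject, objects):
    """For each object: which of read / write the subject's current class permits."""
    return {o.name: (subject.can_read(o), subject.can_write(o)) for o in objects}


if __name__ == "__main__":
    joe = Subject("Joe", Label("Secret", frozenset({"Eng"})))
    objects = [
        Obj("eng design memo", Label("Confidential", frozenset({"Eng"}))),
        Obj("eng secret spec", Label("Secret", frozenset({"Eng"}))),
        Obj("eng program plan", Label("Top Secret", frozenset({"Eng"}))),
        Obj("finance ledger", Label("Confidential", frozenset({"Finance"}))),
    ]
    for name, (r, w) in access_summary(joe, objects).items():
        print(f"{name:18s} read={r!s:5s} write={w}")
```

The finance ledger is the instructive case: its level is below Joe's, but its domain is not one he holds, so he can neither read it (his label does not dominate it) nor write to it (its label does not dominate his). Dominance is a partial order, and two labels can be incomparable.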

  43. BIG Data
  Options include:
  • Blacklist: Not stored, or access via permission
  • Whitelist: Permitted to see
  • Anonymize: Alter via statistical distribution
  • Encryption, access control, firewall, security intelligence
  • Obfuscate: Make data unclear
  • Distribute data across multiple locations: no single location has useful data (e.g., RAID)

  44. IS Auditor Verifies…
  • Written Policies & Procedures are professional & implemented
  • Access follows need-to-know
  • Security awareness & training implemented
  • Data owners & data custodians meet their responsibility for safeguarding data
  • Security Administrator provides physical and logical security for IS program, data, and equipment
  • Authorization is documented and consistent with reality
  See CISA Review Manual for specific details

  45. Question: A form of biometrics that is considered invasive by users is:
  • Retina
  • Iris
  • 3D hand
  • Signature

  46. Question: A form of biometrics that is not prone to error is:
  • Retina
  • Voice
  • Finger
  • Signature

  47. Question: Julie is a Data Owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as:
  • Bell and La Padula Model
  • Mandatory Access Control
  • Role-Based Access Control
  • Discretionary Access Control

  48. Question: John has a security clearance of (Engineering, Confidential). Using the Bell and La Padula Model, John can write to:
  • Confidential
  • Top Secret, Secret, and Confidential
  • Confidential and Unclassified
  • Unclassified

  49. Audit Trails

  50. Audit Trail
  • Audit trail tracks responsibility: Who did what when?
  • Periodic review will help to find excess-authority access, login successes & failures, and track fraud
  • Attackers often want to change the audit trail (to hide tracks)
  • Audit trail must be hard to change: Write-once devices; Digital signatures
  • Security & systems admins and managers may have READ-only access to the log
  • Audit trail must be sensitive to privacy: Personal information may be encrypted
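Slide 50 lists what an audit trail must do: record who did what and when, resist alteration, be reviewable read-only, and respect privacy. The block below is an added example, not part of the original presentation, showing one way those properties combine in software. Each entry carries the tag of the previous entry (a hash chain, so deleting or reordering entries is detected) and a keyed HMAC-SHA256 tag over its own fields (so editing one is detected). The HMAC stands in for the digital signature the slide names, since the standard library has no asymmetric signing; the actor field is stored as a keyed pseudonym as one way of keeping the trail sensitive to privacy. Keys, users and events are constructed.

```python
"""A tamper-evident audit trail: hash chain, keyed tag, read-only review, pseudonymous actors.

Added example for slide 50; not part of the original presentation. The HMAC
tag is a stand-in for the digital signature the slide mentions. All keys,
user names and events are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64     # "previous tag" of the very first entry


def compute_tag(entry, signing_key):
    """Tag over every field except the tag itself, serialised in canonical key order."""
    body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True).encode()
    return hmac.new(signing_key, body, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self, signing_key, privacy_key):
        self._signing_key = signing_key
        self._privacy_key = privacy_key
        self._entries = []

    def pseudonym_for(self, user):
        """Stable identifier for a user; the name is not recoverable without the key."""
        return hmac.new(self._privacy_key, user.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, who, what, target, ts, outcome):
        """Append one 'who did what, to which target, when' entry chained to the last."""
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "ts": ts, "who": self.pseudonym_for(who),
                 "what": what, "target": target, "outcome": outcome, "prev": prev}
        entry["tag"] = compute_tag(entry, self._signing_key)
        self._entries.append(entry)

    def entries(self):
        """READ-only view for security/systems admins and managers: copies, not the store."""
        return tuple(dict(e) for e in self._entries)


def verify_chain(entries, signing_key):
    """Return (True, None) if every tag and prev link checks out, else (False, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i          # entry removed, inserted or reordered
        if not hmac.compare_digest(compute_tag(e, signing_key), e["tag"]):
            return False, i          # entry edited, or wrong key
        prev = e["tag"]
    return True, None


def failed_logins(entries):
    """Periodic review: login failures per (pseudonymous) actor."""
    counts = {}
    for e in entries:
        if e["what"] == "login" and e["outcome"] == "failure":
            counts[e["who"]] = counts.get(e["who"], 0) + 1
    return counts


def build_sample_trail():
    """Constructed events: three failed logins by one user, then a successful session by another."""
    trail = AuditTrail(signing_key=b"constructed-signing-key", privacy_key=b"constructed-privacy-key")
    trail.record("al", "login", "hr-db", 1700000000, "failure")
    trail.record("al", "login", "hr-db", 1700000030, "failure")
    trail.record("al", "login", "hr-db", 1700000060, "failure")
    trail.record("june", "login", "hr-db", 1700000100, "success")
    trail.record("june", "read", "payroll", 1700000120, "success")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    log = trail.entries()
    print("chain intact:", verify_chain(log, b"constructed-signing-key"))
    print("failed logins by pseudonym:", failed_logins(log))
```

The verification key is what gives reviewers their independence from the system owners: anyone with read access and the key can confirm the trail has not been edited since it was written, which is the property the slide's write-once media and digital signatures are there to provide.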
