CMGT 400 Intro to Information Assurance & Security Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus
Agenda: Week 1 • Introductions • Course Syllabus • Fundamental Aspects • Information • Information Assurance • Information Security Services • Risk Management, CND, and Incident Response • Quiz #1 • Assignment
Concepts • Information • What is it? • Why is it important? • How do we protect (secure) it?
Why is this important? • Information is valuable; therefore, • Information Systems are valuable. • etc… • Compromise of Information Security Services (C-I-A) has real consequences (loss) • Confidentiality: death, proprietary info, privacy, theft • Integrity: theft, loss of confidence, validity • Availability: lost productivity, disruption of C2, defense, emergency services
Concepts • Information Systems: systems that store, transmit, and process information. • + Information Security: the protection of information. • = Information Systems Security: the protection of systems that store, transmit, and process information.
Fundamental Concepts • What is Information Assurance (IA)? • Our assurance (confidence) in the protection of our information / Information Security Services. • What are Information Security Services (ISS)? • Confidentiality: Making sure our information is protected from unauthorized disclosure. • Integrity: Making sure the information we process, transmit, and store has not been corrupted or adversely manipulated. • Availability: Making sure that the information is there when we need it and gets to those who need it.
Private vs. Military Requirements • Which security model an organization uses depends on its goals and objectives. • Military is generally concerned with CONFIDENTIALITY • Private businesses are generally concerned with AVAILABILITY (e.g. Netflix, eBay, etc.) OR INTEGRITY (e.g. banks). • Some private sector companies are concerned with CONFIDENTIALITY (e.g. hospitals). • Which ISS do you believe is most important?
Fundamental Concepts • Progression of Terminology • Computer Security • (COMPUSEC) • Legacy Term (no longer used). • Information Security • (INFOSEC) • Legacy Term (still used). • Information Assurance • (IA) • Term widely accepted today with focus on Information Sharing. • Cyber Security • Broad Term quickly being adopted.
Fundamental Concepts • What is Cyberspace? • Term adopted by the USG • The virtual environment of information and interactions between people. • Telecommunication Network infrastructures • Information Systems • The Internet
Review of Fundamental Concepts • What is the Defense in Depth Strategy? • Using layers of defense as protection. • People, Technology, and Operations. • Onion Model
Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls • Risk assessment • Security planning, policies, procedures • Configuration management and control • Contingency planning • Incident response planning • Security awareness and training • Security in acquisitions • Physical security • Personnel security • Security assessments and authorization • Continuous monitoring • Access control mechanisms • Identification & authentication mechanisms (Biometrics, tokens, passwords) • Audit mechanisms • Encryption mechanisms • Boundary and network protection devices (Firewalls, guards, routers, gateways) • Intrusion protection/detection systems • Security configuration settings • Anti-viral, anti-spyware, anti-spam software • Smart cards Adversaries attack the weakest link…where is yours?
Review of Fundamental Concepts • Information Assurance Services (IAS) • [checkmark matrix of IAS not recoverable from the slide] • Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Challenges • Fixed Resources • Sustainable strategies reduce costs
Information Systems Security: Privacy • Defined: the protection and proper handling of sensitive personal information - Requires proper technology for protection - Requires processes and controls for appropriate handling
Personally Identifiable Information (PII) • Name • SSN • Phone number • Driver's license number • Credit card numbers • etc…
Concept 1: Info Security & Assurance • You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC). • The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC! • A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend. • The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.
Concept 1: Info Security & Assurance • - What would you tell the Board? • - As an ISSM, what would you consider first? • - What types of questions would you ask the Board and/or to the CIO?
Concept 2: Physical & Logical ISS • First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC. • You introduce yourself as the new ISSM and both managers eagerly ask you “what can we do to help?”
Concept 2: Physical & Logical ISS • - What do you tell these Managers? • - What types of questions would you ask the Managers? • - As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC? • - What about your meeting with the Board of Directors earlier? How does it apply here?
Concept 3: Risk • After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down! • Your Computer Network Defense Team is able to trace the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router. • The CIO calls you into his office and indicates to you that he is “concerned about the Risk to the networks at UUC” and “wants a risk assessment conducted” ASAP.
Concept 3: Risk • - What does the CIO mean by “Risk to the networks at UUC”? • - As an ISSM, how would you conduct a risk assessment for the CIO? • - What are some of the elements of risk? • - How is risk measured and why is it important?
Risk Management • Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level. - Why is this important? • There is no such thing as 100% security. - Can risk ever be eliminated?
Risk Management • Risks MUST be identified, classified and analyzed to assess potential damage (loss) to the company. • Risk is difficult to measure and quantify; however, we must prioritize the risks and attempt to address them!
Risk Management • Identify assets and their values • Identify Vulnerabilities and Threats • Quantify the probability of damage and cost of damage • Implement cost effective countermeasures! • ULTIMATE GOAL is to be cost effective. That is: ensure that your assets are safe, and at the same time don’t spend more to protect something than it’s worth.
Who is ultimately responsible for risk? • MANAGEMENT!!! • Management may delegate to data custodians or business units that shoulder some of the risk. • However, it is senior management that is ultimately responsible for the company’s health; as such they are ultimately responsible for the risk.
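As an added example (not from the lecture), the four risk management steps above as a small Python model: each identified risk carries an asset value, the fraction lost per incident and the expected incidents per year; risks are ranked by expected annual loss and a countermeasure is accepted only when it costs less than the loss it prevents. The sample register uses the UUC perimeter router scenario; all dollar figures, rates and countermeasure names are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One identified risk and the numbers needed to quantify it (constructed figures)."""
    asset: str
    threat: str           # threat acting on a vulnerability of the asset
    asset_value: float    # dollar value of the asset (step 1: identify assets and values)
    exposure: float       # fraction of asset_value lost per incident, 0.0..1.0
    annual_rate: float    # expected incidents per year (probability of damage)

    def single_loss(self) -> float:
        # cost of damage from one incident (commonly called the single loss expectancy)
        return self.asset_value * self.exposure

    def annual_loss(self) -> float:
        # expected yearly loss = cost per incident x incidents per year (annualized loss expectancy)
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float     # what it costs per year to run
    rate_reduction: float  # fraction by which it cuts annual_rate, 0.0..1.0


def rank_risks(risks):
    """Prioritise the register: highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def net_benefit(risk, cm):
    """Loss avoided per year minus the countermeasure's cost; positive means it pays for itself."""
    residual = replace(risk, annual_rate=risk.annual_rate * (1.0 - cm.rate_reduction))
    return risk.annual_loss() - residual.annual_loss() - cm.annual_cost


def is_cost_effective(risk, cm):
    """The lecture's rule: don't spend more to protect something than it's worth."""
    return net_benefit(risk, cm) > 0


# Constructed sample register for the UUC scenario; not real data
RISKS = [
    Risk("perimeter router", "unknown vulnerability exploited, network outage", 200_000, 0.25, 2.0),
    Risk("student records DB", "unauthorized disclosure of PII", 500_000, 0.5, 0.1),
    Risk("email server", "malware via attachment", 80_000, 0.5, 0.5),
]
PATCHING = Countermeasure("patch management program", 30_000, 0.6)       # hypothetical
REDUNDANT_LINK = Countermeasure("fully redundant perimeter", 150_000, 0.9)  # hypothetical
```

Running `rank_risks(RISKS)` puts the router outage first, and `net_benefit(RISKS[0], REDUNDANT_LINK)` shows why a measure that removes almost all of the risk can still fail the cost-effectiveness test.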
Computer Network Defense • Defending against unauthorized actions that would compromise or cripple information systems and networks. • Protect, monitor, analyze, detect, and respond to network attacks, intrusions, or disruptions.
Incident Response • Responding to a Security Breach - Incident Handling - Incident Management - Eradication & Recovery - Investigation (Forensics / Analysis) - Legal, Regulatory and Compliance Reporting - Documentation
Break • Let’s take a break…
Chapter 1: Introduction and Security Trends • The Morris Worm - Robert Morris - 1988 - First large-scale attack on the Internet - No malicious payload (benign) - Replicated itself - Infected computer system could no longer run any other programs
Chapter 1: Introduction and Security Trends • Kevin Mitnick - Famous Hacker - 1995 - Wire and computer fraud - Intercepting wire communication - Stole software and email accounts - Jailed: 5 years.
Chapter 1: Introduction and Security Trends • The Melissa Virus - David Smith - 1999 - Infected 1 million computers - $80 million - Payload: “list.doc” with macro - Clogged networks generated by email servers sending “Important Messages” from your address book
Chapter 1: Introduction and Security Trends • The “I Love You” Virus - Melissa Variation - 2000 - 45 million computers - $10 billion - Payload: .vbs (script) - Released by a student in the Philippines (not a crime)
Chapter 1: Introduction and Security Trends • The “Code Red” Worm - 2001 - 350 million computers - $2.5 billion - Payload: benign - Takes control of computers - DoS attacks: targeted “White House” website
Chapter 1: Introduction and Security Trends • The “Conficker” Worm - 2008-2009 - Payload: benign - Bot network - Very little damage - Blocks antivirus updates
Chapter 1: Introduction and Security Trends • Stuxnet - 2010 - First Cyber Weapon - Affected SCADA systems within IRAN’s Nuclear Enrichment Facilities - Uses 4 “Zero Day” Vulnerabilities
Chapter 1: Introduction and Security Trends • What is Malware? - Malicious Software - Includes “Viruses” & “Worms” - Protect using Anti-virus software & System Patching
Chapter 1: Introduction and Security Trends • Intruders, Hackers, and Threat Agents
Chapter 1: Introduction and Security Trends • Network Interconnection - More connections - From large mainframes to smaller connected systems - Increased threat & vulnerabilities - Single point failures? - Critical Infrastructure - Information Value - Information Warfare
Chapter 1: Introduction and Security Trends • Steps in an Attack - Ping Sweeps (ping/whois) – identify target - Port Scans (nmap) – exploit service
Chapter 1: Introduction and Security Trends • Steps in an Attack - Bypass firewall - Bypass IDS & IPS: Avoid detection / logs - Infect system (either Network or Physical) - Pivot systems (launch client-side attacks)
Chapter 1: Introduction and Security Trends • Types of Attacks - Denial of Service (DoS) - Distributed Denial of Service (DDoS) - Botnets (IRC) - Logic Bombs - SQL Injection - Scripting - Phishing Emails - HTTP session hijacking (Man in the Middle) - Buffer Overflows
Chapter 1: Introduction and Security Trends • Types of Attacks: Botnets
Chapter 1: Introduction and Security Trends • Types of Attacks: Redirection (Fake Sites)
Chapter 1: Introduction and Security Trends • Redirection (Fake Sites)
Chapter 1: Introduction and Security Trends • Types of Attacks: Fake Antivirus
Chapter 1: Introduction and Security Trends • Types of Attacks: Keyloggers (Remote Stealth Keystroke Dump)
Chapter 1: Introduction and Security Trends • Types of Attacks: USB Keys (Autorun infection) Found a bunch of USB keys in a parking lot? Would you stick one of them into your PC?
Chapter 1: Introduction and Security Trends • Types of Attacks: Spam Email (Storm Worms)