95-752 Introduction to Information Security Management

Tim Shimeall, Ph.D.

tjs@cert.org

412-268-7611

Office Hours by Appointment

Course website: http://www.andrew.cmu.edu/course/95-752

Course Covers
  • Introduction/Definitions
  • Physical security
  • Access control
  • Data security
  • Operating system security
  • Application security
  • Network security

Student Expectations
  • Grading:
    • 2 Homeworks
    • Midterm
    • Paper/project
  • All submitted work is sole effort of student
  • Students are interested in subject area
  • Students have varied backgrounds
Information Revolution
  • Information Revolution as pervasive as the Industrial Revolution
  • Impact is Political, Economic, and Social as well as Technical
  • Information has an increasing intrinsic value
  • Protection of critical information now a critical concern in Government, Business, Academia
A Different Internet
  • Armies may cease to march
  • Businesses may be bankrupted
  • Individuals may lose their social identity
  • Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Computer Terms (1)
  • Computer – A collection of the following:
    • Central Processing Unit (CPU): Instruction processing
    • Memory (RAM): Transient storage for data
    • Disk: More permanent storage for data
    • Monitor: Display device
    • Printer: Hard copy production
    • Network card: Communication circuitry

Computer Terms (2)
  • Software: Instructions for a computer
  • Operating System: Manages interaction among the components of the computer
  • Application software: Common tasks (e.g., email, word processing, program construction)
  • API/Libraries: Support for common tasks

Vulnerability (2001)
  • Out-of-the-box Linux PC hooked to the Internet, not announced:
    • [30 seconds] First service probes/scans detected
    • [1 hour] First compromise attempts detected
    • [12 hours] PC fully compromised:
      • Administrative access obtained
      • Event logging selectively disabled
      • System software modified to suit intruder
      • Attack software installed
      • PC actively probing for new hosts to intrude
  • Clear the disk and try again!
Why is Security Difficult
  • Managers unaware of value of computing resources
  • Damage to public image
  • Legal definitions often vague or non-existent
  • Legal prosecution is difficult
  • Many subtle technical issues
Objectives of Security
  • Privacy – Information only available to authorized users
  • Integrity – Information retains intended content and semantics
  • Availability – Information retains access and presence

The relative importance of these is shifting and depends on the organization

Security Terms
  • Exposure – “actual harm or possible harm”
  • Vulnerability – “weakness that may be exploited”
  • Attack – “human originated perpetration”
  • Threat – “potential for exposure”
  • Control – “preventative measure”

Classes of Threat
  • Interception
  • Modification
  • Masquerade
  • Interruption

Most Security Problems Are People Related

Software Security Concerns
  • Theft
  • Modification
  • Deletion
  • Misplacement
Data Security Concerns
  • Vector for attack
  • Modification
  • Disclosure
  • Deletion

“If you have a $50 head, buy a $50 helmet”

Network Security Concerns
  • Basis for Attack
  • Publicity
  • Theft of Service
  • Theft of Information

A network is only as strong as its weakest link

Problems multiply with the number of nodes

Motivations to Violate Security
  • Greed
  • Ego
  • Curiosity
  • Revenge
  • Competition
  • Political/Ideological
People and Computer Crime
  • Most damage not due to attacks: “Oops!” “What was that?”
  • No clear profile of computer criminal
  • Law and ethics may be unclear

“Attempting to apply established law in the fast developing world of the Internet is somewhat like trying to board a moving bus” (Second Circuit, US Court of Appeals, 1997)

Theory of Technology Law
  • Jurisdiction:
    • Subject matter – power to hear a type of case
    • Personal – power to enforce a judgment on a defendant
  • Between states: Federal subject matter
  • Within state: State/local subject matter
  • Criminal or Civil
    • Privacy/obscenity covered now
    • Intellectual property covered later
Privacy Law
  • Common law:
    • Person’s name or likeness
    • Intrusion
    • Disclosure
    • False light
  • State/Local law: Most states have computer crime laws, varying content
  • International law: patchy, varying content
Federal Privacy Statutes
  • ECPA (communication)
  • Privacy Act of 1974 (Federal collection/use)
  • Family Educational Rights & Privacy Act (school records)
  • Fair Credit Reporting Act (credit information)
  • Federal Cable Communications Privacy Act (cable subscriber info)
  • Video Privacy Act (video rental information)
  • HIPAA (health care information)
  • Sarbanes-Oxley Act (corporate accounting)
  • Patriot Act (counter-terrorism)

Plus state law in more than 40 states, and local laws

Federal Obscenity Statutes
  • Miller tests (Miller v. California, 1973):
    • Average person applying contemporary community standards finds that it appeals to prurient interest
    • Sexual content
    • Lack of literary, artistic, political or scientific value
  • Statutes:
    • Communications Decency Act (struck down)
    • Child Online Protection Act (struck down)
    • Child Pornography Protection Act (struck down – virtual child porn; live children still protected)
Indian Trust Funds
  • Large, developing case: Cobell vs. Norton
    • http://www.indiantrust.com/
  • Insecure handling of entrusted funds
  • Legal Internet disruption
  • Criminal contempt proceedings
  • Judicial overstepping
Three Security Disciplines
  • Physical
    • Most common security discipline
    • Protect facilities and contents
      • Plants, labs, stores, parking areas, loading areas, warehouses, offices, equipment, machines, tools, vehicles, products, materials
  • Personnel
    • Protect employees, customers, guests
  • Information
    • The rest of this course
How Has It Changed?
  • Physical Events Have Cyber Consequences
  • Cyber Events Have Physical Consequences
Why Physical Security?
  • Not all threats are “cyber threats”
  • Information is one commodity that can be stolen without being “taken”
  • Physically barring access is first line of defense
  • Forces those concerned to prioritize!
  • Physical Security can be a deterrent
  • Security reviews force insights into value of what is being protected
Layered Security
  • Physical Barriers
      • Fences
      • Alarms
      • Restricted Access Technology
  • Physical Restrictions
      • Air Gapping
      • Removable Media
      • Remote Storage
  • Personnel Security Practices
      • Limited Access
      • Training
      • Consequences/Deterrence
Physical Barriers
  • Hardened Facilities
      • Fences
      • Guards
      • Alarms
      • Locks
      • Restricted Access Technologies
        • Biometrics
        • Coded Entry
        • Badging
      • Signal Blocking (Faraday Cages)
Outer Protective Layers
  • Structure
    • Fencing, gates, other barriers
  • Environment
    • Lighting, signs, alarms
  • Purpose
    • Define property line and discourage trespassing
    • Provide distance from threats
Middle Protective Layers
  • Structure
    • Door controls, window controls
    • Ceiling penetration
    • Ventilation ducts
    • Elevator Penthouses
  • Environment
    • Within defined perimeter, positive controls
  • Purpose
    • Alert threat, segment protection zones
Inner Protective Layers
  • Several layers
  • Structure
    • Door controls, biometrics
    • Signs, alarms, CCTV
    • Safes, vaults
  • Environment
    • Authorized personnel only
  • Purpose
    • Establish controlled areas and rooms
Other Barrier Issues
  • Handling of trash or scrap
  • Fire:
    • Temperature
    • Smoke
  • Pollution:
    • CO
    • Radon
  • Flood
  • Earthquake
Physical Restrictions
  • Air Gapping Data
      • Limits access to various security levels
      • Requires conscious effort to violate
      • Protects against inadvertent transmission
  • Removable Media
      • Removable Hard Drives
      • Floppy Disks/CDs/ZIP Disks
  • Remote Storage of Data
      • Physically separate storage facility
      • Use of Storage Media or Stand Alone computers
      • Updating of Stored Data and regular inventory
Personnel Security Practices
  • Insider threat is the most serious
      • Disgruntled employee
      • Former employee
      • Agent for hire
  • Personnel Training
      • Critical Element
      • Most often overlooked
  • Background checks
      • Critical when access to information required
      • Must be updated
      • CIA/FBI embarrassed
Activities or Events
  • Publications, public releases, etc.
  • Seminars, conventions or trade shows
  • Survey or questionnaire
  • Plant tours, “open house”, family visits
  • Governmental actions: certification, investigation
  • Construction and Repair

National Industrial Security Program Operating Manual
  • Prescribes requirements, restrictions and other safeguards for information
  • Protections for special classes of information:
  • National Security Council provides overall policy direction
  • Governs oversight and compliance for 20 government agencies
Methods of Defense
  • Overlapping controls:
    • Authentication
    • Encryption
    • Integrity control
    • Firewalls
    • Network configuration
    • Application configuration
    • Policy