1 / 26

CS5038: The Electronic Society

CS5038: The Electronic Society. Security 2: Concepts of Security. Outline. Types of security: physical, information, hybrid Concepts of information security Declarative Operational Applicability of concepts to physical and hybrid security. Management issues.

keene
Download Presentation

CS5038: The Electronic Society

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS5038: The Electronic Society Security 2: Concepts of Security

  2. Outline • Types of security: physical, information, hybrid • Concepts of information security • Declarative • Operational • Applicability of concepts to physical and hybrid security. • Management issues. • Security Economics: What’s it worth? • Policy, compliance, and trust

  3. Physical Security • Primarily about access control • Ensuring that people are kept within specified zones of buildings, countries, etc.; for example, library access, immigration, clubs • Also about integrity • Ensuring that necessary properties of specified zones are maintained; for example, no sharp objects in the aircraft cabin, no landside liquids airside

  4. Information Security • Concerned with • Classically conceived as being about the following three declarative components: • Confidentiality: about secrecy, who’s allowed • Integrity: about soundness, accuracy • Availability: about accessibility (to those allowed)

  5. Hybrid Security • Somehybrid attacks: • Steal computer with unencrypted hard-drive • Server room/fire alarm • Engine management system firmware (have been hacked via wireless connections).

  6. Declarative and Operational Concepts • Declarative concepts express what we want to achieve: • Confidentiality • Integrity • Availability • Investment • Operational concepts are the mechanisms used to achieve these things: • Access control • Authentication • Education/training • Policies, regulation

  7. Investments in (Information) Security • Organizations have limited resources (time, money, etc.) to invest in security • Priorities expressed in terms of the declarative confidentiality, integrity, and availability • Invest in policies, processes, and technologies − i.e., operational entities − to address these priorities

  8. Example Types of Organizations, 1: Government Security Agency • Top priority is usually confidentiality • State secrets to protect • Gathered intelligence to protect • High concern for integrity • Important to base actions on uncorrupted information • Limited concern for availability • Often would be prepared to disconnect systems to protect I and A, but not always

  9. Example Types of Organizations, 2: Online Retailer • Very high concern for availability • Loss of website or back-end for an hour costs a lot of money • Loss for a week might mean the business fails • Some concern for confidentiality • Credibility may depend on never having has a credit card compromised • Compare Amazon and eBay • Limited concern for integrity • An online retailer might, for example, indicate how many copies of a book are in stock • The actual number doesn’t need to be accurate, just need to give a reliable indication of whether any given order can be fulfilled

  10. Example Types of Organizations, 3: Academic Medical Research Organization • Very high concern for integrity • Critical that experiments and conclusions based on accurate data • Some concern for availability • Some experiments will be time-critical • Limited concern for confidentiality • Data all anonymized anyway • May be part of mission to make it widely available

  11. Exercise • Think about some more organizations and what their security priorities might be • For example • Banks • Schools, Colleges, and Universities • Environmental charities • Oil & Gas companies • To what extent is the level of financial constraint significant?

  12. Applicability of Concepts • In fact, information security concepts are applicable to physical security. • Consider airport security/customs/immigration: • Boarding card check is access control (confidentiality, in effect) • Security scanners are about integrity • Think about other examples

  13. Security Management • For large organizations, security is a management as well as a technological problem. Involves various things • Asset management (investment, capital (IT infrastructure)), physical sec., HR • Formulation of policy, choice of controls, operational IT security of network • Risk assessment and risk analysis (inc. threats) • Compliance with regulations (e.g. PCI standards) • Must have a management system for all of the above. • Must comply with standards (e.g. ISO27001) • Deming cycle, Plan-Do-Check-Act

  14. Management and Economic Decisions • How to value security and decide what investments to make? • Management accountancy model: • E.g., return-on-investment(ROI) • Do we expect returns to grow linearly with inv.? • What are good metrics? • High impact, low probability events (long tail) • Rapidly changing threat environment • Intelligent opponents • Need to protect against threats that don’t emerge • Pressure to save on balance sheet, right now.

  15. Sophisticated Economic Decisions • Use models that account for behaviour of system and environment, and preferences of stakeholders. Find/calculate best choice of control based on preferences over resulting outcomes. • Behaviour: equational models of systems, executable simulations, using probabilities • Preferences: often using a utility function to score how much stakeholder likes choice.

  16. Sophisticated Economic Decisions . Various kinds of model. • Micro-economic decisions: model detailed interactions of stakeholder preferences. • Macro-economic model: focus on whole large-scale system via aggregate variables. • E.g., Impulse-response models: how does IT system (and wider business) respond after security shock.

  17. Utility Functions • Idea: express, mathematically, how much the manager cares about deviations from targets for C, I, A, and investment, K • Use weights wi− corresponding to the relative importance above − to capture the managers’ preferences: U(C, I, A, K, t) = w1 f1(C – C*) + w2 f2(I – I*) + w3 f3(A – A*) + w4 f4(K – K*) • C = … , I = … , A = … , K = … , all functions of time, t, and of control variables, reflecting configuration under exploration. • Explore equations analytically or experimentally (simulations).

  18. Shock and Restore

  19. Notes on the Graphs • The model above comes from Investments and Trade-offs in the Economics of Information Security, David Pym, Christos Ioannidis and Julian Williams, Proc. Financial Cryptography and Data Security 2009, LNCS 5628: 148-162, Springer, 2009. • Key points: • Just look at the upper graphs (the lower ones are a technicality) • See how when a shock to confidentiality (i.e., a security breach) hits the system, the characteristics of the system respond • All governed by carefully formulated utility functions of the kind described • Targets for all of C, I, and A are 0. When the shock hits, C (blue) is way below target. This causes spend (red) to go way above target, and system availability to go way below target; that is, the system’s operations have to be curtailed and money spent to fix the problem; with these actions taken, all of C, I, and A begin to return to nominal. • Notice the difference between the left and right graphs: the left is for the configuration/preferences of a deep-state organization like a government security agency, whereas the right is for something like an online retailer. • The graphs show that the agency is much more willing to sacrifice availability than the retailer.

  20. Policy, Compliance, and Trust • These things are all inter-related • If an organization has a security policy, how should it be implemented? • Forced compliance? • Employees/students/ … trusted to comply? • What about penalties? • As before, different solutions are appropriate for different environments. • Deep interaction of social and psychological phenomena with technical mechanisms (and management sitting in the middle).

  21. Example • Policy: unencrypted laptops may not be taken out of the building • Enforced compliance: search and inspect on exit: • Intrusive, causes resentment • Slow and expensive • Encourages avoidance strategies • Trusted compliance: • Trust employees to comply, but impose very heavy penalty (e.g., fire, prosecute) if found not in compliance

  22. USB Sticks Study • Research study part of a project, called ‘Trust Economics’, partly funded by the UK’s Technology Strategy Board. Involved HP Labs, UCL, Aberdeen, Bath, and Newcastle Universities, and Merrill Lynch • City of London investment bank • Policy & implementation for USB stick security • Why is this important?

  23. The bank’s staff all work in several different locations: • The office, inside the firewall • At clients’ offices • At home • In transit • These locations all have different security characteristics: different threats, different levels of protection, different consequences

  24. The Problem • USB sticks are used for good, practical reasons: convenient way to move information around the different locations, to work on it, share it, use it for client presentations • But USB sticks expose information to lots of risks: at home, in transit, at the client; for example: • Corruption/theft of data • Loss of stick • Accidental archiving

  25. What’s the Solution? • Encryption? It’s the obvious policy solution • How to implement? • Technological enforcement? • Policy enforcement? • What are the barriers? • The major problem, identified by extensive empirical study (structured interviews, etc.) is a social one: • Bankers don’t like being embarrassed in front of clients, , losing face and maybe losing business and they get embarrassed when they forget their passwords • Policies and implementations must take account of these things if they are to be effective • In this case, it was concluded that enforced encryption would be the best option only if the bank’s staff included ‘traitors’ actively trying to leak information • Very often, education and training, backed up with sanctions, works best.

  26. Summary • Types of security: physical, information, hybrid • Concepts of information security • Declarative • Operational • Applicability of concepts to physical and hybrid security. • Management issues. • Security Economics: What’s it worth? • Policy, compliance, and trust

More Related