Principles of Information Security: Unit-I
Sanjay Rawat
Sanjay_r@vnrvjiet.in

Introduction
• Text book: Principles of Information Security, Michael E. Whitman, Herbert J. Mattord, CENGAGE Learning, 4th Ed.
• History of IS: ARPANET -> ETHERNET -> INTERNET
• To read (optional): Protection Analysis: Final Report, Richard Bisbey & Dennis Hollingworth

What is Security?
• State of being secure, protected.
• Elusion?
• Being safe until someone finds a vulnerability to exploit.
• CIA – ONLY intended actors can:
  • Know -> confidentiality
  • Modify -> integrity
  • Have access -> availability
• Too coarse... Access, Assets, Risk, Threat…

High-level View
All alone in the world -> no security?
Access control, network security etc.
Physical security, software security etc.

Contemporary whole picture
[Figure: network diagram. Labels: Internet, WAN, LAN, DMZ (HTTP, SMTP, FTP), router, routing tables, simple ACL, crypto, ID/PS, AV, access control inbound, access control outbound]

Definitions
• CONTROL SPHERE: a set of resources and behaviors that are accessible to a single actor, or a group of actors.
• SECURITY POLICY: a specification by the product or user that defines one or more control spheres for one or more actors.
• PROTECTION MECHANISM: a behavior or set of behaviors that helps to enforce an intended security policy for the product.

Definitions conti…
• ATTACK: an attempt by an actor to violate the intended security policy.
• ATTACKER: an actor who attempts an attack.
• WEAKNESS: a type of behavior that has the potential for allowing an attack.
• VULNERABILITY: a set of one or more related weaknesses within a specific software product or protocol that allows an actor to access resources or behaviors that are outside of that actor's control sphere.

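The definitions on the two slides above can be made concrete with a small model. This is an added example, not part of the original slides: it writes a security policy as one control sphere per actor, then audits two protection mechanisms against it to find accesses that fall outside a control sphere. The actor names, resources and both mechanism functions are constructed for illustration.

```python
from itertools import product

# Constructed sample data (assumption): actors, resources and behaviours.
# SECURITY POLICY: one control sphere, a set of (resource, behaviour) pairs, per actor.
POLICY = {
    "alice": {("payroll.db", "read"), ("payroll.db", "write")},
    "bob": {("payroll.db", "read")},
    "guest": set(),
}
RESOURCES = ["payroll.db", "audit.log"]
BEHAVIOURS = ["read", "write"]


def strict_mechanism(actor, resource, behaviour):
    """PROTECTION MECHANISM: allow only what lies inside the actor's control sphere."""
    return (resource, behaviour) in POLICY.get(actor, set())


def weak_mechanism(actor, resource, behaviour):
    """Mechanism with a WEAKNESS: it checks the resource but ignores the behaviour."""
    return any(res == resource for res, _ in POLICY.get(actor, set()))


def find_vulnerabilities(mechanism):
    """Return every access the mechanism allows outside the actor's control sphere."""
    findings = []
    for actor, resource, behaviour in product(POLICY, RESOURCES, BEHAVIOURS):
        allowed = mechanism(actor, resource, behaviour)
        in_sphere = (resource, behaviour) in POLICY[actor]
        if allowed and not in_sphere:
            findings.append((actor, resource, behaviour))
    return findings


def find_lost_access(mechanism):
    """Return accesses inside a control sphere that the mechanism wrongly denies."""
    return [(a, r, b) for a, r, b in product(POLICY, RESOURCES, BEHAVIOURS)
            if (r, b) in POLICY[a] and not mechanism(a, r, b)]


if __name__ == "__main__":
    for name, mech in [("strict", strict_mechanism), ("weak", weak_mechanism)]:
        print(name, "vulnerabilities:", find_vulnerabilities(mech))
        print(name, "lost access:", find_lost_access(mech))
```

The second audit, `find_lost_access`, covers the availability side of CIA: a mechanism that denies an access inside the sphere is also failing the policy.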
CNSS Model
• CNSS = Committee on National Security Systems
• McCumber Cube – cubes-inside-cube detailed model for planning and implementing security across the organization.
• It emphasizes issues beyond CIA;
• Context dependent security risk evaluation;
• Context dependent measurements to address those issues.

Components of IS
• Software: ever changing -> difficult to secure. Low-level bugs etc.
• Hardware: relates to the physical security aspect
• Data: ultimate target
• People: unpredictable
• Procedures/Policies
• Networks: eluding physical security?

Balancing Security and Access (usability)
• No security -> complete access
• Complete security -> no access
• Optimal security AND required access

A few more terms (~ CIA connection)
• Accuracy: property of being unmodified?
• Authenticity: is it genuine?
• Utility: does the data/information remain useful?
• Possession: is the information in safe hands?

Security Implementation Approaches
• Bottom-Up approach: low-level to top
• Top-Down approach: higher management to low-level (people who really work)
Project!!

Software Development Life Cycle
• Investigation: What problem is being solved?
• Analysis: Step 1 vs. current status of the organization’s environment.
• Logical Design: blueprint of the desired solution. Emphasis is on “how the proposed system will solve the problem at hand”.
• Physical Design: Proof of concept.
• Implementation: Real product is created and tested along with supporting doc etc.
• Maintenance and Change: support and patch.

SecSDLC: Prevention is better than cure
• Investigation: outlines the implementation of a security program within the organization.
• Analysis: Risk analysis, security and privacy issues (legal, e.g. HIPAA).
• Logical Design: develops the blueprints for information security, e.g. BCP & DR.
• Physical Design: evaluates the information security technology needed to support the blueprint.
• Implementation: security solutions are acquired, tested, implemented.
• Maintenance: keep evaluating after the deployment and do remediation.

SecSDLC conti…
“… computer security is more than mechanisms and mathematics. It includes being able to analyze a situation to figure out what constitutes security, being able to specify those requirements, being able to design a system or program to meet those requirements, being able to implement the system or program correctly, and being able to make configuration and maintenance simple.”
– Matt Bishop, UC, Davis, US.

SecSDLC: Prevention is better than cure
• To read: Security Considerations in the System Development Life Cycle - NIST http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
• Microsoft SDL: