Information Security Methodology
Sunil Paudel
[email protected]


Need for Information Security

An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization.

The value of information comes from the characteristics it possesses:
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity

AIC Triad

Confidentiality - the concept of protecting the secrecy and privacy of information.

Integrity - the concept of protecting the "accuracy" of information processing and data from improper modification.

Availability - the concept of ensuring that the systems and data can be accessed when required.

CNSS Security Model

• Intersection of information states (x-axis),
• Key objectives of C.I.A. (y-axis), and
• Three primary means to implement (policy, education and technology).

Securing the Components

The computer can be either or both the subject of an attack and/or the object of an attack.

When a computer is the subject of an attack, it is used as an active tool to conduct the attack; when it is the object of an attack, it is the entity being attacked.

Subject and Object of Attack

Balancing Security and Access

It is impossible to obtain perfect security - it is not an absolute; it is a process.

Security should be considered a balance between protection and availability.

To achieve balance, the level of security must allow reasonable access, yet protect against threats.


Threats to Information Security

Malware Summary

Code Type      Characteristics
Virus          Attaches itself to a program and copies itself to other programs
Trojan Horse   Contains unexpected, additional functionality
Logic Bomb     Triggers an action when a condition occurs
Time Bomb      Triggers an action when a specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through the network
Rootkit        Hooks standard OS calls to hide data

• Malware covers all kinds of intruder software

Why do we have so much malware?

• Users are ill-educated, resulting in distribution as Trojans and viruses
  – Because computers are fast-changing and still relatively new
• Software has vulnerabilities, resulting in distribution of worms and viruses
  – Because it is badly written or badly designed
  – Because the designers have historically favoured user convenience over security
• The PC is an open platform
  – Users can install software, in contrast with (old-fashioned) mobile phones, mp3 players, set-top boxes, embedded computers, etc.

Anti-virus software detects malware and can destroy it before any damage is done.

• Install and maintain anti-virus and anti-spyware software
• Be sure to keep anti-virus software updated
• Many free and paid options exist

National Information Technology Center

Password Types

• Passwords that contain only letters
• Passwords that contain only numbers
• Passwords that contain only special characters
• Passwords that contain letters and numbers
• Passwords that contain only letters and special characters
• Passwords that contain only special characters and numbers
• Passwords that contain letters, special characters and numbers

Guessable Passwords

Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
• the user's name or login name
• the name of their significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's, or a relative's
• their automobile license plate number, or a friend's, or a relative's
• their office number, residence number or, most commonly, their mobile number
• a name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters
• a swear word
• and so, extensively, on.
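The two password slides above describe rules a password policy can enforce before a password is accepted. The following Python is an added example written for this transcript, not code from the slides: it classifies a password by the character classes it contains and rejects passwords that the guessable-password list would catch. The user profile (name, login, pet, date of birth, plate, mobile) and all sample passwords are constructed for the demonstration, and the "simple modification" rule is limited to the two cases the slide names, a digit suffix and reversal.

```python
import string

# Constructed sample profile (hypothetical user; not real data) holding the kinds of
# personal facts the slide lists as sources of guessable passwords.
SAMPLE_PROFILE = {
    "name": "Sunil",
    "login": "spaudel",
    "partner": "Maya",
    "pet": "Tommy",
    "birthplace": "Kathmandu",
    "dob": "1985-07-14",      # ISO date; expanded into the digit forms people use
    "plate": "BA1234",
    "mobile": "9841234567",
}

COMMON_WORDS = {"password", "passcode", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def character_classes(password):
    """Classify a password by the character classes it contains ('Password Types' slide)."""
    classes = []
    if any(c in string.ascii_letters for c in password):
        classes.append("letters")
    if any(c in string.digits for c in password):
        classes.append("numbers")
    if any(c not in string.ascii_letters + string.digits for c in password):
        classes.append("special")
    return tuple(classes)


def _date_forms(iso_date):
    """Digit strings a person is likely to derive from a date such as 1985-07-14."""
    y, m, d = iso_date.split("-")
    return {y, y + m + d, d + m + y, d + m, m + d, y[2:] + m + d}


def _personal_terms(profile):
    """Map each lower-cased guessable term to the profile field it came from."""
    terms = {}
    for field, value in profile.items():
        if field == "dob":
            for form in _date_forms(value):
                terms[form] = field
        else:
            terms[value.lower()] = field
    return terms


def _candidates(password):
    """Undo the 'simple modifications' from the slide: case, a digit suffix, reversal."""
    base = password.lower()
    forms = {base, base.rstrip(string.digits)}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def guessable_reason(password, profile):
    """Return why the password is guessable under the slide's list, or None if no rule fires."""
    if password == "":
        return "blank"
    personal = _personal_terms(profile)
    for cand in _candidates(password):
        if cand in COMMON_WORDS:
            return "common word"
        if len(cand) >= 4 and any(cand in row for row in KEYBOARD_ROWS):
            return "keyboard row"
        if cand in personal:
            return "personal info: " + personal[cand]
    return None


if __name__ == "__main__":
    for pw in ("", "Password1", "asdfgh", "ymmoT", "14071985", "Tr0ub4dor&3"):
        print(repr(pw), character_classes(pw), guessable_reason(pw, SAMPLE_PROFILE))
```

A policy check of this kind only removes the weakest choices; it does not replace the minimum-length and character-class requirements, and the profile data it compares against must itself be handled as sensitive.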

Types of Password Attacks

• Dictionary attack
• Brute force attack
• Social engineering
• Shoulder surfing
• Dumpster diving

What is a Digital Signature

Public-key Cryptography

• Each person's public key is published while the private key is kept secret.
• Communications involve only the public keys, and no private key is ever transmitted or shared.
• The public keys are associated with their users in a trusted manner.

What is a Digital Signature

A person having the initial message and the signer's public key can accurately determine:
• Whether the transformation was created using the private key that corresponds to the signer's public key
• Whether the initial message has been altered since the transformation was made

A Digital Signature is:
• Intended by the party using it to have the same force and effect as the use of a manual signature
• Unique to the party using it
• Capable of verification
• Under the sole control of the party using it
• Linked to data in such a manner that it is invalidated if the data is changed
• In conformity with rules adopted by the Office of Controller of Certification (a Certificate Authority) pursuant to this act

Certificate Authority

The Certificate Authority is an individual organization that acts as a notary to authenticate the identity of users of a public-key encryption.

A Certificate Authority is used to:
1) Associate a pair of keys with a person
2) Publish the public keys in a directory
3) Maintain functions associated with the keys

Digital Signature Creation

(figure) Message → Hash Function → Message Digest → Signature Function (with the signer's Private Key) → Digital Signature. The Message and the Signature are then sent together.

Digital Signature Verification

(figure) Message → Hash Function → Message Digest. Digital Signature → Signature Function (with the Signer's Public Key) → Message Digest. If the message digests are identical, the signature is valid. If they are different, the signature is not valid.
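The two figures above (creation and verification) can be followed step by step in code. The Python below is an added example for this transcript, not code from the slides: it implements the hash-function, signature-function and digest-comparison boxes with SHA-256 and a toy textbook RSA signature over the raw digest. The key sizes, the optional seed for reproducible demo keys and the sample message are constructed for the illustration; a production system uses a vetted library with standard padding (for example RSA-PSS) and keys of at least 2048 bits, neither of which this toy provides.

```python
import hashlib
import random

# Toy parameters: two 160-bit primes give a modulus above 2^318, larger than a
# SHA-256 digest (2^256), so the digest can be signed directly.  Far too small for
# real use; the sizes only serve the slide's data-flow illustration.
PRIME_BITS = 160
PUBLIC_EXPONENT = 65537


def _is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng=rng):
            return cand


def generate_keypair(seed=None):
    """Return (public_key, private_key) as (n, e) and (n, d).
    'seed' exists only so a demo is reproducible; real keys come from SystemRandom."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    while True:
        p = _random_prime(PRIME_BITS, rng)
        q = _random_prime(PRIME_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:   # e must be invertible mod phi
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)               # private exponent (Python 3.8+)
    return (n, PUBLIC_EXPONENT), (n, d)


def message_digest(message):
    """'Hash Function' box: SHA-256 of the message bytes, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """'Signature Function' with the private key: digest^d mod n (creation figure)."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message, signature, public_key):
    """Verification figure: hash the received message, recover the signed digest with
    the public key (signature^e mod n) and compare the two digests."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=2024)
    msg = b"Transfer 100 units to account 42"   # constructed sample message
    sig = sign(msg, priv)
    print("valid:", verify(msg, sig, pub))               # True
    print("tampered:", verify(msg + b".", sig, pub))     # False: digests differ
```

The comparison in verify is exactly the "if the message digests are identical, the signature is valid" step of the figure: any change to the message, to the signature, or a verification under a different public key produces a different recovered digest and the check fails.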

Access Control

Identification, Authentication, and Authorization are distinct functions.

Identification
• Method of establishing the subject's (user, program, process) identity.

Authentication
• Method of proving the identity.

Authorization
• Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.

Authentication Methods

There are 3 primary authentication methods. Sensitive or critical information should be protected by employing at least two of them (two- or three-factor authentication).

• Knowledge - Something you know, such as a password, passphrase or PIN.
• Ownership - For example, tokens and smart cards.
• Characteristics - Biometrics are digitized representations of physical features (such as fingerprints) or physical actions (such as signatures).

Access Control Models

Discretionary Access Control (DAC)
• Access control is at the discretion of the owner.

Mandatory Access Control (MAC)
• Users have security clearances and resources have security labels that contain data classifications.
• This model is used in environments where information classification and confidentiality are very important (e.g., the military).

Role Based Access Control (RBAC)
• RBAC uses a centrally administered set of controls to determine how subjects and objects interact.
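The access-control slides above separate identification, authentication and authorization, and then describe three authorization models. The Python below is an added example for this transcript, not code from the slides: one request passes through identification (the claimed username), authentication (a salted PBKDF2 password check) and then authorization under DAC, MAC or RBAC, so the same request can be seen to succeed under one model and fail under another. The users, passwords, access-control list, labels and role table are constructed sample data; the MAC rules (no read up, no write down) are the Bell-LaPadula properties, an assumption on my part since the slide names no specific MAC policy.

```python
import hashlib
import hmac
import os

# --- Identification and authentication (knowledge factor) ---
# Constructed user store for the demo; passwords are kept only as salted PBKDF2 hashes.

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(username, password, roles, clearance):
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": _hash_password(password, salt),
            "roles": set(roles), "clearance": clearance}


USERS = {u["username"]: u for u in (
    _make_user("alice", "correct horse", ["auditor"], "secret"),
    _make_user("bob", "hunter2", ["clerk"], "confidential"),
)}


def authenticate(username, password):
    """Identification: the claimed username.  Authentication: proof via the password.
    Returns the user record on success, None otherwise."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return user
    return None


# --- Authorization: the three models from the slides, over constructed sample data ---
LEVELS = ("unclassified", "confidential", "secret", "top secret")   # MAC classification order

# DAC: the resource owner decides who else may read or write it.
DAC_ACL = {"budget.xlsx": {"owner": "bob", "read": {"alice"}, "write": set()}}

# MAC: every resource carries a security label; every user carries a clearance.
MAC_LABELS = {"budget.xlsx": "confidential", "plans.doc": "secret"}

# RBAC: a centrally administered role -> permission table; users get rights only via roles.
ROLE_PERMS = {"auditor": {"read"}, "clerk": {"read", "write"}}


def dac_allows(user, action, resource):
    entry = DAC_ACL.get(resource)
    if entry is None:
        return False
    return user["username"] == entry["owner"] or user["username"] in entry.get(action, set())


def mac_allows(user, action, resource):
    """Bell-LaPadula style (assumed policy): no read up, no write down."""
    label = MAC_LABELS.get(resource)
    if label is None:
        return False
    clearance, label = LEVELS.index(user["clearance"]), LEVELS.index(label)
    if action == "read":
        return clearance >= label
    if action == "write":
        return label >= clearance
    return False


def rbac_allows(user, action, resource):
    return any(action in ROLE_PERMS.get(role, set()) for role in user["roles"])


MODELS = {"DAC": dac_allows, "MAC": mac_allows, "RBAC": rbac_allows}


def decide(username, password, action, resource, model):
    """Run the distinct functions in order: identify and authenticate, then authorize
    under the chosen model.  Returns 'authentication failed', 'allowed' or 'denied'."""
    user = authenticate(username, password)
    if user is None:
        return "authentication failed"
    return "allowed" if MODELS[model](user, action, resource) else "denied"


if __name__ == "__main__":
    for model in MODELS:
        print(model, "alice read plans.doc:",
              decide("alice", "correct horse", "read", "plans.doc", model))
```

Note that authorization never runs for a caller who failed authentication, and that the decision for an unknown resource defaults to denied under every model; a default of "allow" is the usual mistake in hand-written access checks.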

Disaster Recovery

Natural hazards:
• Thunderstorms, tornadoes, lightning
• Earthquakes, volcanoes, tsunami, landslides
• Floods, droughts
• Epidemics

Acts of people:
• Workplace violence
• Civil disobedience
  – Labor riots
  – Political riots
• Terrorism
• Weapons of mass destruction

Technological:
• System failures
• Hazardous materials
• Environmental
• Nuclear
• Aviation, railways
• Fires, collapse

Benefits from DR center

Significantly reducing the impact of sales, financial, and customer losses during unforeseen interruptions to the business operations.

DR Site selection:
• US: 40 miles (64 km, out of the same influence of the hurricane)
• Japan: on a different tectonic plate, a different seismic activity zone
• EU: 5~10 km (against bombing attack)
• Korea: similar to the situation in EU, usually +30 km away

Information System Audit

IS Audit: Any audit that wholly or partially evaluates automated information processing systems, related non-automated processes, and their interfaces.

Simplified Audit Process:
1) Plan audit & gather info.
2) Review internal control
3) Perform tests
4) Prepare & present report

Concluding remarks

• Assign accountability for security
• Implement a thorough security policy
• Conduct a security awareness program
• Install anti-virus software and update it regularly
• Limit access to sensitive information
• Develop and communicate an incident response process
• Perform security audits on an ongoing basis