Chapter 01 - Guide To Firewalls and VPNs

The document serves as a guide to firewalls and VPNs, focusing on the fundamentals of information security, including key concepts, organizational roles, and the importance of protecting information assets. It outlines various threats and attacks on information security, emphasizing the need for a balanced approach to security that allows access while mitigating risks. Additionally, it introduces the CNSS Security Model and discusses the roles of security professionals within organizations.
Guide to Firewalls and VPNs

Whitman/Mattord/Green
ISBN10: 1-111-13539-8, ISBN13: 978-1-111-13539-3
© 2012

Chapter One
Introduction to Information Security
Objectives
 Explain the component parts of information security in general and network security in particular
 Define the key terms and critical concepts of information and network security
 Describe the organizational roles of information and network security professionals
 Discuss the business need for information and network security

2
Objectives (cont'd)
 Identify the threats posed to information and network security, as well as the common attacks associated with those threats
 Differentiate threats to information within systems from attacks against information within systems

3
Introduction
 Network Security
– Critical activity for almost every organization
 Perimeter Defense
– Cornerstone of most network security programs
– Effective firewall
• Properly configured to be safe and efficient
 Textbook Chapter 1
– Overview of the entire field of information security
– How that broader field influences current trends in network security

4
What Is Information Security?
 Information Security (InfoSec)
– Protection of information and its critical elements
– Includes the systems and hardware that use, store, and transmit that information
 Unified process encompasses:
– Network Security
– Physical Security
– Personnel Security
– Operations Security
– Communications Security
5
What Is Information Security? (cont'd)
 C.I.A. Triangle
– Industry standard for computer security
– Based on the three characteristics of information that make it valuable to organizations, information security sets its goal to ensure:
• Confidentiality: that information is not intentionally or accidentally disclosed to unauthorized individuals
• Integrity: that information is not intentionally or accidentally modified in such a way as to call into question its reliability
• Availability: that authorized individuals have timely, reliable, and secure access to data and other resources when needed

6
Critical Characteristics of Information
 Availability
– Information is accessible by authorized users

 Accuracy
– Information is free from mistakes or errors

 Authenticity
– Information is genuine or original

 Confidentiality
– Information is protected from disclosure or exposure

7
Critical Characteristics of Information
(cont'd)
 Integrity
– Information remains whole, complete, and uncorrupted
 Utility
– Information has value for some purpose or end
 Possession
– Information object or item is owned or controlled by somebody

8
CNSS Security Model
 U.S. Committee on National Systems Security (CNSS) http://www.cnss.gov/
 National Training Standard for Information Security (INFOSEC) Professionals, or NSTISSI No. 4011
 McCumber Cube
– 3 x 3 x 3 cube, with 27 cells representing the various areas that must be addressed to secure today’s information systems

E-MAIL ASSIGNMENT DUE: COB JANUARY 13, 2012

9
CNSS Security Model

Figure 1-1 The McCumber Cube © Cengage Learning 2012

10
CNSS IT Security Training Certifications
 NSTISSI-4011: National Training Standard for Information
Systems Security (INFOSEC) Professionals
 CNSSI-4012: National Information Assurance Training
Standard for Senior Systems Managers
 CNSSI-4013: National Information Assurance Training
Standard For System Administrators
 CNSSI-4014: Information Assurance Training Standard for
Information Systems Security Officers
 NSTISSI-4015: National Training Standard for Systems
Certifiers
 CNSSI-4016: National Information Assurance Training
Standard For Risk Analysts
11
Balancing Information Security and Access
 Information Security
– Process, not an end state
– Balances protection of information and information assets with the availability of that information to authorized users
– Must allow reasonable access, yet
– Must protect against threats and attacks

12
Business Needs First
 Protect the organization’s ability to function
 Enable the safe operation of applications implemented on the organization’s IT systems
 Protect the data the organization collects and uses
 Safeguard the technology assets in use at the organization

13
Security Professionals
and the Organization
 Wide range of professionals to support the complex information security program needed by a moderate or large organization
– Chief Information Officer (CIO)
– Senior Technology Officer
 Chief Information Security Officer (CISO)
– Responsible for the assessment, management, and implementation of information security in the organization

14
Security Professionals and the
Organization (cont'd)
 Information Security Project Team
– Champion
– Team Leader
– Security Policy developers
– Risk Assessment Specialists
– Security Professionals
– Systems, Network, and Storage Administrators
– End Users

15
Data Management
 Data Owners
– Responsible for the security and use of a particular set of information
 Data Custodians
– Responsible for the storage, maintenance, and protection of the information
 Data Users
– Allowed by the data owner to access and use the information to perform their daily jobs

16
Key Information Security Terminology
 Security professionals must be thoroughly familiar with common terms and their full meaning to effectively support any information security effort

Threats and Attacks
 Threat
– Any object, person, or other entity that poses a potential risk to an asset in terms of alteration, damage, or loss
 Asset
– Anything that has value for the organization
– Can be physical, logical, or intangible
17
Threats and Attacks (cont'd)
 Attack
– Intentional or unintentional action that could represent the unauthorized modification, damage, or loss of an information asset
 Indirect Attack
– A system is compromised and used to attack other systems
 Subject of an Attack
– Used as an active tool to conduct the attack
 Object of an Attack
– Entity being attacked
18
Threats and Attacks (cont'd)
 Direct Attack
– Hacker uses a personal computer to break into a system
 Threat Agent
– Specific instance of a general threat

Vulnerabilities and Exploits
 Well-known Vulnerabilities
– Vulnerabilities that have been examined, documented, and published

19
Vulnerabilities and Exploits (cont’d)
 “Exploit”
– Threat agents attempt to exploit a system or information asset
– Specific recipe that an attacker creates to formulate an attack
 Controls, Safeguards, or Countermeasures
– Synonymous terms
– Security mechanisms (technologies: hardware, software), policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization
20
Risk
 State of being unsecure, either partially or totally, and thus susceptible to attack
– Described in terms of likelihood
 Risk Management
– Involves risk identification, risk assessment or analysis, and risk control
 Risk Appetite or Risk Tolerance
– Amount of risk an organization chooses to live with

21
Risk (cont'd)
 Residual Risk
– Amount of risk that remains after an organization takes precautions, implements controls and safeguards, and performs other security activities
 To control risk:
– Self-protection
– Risk Transfer
– Self-insurance or Acceptance
– Avoidance

22
Security Perimeter and Defense in Depth
 Security Perimeter
– Defines the boundary between the outer limit of an organization’s security and the beginning of the outside network
– Perimeter does not protect against internal attacks
– Organization may choose to set up security domains
 Defense in Depth
– Layered implementation of security
 Redundancy
– Implementing technology in layers
23
Security Perimeter and Defense in Depth
(cont'd)

Figure 1-3 Security Perimeter © Cengage Learning 2012
24
Security Perimeter and Defense in Depth
(cont'd)

Figure 1-4 Defense in Depth © Cengage Learning 2012
25
Threats to Information Security

Table 1-1 CSI/FBI Computer Crime and Security Survey (continued on slides 27, 28, and 29)

26
Threats to Information Security (cont'd)

Table 1-2 12 categories that represent a clear and present danger to an organization’s people, information, and systems

30
The TVA Triple
 “TVA Triple” of Threat-Vulnerability-Asset
– Use to prioritize your work
– T1-V1-A1—Vulnerability 1 that exists between Threat 1 and Asset 1
– T1-V2-A1—Vulnerability 2 that exists between Threat 1 and Asset 1
– T1-V1-A2—Vulnerability 1 that exists between Threat 1 and Asset 2
 Organize in a TVA worksheet

31
Table 1-3 Sample TVA Spreadsheet

32
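The TVA worksheet above is shown on the slides only as a table image; the following is an added example (not from the textbook) that builds the T-V-A triples programmatically and ranks them so the worksheet can be used to prioritize work. The threats, vulnerabilities, assets and 1-to-5 scores are constructed sample data, and the ranking formula (asset value x threat likelihood x vulnerability severity) is an assumption for illustration, not a method the book prescribes.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample catalogues (not from the textbook). Each entry is
# (description, score) with scores on an assumed 1-to-5 scale.
THREATS = {"T1": ("Malware", 5), "T2": ("Power failure", 2)}
VULNS = {"V1": ("Unpatched operating system", 4),
         "V2": ("No e-mail attachment filtering", 3)}
ASSETS = {"A1": ("Customer database", 5), "A2": ("Print server", 2)}


@dataclass(frozen=True)
class TvaTriple:
    """One Threat-Vulnerability-Asset triple, e.g. T1-V1-A1."""
    threat: str
    vuln: str
    asset: str

    def label(self) -> str:
        return f"{self.threat}-{self.vuln}-{self.asset}"


def priority(triple: TvaTriple) -> int:
    """Assumed ranking weight: asset value x threat likelihood x severity."""
    return (ASSETS[triple.asset][1] * THREATS[triple.threat][1]
            * VULNS[triple.vuln][1])


def build_worksheet(triples: list[TvaTriple]) -> list[dict]:
    """Return worksheet rows sorted so the highest-priority triple is first."""
    rows = [{"triple": t.label(),
             "threat": THREATS[t.threat][0],
             "vulnerability": VULNS[t.vuln][0],
             "asset": ASSETS[t.asset][0],
             "priority": priority(t)} for t in triples]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def worksheet_csv(rows: list[dict]) -> str:
    """Render the worksheet as CSV text, ready to open as a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# The three triples named on the slide.
SAMPLE_TRIPLES = [TvaTriple("T1", "V1", "A1"), TvaTriple("T1", "V2", "A1"),
                  TvaTriple("T1", "V1", "A2")]

if __name__ == "__main__":
    print(worksheet_csv(build_worksheet(SAMPLE_TRIPLES)))
```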
Other Ways to View Threats
 Perspectives:
– Intellectual Property
– Software Piracy
– Shoulder Surfing
– Hackers
– Script Kiddies
– Packet Monkeys
– Cracker
– Phreaker
– Hacktivist or Cyberactivist
– Cyberterrorist
33
Other Ways to View Threats (cont'd)
 Malicious Code, Malicious Software, or Malware
– Computer Virus: Macro Virus, Boot Virus
– Worms
– Trojan Horses
– Backdoor, Trapdoor, Maintenance Hook
– Rootkit

34
Other Ways to View Threats (cont'd)
 Power Irregularities
– Spike (momentary increase)
– Surge (prolonged increase)
– Sag (momentary decrease)
– Brownout (prolonged decrease)
– Fault (momentary complete loss)
– Blackout (prolonged complete loss)

35
Attacks on Information Assets
 Attacks occur through a specific act that may cause a potential loss, damage, or alteration
 Each of the major types of attack used against controlled systems is discussed in the following slides

36
Malicious Code
 Malicious Code
– Includes Viruses, Worms, Trojan Horses, and active Web Scripts
– Executed with the intent to destroy or steal information
 Polymorphic, Multivector Worm
– Constantly changes the way it looks
– Uses multiple attack vectors to exploit a variety of vulnerabilities in commonly used software

37
Malicious Code

Table 1-4 Attack Vectors


38
Compromising Passwords
 Bypass access controls by guessing passwords
 Cracking
– Obtaining passwords from hash values
 Brute Force Attack
– Application of computing and network resources to try every possible combination of characters
 Dictionary Attack
– Variation on the brute force attack
– Narrows the field by selecting specific target accounts and using a list of commonly used passwords
39
Denial-of-Service (DoS) and
Distributed Denial-of-Service (DDoS)

 Denial-of-Service (DoS) Attack
– Attacker sends a large number of connection or information requests to a target
– So many requests are made that the target system cannot handle them along with other, legitimate requests for service
 Distributed Denial-of-Service (DDoS) Attack
– Coordinated stream of requests against a target from many locations at the same time
– Any system connected to the Internet is a potential target for denial-of-service attacks
40
Spoofing
 Intruder sends messages to IP addresses that indicate to the recipient that the messages are coming from a trusted host

Figure 1-6 IP Spoofing © Cengage Learning 2012
41
Man-in-the-Middle
 Attacker monitors (or sniffs) packets from the network
– Modifies them using IP spoofing techniques
– Inserts them back into the network
 Allows the attacker to eavesdrop, change, delete, reroute, add, forge, or divert data


42
E-mail Attacks
 E-mail
– Vehicle for attacks rather than the attack itself
 Spam
– Used as a means to make malicious code attacks more effective
 Mail Bomb
– Attacker routes large quantities of e-mail to the target system

43
Sniffers
 Sniffer
– Program or device that can monitor data traveling over a network
– Used both for legitimate network management functions and for stealing information from a network
– Impossible to detect
– Can be inserted almost anywhere
– Packet Sniffers work on TCP/IP networks

44
Social Engineering
 Process of using social skills to convince people to reveal access credentials or other valuable information to the attacker

 “People are the weakest link. You can have the best technology, [then] somebody call[s] an unsuspecting employee. That’s all she wrote, baby. They got everything” – Kevin Mitnick*

* Kevin David Mitnick (b. 8/6/1963): Computer security consultant, author. In the late 20th century, he was convicted of various computer and communications related crimes. At the time of his arrest, he was the most wanted computer criminal in the United States.

45
Buffer Overflow
 Application Error
– Occurs when more data is sent to a buffer than it can handle
 Attacker can make the target system execute instructions
 Attacker can take advantage of some other unintended consequence of the failure


46
Addendum Not in the Textbook

 Information States:
– Storage: Data at rest (DAR) in an information system, such as that stored in memory or on a magnetic tape or disk.
– Transmission: Transferring data between information systems - also known as data in transit (DIT).
– Processing: Performing operations on data in order to achieve a desired objective.


47
Addendum Not in the Textbook (cont’d)

 Safeguards:
– Policy and Practices: Administrative controls, such as management directives, that provide a foundation for how information assurance is to be implemented within an organization.
– Examples: acceptable use policies or incident response procedures - also referred to as “operations.”

48
Addendum Not in the Textbook (cont’d)

 Safeguards (cont’d):
– Human Factors: Ensuring that the users of information systems are aware of their roles and responsibilities regarding the protection of information systems and are capable of following standards.
– Example: end-user training on avoiding computer virus infections or recognizing social engineering tactics - also referred to as “personnel”

49
Addendum Not in the Textbook (cont’d)

 Safeguards (cont’d):
– Technology: Software and hardware-based solutions designed to protect information systems
– Examples: anti-virus, firewalls, intrusion detection systems, etc.

Addendum Not in the Textbook Source:
http://cobhomepages.cob.isu.edu/parkerkr/courses/CIS430/Fall10/presentations/security/clint_pres.html

50