Securing an Information Resource Management System

1
Securing an Information Resource Management System
2
Overview

• Security issues of an information resource
  management system
• Secure physical network
• Standards and protocols used in information
  security
• Management tools used to implement that system

3
Information Security in Society

• Homeland Defense
• Homeland Defense as an information security
  system
• Need to communicate sensitive information
  efficiently in a crisis

4
Information Security in Society

• HD Secretary Tom Ridge and Strategic
  Communications Resources (SECURE) Initiative
• Five new HD officers per state
• Secure telephones and video conferencing for the
  Governors office

5
Information Security in Society

• Information based industry
• Potential loss
• New information technology
• New vulnerabilities

6
The First Step
7
Secure Information Network Physical Architectures

• Homeland example
• Telephony equipment
• Emergency Operations Center

8
FIPS 140-2

• FIPS 140-2(Federal Information Processing
  Standard)
• Crypto-modules
• tests hardware, software, firmware
• crypto algorithms
• key-generation

9
Secure Environments

• Secure Environments
• authorized personnel
• placing servers locally
• disconnected information networks

10
Smart Cards

• Used in combination with other id-securing
  methods
• Portable
• Secure
• Difficult to replicate, useless to steal
• Appearance gold-contacts
• Microprocessor
• Also can be used to facilitate secure
  communications

11
Smart Cards

• Little interoperability between software and
  hardware of different vendors
• Difficult implementation and maintenance
• NIST (National Institute of Standards and
  Technology)
• NIST is working on guidlines/specifications (as
  well see in the next section)

12
Firewalls

• Located on routers or servers
• Blocks specific communications and allows
  specific communication

13
FIREWALL
Telnet
SSH
Web Browsing
FTP
SFTP
14
Firewalls

• Located on routers or servers
• Blocks specific communications and allows
  specific communication
• useful in preventing viruses

15
Connected Networks

• Can be physically isolated to provide security
• Controlled communication access points

16
VLANS

• By remote login, a server can make it appear as
  though the user is on a network
• Secure tunneling

17
(No Transcript)
18
WIFI

• Wi-Fi (short for "wireless fidelity")
• Ever-growing WiFI networks

19
(No Transcript)
20
WIFI

• Wi-Fi (short for "wireless fidelity")
• Ever-growing WiFI networks
• Unsecured

21
WIFI

• Current business trends Demand Robust Security
  Networks (RSNs) on WiFi
• RSN
• Dependable
• Secure
• Versatile

22
WIFI

• WIFI products need to
• Provide security
• Multi-vendor interoperability
• Long security lifecycle to lengthen usability
• Support hotspots connectivity

23
WIFI and FIPS 140-2

• 802.11b IEE standard
• Minimal security
• FIPS 140-2 and 802.11 and Bluetooth standard (for
  WiFi)
• IEEE, IETF, NIST working to create effective
  standards
• Theory higher level crypto protocols, like IPSec
  (next section)

24
WIFI

• Interim methods to minimizing WIFI losses
• Detailed wireless topology
• Inventory of devices
• Frequent back-ups
• Random security audits of WiFi infrastructure
• Monitor WIFI technology changes

25
Oregano Break!
26
Universals Standards/Protocols

• Different technology vendors and universals
  standards/protocols

27
Standards and Protocols

• Information security standards/protocols are also
  policy

28
Standards and Protocols

• Congress and the Gramm Leach-Bliley Act
• Bank security policies
• Information security standards
• Protect customer info
• Protect other nonpublic info
• Safe, secure, and reliable transactions

29
Standards and Protocols

• ISO 17799, ISF, NIST
• Guidelines that have standards for information
  security
• Security communication protocols
• Cryptographic standards
• What are common cryptographic standards?

30
Cryptographic Standards

• Common cryptographic standards
• Integrity
• Authenticity
• Authorization/access control model
• Non-repudation

31
Cryptographic Standards

• Definition block cipher
• Definition cipher text
• Definition stream cipher
• Definition symmetric block cipher
• algorithm to encrypt and decrypt block text

32
Cryptographic Standards

• Digital Signature Standard (DSS)
• Authentication and Integrity
• Digital Signature Algorithm (DSA) public-private
  keys schemes (discussed later)

33
DSA

• Hashing
• Definition message digest
• Digest encrypted with DSA

34
(No Transcript)
35
DSA

• FIPS 180-1 (FIPS Hashing standard)
• SHA-1, SHA-256 blocks lt264 bits
• SHA-384, SHA-512 blocks lt2128 bits
• changes to a message results in a different
  digest (high probability)
• also used with stored data

36
Keys

• Secret keys

37
Secret Key
Original Key
Copy Key
38
(No Transcript)
39
Keys

• Public-Private Keys

40
Secret Key
Private Key
41
Message
Encrypted Message
Decrypted Message
42
Keys

• Key certificates
• Key lifecycle

43
(No Transcript)
44
Keys

• Key-substitution vulnerability

45
Keys

• Key-destruction vulnerability

46
Keys

• Controlling the key lifecycle
• Crypto-periods

47
PKI

• Public Key Infrastructure (PKI)
• Certificate Authorities
• Electronic transport
• Manual key transport
• Trust

48

• Lets look at some examples

49
IPSEC

• IPSEC uses keys
• Works on the Transport Layer

50
(No Transcript)
51
IPSEC

• Tunneling

52
(No Transcript)
53
IPSec

• Internet Key Exchange (IKE)
• Serial authentication access
• Confidentiality
• Transmissions and key crypto periods

54
IPSec

• Encapsulating Security Payload (ESP)
• Double-encryption scheme
• Encrypts data
• Encrypts header (source/destination invisible)

55
NIST

• NIST (National Institute of Standards and
  Technology)
• Information security standards for government and
  industry

56
NIST

• Business metrics and standards
• Supports DSS and public key encryptions
• The MAIDS standard
• The AES standard

57
NIST

• The MAIDS standard
• Mobile Agent Intrusion Detection and Security
• Autonomous software entities
• Security threats
• MAIDS prevents unauthorized access
• ensures secure communication with mobile agents

58
NIST

• Advanced Encryption Standard (AES)
• Keys of 128, 192, 256 bits/ 16, 24, 32 character
  long encryption blocks
• Symmetric block cipher
• Federal Information Processing Standard approved
  (FIPS)
• AES and IPSEC work with modification of the IKE
  exchange
• AES/IPSEC protocol works at the IP layer

59
N'Sync Break!
60

• Poisoned dagger
• the human element.

61
Personnel and Management Objectives in a Secure
Information Environment
62

• Business Mindset
• Quite frequently, the risk and the solutions are
  seen as part of the IT universe, while business
  leaders want to concentrate on product
  development, sales and revenue, and customer
  care. To change this mindset and to recognize IS
  as a business issue, the CISO has to inform,
  educate, and influence his or her business
  counterparts
• --Robert Garigue, Information Systems

63
CIO and the CISO's tasks

• Describe
• Environmental factors (industry related threats)
• New/developing standards
• Defenses of digital assets taken
• Existing security incidents
• Financial impact of those breaches
• New/developing metrics the CEO can use

64
CIO and the CISO's tasks

• Educate
• List risks factors to the bottom line
• New technologies and their risks
• Potential impact of breaches
• How people participate in information security

65
CIO and the CISO's tasks

• Influence
• Priorities and resource allocation
• Involving security specialists early in new
  projects
• Deciding on organizational structures with
  information efficiency as a goal

66
CIO and the CISO's tasks

• information risk analysis
• Measures bottom line impact
• Types of information loss
• Malicious use
• Predictive Systems
• 36 chance 10-20 bill. in lost

67
CIO and the CISO's tasks

• Security certification
• Use common business metrics (activity reports) to
  measure the effect information breaches )
• Are we secure?
• Directly lead to budget decisions

68
Communicating Security Policy

• Is the policy being followed?
• Inform employees and management of
• Security objectives
• Organizational accountability
• Standards and procedures
• Available guidelines supporting the policy

69
Communicating Security Policy

• Awareness metrics
• Is the training effective?
• Intranet website
• Access management
• Policy, politics, and technology
• RBAC
• Access based on identity vs. role
• Operations with the object

70
Ongoing defense

• Security tests
• Upgrades
• Communication monitoring
• Computer forensics

71
A state of necessity