A Framework for Security - PowerPoint PPT Presentation

About This Presentation
Title:

A Framework for Security

Description:

spies, thieves, assassins, and invading armies laying siege. Physical Defenses: ... Protection through technologies, procedures and policies ... – PowerPoint PPT presentation

Slides: 22
Provided by: prefe69

Transcript and Presenter's Notes


1
A Framework for Security
  • K778 Security, Privacy and Trust
  • Michael Bliemel
  • February 26, 2002

2
Outline
  • Security In the Past and Today
  • Themes and Dimensions for Security
  • Security Policies
  • Management of Security
  • Example of a Security Policy
  • Framework for Security

3
Medieval Security
  • Threats: spies, thieves, assassins, and invading armies laying siege
  • Physical defenses: walls, gates, cisterns, and towers
  • Protection personnel: guards, food-tasters, and watch-men
  • Rules for entry and conduct
  • Codes and seals for communication

4
Security Today
  • Threats
  • Hackers, spies, kiddies, activists, employees
  • Stealing, spying, destructive actions, DoS
    attacks
  • Viruses
  • Accidents, internal misuse of information
  • Disasters (fire, earthquakes, floods, bugs)
  • Protection through technologies, procedures and
    policies

5
Threats and Protections we have covered so far
  • Interception
    • Symmetric encryption, PKI
  • Impersonation and authentication
    • Passwords, challenge-response, certificates and signatures, tokens, biometrics
  • Login attacks and passwords
    • Client and server security, firewalls, intrusion detection
  • Denial of Service attacks
    • Server updates, response procedures
  • Viruses
    • Antivirus
  • Social engineering
    • User education, logging

6
Different Themes for Security
Source: http://www.ecom.or.jp/ecom_e/latest/ecomjournal_no2/wg_s1_e02.htm

7
Security Measures
Source: http://www.ecom.or.jp/ecom_e/latest/ecomjournal_no2/wg_s1_e02.htm

8
Practical Security Dimensions
  • Physical security
    • Pertains to the well-being of the hardware, software, data, and network infrastructure
  • Host security
    • Protection of server operations and prevention of unauthorized access to the network
  • Application security
    • Ensuring that applications function only as they were intended to, and protecting data in applications from unwanted access and modification

9
Security Conceptualization
  • Multi-dimensional definition that is user dependent, e.g. banks and universities have different issues
  • Suggestion by Wang and Wulf: security is a function of <f1(confidentiality), f2(integrity), f3(availability)>
  • Confidentiality
    • Prevention of unauthorized disclosure of information
  • Integrity
    • Prevention of unauthorized modification of information
  • Availability
    • Prevention of unauthorized withholding of information

10
Practical and Conceptual Dimensions of Security
11
Security through Obscurity
  • Making the names of files containing passwords and other critical information unrecognizable to outsiders (e.g. 357207.wsx instead of Passwords.dat)
  • Hiding scripts and IP addresses
  • Good business ethics: avoid becoming a target for vigilantes

12
Policy Development Process
  • Identify information assets
  • Identify hardware and software assets
  • Assess risks and costs
  • Decide on trade-offs between security and
    accessibility
  • Develop practices and procedures
  • Implement technologies
  • Educate Users
  • Monitor the security <-> accessibility balance and refine policies

13
Assessing Security Cost and Risk
  • Financial costs
    • Hardware, software, personnel
  • Performance costs
    • SSL, encrypted databases, employees' and customers' time
  • Risk identification
    • Procedural risks, intrusion risks
  • Risk assessment
    • Financial, customer service, and business continuity impact
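
The policy development steps of slide 12 and the cost/risk assessment of slide 13 can be carried through on a small risk register. The following is an added example written for this page, not material from the original slides or from any cited source: the assets, risks, controls and all figures are constructed, the expected-loss formula (asset value × fraction lost per incident × incidents per year) is a common textbook model rather than one the slides prescribe, and the accessibility threshold is an assumed number that stands in for the "security vs. accessibility" trade-off decision.

```python
"""Risk register for the policy-development process (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str            # "information", "hardware" or "software" (inventory steps)
    value: float         # value to the business in currency units, constructed


@dataclass
class Risk:
    asset: str           # Asset.name this risk applies to
    description: str
    kind: str            # "procedural" or "intrusion", as on the slide
    likelihood: float    # expected occurrences per year, constructed estimate
    loss_fraction: float  # share of the asset value lost per occurrence


@dataclass
class Control:
    name: str
    mitigates: str           # Risk.description the control addresses
    annual_cost: float       # financial cost: hardware, software, personnel
    performance_cost: float  # 0..1 penalty on employee/customer time (accessibility)
    reduction: float         # fraction of the expected loss the control removes


def annual_loss(asset: Asset, risk: Risk) -> float:
    """Expected yearly loss: value lost per incident times incidents per year."""
    return asset.value * risk.loss_fraction * risk.likelihood


def assess(assets, risks, controls, max_performance_cost=0.5) -> dict:
    """Decide per control: adopt, accept the risk, or defer on accessibility grounds.

    max_performance_cost is an assumed threshold expressing how much user
    inconvenience the business will trade for security.
    """
    by_name = {a.name: a for a in assets}
    expected = {r.description: annual_loss(by_name[r.asset], r) for r in risks}
    decisions = {}
    for c in controls:
        net_benefit = expected[c.mitigates] * c.reduction - c.annual_cost
        if c.performance_cost > max_performance_cost:
            decisions[c.name] = "defer: accessibility cost too high"
        elif net_benefit > 0:
            decisions[c.name] = "adopt"
        else:
            decisions[c.name] = "accept risk: control costs more than it saves"
    return decisions


# Constructed register for a small e-business; none of these figures are real.
ASSETS = [
    Asset("customer database", "information", 400_000.0),
    Asset("public web server", "hardware", 20_000.0),
]
RISKS = [
    Risk("customer database", "unauthorized access to stored customer data", "intrusion", 0.2, 0.5),
    Risk("customer database", "live customer data copied to test systems", "procedural", 1.0, 0.05),
    Risk("public web server", "denial of service against the web server", "intrusion", 2.0, 0.25),
]
CONTROLS = [
    Control("encrypted database", "unauthorized access to stored customer data", 15_000.0, 0.3, 0.8),
    Control("mask live data before testing", "live customer data copied to test systems", 4_000.0, 0.1, 0.9),
    Control("DoS scrubbing service", "denial of service against the web server", 12_000.0, 0.05, 0.7),
    Control("re-authenticate on every query", "unauthorized access to stored customer data", 5_000.0, 0.9, 0.95),
]


def assess_register() -> dict:
    """Run the assessment over the constructed register."""
    return assess(ASSETS, RISKS, CONTROLS)


if __name__ == "__main__":
    for control, decision in assess_register().items():
        print(f"{control:32s} -> {decision}")
```

The last control shows why the trade-off step exists as a separate decision: it has the best net benefit on paper but fails the accessibility threshold, so the register defers it rather than adopting it blindly.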

14
Security Policy Inclusions
  • Access control policies
  • Software installation policies
  • Regulating the use of sniffers and data scopes
  • Regulating the use of live data for testing
    applications
  • Data classification schemes (e.g. top secret)
  • Procedures and actions for auditing incidents
  • Allocating responsibilities and procedures for
    security updates
  • External communication policies (email, fax)
  • Employee, partner and customer tracking policies

15
Security Policies in Action
Diagram (arrows not recoverable): IT area analysis, Business area analysis, Security Policy, Policy Enforcement, Risk analysis, User Feedback / incident reporting
Source: E-Commerce Systems Architecture and Applications, W.E. Rajput (2000)

16
Security Management
Source: http://www.ecom.or.jp/ecom_e/latest/ecomjournal_no2/wg_s1_e02.htm

17
Policy Example
  • Visa CISP (Cardholder Information Security Policy)
  • Purpose: to reduce the costs of security breaches at the client (e-Business) side
  • Costs come from replacing cards, less business from reduced trust in online transaction security, and loss of image
  • Requires large online vendors to comply with the policy
  • Auditing and security consulting; in the worst cases, termination of business agreements

18
Example: VISA's Cardholder Information Security Program
  • Install and maintain a working network firewall
    to protect data accessible via the Internet.
  • Keep security patches up-to-date.
  • Encrypt stored data accessible from the Internet.
  • Encrypt data sent across public networks.
  • Use and regularly update anti-virus software.
  • Restrict access to data on a "need-to-know"
    basis.
  • Assign a unique ID to each person with access to
    data.
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters.
  • Track access to data by unique user ID.
  • Test security systems and processes regularly.
  • Maintain a policy that addresses information
    security for employees and contractors.
  • Restrict physical access to cardholder
    information.
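
Most of the CISP requirements listed above map onto facts about a host that an administrator can collect and check mechanically; the three that do not (need-to-know access, a written policy for staff and contractors, physical access) need a human audit. The script below is an added example for this page, not a VISA or PCI tool: the host snapshot is constructed, the field names are invented for the illustration, and the freshness thresholds (30 days for patches, 7 for anti-virus signatures, 180 for security tests) are assumptions standing in for the policy's "up-to-date" and "regularly".

```python
"""Machine-checkable subset of the CISP requirements (added example, constructed data)."""
from datetime import date, timedelta

# Requirement labels, abbreviated from the slide.
REQ_FIREWALL = "Install and maintain a working network firewall"
REQ_PATCHES = "Keep security patches up-to-date"
REQ_ENCRYPT_STORED = "Encrypt stored data accessible from the Internet"
REQ_ENCRYPT_TRANSIT = "Encrypt data sent across public networks"
REQ_ANTIVIRUS = "Use and regularly update anti-virus software"
REQ_UNIQUE_ID = "Assign a unique ID to each person with access to data"
REQ_NO_DEFAULTS = "Do not use vendor-supplied defaults for system passwords"
REQ_TRACK_ACCESS = "Track access to data by unique user ID"
REQ_TEST = "Test security systems and processes regularly"

# Assumed thresholds; the policy text only says "up-to-date" and "regularly".
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_AGE = timedelta(days=7)
MAX_TEST_AGE = timedelta(days=180)

# Constructed snapshot of one e-commerce host; field names are invented here.
HOST = {
    "firewall_enabled": True,
    "last_patch": date(2002, 1, 10),
    "stored_data_encrypted": False,
    "public_services": [{"port": 443, "tls": True}, {"port": 8080, "tls": False}],
    "antivirus_updated": date(2002, 2, 20),
    "accounts": [
        {"id": "jsmith", "people": ["J. Smith"], "password_is_vendor_default": False},
        {"id": "ops", "people": ["A. Lee", "B. Kim"], "password_is_vendor_default": False},
        {"id": "admin", "people": ["C. Diaz"], "password_is_vendor_default": True},
    ],
    "access_log_records_user_id": True,
    "last_security_test": date(2001, 6, 1),
}
AS_OF = date(2002, 2, 26)  # date of the lecture, used as the audit date


def audit(host: dict, as_of: date) -> list:
    """Return the requirement labels the host snapshot fails, in slide order."""
    failed = []
    if not host["firewall_enabled"]:
        failed.append(REQ_FIREWALL)
    if as_of - host["last_patch"] > MAX_PATCH_AGE:
        failed.append(REQ_PATCHES)
    if not host["stored_data_encrypted"]:
        failed.append(REQ_ENCRYPT_STORED)
    # Any Internet-facing service without TLS sends data in the clear.
    if any(not svc["tls"] for svc in host["public_services"]):
        failed.append(REQ_ENCRYPT_TRANSIT)
    if as_of - host["antivirus_updated"] > MAX_AV_AGE:
        failed.append(REQ_ANTIVIRUS)
    # A shared account breaks both "unique ID per person" and accountability.
    if any(len(acct["people"]) != 1 for acct in host["accounts"]):
        failed.append(REQ_UNIQUE_ID)
    if any(acct["password_is_vendor_default"] for acct in host["accounts"]):
        failed.append(REQ_NO_DEFAULTS)
    if not host["access_log_records_user_id"]:
        failed.append(REQ_TRACK_ACCESS)
    if as_of - host["last_security_test"] > MAX_TEST_AGE:
        failed.append(REQ_TEST)
    return failed


def audit_host() -> list:
    """Audit the constructed snapshot as of the lecture date."""
    return audit(HOST, AS_OF)


if __name__ == "__main__":
    for requirement in audit_host():
        print("FAIL:", requirement)
```

Running it against the constructed snapshot flags six requirements; the shared "ops" login is the one most often missed in practice, because it looks like a legitimate account until access tracking is tested against it.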

19
Components of the Security Framework by Intel
Diagram components: Technologies; Policies and planning; feedback between them
Source: http://www.intel.com/eBusiness/technology/implement/2/hi15012.htm

20
Security Framework
Diagram (layout not recoverable) with the elements: Firewalls, Policies, Technology, Risk Management, Encryption, Access, Education, Auditing, Authentication, Updates, Enforcement, New Problems, Training

21
Conclusion
  • Security is dynamic and becoming increasingly
    complex through continuous developments in the
    security arms race between security technology
    providers and hackers
  • Security tries to be proactive by preventing breaches and reducing security risks
  • Security is reactive, as new weaknesses become apparent
  • The key to sound security management is to be good at the proactive element through policies, technologies, and contingency planning, as well as reacting quickly to new developments