Introduction to security - PowerPoint PPT Presentation
Slides: 40
Provided by: AlbinZ1

Transcript and Presenter's Notes

1
Introduction to security
2
Some confusion
  • Safety = Säkerhet = Security ???  (the Swedish word säkerhet covers both)
  • Security
    • measures taken to guard against espionage or
      sabotage, crime, attack, or escape (Merriam-Webster
      Online Dictionary)
  • Safety
    • to protect against failure, breakage, or
      accident (Merriam-Webster Online Dictionary)

3
What is Computer Security?
  • "Security is keeping anyone from doing things you
    do not want them to do to, with, on, or from your
    computers or any peripheral devices."
    (Cheswick and Bellovin)
  • "The purpose of information security is to ensure
    business continuity and minimize business damage
    by preventing and minimizing the impact of
    security incidents. It has three basic
    components: confidentiality, integrity, and
    availability."
    (BS 7799:1995, British Standards Institute)

4
  • Is information security really a topic?

5
Widely Known Threats
  • Viruses and Worms
    • spreading worldwide in a matter of hours
  • Access Control and Data Theft
    • breaking into computer systems
  • OS, Databases and Applications
    • poor coding and flawed protocol design or
      implementation

6
CERT - Statistics
Incidents
7
CERT - Statistics
Vulnerabilities
8
Type of Breaches and Costs
Source: DTI, Information Security Breach Survey, 2002
9
  • Is information security really a topic?

10
Security Services
  • Confidentiality
    • means that the assets of a computing system are
      accessible only by authorized parties
  • Integrity
    • means that assets can be modified only by
      authorized parties or only in authorized ways
  • Availability
    • means that assets are accessible to authorized
      parties

11
ISO 13335-1 / OSI Security Services
  • Confidentiality
  • Integrity
  • Availability
  • Authentication
  • Access Control
  • Non-repudiation

ISO: International Organization for Standardization;
OSI: Open System Interconnection
12
Trust Approach
  • Security is about trust.
  • Trust encompasses
    • Correctness
    • Reliability
    • Privacy
    • Safety
    • Survivability
    • Secrecy
    • Availability

13
Scope
  • IT security
    • Dealing with the technical parts of security
  • Information System Security
    • The whole information processing system is of
      interest
  • Information security
    • All information is of interest

14
Security is Multidimensional
15
House of security
  • Standards: applying standards
    • Technical Standards
    • Evaluation Standards
    • Process Standards

16
  • The management process includes
    • Commitment
    • Control
    • Steering

17
Process diagram: Risk analysis, Policy
  • Risk analysis: learning the risks the information
    faces
  • Policy: define guidelines regarding security
18
Process diagram: Risk analysis, Policy, Analysis, Realization
  • Analysis: what kind of security needs to be
    realized
    • Technical
    • Organizational
  • Realization: enforce the security mechanisms
    • Implementation
    • Documentation

19
Process diagram: Risk analysis, Policy, Analysis, Realization, Maintenance
  • Maintenance: keeping the system secure by means
    of
    • Improving security
    • Applying patches

20
Process diagram: Risk analysis, Policy, Analysis, Realization, Maintenance, Audit
  • Audit: verification of security
    • Technical Security
    • Organizational Security
    • Planning Security

21
Process diagram: Risk analysis, Policy, Analysis, Realization, Maintenance, Audit
But security can only work if all components work
together and there is awareness of the problems.
22
The Big Picture
Diagram: Assets, Threats, Vulnerabilities, Countermeasures, Impact, Risk Analysis
these slides are based on USP slides from Cintia
B. Margi and Prof. Wilson V. Ruggiero
23
Terminology
  • Asset
    • Anything with value and in need of protection
  • Threat
    • An action or potential action with the propensity
      to cause damage
  • Vulnerability
    • Circumstances that have the potential of causing
      loss
  • Countermeasure
    • Controls for protecting the assets

24
Assets
  • What is an asset?
    • tangible assets
      • data
      • hard disks, floppy disks
      • network equipment
      • tapes, manuals, etc.
    • intangible assets
      • public image
      • reputation, etc.
    • a very broad scope, from people to
      hardware and data

25
Assets
  • Assets may be classified according to
    • software and hardware assets
    • data assets
    • communication assets
    • administrative assets
    • human resources assets
  • A list of assets that shall be protected is
    essential for risk analysis

26
Threats
  • Threats to the system may come from
    • someone
      • e.g. a spy, a hacker, a criminal or an
        ill-intended employee
    • something
      • e.g. hardware or software failure
    • an event
      • e.g. fire, power shortage, flooding, earthquake
  • Threats can be classified in 3 groups
    • natural or physical threats
    • non-intentional threats
    • intentional threats

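The terminology of slides 22 to 26 (assets, threats in three groups, vulnerabilities, countermeasures) as a small worked risk register. This is an added example, not part of the original slides; all asset, threat and countermeasure names are constructed, and it assumes a countermeasure is recorded as the set of (asset, threat) pairs it protects. `exposures()` lists the pairs that still carry a listed vulnerability with no countermeasure, which is the input the slides' risk analysis step needs.

```python
THREAT_GROUPS = ("natural or physical", "non-intentional", "intentional")

# Asset inventory (slide 25): constructed asset name -> asset class
ASSETS = {
    "customer database": "data",
    "file server": "software and hardware",
    "backup tapes": "data",
    "sysadmin team": "human resources",
}

# Threats (slide 26), each placed in one of the three groups
THREATS = {
    "fire": "natural or physical",
    "misconfiguration": "non-intentional",
    "external intrusion": "intentional",
    "insider abuse": "intentional",
}

# Vulnerabilities (slide 23): circumstances letting a threat cause loss on an asset
VULNERABILITIES = [
    ("customer database", "external intrusion", "reachable from the internet"),
    ("customer database", "insider abuse", "every employee has write access"),
    ("file server", "fire", "single copy kept in one server room"),
    ("file server", "misconfiguration", "changes are not reviewed"),
    ("backup tapes", "fire", "tapes stored next to the server"),
]

# Countermeasures (slides 33-34): the (asset, threat) pairs each one protects
COUNTERMEASURES = {
    "firewall": {("customer database", "external intrusion")},
    "off-site tape storage": {("backup tapes", "fire")},
    "change management routine": {("file server", "misconfiguration")},
}

def exposures():
    """(asset, threat) pairs with a listed vulnerability and no countermeasure."""
    unknown = [(a, t) for a, t, _ in VULNERABILITIES if a not in ASSETS or t not in THREATS]
    if unknown:  # the asset list must be complete before risk analysis makes sense
        raise ValueError(f"vulnerability refers to an unlisted asset/threat: {unknown}")
    covered = set().union(*COUNTERMEASURES.values())
    at_risk = {(a, t) for a, t, _ in VULNERABILITIES}
    return sorted(at_risk - covered)

def exposures_by_group():
    """The exposures bucketed by the three threat groups of slide 26."""
    out = {group: [] for group in THREAT_GROUPS}
    for asset, threat in exposures():
        out[THREATS[threat]].append((asset, threat))
    return out
```

With this constructed data the firewall covers the external intruder but nothing covers the insider, which is the point slide 30 makes about internal villains.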
27
Natural or Physical Threats
  • Every kind of equipment or facility is exposed
    to them
    • e.g. fire, flooding, power shortages
  • Usually very hard to prevent, but easy to detect
  • It is possible to minimize their extent

28
Non-Intentional Threats
  • Threats that are caused by ignorance
    • a user or a system administrator who is poorly trained
    • someone who hadn't read the system documentation
      or manuals
    • someone who hadn't understood the importance of
      security rules
  • damage is caused by ignorance

29
Intentional Threats
  • Security products are designed to prevent
    intentional threats; those are the ones
    that make the news
  • Two types of adversaries: internal and external
    • external villains include
      • criminals
      • hackers
      • terrorists
      • other enterprises

30
Intentional Threats
  • External villains can try to gain access to a
    system by
    • breaking in, forging ID cards, through networks
      or even bribery and/or coercion of internal staff
  • The focus of security tools is usually external
    villains, but a great part of security problems
    is due to internal villains
    • the enemy is already inside - and we hired
      them!

31
Impact groups
32
Information security layer model
Diagram (innermost layer: Information)
33
Some Countermeasures
  • Security techniques
    • Cryptography
    • Firewalls
    • Software mechanisms
      • Secure development
      • Operating system protection
      • Internal program mechanisms
    • Hardware mechanisms

34
Countermeasures
  • Management Activities
    • Rules and Routines for Awareness
    • Policy
    • Security Management
    • Physical Security

35
Malicious Who?
  • Misbehaving Users
    • mostly unintentional damage out of curiosity
  • Amateurs
    • reading about computer abuse and wanting to
      experience it
  • Hackers
    • proving that it is possible and earning
      popularity/acceptance
    • usually divided into Black Hats and White Hats
  • Criminals
    • earn money with computer abuse (theft, espionage,
      ...)

Chart axes: likelihood; worse
36
Method, Opportunity, Motive: what must a malicious
attacker have?
  • Method
    • means to conduct the attack: skills, knowledge,
      tools ...
  • Opportunity
    • time and access to accomplish the attack
  • Motive
    • a reason to do it

37
Stakeholders
  • Regular Users
    • They want to use the system
  • IT Staff / Security Manager
    • They want to supply a working system
  • Business Manager
    • They want productivity from IT use
  • Asset Owner
    • Their resources are in danger, or they want to
      earn money
  • Public bodies
    • Want orderly behavior and a prospering economy
  • ...

38
Remark
"Information Security is a parasite on the
profits" (Gerald Kovacich)
  • Information Security is
    • a business enabler: it can be sold, or it enables
      the business
    • an insurance: resources under risk and downtime
      mean unrealized profit

39
Questions?