Information Security: Is It an Art or a Science?

Post on 12-Dec-2014


DESCRIPTION

A brief overview on Information Security

TRANSCRIPT

Information Security: Is it an Art or a Science?

by Pankaj Rane, Research Associate (IDRBT)

AGENDA

- What is Security?
- What is Information Security?
- Brief History: Information Security
- Present Day: InfoSec
- Why InfoSec is important?
- What is Information Assurance?
- Security Services
- Information States
- Security Countermeasures
- Prevention, Detection, Response
- References

WHAT IS SECURITY?

“The quality or state of being secure, to be free from danger”

- To be protected from adversaries
- A successful organization should have multiple layers of security in place:
  - Physical security
  - Personal security
  - Operations security
  - Communications security
  - Network security

Fig. 1 Spheres of security

WHAT IS INFORMATION SECURITY?

- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
- Tools, such as policy, awareness, training, education, and technology are necessary
- The C.I.A. triangle was the standard based on Confidentiality, Integrity, and Availability

Fig. C.I.A. Triangle


BRIEF HISTORY OF INFORMATION SECURITY

Computer security began immediately after the first mainframes were developed

Groups developing code-breaking computations during World War II created the first modern computers

Physical controls were needed to limit access to sensitive military locations to authorized personnel

Only limited controls were available to defend against physical theft, espionage, and sabotage


The "Enigma" machines, which scramble messages into codes, were best known for their use by the German military during WWII.

Many models were made and there were complex additions to the machines during the war, but British code breakers managed to crack the "Enigma" code.

PRESENT DAY: INFORMATION SECURITY

- The Internet has brought millions of computer networks into communication with each other, many of them unsecured
- The ability to secure each computer is now influenced by the security of every computer to which it is connected

WHY INFORMATION SECURITY IS IMPORTANT?

- Governments, commercial businesses, and individuals are all storing information electronically
  - compact, instantaneous transfer, easy access
- Ability to use information more efficiently has resulted in a rapid increase in the value of information
- Information stored electronically faces new and potentially more damaging security threats
  - can potentially be stolen from a remote location
  - much easier to intercept and alter electronic communication than its paper-based predecessors


WHAT IS INFORMATION ASSURANCE ?

The act of ensuring that data is not lost when critical issues arise.

These issues include natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. 

A common method of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

SECURITY SERVICES: WHAT TYPES OF PROBLEMS CAN OCCUR?

- Confidentiality
- Integrity
- Availability
- Authentication
- Non-Repudiation

CONFIDENTIALITY

“the assurance that information is not disclosed to unauthorized persons, processes or devices.”

INTEGRITY

“the assurance that data can not be created, changed, or deleted without proper authorization”

AVAILABILITY

“Timely, reliable access to data and information services for authorized users.”

AUTHENTICATION

“Designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorizations to receive specific categories of information”

NON-REPUDIATION

“The assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data”

Examples where non-repudiation is lacking include:

- An online shopper purchases and downloads a software package, but later claims he never downloaded it.

- An online shopper purchases and downloads a software package that he later finds out was corrupted, and then finds out the seller was not who he expected, but was instead a “man in the middle”.

INFORMATION STATES: WHERE IS THE DATA?

- Transmission
- Storage
- Processing


TRANSMISSION

Time in which the data is in transit between processing/process steps.

STORAGE

Time during which data is on a persistent medium such as a hard drive or tape.

PROCESSING

Time during which the data is actually in the control of a processing step.

SECURITY COUNTERMEASURES: WHO CAN ENFORCE/CHECK SECURITY?

- People
- Policy and Practice
- Technology

PEOPLE

- The heart and soul of secure systems.
- Awareness, literacy, training, education in sound practice.
- Must follow policy and practice or the systems will be compromised no matter how good the design!
- Both strength and vulnerability.

POLICY AND PRACTICE

- System users
- System administrators
- Software conventions
- Trust validation

TECHNOLOGY

- Evolves rapidly
- Crypto systems
- Hardware
- Software
- Network
  - Firewalls
  - Routers
  - Intrusion detection
  - Other…
- Platform
  - Operating systems
  - Transaction monitoring
  - Other…
- Especially vulnerable to misconfiguration and other “human” errors.

PREVENTION

- Establishment of policy and access control
  - who: identification, authentication, authorization
  - what: granted on “need-to-know” basis
- Implementation of hardware, software, and services
  - users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them)
  - examples of preventative mechanisms
    - passwords - prevent unauthorized system access
    - firewalls - prevent unauthorized network access
    - encryption - prevents breaches of confidentiality
    - physical security devices - prevent theft
- Maintenance

PREVENTION IS NOT ENOUGH!

Bruce Schneier, Counterpane Internet Security, Inc.

Prevention systems are never perfect.

No bank ever says: "Our safe is so good, we don't need an alarm system."

No museum ever says: "Our door and window locks are so good, we don't need night watchmen."

Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.

DETECTION

- Determine that either an attack is underway or has occurred and report it
- Real-time monitoring
  - or, as close as possible
  - monitor attacks to provide data about their nature, severity, and results
- Intrusion verification and notification
  - intrusion detection systems (IDS)
  - typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack
    - example: denial of access to a system when user repeatedly enters incorrect password
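The detection example named on this slide, denial of access after repeated incorrect passwords, is worked through below as an added example that is not part of the original slides. The log format, the sample events, and the thresholds (3 failures within 5 minutes, 15-minute lock) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the log format is an assumption for this example.
SAMPLE_LOG = """\
2014-12-12T09:00:01 login user=alice src=10.0.0.5 result=FAIL
2014-12-12T09:00:04 login user=alice src=10.0.0.5 result=FAIL
2014-12-12T09:00:09 login user=bob src=10.0.0.7 result=FAIL
2014-12-12T09:00:12 login user=alice src=10.0.0.5 result=FAIL
2014-12-12T09:00:15 login user=bob src=10.0.0.7 result=OK
2014-12-12T09:00:20 login user=alice src=10.0.0.5 result=OK
2014-12-12T09:20:00 login user=carol src=10.0.0.9 result=FAIL
2014-12-12T09:45:00 login user=carol src=10.0.0.9 result=FAIL
2014-12-12T10:10:00 login user=carol src=10.0.0.9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def detect_lockouts(log_text, max_failures=3,
                    window=timedelta(minutes=5),
                    lock_for=timedelta(minutes=15)):
    """Return (alerts, denied) as lists of (user, timestamp, source)."""
    failures = defaultdict(deque)  # user -> times of recent failed logins
    locked_until = {}              # user -> time at which the lock expires
    alerts, denied = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event
        stamp, user, src, result = m.groups()
        ts = datetime.fromisoformat(stamp)
        if user in locked_until and ts < locked_until[user]:
            denied.append((user, stamp, src))  # refused even if password is right
            continue
        if result == "OK":
            failures[user].clear()  # a success resets the failure count
            continue
        recent = failures[user]
        recent.append(ts)
        while ts - recent[0] > window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= max_failures:
            locked_until[user] = ts + lock_for
            alerts.append((user, stamp, src))  # detection: report the event
            recent.clear()
    return alerts, denied
```

On the sample events, alice's third failure raises the alert and her later correct password is refused while the lock holds; carol's three failures are spread over 50 minutes and never fall inside one window. Locking per account also lets anyone who knows a username lock its owner out, so deployments commonly combine it with throttling by source.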

RESPONSE

- Stop/contain an attack
  - must be timely!
  - incident response plan developed in advance
- Assess and repair any damage
- Resumption of correct operation
- Evidence collection and preservation
  - very important
  - identifies vulnerabilities
  - strengthens future security measures

REFERENCES

[1] http://www.informit.com/isapi/articles/index.asp (InformIT Reference Guides)

[2] http://www.cs.duke.edu/courses/summer04/cps001/lectures/Lecture15.ppt

[3] http://www.acc.ncku.edu.tw/chinese/faculty/shulc/courses/cas/Whitman/chap01.ppt

[4] http://en.wikipedia.org/wiki/Information_security

[5] http://en.wikipedia.org/wiki/NSTISSC

THANK YOU !!!

QUERIES ???