Managing Information System Security: Principles
GP Dhillon
Associate Professor
Virginia Commonwealth University
Shocking news
25% of the organizations did not have an internal audit
50% of the organizations did not have computer audit skills
60% of the organizations had no security awareness
80% of the organizations did not conduct a risk analysis
General Statistics
CERT/CC: Incidents Reported

Year   Incidents
1991         406
1993       1,334
1995       2,412
1997       2,134
1999       9,859
2001      52,658
2003     137,529
Common Myths
“Why should I care, I have nothing to hide.”
“Why does anyone care about my computer?”
“It’s too difficult to get access to my computer or personal information…”
“If someone tries to [insert malicious activity here], I will notice!”
“Ignorance is bliss!”
Are you at risk?
Using the following puts you at risk:
Computers
Credit Cards
Banks
Airlines
Automobiles
…many more…
CIA – the building blocks
Confidentiality, Integrity, Availability (the three corners of the CIA triangle)
Confidentiality
Ensures privacy: only authorized parties can read the data.
Applies to both data on disks and network communication.
Accomplished through encryption, for example HTTPS, S/MIME, PGP, SSH and IPsec. Encryption only delivers confidentiality if the keys themselves are kept private.
Integrity
Develops trust in the network and computer systems: data and software are what they are expected to be and have not been altered without authorization.
Applies to both data on disks and network communication.
Integrity is increased by proper data and system management.
Availability
Another catalyst for trust: systems and data are reachable when needed.
Required for data on disk and on the network.
Defends against Denial of Service attacks, outages, etc.
Defending with technology
Start with the basics
Basic computer security through technology is easy; use…
A firewall,
Anti-Virus software,
Patches, applied quickly when required,
Strong passwords!
Firewalls
The most useful tool in your bag of defenses.
Prevents intruders from reaching services on your computer: allow only the traffic you actually need.
Validates/normalizes network traffic.
May provide reports and trend analysis.
Available for all major operating systems – usually for free!
Anti-virus software
Stops viruses and worms sent by email, attachments, downloads, etc.
Detects malicious software through signatures and heuristics; it is only as good as its last update, so keep it current.
Available for all major desktop and server operating systems.
A requirement; not an option.
Patches
(Usually) free updates to your computer; can be downloaded from the Internet.
Usually available before exploits for the flaw circulate widely, so the window between patch release and attack is where you are most exposed.
Automated, usually.
Critical to overall security.
Chant: “We Must Patch, We Must Patch…”
Strong passwords
Keep you on-target with best practices.
Composed of 8 or more characters, including letters, numbers and at least 2 special characters from !@#$%^&.-+=|]{}:"
Not based on any dictionary word from any language, including a word with digits or symbols substituted for letters or a few digits tacked on the end.
Changed regularly; never shared.
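A checker for the password rules on this slide, as an added example in Python; it is not code from the original slides. The mini-dictionary is a constructed wordlist and the substitution table is an assumption about the “leet” spellings cracking tools undo; a real deployment would load a full multi-language wordlist or a breached-password list in its place.

```python
"""Check a password against the 'Strong passwords' slide rules."""
import re

# Special characters listed on the slide.
SPECIALS = set('!@#$%^&.-+=|]{}:"')

# Constructed mini-dictionary for the example; a real check would load a full
# multi-language wordlist or a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein",
              "university", "virginia", "security"}

# Assumed digit/symbol-for-letter substitutions; cracking tools undo these,
# so the checker undoes them too before consulting the dictionary.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _candidate_words(password):
    """Yield normalised forms of the password to compare against the dictionary."""
    base = password.lower()
    # Drop leading/trailing digits and symbols: "dr4g0n2004!" -> "dr4g0n".
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    for form in (base, trimmed):
        yield form
        yield form.translate(LEET)          # "dr4g0n" -> "dragon"
    # Letters only, after undoing substitutions: "p@ss-w0rd" -> "password".
    yield re.sub(r"[^a-z]", "", base.translate(LEET))


def check_password(password):
    """Return the list of slide rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if sum(c in SPECIALS for c in password) < 2:
        problems.append("fewer than 2 special characters")
    for word in _candidate_words(password):
        if word in DICTIONARY:
            problems.append(f"based on dictionary word '{word}'")
            break
    return problems


def is_strong(password):
    """True when the password satisfies every rule on the slide."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords: the first three fail, the last passes.
    for pw in ["letmein", "P@ssw0rd!", "Dr4g0n2004!", "vcu-Gp7#lake"]:
        print(f"{pw!r:16} -> {check_password(pw) or 'OK'}")
```

The dictionary check is the part most policies get wrong: “P@ssw0rd!” satisfies every character-class rule, yet it is rejected because undoing the substitutions recovers “password”. Length and unpredictability matter more than the exact symbol mix, so treat the 8-character floor as a minimum, not a target.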
Behavioral changes
What technology doesn’t solve
Security technologies adapt as threats appear. They are not able to (easily) combat:
Threats,
Hoaxes,
Scams,
The behavior of others.
The clue factor
Education and awareness
Education and awareness are key to increasing the security posture of the University, and the global Internet.
Dispels the FUD (fear, uncertainty, doubt).
Addresses problems before they exist.
Extends the radius of clue.
Creates inclusion in the entire infosecurity effort.
Self-education
You can increase your own awareness of security related issues.
Subscribe to mailing lists for security notifications.
Visit security related websites.
Voice your concern on security related issues, helping raise awareness in others.
Test your efforts
Remember: security is about sharing knowledge and contacts, not technology.
The ‘RITE’ principles
Responsibility (and knowledge of Roles)
Integrity (as requirement of Membership)
Trust (as distinct from Control)
Ethicality (as opposed to Rules)
“Total” security
CIA + RITE
Conceptualizing controls
Pragmatic controls
Formal controls
Technical controls
Principle #1
Principle 1: Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
Principle #2
Principle 2: Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.
Principle #3
Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
Principle #4
Principle 4: Rules for managing information security have little relevance unless they are contextualized.
Principle #5
Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.
Principle #6
Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.