information security foundations - harvard university
TRANSCRIPT
Information Security Foundations
This 4-hour workshop describes the fundamentals of information security
Designed for all IT employees at Harvard
Welcome to Information Security Foundations!
Be familiar with the principles of information security
Understand terminology used in information security
Integrate information security into every IT role and function at Harvard
Relate security principles to sample situations
Hypothesize security design flaws that enabled recently reported breaches; identify lessons learned for Harvard
Course Objectives
Information Security & The T Shaped Professional
T-shaped Professional
The T Shaped model is about depth & breadth of expertise
₋ Keep up with changing technologies and their impact on higher education
₋ Maintain a service mindset and trusted advisor relationships
Information Security is a core practice
₋ Cuts across all disciplines – Impacts the “what and the how” of IT services
Breaks and End time
Electronics – Please mute
Restrooms and Fire Exits
Administrative Notes
Name
Where you work
Your role within information security
What you hope to get out of today’s course
Introductions
Information Security Principles
₋ Information Security's role
₋ Threats, vulnerabilities, and risks
₋ Policy and standards to manage risk
Secure by Design
₋ Data Security
₋ System and Application Security
₋ Cloud Considerations
Information Security Case Studies
Agenda
Information security ensures authorized people and systems will have access to reliable data when they need it.
Data
“It’s not like a secure version of Microsoft Word is
any better at spell checking or formatting your
document. It’s about the stuff that doesn’t
happen.”
Stephen Chong
Associate professor of computer science
Trusting the system: Innovations for an insecure world
http://www.seas.harvard.edu/topics/topics-fall-2015/trusting-system-innovations-for-insecure-world
What are examples of things gone wrong?
Security, Privacy, and Trust: Access to Electronic Information
http://hwpi.harvard.edu/files/provost/files/policy_on_access_to_electronic_information.pdf
https://youtu.be/9nTpN97KYaM?t=683
IT Professional Code of Conduct
http://huit.harvard.edu/it-professional-code-conduct-protect-electronic-information
Being a Trusted Advisor
1. We only obtain the information we need to perform our job or which we
have been directed to obtain by proper University or legal authorities.
2. We only use the information gathered for the purpose for which it was
obtained, properly protect the information while in our possession, and
dispose of it properly once it is no longer needed for business
purposes.
3. We will not peruse or examine user’s electronic information for any
purpose other than to address a specific issue.
4. We understand any failure to meet the Code of Conduct is considered
a violation of trust and is grounds for disciplinary action up to and
including dismissal.
5. We will sign a yearly acknowledgment that we have received, read, and
understood this Code of Conduct.
The “Big Four” Behaviors for Everyone
Click wisely
Apply updates
Use strong passwords
Know your data
You help keep Harvard secure.
http://security.harvard.edu
InfoSec Professionals Keep the Lights On!
Business goal: illuminate room using energy-efficient LED bulbs in ceiling fixtures
Attacker: defeat goal! (Suggest 10 methods)
InfoSec professional: consider reasonable controls to reduce vulnerabilities
Threats, Vulnerabilities, and Risks
Threat Agent → Exploits a vulnerability → Resulting in a risk
₋ Cyber criminal → Unrestricted domain admin account → Exfiltration or destruction of research data (lost grant $)
₋ Employee SSNs never purged despite records retention policy → Privacy breach is 4x larger than active record base
₋ Hacktivism group → Unpatched WordPress or ColdFusion on website → Defaced website causes public embarrassment
₋ Emerging technology → Coursework not accessible on new tablet OS → Students create insecure app that leaks student data
For any risk – consider the probability and impact if the threat and vulnerability come together.
Security seeks to balance the cost of controls against potential losses and gains, to keep the business successful.
Data Classification and Handling: A Risk-Based Approach
Do you know the data you work with?
Does the data owner?
Policy.security.harvard.edu
Workbook Quiz: What is the risk level?
Financial Aid Application Detail
Course Catalog
Pre-Publication Research Report
Ukraine Protesters’ Twitter Accounts
Vendor Contract
Break: 10 minutes
Secure by Design: Part 1
Secure by Design: Part 1
Common Design Errors
Identification & Authentication
Authorization
Owner-Defined Authorization
Identity & Access Administration
Data Integrity and Confidentiality (Hashing and Encryption)
Small Group Activity: Protect De-Identified Research Data
Data
Secure by Design: Common Errors
Identification & Authentication
…because we can’t ALL be Spartacus
Identification: a method of ensuring a subject (i.e. user, process, or program) is the entity it claims to be.
Authentication: positive proof of an identity through a recognized credential, e.g., password, token, or code.
2-Step (aka 2-Factor) Authentication: required presentation of two types of credentials from the following:
• Something you know (e.g., password)
• Something you have (e.g., code sent to your smartphone)
• Something you are (e.g., fingerprint)
Identification & Authentication
Which access accounts/methods are risky and may need stronger authentication?
Where do you use these methods?
Authorization: Specific Allowed Actions
Group Authorization: 18+ = can be in night club; 21+ = can drink alcohol
₋ Criteria-based: no specific request process
Individual Authorization: A manager can view certain records and conduct specific transactions
Authorization = rights and privileges associated with a subject to access specified resources and perform certain actions.
Least Privilege: the practice of limiting access to the minimal level that will allow normal functioning.
₋ This can be applied to accounts associated with people, processes and programs.
Segregation of Duties: an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
Authorization: Guiding Practices
Where do "least privilege" and "segregation of duties" fit into the club and PeopleSoft examples?
Owner-Defined Authorization = Error-Prone
If everyone can set audience and authorization levels, then everyone IS responsible for a data protection project!
ALL organizations struggle with this cycle.
Why is Identity and Access Management difficult?
• Things change over time
• Organizations tend to be good about provisioning; not as good at de-provisioning access
• Enforcement requires governance
How is this a phishing risk?
Have any accounts that require a separate password? What are the challenges with managing access to these types of accounts?
Federated Identity Services Organize the Chaos
Encryption: method of transforming original data – plaintext or cleartext – into a form that appears to be random and unreadable – ciphertext.
₋ Decryption requires the secret/private "key" to reverse this process.
₋ No key = cleartext not available
Data Integrity & Confidentiality
e.g. HTTPS over the Internet
One-Way Hashing: function that takes a variable-length string, and compresses and transforms it into a fixed-length value that represents the data, called a message digest or hash value.
Data Integrity & Confidentiality
₋ The hashing algorithm is reused – by data recipients or other systems – to produce their own message digest for that data to compare against the original message digest for a match (like a fingerprint).
What's the main security goal of one-way hashing?
Should You Hash or Encrypt?
Purpose | Hashing | Encryption
Compare two blobs of data for matching
Check if stored data has changed at all
Send or store data so it can be read only by specific individuals or machines
Make original plaintext data irretrievable
Guidance Key
Hash or Encrypt?
Verify an eSignature is authentic
Send personally identifiable data over the Internet
Check that a critical file/data element hasn’t changed
Store PCI/PHI on a server
Store a password
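The "check that a file hasn't changed" and "store a password" rows above both call for one-way hashing rather than encryption. This added example (not from the workshop materials) shows both: a SHA-256 digest used as a fingerprint for integrity, and a salted, iterated PBKDF2 hash for password storage where the plaintext must be irretrievable. The sample data and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

def message_digest(data: bytes) -> str:
    """One-way hash: a fixed-length fingerprint of variable-length data."""
    return hashlib.sha256(data).hexdigest()

def unchanged(expected_digest: str, received: bytes) -> bool:
    """Integrity check: the recipient re-runs the same algorithm on what it got
    and compares against the digest the sender published (constant-time compare)."""
    return hmac.compare_digest(expected_digest, message_digest(received))

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune for your hardware

def store_password(password: str, salt: bytes = None):
    """Store a password: salted, iterated hash. The plaintext is never kept and
    cannot be recovered from what is stored (hashing, not encryption)."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, derived

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare; the stored value is never decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    report = b"Pre-publication research report v1"       # constructed sample data
    fingerprint = message_digest(report)
    print(unchanged(fingerprint, report))                # True
    print(unchanged(fingerprint, report + b"."))         # False: one byte changed
    salt, stored = store_password("correct horse battery")
    print(verify_password("correct horse battery", salt, stored))   # True
```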
Protect De-Identified Research Data
Help a principal investigator to maintain "anonymity" of her research participants and the accuracy of the research data.
Advise the investigator how to implement controls to protect against:
Anyone else having access to both PII and data (re-identification)
Someone altering any of the captured research data
Research data being unavailable when needed
Secure by Design: Part 2
Secure by Design: Part 2
System Hardening
Application Security
Vulnerability Scanning and Management
Logging & Monitoring
Security in the Cloud
System hardening addresses all four!
-How?
System Hardening
SYSTEM HARDENING
• Configure and manage user privileges
• Employ password complexity & policies
• Patch all known vulnerabilities
• Remove unused user accounts
• Remove unused services
• Close unused network ports
The Top 10 Most Critical Web Application Security Risks
A1: SQL Injection – Illustrated
[Figure: application attack diagram. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing. Business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce. Flow: HTTP request → SQL query → DB Table → HTTP response.]
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker (sample figure data):
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
Do not trust user-supplied input
• Convert user input to “acceptable” formats and strings
• Use parameterized queries or stored procedures
• Reject anything that doesn’t fit your model
• Display generic/sanitized error messages – don’t leak data
Remember: the system will function as designed
Design security into your applications!
Injection Example – Key Takeaways
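The five steps above, as an added example that is not part of the workshop materials: the vulnerable lookup concatenates form input into the SQL text (step 3), so the slide's input rewrites the WHERE clause and the whole table comes back; the hardened lookup applies the takeaways (reject input that doesn't fit the model, then use a parameterized query). The in-memory SQLite table and account numbers are constructed sample data.

```python
import re
import sqlite3

# Constructed stand-in for the "accounts" DB table in the slide; sample numbers only.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn

def lookup_vulnerable(conn, acct):
    """Step 3 of the slide: form input is pasted into the SQL text, so an input
    of  ' OR 1=1--  turns the query into WHERE acct='' OR 1=1 and returns every row."""
    query = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()

def is_valid_acct(acct):
    """'Reject anything that doesn't fit your model': the only shape we accept."""
    return re.fullmatch(r"\d{4}-\d{4}-\d{4}-\d{4}", acct) is not None

def lookup_safe(conn, acct):
    """Parameterized query: the driver binds acct as a value, never as SQL.
    Validation in front of it keeps malformed input from reaching the DB at all."""
    if not is_valid_acct(acct):
        return []
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("vulnerable:", len(lookup_vulnerable(db, payload)), "rows")   # 3 rows
    print("safe:      ", len(lookup_safe(db, payload)), "rows")         # 0 rows
```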
Vulnerability Scanning & Management
A. In 2014, what percentage of all successful exploits attacked vulnerabilities for which patches/fixes had been available for more than a year?
1. 30%
2. 50%
3. 75%
4. 99.9%
B. What percentage of new 2014 vulnerabilities were successfully attacked within two weeks of their announcement and patch availability?
1. 30%
2. 50%
3. 75%
4. 99.9%
What makes a particular vulnerability popular?
Source: 2015 Verizon Data Breach Investigations Report
Risk factors: prevalence, discoverability, ease of exploit, impact
Partnership Spiral (Service Mindset)
Are you clear about who is responsible for patching which layers? Have you discussed and agreed?
Make a patching plan and stick to it!
Logging and Monitoring
Natural causes, error, or suspicious activity?
• Behavior/pattern recognition for systems, employees, students...
• Network and system "health" – blockages, inhibitors, viruses, etc.
• Regulatory compliance (HRCI data access logs!)
• Cyber investigation forensics
Workbook Exercise: What might a bank choose to monitor as "unusual" account activity?
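One answer to the exercise, as an added example that is not part of the workshop materials: knowing how withdrawals are supposed to work (a daily cap, one person at one machine at a time) lets you write rules that flag behaviour that breaks the model. The log lines, the limit and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM withdrawal log for one day (timestamp, account, ATM, amount).
SAMPLE_LOG = """\
2015-03-01T01:05:00 acct=1001 atm=NYC-12 amount=500
2015-03-01T01:09:00 acct=1001 atm=NYC-14 amount=500
2015-03-01T01:12:00 acct=1001 atm=NYC-03 amount=500
2015-03-01T01:20:00 acct=1001 atm=NYC-21 amount=500
2015-03-01T09:30:00 acct=2002 atm=BOS-01 amount=60
2015-03-01T18:45:00 acct=2002 atm=BOS-01 amount=40
"""

# Assumed rules describing what "normal" looks like for this bank.
DAILY_LIMIT = 1000           # maximum withdrawal total per account per day
WINDOW = timedelta(hours=1)
MAX_ATMS_PER_WINDOW = 3      # more distinct machines than one person plausibly visits

def parse_log(text):
    """Turn log lines into (timestamp, account, atm, amount) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["acct"], kv["atm"], int(kv["amount"])))
    return sorted(events, key=lambda e: e[0])

def find_unusual(events):
    """Return {account: [reasons]} for every account that breaks a rule."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)
    alerts = {}
    for acct, evs in by_acct.items():
        reasons = []
        total = sum(e[3] for e in evs)
        if total > DAILY_LIMIT:
            reasons.append(f"withdrew {total} in one day, limit is {DAILY_LIMIT}")
        for i, (start, _, _, _) in enumerate(evs):
            atms = {e[2] for e in evs[i:] if e[0] - start <= WINDOW}
            if len(atms) > MAX_ATMS_PER_WINDOW:
                reasons.append(f"{len(atms)} different ATMs within {WINDOW}")
                break
        if reasons:
            alerts[acct] = reasons
    return alerts

if __name__ == "__main__":
    for acct, reasons in find_unusual(parse_log(SAMPLE_LOG)).items():
        print(acct, "->", "; ".join(reasons))
```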
Who Manages Security in the Cloud?
SaaS Model
Your Responsibility
Their Responsibility
Who Manages Security in the Cloud?
PaaS Model
Your Responsibility
Their Responsibility
Who Manages Security in the Cloud?
IaaS Model
Your Responsibility
Their Responsibility
Considerations for Cloud Computing
Legal issues – intellectual property when subpoenas request all data on a server (co-location risk). Would we even know?
Confidentiality – vendor administrators with access to data
Server hardening - spinning up new servers is quick and configurable, so use a template vetted by Information Security
Logging – do we have enough detail for investigations?
Failover/Back-ups – does data cross international borders?
BREAK - 10 minutes
Case Studies: Part 3
Security Breakdowns
Case 1: BankMuscat ATM No-Limit Withdrawals
Case 2: Target POS Compromise
Case 3: NYTimes.com Website Hijacking
Workshop Summary
Information security ensures authorized people and systems will have access to reliable data when they need it
For any risk – consider the probability and impact if the threat and vulnerability come together
Identification, Authentication and Authorization work together to enable appropriate access to data and applications
Whenever possible, leverage Harvard’s federated identity service and two-step authentication
System hardening provides an environment that has fewer opportunities for exploits
Workshop Summary
Do not trust user-supplied input in your applications
Make a patching plan and stick to it
Know how your system is supposed to work so you can identify unusual behavior to log and monitor
Just because it’s “in the Cloud” doesn’t mean you’re no longer responsible for it
Integrate information security into the service you deliver; the stuff that doesn’t happen is equally important!
Information Security Foundations