Firewalls and VPNs: A Security Guide

This document provides an overview of information security and network security. It explains that information security aims to protect information and systems from threats. The key goals are maintaining confidentiality, integrity, and availability of information. It also outlines common security roles, identifies threats like hackers and malware, and explains how organizations can assess and mitigate risks to their information assets. Defense in depth with multiple security layers is recommended to strengthen network perimeter protection.

Guide to Firewalls and VPNs, 3rd Edition

Chapter One: Introduction to Information Security

Objectives
Explain information security and network security
Key terms and critical concepts
Organizational roles of security professionals
Business need for information and network security
Identify the threats posed to information and network security, as well as the common attacks associated with those threats
Differentiate threats to information within systems from attacks against information within systems

Introduction
Network security
Critical activity for almost every organization

Perimeter defense
Cornerstone of most network security programs
Effective firewall
Properly configured to be safe and efficient

Chapter 1
Overview of the entire field of information security and how that broader field influences current trends in network security

What Is Information Security?


Information security (InfoSec)
Protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information

Unified process encompasses
Network security
Physical security
Personnel security
Operations security
Communications security

What Is Information Security? (contd.)


C.I.A. triangle
Industry standard for computer security
Based on the three characteristics of information that make it valuable to organizations:
Confidentiality
Integrity
Availability


Critical Characteristics of Information


Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession

CNSS Security Model


U.S. Committee on National Security Systems (CNSS)
National Training Standard for Information Security Professionals, NSTISSI No. 4011
McCumber Cube
3 x 3 x 3 cube with 27 cells representing the areas that must be addressed to secure today's information systems: the three C.I.A. goals, the three information states (storage, processing, transmission), and the three safeguard categories (policy and practice, education and training, technology)



Balancing Information Security and Access


Information security
Process, not an end state

Balance protection of information and information assets with the availability of that information to authorized users
Security must allow reasonable access
Yet protect against threats


Business Needs First


Protect the organization's ability to function
Enable the safe operation of applications implemented on the organization's IT systems
Protect the data the organization collects and uses
Safeguard the technology assets in use at the organization


Security Professionals and the Organization


Wide range of professionals to support the complex information security program needed by a moderate or large organization
Chief information officer (CIO)
Senior technology officer

Chief information security officer (CISO)


Responsible for the assessment, management, and implementation of information security in the organization


Security Professionals and the Organization (contd.)


Information security project team
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems, network, and storage administrators
End users


Data Management
Data owners
Responsible for the security and use of a particular set of information

Data custodians
Responsible for the storage, maintenance, and protection of the information

Data users
Allowed by the data owner to access and use the information to perform their daily jobs


Key Information Security Terminology


A security professional must be familiar with common terms to effectively support any information security effort


Threats and Attacks


Threat
Category of object, person, or other entity that poses a potential risk of loss to an asset

Asset
Anything that has value for the organization
Can be physical or logical

Attack
Intentional or unintentional action that could represent the unauthorized modification, damage, or loss of an information asset

Threats and Attacks (contd.)


Subject of an attack
Used as an active tool to conduct the attack

Object of an attack
Entity being attacked

Direct attack
Hacker uses a personal computer to break into a system

Indirect attack
System is compromised and used to attack other systems

Vulnerabilities and Exploits


Threat agent
Specific instance of a general threat

Well-known vulnerabilities
Vulnerabilities that have been examined, documented, and published

Exploit
Threat agents attempt to exploit a system or information asset
Specific recipe that an attacker creates to formulate an attack against a known vulnerability

Vulnerabilities and Exploits (contd.)


Controls, safeguards, or countermeasures
Synonymous terms
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization


Risk
State of being insecure, either partially or totally, and thus susceptible to attack
Described in terms of likelihood
Risk management
Involves risk identification, risk assessment or analysis, and risk control

Risk appetite or risk tolerance


Amount of risk an organization chooses to live with


Risk (contd.)
Residual risk
Amount of risk that remains after an organization takes precautions, implements controls and safeguards, and performs other security activities

To control risk:
Self-protection
Risk transfer
Self-insurance or acceptance
Avoidance


Security Perimeter and Defense in Depth


Security perimeter
Defines the boundary between the outer limit of an organization's security and the beginning of the outside network
Perimeter does not protect against internal attacks
Organization may instead define several security domains, each with its own boundary

Defense in depth
Layered implementation of security

Redundancy
Implementing technology in layers


Threats to Information Security


Table 1-1
Reveals how many organizations have experienced the listed types of attack or misuse

Table 1-2
12 categories that represent a clear and present danger to an organization's people, information, and systems


Threats to Information Security (contd.)

Table 1-1 CSI/FBI Computer Crime and Security Survey

Table 1-2 Threats to Information Security


The TVA Triple


TVA Triple of Threat-Vulnerability-Asset
Use to prioritize your work
T1-V1-A1: Vulnerability 1 that exists between Threat 1 and Asset 1
T1-V2-A1: Vulnerability 2 that exists between Threat 1 and Asset 1
T1-V1-A2: Vulnerability 1 that exists between Threat 1 and Asset 2

Organize in a TVA worksheet


Table 1-3 Sample TVA spreadsheet
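A worked version of the TVA worksheet that also applies the residual-risk and risk-appetite ideas from the Risk slides. This is an added example, not code from the textbook: the rows, scores and control names are constructed sample data, and the scoring rule (asset value x likelihood x impact, with each control removing a stated fraction of what remains) is one common risk-rating convention chosen for illustration, not a formula the book prescribes.

```python
# Added example: a small TVA (Threat-Vulnerability-Asset) worksheet that
# ranks triples by residual risk and compares them with a risk appetite.
# Sample rows, scores and control names are constructed for illustration;
# the scoring rule is an assumption, not the textbook's formula.
from dataclasses import dataclass, field


@dataclass
class TVA:
    threat: str            # e.g. "T1"
    vulnerability: str     # e.g. "V1"
    asset: str             # e.g. "A1"
    asset_value: int       # 1 (low) .. 5 (high), set by the data owner
    likelihood: float      # 0.0 .. 1.0, chance the threat exploits this vulnerability
    impact: int            # 1 (minor) .. 5 (severe) if it does
    # controls already in place: (name, fraction of the remaining risk removed)
    controls: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return f"{self.threat}-{self.vulnerability}-{self.asset}"

    def inherent_risk(self) -> float:
        """Risk before any control is applied."""
        return round(self.asset_value * self.likelihood * self.impact, 4)

    def residual_risk(self) -> float:
        """Risk left after each control strips its fraction (self-protection)."""
        risk = self.inherent_risk()
        for _name, reduction in self.controls:
            risk *= 1.0 - reduction
        return round(risk, 4)


def build_worksheet(rows):
    """Order the TVA triples so the highest residual risk comes first."""
    return sorted(rows, key=lambda row: row.residual_risk(), reverse=True)


def above_appetite(rows, appetite):
    """Labels of triples whose residual risk exceeds the organization's appetite."""
    return [row.label for row in build_worksheet(rows) if row.residual_risk() > appetite]


def worksheet_lines(rows):
    """Render the worksheet in Table 1-3 style (label, inherent, residual)."""
    lines = ["TVA        inherent  residual"]
    for row in build_worksheet(rows):
        lines.append(f"{row.label:<10} {row.inherent_risk():>8.2f}  {row.residual_risk():>8.2f}")
    return lines


# Constructed sample data (not survey results).
SAMPLE_ROWS = [
    TVA("T1", "V1", "A1", 5, 0.6, 5, [("perimeter firewall", 0.5), ("patching", 0.5)]),
    TVA("T1", "V2", "A1", 5, 0.3, 4),                        # no control in place yet
    TVA("T1", "V1", "A2", 2, 0.6, 3, [("patching", 0.5)]),
    TVA("T2", "V3", "A1", 5, 0.2, 5, [("UPS and generator", 0.8)]),
]
RISK_APPETITE = 2.0   # assumed: anything above this must be treated, not accepted

if __name__ == "__main__":
    print("\n".join(worksheet_lines(SAMPLE_ROWS)))
    print("above appetite:", above_appetite(SAMPLE_ROWS, RISK_APPETITE))
```

Rows whose residual risk is at or below the appetite are candidates for acceptance (self-insurance); rows above it need more self-protection, transfer, or avoidance. Note that the uncontrolled T1-V2-A1 row outranks T1-V1-A1 despite a lower inherent score, which is the point of tracking residual rather than inherent risk.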


Other Ways to View Threats


Perspectives:
Intellectual property
Software piracy
Shoulder surfing
Hackers
Script kiddies
Packet monkeys
Cracker
Phreaker
Hacktivist or cyberactivist
Cyberterrorist

Other Ways to View Threats (contd.)


Malicious code, malicious software, or malware
Computer virus: macro virus, boot virus
Worms
Trojan horses
Backdoor, trapdoor, maintenance hook
Rootkit


Other Ways to View Threats (contd.)


Power irregularities
Spike
Surge
Sag
Brownout
Fault
Blackout


Attacks on Information Assets


Attacks occur through a specific act that may cause a potential loss
The following slides discuss each of the major types of attack used against controlled systems


Malicious Code
Malicious code
Includes viruses, worms, Trojan horses, and active Web scripts
Executed with the intent to destroy or steal information

Polymorphic, multivector worm
Constantly changes the way it looks
Uses multiple attack vectors to exploit a variety of vulnerabilities in commonly used software


Malicious Code

Table 1-4 Attack Vectors


Compromising Passwords
Bypass access controls by guessing passwords
Cracking
Attempting to guess a password

Brute force attack


Application of computing and network resources to try every possible combination of options

Dictionary attack
Variation on the brute force attack
Narrows the field by selecting specific target accounts and using a list of commonly used passwords, usually with common variations such as capitalization or appended digits
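The difference between the two approaches, as an added example (not from the textbook): a dictionary attack with simple mangling rules recovers a "word plus suffix" password in a few dozen guesses, while exhaustive brute force must cover a keyspace that grows exponentially with length. Unsalted SHA-256 is used only to keep the demo short; the wordlist, the suffix rules, and the hashing speed are constructed assumptions, not measurements.

```python
# Added example: dictionary attack versus brute force against a password hash.
# Uses unsalted SHA-256 to keep the demo short; the wordlist, mangling rules
# and speed figures are constructed assumptions, not measurements.
import hashlib
import itertools
import string

# Constructed mini wordlist; a real one has millions of entries.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "summer", "dragon"]
# Mangling rules of the kind cracking tools apply to every dictionary word.
SUFFIXES = ["", "1", "123", "!", "2024"]
ALNUM = string.ascii_lowercase + string.digits   # 36-symbol alphabet for the brute-force demo


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_candidates(wordlist, suffixes=SUFFIXES):
    """Each word, as-is and capitalized, with each suffix appended."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(target_hash, wordlist):
    """Try likely passwords first. Returns (password or None, guesses made)."""
    guesses = 0
    for candidate in dictionary_candidates(wordlist):
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force(target_hash, alphabet, max_len):
    """Try every string over alphabet up to max_len. Returns (password or None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, max_len):
    """Number of candidates brute force must try to exhaust lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def hours_to_exhaust(alphabet_size, max_len, guesses_per_second):
    return keyspace(alphabet_size, max_len) / guesses_per_second / 3600


if __name__ == "__main__":
    # "Summer123" is a dictionary word plus a common suffix: found in under 50 guesses...
    print(dictionary_attack(sha256_hex("Summer123"), WORDLIST))
    # ...whereas exhausting 8 printable-ASCII characters at an assumed 10^10 hashes/s takes days.
    print(f"{hours_to_exhaust(95, 8, 1e10):.0f} hours")
```

Two defensive consequences follow directly from the numbers: a slow, salted password hash (PBKDF2, bcrypt, scrypt or Argon2) multiplies the cost of every guess, which hurts the attacker far more than the one legitimate login, and online guessing against live accounts is limited by lockout and rate limiting rather than by hash speed.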

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)


Denial-of-service (DoS) attack
Attacker sends a large number of connection or information requests to a target
So many requests are made that the target system cannot handle them along with other, legitimate requests for service

Distributed denial-of-service (DDoS)


Coordinated stream of requests against a target from many locations at the same time

Any system connected to the Internet is a potential target for denial-of-service attacks
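The DoS versus DDoS distinction is easiest to see in detection logic. The added example below (not code from the textbook) runs two sliding-window counters over constructed connection-log lines: a per-source counter, which catches a single flooding host, and an aggregate counter, which is what catches a distributed flood in which no single source exceeds the per-source threshold. The log line format, window length and threshold are assumptions chosen for the demo, not any product's defaults.

```python
# Added example: telling a DoS flood from a DDoS flood in connection logs.
# Log lines below are constructed; the line format, window and threshold
# are assumptions for illustration, not a real product's format or defaults.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+:\d+) flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "flags": m["flags"]}


def syn_events(lines):
    """Well-formed SYN lines, ordered by timestamp (logs are not always in order)."""
    events = [e for e in map(parse_line, lines) if e and e["flags"] == "S"]
    return sorted(events, key=lambda e: e["ts"])


def flag_sources(lines, window, threshold):
    """Per-source sliding window: sources sending more than `threshold` SYNs in `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for e in syn_events(lines):
        q = recent[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(e["src"])
    return flagged


def peak_load(lines, window):
    """Aggregate sliding window: (max SYNs in any window, distinct sources in that window)."""
    q = deque()
    peak, sources_at_peak = 0, 0
    for e in syn_events(lines):
        q.append((e["ts"], e["src"]))
        while (e["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) > peak:
            peak = len(q)
            sources_at_peak = len({src for _, src in q})
    return peak, sources_at_peak


def syn_log(src, start, count, spacing_ms):
    """Constructed sample log lines: `count` SYNs from src, `spacing_ms` apart."""
    return [f"{(start + timedelta(milliseconds=i * spacing_ms)).isoformat()} "
            f"src={src} dst=198.51.100.10:443 flags=S" for i in range(count)]


T0 = datetime(2024, 5, 1, 10, 0, 0)
# Three legitimate clients, two SYNs each.
LEGIT = (syn_log("192.0.2.10", T0, 2, 500)
         + syn_log("192.0.2.11", T0 + timedelta(milliseconds=300), 2, 500)
         + syn_log("192.0.2.12", T0 + timedelta(milliseconds=700), 2, 500))
# DoS: one source, 60 SYNs in 1.2 s.
DOS_LINES = LEGIT + syn_log("203.0.113.5", T0, 60, 20)
# DDoS: 40 sources, only 3 SYNs each, but 120 SYNs in 0.4 s in total.
DDOS_LINES = LEGIT + [line for i in range(40)
                      for line in syn_log(f"203.0.113.{100 + i}", T0, 3, 200)]

WINDOW_S, PER_SOURCE_THRESHOLD = 2.0, 20   # assumed tuning values

if __name__ == "__main__":
    for name, lines in (("DoS", DOS_LINES), ("DDoS", DDOS_LINES)):
        print(name, "flagged:", flag_sources(lines, WINDOW_S, PER_SOURCE_THRESHOLD),
              "peak (syns, sources):", peak_load(lines, WINDOW_S))
```

On the DoS log the per-source counter names the attacker and blocking that one address works. On the DDoS log the per-source counter flags nothing, while the aggregate counter shows the same order of load spread over dozens of sources; that is why DDoS mitigation relies on upstream rate limiting, anycast absorption or scrubbing rather than on per-IP blocking at the perimeter.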

Spoofing
Intruder sends packets with a forged source IP address, so that the recipient believes the messages are coming from a trusted host


Man-in-the-Middle
Attacker monitors (or sniffs) packets from the network
Modifies them using IP spoofing techniques
Inserts them back into the network

Allows the attacker to eavesdrop, change, delete, reroute, add, forge, or divert data


E-mail Attacks
E-mail
Vehicle for attacks rather than the attack itself

Spam
Used as a means to make malicious code attacks more effective

Mail bomb
Attacker routes large quantities of e-mail to the target system


Sniffers
Sniffer
Program or device that can monitor data traveling over a network
Used both for legitimate network management functions and for stealing information from a network
Very hard to detect from the network: a passive sniffer transmits nothing, so it leaves no trace in the traffic it captures
Can be inserted almost anywhere
Packet sniffers
Work on TCP/IP networks; they only reveal what is sent in cleartext, so encrypting traffic in transit limits what a sniffer can steal


Social Engineering
Process of using social skills to convince people to reveal access credentials or other valuable information to the attacker
"People are the weakest link. You can have the best technology, [then] somebody call[s] an unsuspecting employee. That's all she wrote, baby. They got everything."
Kevin Mitnick


Buffer Overflow
Application error
Occurs when more data is written to a buffer than it was allocated to hold

Attacker can make the target system execute instructions of the attacker's choosing
Attacker can take advantage of some other unintended consequence of the failure


Summary
Firewalls and network security
Essential components for securing the systems that businesses use

Information security
Protection of information and its critical elements

Information security is a process, not a goal
Takes a wide range of professionals to support the information security program


Summary (contd.)
Threat: object, person, or other entity that represents a constant danger to an asset
Attack: act that takes advantage of a vulnerability to compromise a controlled system
Organization must establish a functional and well-designed information security program
