it means that assets are accessible to authorized parties at appropriate times
Availability
is the assurance that the information is trustworthy and accurate
Integrity
is a set of rules that limits access to information
Confidentiality
is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes
Information Assurance
is a branch of computer technology known as information security as applied to computers and networks
Computer Security
means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
Information Security
is about building systems to remain dependable in the face of malice, error, or mischance
Enterprise Security
a computer network defense mechanism which includes response to actions, critical infrastructure protection and information assurance for organizations, government entities and other networks
Cyber Defense
Enterprise Security Analysis Framework
Policy
Incentives
Mechanism
Assurance
Threat and risk analysis
Network security
Robustness and vulnerability scans
QM assessment and qualification
Product testing and certification
Workshop and training
Cyber security in industrial automation
A business-driven approach to enterprise security architecture means that security is about enabling the objective of an organization by controlling operational risk.
Enterprise Security Architecture: Establishing the Business Context
BANK
MILITARY BASE
HOSPITAL
HOME
Enterprise Security Architecture: Establishing the Business Context samples
taken from the structural analog that slows the spread of fire in a building.
Firewall
a combination of hardware and software used to implement a security policy governing the network traffic between two or more networks, some of which may be under your administrative control (e.g., your organization’s networks) and some of which may be out of your control (e.g., the Internet).
Firewall
makes filtering decisions based solely on the contents of the packet it is inspecting, with no memory of earlier packets. It reviews the header fields of the TCP or UDP/IP datagram (where applicable):
Stateless packet filter
takes stateless packet filtering one step further by maintaining a connection table. The table is used to monitor the state or context of a communication session by attempting to match up outgoing and incoming packets.
Stateful Packet Filtering
Firewalls usually decide based on characteristics of the packet itself. Each packet that the firewall inspects is tested against the filtering "triggers" in the firewall's ruleset, and the first rule that matches determines the action.
How Firewalls Make Packet Filtering Decisions
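The two filtering models above, as an added worked example (not code from any firewall product). It implements a toy rule matcher with the trigger fields the cards mention (direction, protocol, ports), then extends it with a connection table. The rule objects, packets and addresses are constructed for the demonstration; the scenario shows why a stateless filter needs a blanket "allow inbound from source port 443" rule to let HTTPS replies through, and how that rule admits a forged packet that the stateful filter rejects.

```python
"""Toy stateless vs stateful packet filter (added example, not from any firewall product).
Packets and rules are constructed in-line; addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    """A filtering trigger: every field that is set must match the packet."""
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # "in" (toward us) or "out"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return all((
            self.direction in (None, direction),
            self.proto in (None, pkt.proto),
            self.sport in (None, pkt.sport),
            self.dport in (None, pkt.dport),
        ))


class StatelessFilter:
    """Judges each packet on its own header fields: first matching rule wins."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Same rules, plus a connection table keyed on the 5-tuple so that only
    replies to flows we opened are admitted, without a blanket inbound rule."""
    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.table = set()   # (proto, local_ip, local_port, remote_ip, remote_port)

    def decide(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            verdict = super().decide(pkt, direction)
            if verdict == "allow":
                self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # inbound: look the packet up with local/remote sides swapped
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            # a bare SYN is a new connection attempt, never a reply
            if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
                return "deny"
            return "allow"
        return super().decide(pkt, direction)


def demo() -> dict:
    """Constructed scenario: an internal host browses HTTPS; an outsider forges a
    packet from source port 443 hoping the reply rule lets it through."""
    allow_https_out = Rule("allow", direction="out", proto="tcp", dport=443)
    allow_replies_in = Rule("allow", direction="in", proto="tcp", sport=443)  # stateless workaround
    deny_all = Rule("deny")

    syn = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"}))
    synack = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))
    forged = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"ACK"}))

    stateless = StatelessFilter([allow_https_out, allow_replies_in, deny_all])
    stateful = StatefulFilter([allow_https_out, deny_all])

    return {
        "stateless": (stateless.decide(syn, "out"), stateless.decide(synack, "in"),
                      stateless.decide(forged, "in")),   # ("allow", "allow", "allow")
        "stateful": (stateful.decide(syn, "out"), stateful.decide(synack, "in"),
                     stateful.decide(forged, "in")),     # ("allow", "allow", "deny")
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter cannot tell a reply from a probe that merely sets its source port to 443; the stateful filter admits the reply because the outbound SYN created a table entry, and rejects the forged packet because no such entry exists. Real implementations also age entries out and track TCP state transitions, which this sketch omits.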
Pros - There are a number of good things to be gained by implementing firewalls and network access controls, including the following:
-Lots of places to do access control
-Intrusion Prevention capabilities
-Multi-layer functionality
Pros of Firewall and Network Access Controls
Cons - However, the added security which comes from these technologies is not without a price. Some potential drawbacks include the following:
-False sense of security
-Encryption issues
-Single point of failure (SPOF)
Cons of Firewall and Network Access Controls
-Firewalls for network packet filtering
-Service and application ACLs
-“Wrappers” like TCP Wrappers or IPSec
-Proxy Filters
Many places for network access control and filtering
essentially a network burglar alarm, similar to the alarms placed on doors and windows of a building.
intrusion detection system
detects security-related events and reports them to a central collector.
Sensor
a server that is responsible for accepting and aggregating alerts from the various sensors deployed throughout each network segment.
Collector
refers to any permanent storage (e.g., a database) in which alerts generated by the sensors are stored for analysis.
Data Store
the user interface to the alerts stored in the database.
Analysis Engine
Sensor
Collector
Data store
Analysis Engine
four main components of intrusion analysis system
Signature based IDS
Anomaly based IDS
Host based IDS
Network based IDS
Types of IDS: Signature and Anomaly
signature-based
anomaly-based
two basic analysis types for intrusion detection systems:
takes hash values of all of the important system files on the host.
signature-based HIDS
creates a statistical baseline representation of normal and acceptable network traffic over a representative period of time and then compares all future traffic to that baseline.
anomaly-based NIDS
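The statistical-baseline idea in that card, as an added example (not code from any IDS product). It buckets flow records into ten-second windows, learns the mean and standard deviation of two per-window features (connection count, distinct destination ports) over a training period, then flags live windows whose z-score exceeds a threshold. The flow records are constructed with a seeded random generator; the last live window is a simulated port scan.

```python
"""Statistical-baseline anomaly detector over per-window traffic features,
the idea behind an anomaly-based NIDS. Added example, not from any IDS product;
the flow records are constructed with a seeded RNG."""
import random
import statistics
from collections import defaultdict

WINDOW = 10  # seconds per observation window


def window_features(records, window=WINDOW):
    """Bucket (ts, src_ip, dst_port) records into windows; per window report the
    connection count and the number of distinct destination ports."""
    buckets = defaultdict(lambda: {"conns": 0, "ports": set()})
    for ts, _src, dport in records:
        b = buckets[ts // window]
        b["conns"] += 1
        b["ports"].add(dport)
    return [{"conns": b["conns"], "ports": len(b["ports"])}
            for _, b in sorted(buckets.items())]


def build_baseline(training_records):
    """Mean and standard deviation of each feature over the training period."""
    feats = window_features(training_records)
    baseline = {}
    for name in ("conns", "ports"):
        vals = [f[name] for f in feats]
        # floor sigma at 1 so a perfectly constant feature cannot divide by zero
        baseline[name] = (statistics.mean(vals), max(statistics.pstdev(vals), 1.0))
    return baseline


def score(feature, baseline, threshold=3.0):
    """Return the features whose z-score exceeds the threshold (one-sided)."""
    return [(name, round((feature[name] - mu) / sigma, 1))
            for name, (mu, sigma) in baseline.items()
            if (feature[name] - mu) / sigma > threshold]


def detect(baseline, live_records, threshold=3.0):
    """(window_index, alerts) for every live window that deviates from baseline."""
    return [(i, a) for i, f in enumerate(window_features(live_records))
            if (a := score(f, baseline, threshold))]


def normal_traffic(rng, n_windows, start_window=0):
    """Constructed 'normal' host behaviour: a few web/DNS connections per window."""
    recs = []
    for w in range(start_window, start_window + n_windows):
        for _ in range(rng.randint(3, 8)):
            recs.append((w * WINDOW + rng.randint(0, WINDOW - 1), "10.0.0.5",
                         rng.choice([80, 443, 53])))
    return recs


def demo():
    rng = random.Random(7)
    baseline = build_baseline(normal_traffic(rng, 60))
    live = normal_traffic(rng, 3)
    # window 3: a port scan, 60 connections to 60 different ports
    live += [(3 * WINDOW + i % WINDOW, "10.0.0.5", 1000 + i) for i in range(60)]
    return detect(baseline, live)


if __name__ == "__main__":
    print(demo())
```

Two caveats the cards' definition implies but does not state: the "representative period" must be clean, because whatever is on the wire during training becomes "normal"; and an attacker who knows the detector is learning can raise the baseline slowly so that later activity stays under the threshold. Thresholds also trade false positives for misses, so the z-score cut-off is something to tune per network, not a constant.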
a small, lightweight open source IDS written by Marty Roesch which has become the most widely used IDS. It is capable of performing real-time traffic analysis and packet logging on IP networks.
Snort
IDScenter
ACID
PureSecure
SnortCenter
SnortSnarf
Barnyard
Swatch
SnortSam
SnortFE
RazorBack
HenWen
Snort Add-Ons and Plug-Ins
was written by Roman Danyliw, an analyst at the CERT Coordination Center of the Software Engineering Institute. It is a set of PHP scripts designed to function as a conduit between a Web browser and the SQL database storing Snort alerts, and is designed to show attack patterns and trends by organizing the alerts according to queries initiated by the user.
Analysis Console for Intrusion Databases (ACID)
IA includes computer and information security, but more besides. According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels:
-physical: data and data processing activities in physical space;
-information infrastructure: information and data manipulation abilities in cyberspace;
-perceptual: knowledge and understanding in human decision space.
Another View: Components of Information Assurance(IA)
The lowest level focus of IA : computers, physical networks, telecommunications and supporting systems such as power, facilities and environmental controls. Also at this level are the people who manage the systems.
Desired Effects: to affect the technical performance and the capability of physical systems,to disrupt the capabilities of the defender.
Attacker’s Operations: physical attack and destruction, including: electromagnetic attack, visual spying, intrusion, scavenging and removal, wiretapping, interference, and eavesdropping.
Defender’s Operations: physical security, OPSEC, TEMPEST.
IA Levels: The Physical
The second level focus of IA. This covers information and data manipulation ability maintained in cyberspace, including: data structures, processes and programs, protocols, data content and databases.
Desired Effects: to influence the effectiveness and performance of information functions supporting perception, decision making, and control of physical processes.
Attacker’s Operations: impersonation, piggybacking, spoofing, network attacks, malware,authorization attacks, active misuse, and denial of service attacks.
Defender’s Operations: information security technical measures such as: encryption and key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls, policies and standards.
IA Levels: Infrastructure
The third level focus of IA, also called social engineering. This is abstract and concerned with the management of perceptions of the target, particularly those persons making security decisions.
Desired Effects: to influence decisions and behaviors.
Attacker’s Operations: psychological operations such as: deception, blackmail, bribery and corruption, social engineering, trademark and copyright infringement, defamation, diplomacy, creating distrust.
Defender’s Operations: personnel security including psychological testing, education, and screening such as biometrics, watermarks, keys, passwords.
IA Levels: Perceptual
COMPSEC: computer security;
COMSEC: communications and network security;
ITSEC: (which includes both COMPSEC and COMSEC);
OPSEC: operations security.
IA includes aspects of:
news of a possible sign of life in a Martian meteorite, called:
ALH84001
The flip side of Information Assurance is Information Warfare (IW). In fact, one can think of the offensive part of IW as “information operations,” and the defensive part as information assurance.
Type I involves managing an opponent’s perception through deception and psychological operations. In military circles, this is called Truth Projection.
Type II involves denying, destroying, degrading, or distorting the opponent’s information flows to disrupt their ability to carry out or co-ordinate operations.
Type III gathers intelligence by exploiting the opponent’s use of information systems.
IW can be carried out against individuals, corporations, or nations.
The Information Warfare Spin on IA
Insiders
Hackers
Criminals
Corporations
Governments
Terrorists
Nature of the Threat in the world of IW comes in six types:
“While experts may disagree on the definition of cyber war, there is significant evidence that nations around the world are developing, testing and in some cases using or encouraging cyber means as a method of obtaining political advantage”.
McAfee Virtual Criminology Report 2009
“A plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload.”
Nicholas Weaver and Vern Paxson, 6/14/04
“America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. ... It is a battle we are losing. Losing this struggle will wreak serious damage on the economic health and national security of the United States”.
CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008
“worldwide interconnection of communication networks, computers, databases, and consumer electronics that make vast amounts of information available to users.”
Global Information Infrastructure
those within or serving the U.S., for government, commerce and research.
National Information Infrastructure
those within or serving the DoD (e.g. nodes on SIPRNET and NIPRNET).
Defense Information Infrastructure
Presidential Decision Directive (PDD-63) of 1998:
-Civilian systems are "essential to the minimum operations of the economy and government"
-Examples: telecommunications, energy, banking, transportation and emergency services
Critical Infrastructure Protection
Committee on National Security Systems (CNSS)
National Security Agency (NSA)
National Institute of Standards and Technology (NIST)
Federal Organization Defining Information Assurance
is the resource being protected, including:
-physical assets: devices, computers, people;
-logical assets: information, data (in transmission, storage, or processing), and intellectual property;
-system assets: any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.
Assets and their types
Often a security solution/policy is phrased in terms of the following three categories:
-Objects: the items being protected by the system (documents, files, directories, databases, transactions, etc.)
-Subjects: entities (users, processes, etc.) that execute activities and request access to objects.
-Actions: operations, primitive or complex, that can operate on objects and must be controlled.
Subjects and Objects
Both subjects and objects have associated attributes. The security mechanisms may operate in terms of the attributes, and manipulation of the attributes can be used to subvert security.
Attributes
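The subject/object/action model and the warning about attribute manipulation, as an added worked example (not from any product or from the source). A small reference monitor decides read and write requests from attributes (clearance, classification, ownership, roles). The flawed variant stores a subject's clearance in a record the subject itself owns, so a legitimate write rewrites the attribute the monitor trusts; the corrected variant only changes clearance through a mediated action. All subjects, objects and levels are constructed.

```python
"""Reference-monitor sketch of a subject/object/action policy whose decisions
rest on attributes (clearance, ownership, roles). Added example, not from any
product; all subjects and objects are constructed."""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Obj:
    name: str
    classification: str
    owner: str


class ReferenceMonitor:
    """Every request is (subject, action, object); the answer is computed from
    the attributes of both sides, so the attributes themselves are sensitive."""

    def check(self, subject: Subject, action: str, obj) -> bool:
        if action == "read":
            return LEVELS[subject.clearance] >= LEVELS[obj.classification]
        if action == "write":
            return obj.owner == subject.name or "admin" in subject.roles
        if action == "set_clearance":          # obj is another Subject here
            return "security_officer" in subject.roles
        return False

    def set_clearance(self, actor: Subject, target: Subject, level: str) -> bool:
        """The only sanctioned way to change the attribute: mediated like any other action."""
        if not self.check(actor, "set_clearance", target):
            return False
        target.clearance = level
        return True


def demo() -> dict:
    rm = ReferenceMonitor()
    report = Obj("q3-report", classification="secret", owner="cfo")
    alice = Subject("alice", clearance="internal")
    out = {"alice_read_before": rm.check(alice, "read", report)}   # False

    # Flawed design: the clearance lives in a profile record that alice owns and
    # may write. Writing the record rewrites the attribute the monitor trusts.
    profile = Obj("alice-profile", classification="internal", owner="alice")
    if rm.check(alice, "write", profile):
        alice.clearance = "secret"          # attribute manipulation via a legitimate write
    out["alice_read_after_tamper"] = rm.check(alice, "read", report)  # True: policy subverted

    # Corrected design: the attribute changes only through a mediated action.
    bob = Subject("bob", clearance="internal")
    carol = Subject("carol", clearance="secret", roles=frozenset({"security_officer"}))
    out["bob_self_grant"] = rm.set_clearance(bob, bob, "secret")      # False, bob stays internal
    out["bob_read_after_self_grant"] = rm.check(bob, "read", report)   # False
    out["officer_grant"] = rm.set_clearance(carol, bob, "secret")      # True
    out["bob_read_after_officer"] = rm.check(bob, "read", report)      # True
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that attributes are objects too: whoever can write them can rewrite the policy. The same failure appears in practice as a world-writable group file, a user-editable "role" column, or a JWT claim the server trusts without checking a signature.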
availability
accuracy
authenticity
confidentiality
integrity
utility
possession
Critical Aspects
a category of entities, or a circumstance, that poses a potential danger to an asset (through unauthorized access, destruction, disclosure, modification or denial of service).
threat
is a specific instance of a threat, e.g. a specific hacker, a particular storm, etc.
threat actor
is a weakness or fault in a system that exposes information to attack.
A bug in a computer program is a very common vulnerability in computer security (e.g. a buffer overflow).
vulnerability
is a method for taking advantage of a known vulnerability.
exploit
is one for which there is no known threat (the vulnerability is there but not exploitable).
dangling vulnerability
is one that does not pose a danger as there is no vulnerability to exploit (the threat is there, but can't do damage).
dangling threat
is an attempt to gain access, cause damage to or otherwise compromise information and/or systems that support it.
Attacks
an attack in which the attacker observes interaction with the system.
Passive attack
an attack in which the attacker directly interacts with the system.
Active attack
an attack where there is not a deliberate goal of misuse
Unintentional attack
the active entity, usually a threat actor, that interacts with the system.
Attack subject
the targeted information system asset.
Attack object
is an instance when the system is vulnerable to attack.
Exposure
is a situation in which the attacker has succeeded.
compromise
is the outcome of an attack.
Consequences
technical
policy, procedures and practices
education, training and awareness
cover and deception (camouflage)
human intelligence (HUMINT), e.g. disinformation
monitoring of data and transmissions
surveillance countermeasures that detect or neutralize sensors,e.g. TEMPEST
assessments and inspections.
Countermeasures