Lesson I. Basic Security Concepts Principles and Strategy

The document outlines fundamental security concepts and principles essential for developing an Information Assurance (IA) program, emphasizing the importance of understanding the reasoning behind security policies. It discusses the necessity of protecting valuable information and the various forms it can take, as well as the need for auditability, accountability, access control, and confidentiality in security practices. Additionally, it presents three strategies for implementing security measures: Security by Obscurity, Perimeter Defense, and Defense in Depth.

Ave Maria College

COLLEGE OF INFORMATION TECHNOLOGY


HEI Unique Institutional Identifier: 09077
PC 8_IAS 312: Information Assurance and Security 1

LESSON I:
1. BASIC SECURITY CONCEPTS, PRINCIPLES AND STRATEGY

A. Basic Security Concepts and Principles


Introduction
A total IA program extends beyond mere regulations. It is based on the concept that security
begins as a state of mind. The program must be designed to develop an appreciation of the need
to protect information vital to the interests of the organization and to foster the development of a
level of awareness that will make security more than routine compliance with regulations.
The application of security to any organization, facility, or IT system must be based on
certain accepted concepts and principles. These are foundational to the development of the
organization’s IA policies and critical to dispensing consistent technical security guidance or
deliberating sound security judgment calls. Everyone within the organization must understand
applicable security policies. However, good security awareness is more than simply ensuring that
everyone knows and obeys the rules; it involves knowing the reasoning behind the rules.

Security practices and procedures sometimes cause personal inconvenience. Security is
often perceived as regulatory, restrictive, and bureaucratic because often it is all those things.
Simply knowing and obeying the rules is not always sufficient. It is natural to want to know why
we must comply. An explanation of “because I said so” is not a good response; users want and
deserve valid reasons for security policies. One of the best ways to explain the purpose of a given
security policy is to help others understand its underlying security principles. A working
knowledge of basic security concepts and principles will help equip us to meet this challenge.
The goal of any IA program should be to instill within people a knowledge and awareness that
goes far beyond rote compliance. Knowing the basic security principles on which good security
practices are built will foster an appreciation for the need for IA. Knowing security tenets will
also enable us to make sound security judgments in the absence of specific written guidance.

Information Assurance Supports the Mission of the Organization


The purpose of IA is to protect an organization’s valuable information, as well as the
facilities, systems, and networks that process, store, and transmit that information. Protecting
information can be as important as protecting other organizational resources, such as money and
personnel.
Information is an expensive, sensitive, and perishable resource that represents a substantial
investment, but how we protect the information depends on the form it takes and the attribute(s)
it possesses. Although the concept of information is intangible, information can assume various
forms:
• Thoughts and speech
• Hardcopy (originals, copies, transparencies, faxes)
• Softcopy (stored on removable and non-removable media)
• Personal knowledge
• Technical skills
• Corporate knowledge
• Formal and informal meetings
• Telephone conversations
• Video teleconferences

When it is all boiled down, information can be represented in mental thought and speech,
written documentation, and electronic communications/computer formats. Information also
comes in three states, analogous to the three states of water—liquid (water); solid (ice); or gas
(steam). Similarly, at any given moment, information is being transmitted, processed, or stored.
This happens irrespective of the medium in which it resides (McCumber, 1994).

Threats to these states of information basically fall into three categories: compromise by
unauthorized disclosure; corruption through unauthorized modification; and unavailability
through a denial of service. Regardless of its format, information that is worth protecting will
possess one or more critical attributes that will dictate what kind of safeguards are required to
adequately provide protection against these threats.

1. Security Requires Auditability and Accountability


Security controls must produce reliable, indisputable evidence that they are working
correctly. The evidence can take the form of audit trails, system logs, alarms or other overt or
covert notification.
Identification tells the system which user is accessing the system; authentication
confirms to the system that the user is who he says he is. Think of your Automated Teller
Machine (ATM) card as a kind of identification and authentication (I&A) mechanism.
Information coded on your card lets the system know which account to access while your PIN
number verifies that it is really you doing the accessing.
In the same way, a user account name identifies the user to the system, for access and
accountability purposes. For this reason, the identifier must normally be unique. Group,
shared, or anonymous accounts should not be permitted when accountability for access must
be controlled by weak authentication (i.e., static passwords). Additionally, the naming
convention for user IDs must distinguish each individual user in order to provide the level of
attribution necessary to enforce accountability. Without individual accountability, audits are
going to be of little value, since system use (or misuse) can only be attributed to an individual
through circumstantial evidence.

(a) Information you possess.


Passwords are still the most familiar and widely used form of authentication. A password
known only to the owner of the user ID verifies to the system that he or she is actually the
account owner. However, passwords are considered weak authentication because they are
often shared among friends; easily broken by guessing or public domain cracking programs;
or stolen from watching the user type in the password or from finding it written down.

(b) Objects you possess.


The use of objects such as digital signatures, electronic keys, tokens, and smart cards is
considered strong authentication because of the low probability of breaking the encryption
used to protect these objects. As with passwords, it is assumed that the possessor is the
owner; yet the possibility of loss, theft, sharing, duplication, or spoofing exists.

(c) Features you possess.


The field of biometrics—measurable physiological and/or behavioral characteristics—is a
fascinating growth area that offers the strongest and most irrefutable authentication.
Behavioral characteristics include verification of voice, keystrokes, or signatures.
Physiological characteristics include recognition of palm, fingerprint, finger image, finger or
hand geometry, iris or retina, vascular patterns, ear shape, and even body odor.

Biometrics also presents three challenges:


1. High number of false negatives—although it won’t allow a non-owner access, it may
reject the true owner based on a false reading.

2. User acceptance—some methods of authentication such as retina scanning are considered
uncomfortable by many users. Less intrusive methods such as iris scanning, facial feature, or
thumbprint recognition are proving more acceptable.

3. Physical limitations—a retina scan won’t work with users who are blind or have cataracts;
finger or hand recognition would not be practical in an environment that required protective
gloves; voice recognition may be affected by throat problems.

To ensure that individuals are held accountable for their actions, auditing and monitoring of
the information system must be accomplished in a way that, consistent with applicable laws
and regulations, assesses the adequacy of security features and generates an audit trail of
security-relevant events for all users.
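The identification, authentication and audit-trail points made above can be seen together in a small model. This is an added example, not part of the lesson text: the account names, the PBKDF2 parameters, the list of refused group identifiers and the audit-record layout are this example's own assumptions. It shows a unique identifier naming the account (identification), a stored verifier confirming the claimed identity (authentication), refusal of shared identifiers that could not be attributed to one person, and an audit record for every security-relevant event.

```python
"""Identification, authentication and an attributable audit trail.

Added example, not part of the lesson text. The account names, the password
derivation parameters, the list of refused group identifiers and the audit
record layout are this example's own assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Identifiers that name a group or nobody in particular. With password-only
# (weak) authentication they cannot be tied to one person, so enrolment
# refuses them (assumed policy for this example).
SHARED_IDENTIFIERS = frozenset({"guest", "admin", "shared", "operator"})


def derive_verifier(password: str, salt: Optional[bytes] = None,
                    rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 password verifier; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


@dataclass
class Authenticator:
    # user_id -> (salt, digest); one account per individual.
    verifiers: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    audit_trail: List[dict] = field(default_factory=list)

    def enroll(self, user_id: str, password: str) -> bool:
        """Create an account only for a unique, individual identifier."""
        if user_id in SHARED_IDENTIFIERS:
            return self._record(user_id, "enroll", False, "group/anonymous identifier refused")
        if user_id in self.verifiers:
            return self._record(user_id, "enroll", False, "identifier already in use")
        self.verifiers[user_id] = derive_verifier(password)
        return self._record(user_id, "enroll", True)

    def login(self, user_id: str, password: str) -> bool:
        """Identification: which account is claimed. Authentication: does the
        presented secret match the stored verifier for that account."""
        stored = self.verifiers.get(user_id)
        if stored is None:
            return self._record(user_id, "login", False, "unknown identifier")
        salt, expected = stored
        _, presented = derive_verifier(password, salt)
        # Constant-time comparison so the check itself does not leak the digest.
        ok = hmac.compare_digest(presented, expected)
        return self._record(user_id, "login", ok, None if ok else "credential mismatch")

    def _record(self, user_id: str, action: str, success: bool,
                detail: Optional[str] = None) -> bool:
        """Every security-relevant event is attributed to the claimed identifier."""
        self.audit_trail.append(
            {"user": user_id, "action": action, "success": success, "detail": detail})
        return success


def demo() -> List[dict]:
    """Run a short constructed scenario and return the resulting audit trail."""
    auth = Authenticator()
    auth.enroll("alice.reyes", "correct horse battery staple")   # individual: accepted
    auth.enroll("shared", "hunter2")                             # group account: refused
    auth.login("alice.reyes", "correct horse battery staple")    # good credential
    auth.login("alice.reyes", "Correct horse battery staple")    # wrong credential
    auth.login("mallory", "anything")                            # unknown identifier
    return auth.audit_trail


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Because the refused "shared" enrolment and the failed logins are recorded against the identifier that was claimed, the trail answers "who did what" without circumstantial evidence; a shared account would have made the same records useless for attribution.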

2. Security Requires Access Control


Access controls limit access to information or information assets. By using access control
services, we can prevent a user from seeing or using unauthorized information. We can also
prevent the unauthorized modification or disclosure of that information. Access controls may
be technical or nontechnical in nature.

There are two basic approaches to applying access controls within systems and networks: one
is to permit anything that is not explicitly denied; the second is to deny anything that is not
explicitly permitted. In other words, either open up all access to everyone, denying access
only by exception, or else turn off all access to everyone by default, opening up access only
by exception. The former is called the “Default Permit” stance; the latter approach is known
as the principle of minimalism, or the “Default Deny” stance.
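The two stances can be compared against one and the same rule set. The following is an added example, not from the lesson: the rules, the addresses and the packets are constructed, and first-match-wins ordering is an assumption about the filter being modelled. Only the decision for traffic that matches no rule differs between the stances; that difference is the whole point of choosing Default Deny.

```python
"""Default Permit versus Default Deny on the same rule set.

Added example; the rules, addresses and packets below are constructed, and
first-match-wins evaluation is an assumption about the filter being modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Literal, Tuple

Action = Literal["permit", "deny"]


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    proto: str        # "tcp" or "udp"
    dst_port: int     # 0 means any destination port
    action: Action


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src in rule.src and pkt.proto == rule.proto
            and (rule.dst_port == 0 or rule.dst_port == pkt.dst_port))


def decide(rules: List[Rule], pkt: Packet, default: Action) -> Action:
    """First matching rule wins; when nothing matches, the stance decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set: the explicit exceptions an administrator wrote down.
RULES = [
    Rule(ipaddress.ip_network("0.0.0.0/0"), "tcp", 443, "permit"),   # public HTTPS
    Rule(ipaddress.ip_network("10.0.0.0/8"), "tcp", 22, "permit"),   # SSH from inside only
    Rule(ipaddress.ip_network("0.0.0.0/0"), "tcp", 23, "deny"),      # telnet blocked explicitly
]

# Constructed traffic; the comments state which rule (if any) applies.
SAMPLE = [
    Packet(ipaddress.ip_address("203.0.113.7"), "tcp", 443),    # rule 1
    Packet(ipaddress.ip_address("203.0.113.7"), "tcp", 22),     # no rule: external SSH
    Packet(ipaddress.ip_address("10.1.2.3"), "tcp", 22),        # rule 2
    Packet(ipaddress.ip_address("203.0.113.7"), "tcp", 23),     # rule 3
    Packet(ipaddress.ip_address("198.51.100.9"), "udp", 161),   # no rule: SNMP nobody thought of
]


def compare_stances(rules: List[Rule] = RULES,
                    packets: List[Packet] = SAMPLE) -> List[Tuple[Action, Action]]:
    """Return (Default Permit decision, Default Deny decision) per packet."""
    return [(decide(rules, p, "permit"), decide(rules, p, "deny")) for p in packets]


if __name__ == "__main__":
    for pkt, (permit_stance, deny_stance) in zip(SAMPLE, compare_stances()):
        print(f"{pkt.src}:{pkt.proto}/{pkt.dst_port:<4} permit-stance={permit_stance:6} deny-stance={deny_stance}")
```

Under Default Permit the two unmatched packets (external SSH, SNMP) pass because nobody wrote a rule about them; under Default Deny they are dropped until someone deliberately adds an exception. The explicitly matched packets are decided identically under both stances.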

Other access control principles include:


Access Control System allows you to decide who goes through which doors in a building
and at what times. The access range starts with a simple system for up to two doors and moves
through to sophisticated Multi-site systems. Whether the need is for a basic wall-mounted
proximity card reader, a sophisticated Biometric or combination PIN, card swipe and
fingerprint reader, ASM has the most comprehensive range of access control and biometric
products along with the largest number of identification systems within a coherent setup.

Benefits:
• Access control for the entire facility or specified areas.
• Limited access to areas by date/time and individual cardholder.
• Controlled access to elevators and parking facilities.
• Supports multiple access technologies.
• Utilizes existing system investment.

Features and Options:
• Local or wide area network connectivity
• Remote access software
• Graphical user interface
• CCTV integration
• Video badging

Separation of functions: The principle of separating roles or functions provides a form of
security checks and balances by ensuring that no one individual owns all the processes;
controls all the security features; or possesses unrestricted access to all the information.
The concept is that, by compartmentalizing the functions or roles within the system, the
risk is reduced that one person will totally compromise the confidentiality, integrity, or
availability of the information or the system.

Independence of control and subject: “The person charged with designing, implementing,
and/or operating a control should not be the same person who is to be controlled thereby”
(Wood, 1990, p. 17). In any system, it is good practice to ensure independence between the
person charged with designing a security control and the person(s) who are to be controlled
by it. Likewise, those responsible for enforcing security controls must be empowered and
autonomous to perform unbiased reviews and objective evaluations. The individual
responsible for overseeing the security management of information systems, for example,
should not report directly to the audit department or the systems operations department in
order to eliminate any real or perceived conflict of interest.

Least privilege: Considered by many “the most fundamental principle of security (any kind
of security, not just computer and network security),” the least privilege principle requires
that each individual be granted the most restrictive set of privileges or accesses needed for
the performance of authorized tasks (Chapman and Zwicky, 1995, p. 45). Users are given
just the access or privileges they need to do their jobs, but no more than required. For
example, normal users are granted only the subset of privileges necessary to perform
normal user functions. A system administrator may require a much larger subset of all
privileges, or in some cases, the full set of privileges available. Enforcement of least
privilege is often easier said than done, particularly when it comes to operating systems that
are not designed to enforce separation of functions.

Control: Control is the nontechnical principle that all access to the system must be
regulated. No one should gain access to an organization’s information system(s) without
the explicit knowledge and authorization of a control officer (e.g., Information Systems
Security Officer).

Discretionary Access Controls (DAC): DAC are a technical means of restricting access to
objects (e.g., files, directories, data entities) based on the identity and need-to-know of
users or processes and/or the groups to which the object belongs. For example, access can
be regulated or mediated by comparing file types to predefined rules or access lists. The
controls are discretionary in the sense that a subject with certain access permission is
capable of directly or indirectly passing that permission on to another user or process. DAC
roughly equate to Identity-Based Access Control (IBAC) within international standards.

Mandatory Access Controls (MAC): Unlike DAC, MAC prevent this ability to pass on
permissions. Instead, they require formal authorization (i.e., clearance, formal access, need-to-know
verification) and restrict access to objects based on the sensitivity of the objects
(e.g., via object labeling), focusing on data confidentiality. In these cases, access is
regulated/mediated by comparing file contents (e.g., based on data labels) to a predefined
rule set for each classification level. Within international standards, MAC roughly equate
to Rule-Based Access Control (RBAC).
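The DAC/MAC distinction is easiest to see when both mechanisms guard the same object. The following is an added example, not the lesson's own: users, labels, file names and the permission vocabulary are constructed. The mandatory check implements the "no read up" rule (the Bell-LaPadula simple security property), one common label-comparison rule that the lesson does not name. Under DAC a subject holding the right to grant can pass read access on to anyone; under MAC the label comparison is fixed by policy and cannot be delegated away.

```python
"""Discretionary versus mandatory access control, side by side.

Added example, not from the lesson. Users, labels, file names and the
permission vocabulary are constructed. The mandatory check implements the
'no read up' rule (Bell-LaPadula simple security property), one common
label-comparison rule; the lesson itself does not name a specific rule set.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Ordered sensitivity levels for the mandatory policy (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class DacObject:
    owner: str
    # Access list: subject -> permissions. 'grant' is the right to pass rights on.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class DacStore:
    """Identity-based (discretionary) control: the ACL is whatever its holders make it."""

    def __init__(self) -> None:
        self.objects: Dict[str, DacObject] = {}

    def create(self, name: str, owner: str) -> None:
        self.objects[name] = DacObject(owner, {owner: {"read", "write", "grant"}})

    def grant(self, granter: str, name: str, grantee: str, perm: str) -> bool:
        """Discretionary: any subject holding 'grant' may pass a permission to another."""
        obj = self.objects[name]
        if "grant" not in obj.acl.get(granter, set()):
            return False
        obj.acl.setdefault(grantee, set()).add(perm)
        return True

    def can(self, subject: str, name: str, perm: str) -> bool:
        return perm in self.objects[name].acl.get(subject, set())


def mac_can_read(clearance: str, label: str,
                 subject_compartments: FrozenSet[str] = frozenset(),
                 object_compartments: FrozenSet[str] = frozenset()) -> bool:
    """Mandatory: compare the subject's clearance with the object's label.
    Read is allowed only if the clearance dominates the label (level and
    compartments). Neither party can change the labels, so nothing is delegable."""
    return (LEVELS[clearance] >= LEVELS[label]
            and object_compartments <= subject_compartments)


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice owns a SECRET document; carol is cleared CONFIDENTIAL."""
    dac = DacStore()
    dac.create("ops-plan.docx", owner="alice")
    dac.grant("alice", "ops-plan.docx", "bob", "read")
    dac.grant("alice", "ops-plan.docx", "bob", "grant")
    bob_passes_on = dac.grant("bob", "ops-plan.docx", "carol", "read")     # DAC permits this
    dave_passes_on = dac.grant("dave", "ops-plan.docx", "carol", "write")  # dave holds nothing

    clearance = {"alice": "SECRET", "bob": "SECRET", "carol": "CONFIDENTIAL"}
    label = "SECRET"  # label on ops-plan.docx, fixed by the mandatory policy

    def effective_read(user: str) -> bool:
        # When both mechanisms are layered, both must agree.
        return dac.can(user, "ops-plan.docx", "read") and mac_can_read(clearance[user], label)

    return {
        "bob_passes_on": bob_passes_on,
        "dave_passes_on": dave_passes_on,
        "dac_carol_read": dac.can("carol", "ops-plan.docx", "read"),
        "mac_carol_read": mac_can_read(clearance["carol"], label),
        "effective_carol_read": effective_read("carol"),
        "effective_bob_read": effective_read("bob"),
        # Sufficient level but missing a compartment: still refused.
        "compartment_block": mac_can_read("TOP SECRET", "SECRET",
                                          frozenset({"CRYPTO"}),
                                          frozenset({"CRYPTO", "NUCLEAR"})),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22} {outcome}")
```

The DAC layer alone lets the SECRET document reach carol through two legitimate grants; the MAC layer refuses her regardless of what the ACL says, which is why the lesson describes MAC as focusing on data confidentiality.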

3. Security Requires Confidentiality


Confidentiality services provide the protection of information, both stored and communicated,
from unauthorized disclosure. In this respect, they are a subset of access control since the
objective is to technically or non-technically control the information, ensuring that those who
need to see the information can read it and precluding its disclosure to those who are not
authorized. This information may be in the form of system- or network-generated data, as well
as traditional information.

All information is not equal: organizations typically possess multiple levels of information
sensitivity. Some information has no confidentiality requirement; it is deemed public domain
and represents an organization’s contribution to the universe of information available to
everyone. Other information is more tightly controlled and only shared among organizational
allies. Still other information is deemed so sensitive that it only may be made accessible to a
small subset of individuals within the organization.

Organizations—both private and public—know the value of protecting the confidentiality of
information. Private industries are investing heavily in the protection of information from
nondisclosure and forcing employees to sign agreements restricting their postemployment
competitiveness (Armour, 2000, p. 1). Businesses understand that leaked proprietary
information can mean the loss of competitive edge. Public organizations have long depended
on the confidentiality of their information as a means of protecting the sources and methods
for obtaining that information and for maintaining information superiority over their enemies.

Normally, the nontechnical protection of the confidentiality of information is based on a
combination of some kind of classification scheme plus enforcement of the need-to-know
principle. Classifications distinguish the information that must be protected from information
that is expendable. They also represent the level of protection that must be applied to the
information based on established guidance.

B. Basic Security Strategy


Approaches to Applying Security Principles
An organization has three fundamental strategies for developing and implementing a program to
protect its IA baseline and the Critical Objects that are necessary for its survival, coexistence,
and growth. Each of the strategies will be separately described.

a. Security by Obscurity Strategy


The basis of the first fundamental strategy is stealth. That is, if no one knows that an
organization’s IA baseline and Critical Objects exist, they would not be subject to threats. The
intent is that sufficient security can be achieved by hiding an organization’s automated
capabilities and the access to these capabilities or at least not advertising their existence. IA
does involve the use of stealth to a certain extent. However, the current and growing extent to
which organizations have been using their automated capabilities to interact with customers
and potential customers does make the strategy option not very practical and realistic.

b. The Perimeter Defense Strategy
This strategy is more of a concentrated effort of defense and is predominantly technical in
nature. Also, this strategy basically focuses on threats from those that are outside the bounds
of authorized users to the organization’s IA baseline and Critical Objects. The organization’s
IA capabilities are primarily located within a “zone” or “border” of defense between the
“insiders” and the “outsiders.” This strategy has been compared to the “Maginot Line” that
existed as a defensive perimeter or border between the allied nations and Germany during
World War I. An example of this concentrated strategy involves a firewall device that is
connected to both the Internet (i.e., outside) side of an organizational border and what is
considered to be the organization’s own trusted internal network. A public access server is
connected to the cables above the firewall and a Web proxy server is connected to the cable
below the firewall. The term “demilitarized zone (DMZ)” has been used to describe the
defensive perimeter that includes these three devices. The intent of this perimeter is to control
the flow of information between the organization’s internal trusted network and the untrusted
external Internet.

The Perimeter Defense Strategy has two critical weaknesses. First, this strategy does very
little or nothing to protect an organization’s internal systems from an attack by an authorized
inside user such as an employee or contractor. Second, if the perimeter defenses (e.g.,
firewalls and routers) fail, then the organization’s internal systems are open to attack.

c. Defense in Depth Strategy


The Defense in Depth strategy takes a much broader approach by defining a number of
operationally interoperable and complementary technical and nontechnical IA layers of
defense. The critical fact is that the totality of these layers is what provides a cohesive and
integrated process for defense in the same way that the seven layers of the Open Systems
Interconnection (OSI) Basic Reference Model provide a process for communications. The
Defense in Depth strategy recognizes that, because of the highly interactive nature of the
various systems and networks, any single system cannot be adequately secured unless all
interconnected systems are adequately secured. An IA solution for any system must be
considered within the context of this shared risk environment. Therefore, layers of protection
are needed to accomplish IA needs. Also, there is a complementary aspect to a Defense in
Depth strategy. Multiple layers offset weaknesses of other layers.
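The two perimeter weaknesses named above (the authorized insider, and a boundary device that fails) and the complementary nature of layers can be modelled in a few lines. This is an added example, not from the lesson: the zones, the four layers and the sample requests are constructed. A perimeter-only decision trusts anything inside or admitted by the boundary; the layered decision requires every layer to admit the request independently, and reports which layer refused.

```python
"""Perimeter-only versus layered (Defense in Depth) admission of a request.

Added example, not from the lesson. The zones, the four layers and the sample
requests are constructed to mirror the two perimeter weaknesses described in
the text: an authorized insider, and a boundary device that fails open.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    source_zone: str        # "internet" or "internal"
    passed_boundary: bool   # the firewall/router admitted the traffic
    authenticated: bool     # the service itself verified who is calling
    authorized: bool        # the caller holds the right for this action
    payload_valid: bool     # the application validated the input


def perimeter_only(req: Request) -> bool:
    """Perimeter strategy: whatever is inside, or was admitted by the boundary, is trusted."""
    return req.source_zone == "internal" or req.passed_boundary


def defense_in_depth(req: Request) -> Tuple[bool, Optional[str]]:
    """Each layer decides independently; the first layer that refuses stops the request."""
    layers = [
        ("boundary", req.source_zone == "internal" or req.passed_boundary),
        ("authentication", req.authenticated),
        ("authorization", req.authorized),
        ("input validation", req.payload_valid),
    ]
    for name, admitted in layers:
        if not admitted:
            return False, name
    return True, None


# Constructed requests.
SAMPLE: Dict[str, Request] = {
    "legitimate_remote_user": Request("internet", True, True, True, True),
    # Weakness 1: an employee inside the perimeter attempting an action they are not authorized for.
    "insider_overreach": Request("internal", True, True, False, True),
    # Weakness 2: the boundary device fails open and admits unauthenticated external traffic.
    "boundary_failed_open": Request("internet", True, False, False, True),
    # Inside and authorized, but carrying malformed input the application must reject.
    "insider_bad_payload": Request("internal", True, True, True, False),
    # Normal refusal: the boundary did its job.
    "blocked_at_boundary": Request("internet", False, False, False, True),
}


def compare(requests: Dict[str, Request] = SAMPLE) -> Dict[str, Tuple[bool, bool, Optional[str]]]:
    """Return {name: (perimeter decision, layered decision, layer that refused)}."""
    results = {}
    for name, req in requests.items():
        layered_ok, stopped_at = defense_in_depth(req)
        results[name] = (perimeter_only(req), layered_ok, stopped_at)
    return results


if __name__ == "__main__":
    for name, (perimeter, layered, stopped_at) in compare().items():
        print(f"{name:24} perimeter={perimeter!s:5} layered={layered!s:5} stopped_at={stopped_at}")
```

Three of the five constructed requests are admitted by the perimeter model and refused by the layered one, each at a different layer; the perimeter model has no layer left to refuse them once the boundary is passed, which is exactly the weakness the text describes.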

The Defense in Depth strategy does not imply that protection is required at every possible
point in the IA baseline. The allocation of the IA capabilities can be focused, based on the
unique needs of an organization’s threats. Further, adopting a layered approach can allow
lower assurance solutions (which are generally more cost effective and more user friendly) to
be used in many environments, permitting the applications of higher assurance solutions at
critical locations (e.g., network boundaries). The implementation of a Defense in Depth
strategy is complicated by the fact that many organizations employ multiple types of external
network connections through the enclave boundary. These include encrypted connections to
other enclaves, connections to access data on hostile networks (such as the Internet),
connections to remote dial-in users, and, if required, connections to other local networks
operating at different classification levels. There is a requirement for different types of
solutions for each of these connections that satisfy both operational and IA requirements.

Recommended Strategy: Defense in Depth


Every organization that has defined IA needs must address the fundamental issue of what
strategy it will use to accomplish its IA needs. We believe that the ever increasing organizational
dependency on automated capabilities for survival, coexistence, and growth requires the broader
and more integrated strategy that is inherent in Defense in Depth.

Four reasons will be cited to support this conclusion, although it is recognized that many other
justifications could be cited.

First, the use of electronic commerce (e-commerce) provides both an opportunity for the
organization and some inherent risks. E-commerce could affect every application and database
within the organization. The security of the Web server host within the DMZ is not sufficient to
address the risks posed by e-commerce transactions. One such risk is that the Web server could
start opening sessions to other servers within the organization, thereby providing paths into
organizational enclaves. Also, hackers could gain access to the internal organizational network
and traverse all internal segments at will.
There may be a belief that sufficient defenses exist beyond the firewall within the
organizational enclaves. However, the architecture of internal organizational enclaves has been
driven by several factors: historical accident (we needed it, we added it), performance (based on
user complaints, we moved the servers to their own internal segment), and/or reliability
(someone will get fired if there’s a problem with this application, so we’ll buy two of
everything). E-commerce is an example of an application that requires the same degree of
security behind the firewall as is traditionally applied to the DMZ. This requires an expansion of
the depth of the defense to within the organization.

Second, traditionally, the threats to the confidentiality, integrity, availability, authentication,
and nonrepudiation of organizational information have been perceived as existing outside the
physical and logical boundaries of the organization.

Third, the Open System Interconnection (OSI) Basic Reference Model represents the process
of communications based on layers. These layers, from the lowest layer to the highest layer,
involve the Physical, Data Link, Network, Transport, Session, Presentation, and Application
Layers. Each layer represents a task within the communication process required for the
movement of information between information systems that are connected to a network.

Fourth, there are many possible types of attacks that could be used to exploit organizational
information systems. The following represents examples of these possible types of attacks:

Passive intercepts and attacks on the wide-area network (WAN): These attacks include network
traffic analysis, monitoring of unprotected (plain-text) communications, decrypting weakly
encrypted communications, and capturing identification numbers and passwords.

WAN-based attacks: WAN-based attacks include attempts to circumvent or break security
features, introduce malicious code, or steal data. These can include attacks mounted against the
network backbone; exploitation of data in transit; electronic penetrations into an enclave or local-
area network (LAN) through the boundary protection devices (including an enclave’s remote
access entry point); or attacks on an authorized remote user when he or she attempts to connect
to the enclave.

Insider attacks: Insider attacks are performed by a person who is authorized to be within the
physical boundaries of the information system security processing system and/or has direct
access to the information security processing system.

Hardware/software distribution attacks: This type of attack focuses on modifications of
hardware or software at the factory, or modifications or substitutions during distribution.
Malicious code can be easily imported into a protected enclave through shrink-wrapped
software, users swapping media with machines outside the enclave, or other paths that are
implemented to import information from outside a protected network. The hardware/software
distribution attack refers to the potential for malicious modifications of hardware or software
between the time it is produced by a developer and the time it is installed and used. If a user has
a remote access capability, these attacks could occur while the remote user’s computer is being
configured, if it is left unattended (i.e., without proper physical security), or while software is
passed to it either over the network or via physical means (e.g., floppy disks).

Implementing Defense in Depth


Physical and virtual boundaries are described. The virtual boundary includes the necessity of
defending the network infrastructure, the enclave boundary, and the computing environment.
The remaining chapters of this book provide a means of implementing a Defense in Depth
strategy for protecting the physical and virtual boundaries of the organization. Figure below
is a model that depicts the layers of the Defense in Depth strategy. The core of the strategy is
information that the organization requires for its survival, coexistence, and growth and the IA
baseline that collects, inputs, processes, stores, outputs, and communicates that
information. The organization should define its IA needs concerning its information and IA
baseline relative to confidentiality, integrity, and availability.
The IA posture provides a means of measuring how successfully the organization is
achieving its IA needs. The IA policies (Layer 1) need to be formulated to define the actions
and behavior required to accomplish the defined IA needs of the organization. An IA
management structure (Layer 2) will need to be formally established to monitor and control
the implementation of the IA policy. Layers 3 to 11 involve the technical and nontechnical
implementations of the IA policies. An IA architecture (Layer 3) provides the infrastructure
of technical security services and security mechanisms and a basis for their allocation within
the organization’s IA baseline. Layers 4–11 provide the infrastructure of nontechnical
functions. Each of the eight nontechnical functions of these layers (operational security
administration, configuration management, life-cycle security, and so forth) provides an
infrastructure of integrated support to the IA Architecture. The successful integration of both
the technical and nontechnical layers produces the Defense in Depth strategy that maximizes
the protection of the organization’s IA baseline and Critical Objects.
