Introduction to Information

Security Management
 Course Covers
Introduction/Definitions
Physical security
Access control
Data security
Operating system security
Application security
Network security
 Student Expectations
• Grading:
– 2 Homeworks
– Midterm
– Paper/project
• All submitted work is sole effort of student
• Students are interested in subject area
• Students have varied backgrounds
95752:1-
 Information Revolution
• Information Revolution as pervasive at the
Industrial Revolution

• Impact is Political, Economic, and Social as well

as Technical

• Information has an increasing intrinsic value

• Protection of critical information now a critical

concern in Government, Business, Academia
 A Different Internet
• Armies may cease to march
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but
purposeful military, political, and criminal
organizations
 Computer Terms (1)
Computer – A collection of the following:
Central Processing Unit (CPU): Instruction-
processing
Memory(RAM) : Transient storage for data
Disk: More permanent storage for data
Monitor: Display device
Printer: Hard copy production
Network card: communication circuitry
 Computer Terms (2)
Software: Instructions for a computer
Operating System: interaction among
components of computer
Application software: common tasks (e.g.,
email, word processing, program
construction, etc.)
API/Libraries: Support for common tasks

95752:1-7
 Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude

• Clear the disk and try again!

 Why is Security Difficult
• Managers unaware of value of
computing resources
• Damage to public image
• Legal definitions often vague or non-
existent
• Legal prosecution is difficult
• Many subtle technical issues
 Objectives of Security
• Privacy – Information only available to
authorized users
• Integrity – Information retains intended
content and semantics
• Availability – Information retains access
and presence
Importance of these is shifting, depends on
organization
 Security Terms
Exposure - “actual harm or possible harm”
Vulnerability - “weakness that may be
exploited”
Attack - “human originated perpetration”
Threat - “potential for exposure”
Control - “preventative measure”
 Classes of Threat
• Interception
• Modification
• Masquerade
• Interruption

Most Security Problems Are People

Related
 Software Security Concerns
• Theft
• Modification
• Deletion
• Misplacement
 Data Security Concerns
• Vector for attack
• Modification
• Disclosure
• Deletion

“If you have a $50 head, buy a $50 helmet”

 Network Security Concerns
• Basis for Attack
• Publicity
• Theft of Service
• Theft of Information

Network is only as strong as its weakest link

Problems multiply with number of nodes
95752:1-15
 Motivations to Violate Security
• Greed
• Ego
• Curiosity
• Revenge
• Competition
• Political/Idiological
 People and Computer Crime
• Most damage not due to attacks
“Oops!”
“What was that?”
• No clear profile of computer criminal
• Law and ethics may be unclear
“Attempting to apply established law in the fast
developing world of the Internet is somewhat
like trying to board a moving bus” (Second
Circuit, US Court of Appeals, 1997)
95752:1-17
 Theory of Technology Law
• Jurisdiction:
– subject matter – power to hear a type of case
– Personal – power to enforce a judgment on a defendant
• Between states: Federal subject matter
• Within state: State/local subject matter
• Criminal or Civil
– Privacy/obscenity covered now
– intellectual property covered later
 Privacy Law
• Common law:
– Person’s name or likeness
– Intrusion
– Disclosure
– False light
• State/Local law: Most states have computer
crime laws, varying content
• International law: patchy, varying content
 Federal Privacy Statutes
• ECPA (communication)
• Privacy Act of 1974 (Federal collection/use)
• Family Educational Rights & Privacy Act (school records)
• Fair Credit Reporting Act (credit information)
• Federal Cable Communications Privacy Act (cable
subscriber info)
• Video Privacy Act (video rental information)
• HIPAA (health cared information)
• Sarbanes-Oxley Act (corporate accounting)
• Patriot Act (counter-terrorism)
Plus state law in more the 40 states, and local laws
 Federal Obscenity Statues
• Miller tests (Miller v. California, 1973):
– Average person applying contemporary community
standards find appeals prurient interest
– Sexual content
– Lack of literary, artistic, political or scientific value
• Statues:
– Communications Decency Act (struck down)
– Child Online Protection Act (struck down)
– Child Pornography Protection Act (struck down –
virtual child porn; live children still protected)
 Indian Trust Funds
• Large, developing, case: Cobell vs. Norton
– http://www.indiantrust.com/
• Insecure handling of entrusted funds
• Legal Internet disruption
• Criminal contempt proceedings
• Judicial overstepping
 Three Security Disciplines
• Physical
– Most common security discipline
– Protect facilities and contents
• Plants, labs, stores, parking areas, loading areas,
warehouses, offices, equipment, machines, tools,
vehicles, products, materials
• Personnel
– Protect employees, customers, guests
• Information
– The rest of this course
 How Has It Changed?
• Physical Events Have Cyber Consequences

•Cyber Events Have Physical Consequences

Why Physical Security?

• Not all threats are “cyber threats”

• Information one commodity that can be stolen
without being “taken”
• Physically barring access is first line of defense
• Forces those concerned to prioritize!
• Physical Security can be a deterrent
• Security reviews force insights into value of what
is being protected
 Layered Security
• Physical Barriers
• Fences
• Alarms
• Restricted Access Technology

• Physical Restrictions
• Air Gapping
• Removable Media
• Remote Storage

• Personnel Security Practices

• Limited Access
• Training
• Consequences/Deterrence
 Physical Barriers
• Hardened Facilities
• Fences
• Guards
• Alarms
• Locks
• Restricted Access Technologies
– Biometrics
– Coded Entry
– Badging
• Signal Blocking (Faraday Cages)
 Outer Protective Layers

• Structure
– Fencing, gates, other barriers
• Environment
– Lighting, signs, alarms
• Purpose
– Define property line and discourage trespassing
– Provide distance from threats
 Middle Protective Layers

• Structure
– Door controls, window controls
– Ceiling penetration
– Ventilation ducts
– Elevator Penthouses
• Environment
– Within defined perimeter, positive controls
• Purpose
– Alert threat, segment protection zones
 Inner Protective Layers
• Several layers
• Structure
– Door controls, biometrics
– Signs, alarms, cctv
– Safes, vaults
• Environment
– Authorized personnel only
• Purpose
– Establish controlled areas and rooms
 Other Barrier Issues
• Handling of trash or scrap
• Fire:
– Temperature
– Smoke
• Pollution:
– CO
– Radon
• Flood
• Earthquake
 Physical Restrictions
• Air Gapping Data
• Limits access to various security levels
• Requires conscious effort to violate
• Protects against inadvertent transmission
• Removable Media
• Removable Hard Drives
• Floppy Disks/CDs/ZIP Disks
• Remote Storage of Data
• Physically separate storage facility
• Use of Storage Media or Stand Alone computers
• Updating of Stored Data and regular inventory
 Personnel Security Practices
• Insider Threat the most serious
• Disgruntled employee
• Former employee
• Agent for hire
• Personnel Training
• Critical Element
• Most often overlooked
• Background checks
• Critical when access to information required
• Must be updated
• CIA/FBI embarrassed
 Activities or Events
• Publications, public releases, etc.
• Seminars, conventions or trade shows
• Survey or questionnaire
• Plant tours, “open house”, family visits
• Governmental actions: certification,
investigation
• Construction and Repair
 NISPOM
National Industrial Security Program
Operating Manual
• Prescribes requirements, restrictions and other
safeguards for information
• Protections for special classes of information:
• National Security Council provides overall policy
direction
• Governs oversight and compliance for 20
government agencies
 Methods of Defense
Overlapping controls
– Authentication
– Encryption
– Integrity control
– Firewalls
– Network configuration
– Application configuration
– Policy