Information Security - PowerPoint PPT Presentation

Slides: 67
Provided by: CBA43
Transcript and Presenter's Notes

1
Information Security
  • By
  • Jeremy Parker
  • Josh Perez
  • Fred Duarte
  • Alex Harrell

2
What will we cover?
  • What is information?
  • What does information security mean?
  • Why is information security important?
  • How is information security implemented?
  • Key factors for determining its success
  • Management's responsibility

3
What is Information?
  • The most unique asset
  • Two primary characteristics
  • 1) It is intangible
  • 2) It comes without a price tag, which makes it
    hard for management to assess its value
  • If an asset can't be placed on a shelf, it is
    easily overlooked by management

4
Information Resources
  • Information systems infrastructure
  • Information and knowledge
  • Proprietary knowledge
  • Technical skills of information technology staff
  • End users of the information systems
  • Relationship between information technology and
    business managers
  • Business processes

5
What does it mean?
  • There are three primary goals of information
    security
  • Known as the CIA Triad
  • Confidentiality
  • Integrity
  • Availability

6
CIA Triad
  • Confidentiality
  • Assures the privacy of the data
  • Only the intended/authorized recipients are able
    to possess the data
  • Integrity
  • No unauthorized changes or alterations
  • Not authenticity or accuracy; it just ensures that
    the data arrives, right or wrong, just the way it
    left
  • Availability
  • Protection against anything or anyone that could
    hinder a user's access to the information

7
Additional Goals
  • Authentication
  • User must know where the information has come
    from
  • Is it from the expected or appropriate source?
  • Can it be relied upon?
  • Nonrepudiation
  • Provides a record of who sent what information
  • Prevents someone from sending an electronic
    transmission and subsequently denying it

8
Why is Information Security Important?
  • So many threats could damage, steal or destroy
    information
  • Both intentionally and accidentally
  • There is just as much threat internally as
    externally, if not more

9
External Threats
  • Hackers & Crackers
  • Illegally access & tamper with information
  • Script Kiddies
  • Low skill, seek to just create havoc
  • Cyberterrorists
  • Radicals, out to promote their beliefs

10
How?
  • Denial of Service Attack
  • Prevents access to information
  • Buffer Overflow Attack
  • Altering programming code
  • Malware
  • Worms, Trojan horses, viruses
  • Social Engineering
  • Contacting employees directly to get a password
  • Brute Force
  • Attempting to crack a password

11
Internal Threats
  • Employees have much greater access to information
    resources than outsiders
  • Without proper knowledge & training, employees
    could
  • Unknowingly divulge company secrets
  • Fall victim to a social engineering attack
  • Management must set the tone for info. security,
    emphasize training & education

12
Implementation
  • Baselining
  • Risk Analysis
  • Determine appropriate action
  • Training
  • Evaluate Effectiveness
  • Continuous Risk Assessment
  • Complete action plans

13
Alternative Control Tools
  • Hardware System Security
  • Firewalls
  • Cryptography

14
Alternative Control Tools
  • Network and Software Security
  • Server and Browser Software
  • Network Operating System Software (NOS)
  • Security Information Management (SIM)

15
Alternative Control Tools
  • Broadcast Medium Security
  • Labeling and Rating Software
  • Filtering and Blocking Software

16
Internal Controls
  • Preventing Insider Threats
  • Enforce password and remote access policies
  • Use of configuration management techniques
  • Follow procedures for system logging and
    monitoring
  • Create internal processes for reporting concerns
    about employee behavior

17
Measuring Success
  • Effective Assessment Program
  • Factual - Value directly observable
  • Adaptable - Measures fit the circumstance
  • Meaningful - Outcomes understandable
  • Quantitative Measures
  • Consistent Measures

18
Key Factors to Ensure IS Success
  • Clear Strategy
  • What needs to be protected
  • Risk Management
  • Security Policy

19
Risk Management
  • Risk Analysis: a group of procedures that foresee
    what/how attacks may occur
  • Allows the company to be ready for the worst
    case scenario
  • Computer Security Incident Response Team (CSIRT)

20
Risk Management: CSIRT
  • Team consisting of experts in law, computer
    security and computer forensics

21
CSIRT Methodology
  • Pre-incident preparation
  • Detection of Incidents (Helix, Knoppix, etc.)
  • Formulate Response Strategy
  • Investigate the Incident
  • Reporting
  • Resolution

22
Security Policy
  • Drives the IS infrastructure
  • Detailed but easy to follow set of rules that
    explain how management and employees should all
    work together to ensure IS

23
Security Policy Accessibility
  • Remember, communication is the heart and soul of
    human relations
  • One of the main challenges in creating this type
    of policy is ensuring that it doesn't become
    overburdened with rules that could become
    insurmountable barriers
  • Catherine Paquet and Warren Saxe
  • Book: The Business Case for Network Security:
    Advocacy, Governance, and ROI

24
Management Responsibilities
  • Teach employees how important Information is,
    good practices, how an attack could impact their
    job profoundly, teach them how to work with IS in
    mind

25
Management Responsibilities
  • Agree on what IS goals are, how much money to
    invest on it.
  • Security is a learned behavior and team effort.
  • Stay up to date with current technologies,
    government policies, regulations and agencies

26
Real World Example
27
UTHSC-H Background
  • Established in 1972 for Graduate Education In
    Health Sciences
  • Located in Texas Medical Center, largest in world
    (5.2 mil patient visits in 2004)
  • In 2004 received 150 mil in research grants (UCF
    received 103 mil in 2004)
  • Information Technology Security Department (ITS)
    responsible for network / data security

28
UTHSC-H Network
  • Divided into 4 main zones
  • Public Extranet
  • Secure Extranet
  • General Intranet
  • Secure Intranet

29
UTHSC-H Public Extranet
  • Accessible by General Public
  • Low risk of data loss
  • No confidential or sensitive information
  • Servers must be in secure location
  • Cannot have any outgoing connections to any other
    zone
  • Example: Web server

30
UTHSC-H Secure Extranet
  • Where confidential information is gathered or
    distributed to the public
  • Requires authentication and encryption
  • Confidential/sensitive information can only be
    stored on a temporary basis
  • Medium risk: a security breach could compromise
    sensitive data, break laws
  • Servers must be in secure location
  • Example: Mail Server

31
UTHSC-H General Intranet
  • Most workstations/laptops/PDAs located here as
    well as dedicated research computers/servers,
    network printers, application servers, internal
    web servers
  • No publicly accessible servers
  • All protected information must be encrypted
  • Hosts dispersed throughout campus
  • Only authenticated connections are allowed in
    (VPN, etc)
  • High-risk area, sensitive data could be
    compromised

32
UTHSC-H Secure Intranet
  • Where centralized confidential, sensitive and
    vital information stored
  • Vital internal apps (PeopleSoft)
  • Servers are in no way accessible by the public,
    must be in secure location
  • Considered High-Risk: a security breach could not
    only compromise sensitive data and break
    fed/state laws, but could also jeopardize
    financial resources

33
UTHSC-H Security Policies
  • Can be broken up into four main parts
  • Network Security
  • Physical Security
  • Host Configurations
  • Incident Handling and Response

34
Network Security
  • Applies to all network zones
  • All network access points maintain same level of
    security
  • Firewalls for different zones differ based on
    need
  • All network appliances must be authorized by ITS
  • Only ITS controlled devices can perform functions
    such as DNS, DHCP, NTP or dynamic routing

35
Network Security
  • All devices connected to the network must meet
    the Host Configuration specifications
  • All remote links into or out of network must be
    registered and approved with ITS
  • Logs of dates/times of access must also be kept
    and reviewed weekly
  • Network actively monitored for unauthorized
    traffic including penetration attempts, DoS
    attacks

36
Network Security
  • Only authorized users are allowed to use packet
    sniffers, protocol/keystroke analyzers
  • Any continuous streaming of large files
    considered very suspicious, ITS will trace
    computer and investigate user/machine.
  • All data transmitted outside of the internal
    zones or sent via is encrypted

37
Physical Security
  • Equipment in all zones (except General Intranet)
    is mandated to be in Geographically Restricted
    Areas (GRAs)
  • Designed to provide secure and limited access to
    network/information resources.
  • Includes environmental features, access/control
    mechanisms, disaster recovery/ information backup
    plans

38
Physical Security
  • Building independent temperature / humidity
    controlled environment fully supported by
    emergency power
  • Perimeter walls extending from the structural
    floor to structural ceiling
  • Physical mechanisms to control site access
  • Electronic locks
  • Access control list
  • Log containing names of persons, date and times
    they enter and leave the facility
  • Video surveillance of the GRA, with surveillance
    media maintained, archived on video tape. Video
    tapes will be stored in a different location than
    the GRA.
  • Self-closing, locked and alarmed access doors

39
Physical Security
  • Remotely monitored alarms
  • Uninterruptible power supply adequate to supply
    100% of system power for a 30 minute duration
  • Facility disaster recovery plan detailing
    emergency procedures
  • Fire detection and suppression system
  • Documented risk assessment and facility security
    plan
  • Locked and fire resistant cabinet space to enable
    on-site media storage
  • Mandatory personnel behavior policies (no
    smoking, no liquids, and trash removal)
  • Under no circumstances will the GRA be located in
    the basement or first floor of a structure
  • The GRA will be equipped with an adequately rated
    emergency power generator

40
Physical Security
  • Recommended Features
  • A location chosen to maximize physical security
  • No overhead water or sewer pipes
  • Disarmed sprinkler system

41
Physical Security
  • Computing resources available during regular
    business hours
  • Owners of computing resources must assign a
    system administrator or steward to
    oversee/maintain the resource
  • Only authorized persons are able to access GRAs,
    visitors must be logged and escorted
  • All equipment in the GRAs must be entered into
    the firewall database with all required info (IP
    addresses, MAC addresses, etc.)
  • Access log kept of each visit

42
Physical Security
  • Data Backup
  • Must have documented backup plan
  • Must be tested to allow timely data recovery in
    event of a loss
  • Data Storage
  • All confidential/sensitive data must be kept in a
    GRA
  • Must follow the Records Retention Schedule

43
Physical Security
  • Media Disposal
  • Pertains to all media that contains or has in the
    past contained sensitive data
  • Magnetic media degaussed
  • Permanent media (CDs, disks, paper files)
    physically destroyed

44
Physical Security
  • Media Accountability
  • If media contains sensitive information, must be
    marked as such including owner name, date of
    creation and serial number
  • Must have warning label
  • Hard copies must be stored in a locked filing
    cabinet or desk

45
Physical Security
  • Disaster Recovery and Maintenance
  • Must be a disaster recovery plan
  • Updated and tested annually
  • Maintenance logs must be kept including
  • date and time
  • reason for maintenance
  • person performing maintenance
  • actions taken

46
Host Configuration
  • Host guidelines differ for General Intranet and
    all other zones (GRA Restricted zones)
  • All zones must have virus scanners that
    automatically update
  • Password protection that engages after 10
    minutes of idle time

47
Host Configuration
  • General Intranet requirements
  • Must have boot-up authentication
  • Restricts what data can be stored
  • Defines what data has to be encrypted
  • Laptops must have drive encryption enabled
  • All PDAs must be password protected and backed up
    on a computer

48
Host Configuration
  • Configuration for hosts in GRA zones
  • Three steps
  • Must meet 6 security requirements
  • Must pass 5 part auditing and configuration
    approval process
  • Ongoing documentation process

49
Host Configuration
  • 6 security requirements
  • Approved host-based intrusion detection system
  • System logging enabled, sent real-time to central
    syslog server
  • Clocks updated every 60 minutes off central NTP
    server
  • Must be located within a GRA
  • Online maintenance record kept including OS and
    patch level, firewall exceptions, IPs, MAC
    address(es), ports that are listening
  • Host based virus scanner with auto-updates

50
Host Configuration
  • System Auditing/Configuration Approval
  • Physical security of system checked
  • Ports scanned and open ports verified
  • All applications installed verified for necessity
  • Maintenance logs reviewed for completeness and
    accuracy
  • OS and patch levels reviewed to look for any
    known vulnerabilities
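Slides 49 and 50 list what the online maintenance record must hold and what the auditor verifies against it. As an added example, not code from the presentation or from UTHSC-H, here is a small Python audit that parses a constructed `ss -Hltn` listing and compares it, together with the IP, MAC and patch level, against a hypothetical record; the data model, the sample values and the loopback rule are my assumptions.

```python
"""Added example (not from the slides or UTHSC-H): check a GRA host against
its online maintenance record. Data model and `ss -Hltn` sample are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class MaintenanceRecord:
    """Fields the slide says the online record must hold for each GRA host."""
    ip: str
    mac: str
    patch_level: str
    listening_ports: frozenset       # ports documented as listening
    firewall_exceptions: frozenset   # ports ITS has opened through the zone firewall

# Constructed record for a hypothetical host; the values are placeholders.
RECORD = MaintenanceRecord("10.0.5.20", "aa:bb:cc:dd:ee:01", "patchset-2007-03",
                           frozenset({22, 443}), frozenset({443, 8080}))

# Constructed `ss -Hltn` capture from the same host (TCP listeners, no header).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
LISTEN 0 128 127.0.0.1:514 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443   0.0.0.0:*
LISTEN 0 50  0.0.0.0:3306  0.0.0.0:*
"""

def parse_listening_ports(ss_text):
    """Return {port: local_address} for each LISTEN line of `ss -Hltn` output."""
    ports = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # also handles [::]:22
        ports[int(port)] = addr
    return ports

def audit_host(record, observed_ports, ip, mac, patch_level):
    """Compare the observed host state with its record; return the findings."""
    findings = []
    if ip != record.ip:
        findings.append(f"ip mismatch: record {record.ip}, host {ip}")
    if mac.lower() != record.mac.lower():
        findings.append(f"mac mismatch: record {record.mac}, host {mac}")
    if patch_level != record.patch_level:
        findings.append(f"patch level mismatch: record {record.patch_level}, host {patch_level}")
    # Loopback-only listeners are not reachable from the zone, so only the rest count.
    exposed = {p for p, a in observed_ports.items() if not a.startswith("127.")}
    for port in sorted(exposed - record.listening_ports):
        findings.append(f"undocumented listening port {port}")
    for port in sorted(record.listening_ports - set(observed_ports)):
        findings.append(f"documented port {port} is not listening (record is stale)")
    for port in sorted(record.firewall_exceptions - exposed):
        findings.append(f"firewall exception for port {port} with no listening service")
    return findings

if __name__ == "__main__":
    ports = parse_listening_ports(SS_OUTPUT)
    for finding in audit_host(RECORD, ports, "10.0.5.20", "AA:BB:CC:DD:EE:01", "patchset-2007-03"):
        print("FINDING:", finding)
```

Run on the constructed capture it reports the undocumented MySQL listener and the firewall exception with nothing behind it, the two gaps the annual inspection is meant to catch.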

51
Host Configuration
  • Ongoing Documentation
  • Server is tested any time an update occurs, such
    as ports being opened or an application being
    installed
  • Annual inspection of security of system and
    verification of accuracy of maintenance logs

52
Incident Handling and Response
  • Broken into 2 categories
  • Network Incident Handling and Response
  • Host Incident Handling and Response

53
Incident Handling and Response
  • Network
  • Detected by looking at log discrepancies and
    unusual traffic patterns
  • Host
  • Detected by looking at unsuccessful logon
    attempts, log discrepancies, new executable or
    unfamiliar files, modifications to file
    lengths/dates, changes in system files, etc.
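As an added example (not from the presentation or from UTHSC-H), the two host indicators above that are easiest to automate, checked against constructed data: a burst of unsuccessful logon attempts in a sample sshd log, and new files or changed file sizes, dates and contents against a stored integrity baseline. The thresholds, the log lines and the snapshot values are assumptions.

```python
"""Added example, not from the slides: two host indicators above on constructed data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt in syslog format (no year, as usual).
AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:05 web1 sshd[4013]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 02:14:06 web1 sshd[4014]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar  3 02:14:09 web1 sshd[4015]: Failed password for root from 203.0.113.9 port 51032 ssh2
Mar  3 02:14:40 web1 sshd[4020]: Accepted password for root from 203.0.113.9 port 51040 ssh2
Mar  3 09:30:00 web1 sshd[5100]: Failed password for alice from 10.0.1.7 port 40001 ssh2
"""
FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (\S+)")

def failed_logon_bursts(log_text, threshold=5, window_s=60):
    """Source IPs that reached `threshold` failures within `window_s` seconds, with the count."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamps[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    bursts = {}
    for src, ts in stamps.items():
        ts.sort()
        for i, start in enumerate(ts):  # sliding window anchored at each failure
            n = sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_s)
            if n >= threshold:
                bursts[src] = max(bursts.get(src, 0), n)
    return bursts

# Integrity snapshots {path: (size, mtime, sha256)}; constructed, hashes are placeholders.
BASELINE = {
    "/bin/ls":     (98304, 1172476800, "hash-ls-v1"),
    "/etc/passwd": (1380,  1172476800, "hash-passwd"),
}
CURRENT = {
    "/bin/ls":     (99120, 1172908800, "hash-ls-v2"),   # size and content changed
    "/etc/passwd": (1380,  1172908800, "hash-passwd"),  # only the timestamp moved
    "/tmp/.x":     (5120,  1172908800, "hash-unknown"), # unfamiliar new file
}

def integrity_diff(baseline, current):
    """Sorted (path, change) pairs: new/removed files, content or timestamp changes."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "new file"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path][2] != current[path][2]:
            changes.append((path, "content changed"))
        elif baseline[path] != current[path]:
            changes.append((path, "timestamp changed"))
    return changes
```

The hash comparison is what separates a real change to `/bin/ls` from a mere `touch` of `/etc/passwd`; a size-and-date check alone would miss a same-length replacement with a preserved timestamp.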

54
Incident Handling and Response
  • Same 4 step general procedure for resolution
  • Detect
  • Contain
  • Resolve
  • Prevent

55
Incident Handling and Response
  • Step 1: Detect
  • Look for indications / discrepancies listed above
  • Investigate/evaluate to determine if incident is
    a problem or not

56
Incident Handling and Response
  • Step 2: Contain
  • Depending on nature of incident, host might be
    disabled, shutdown or removed to prevent further
    loss or damage to the resource or other resources
    on the network

57
Incident Handling and Response
  • Step 3: Resolve
  • Notify host owners / IT Security department
  • Determine scope and impact of incident
  • Solve the problem the incident has caused

58
Incident Handling and Response
  • Step 4: Prevent incident from reoccurring
  • Report incident to IT Security department with
    full documentation of
  • How it occurred
  • Why it occurred
  • How it was resolved
  • IT Security department will keep record of all
    events and resolutions for future use

59
Incident Handling and Response
  • Step 4, continued
  • Sanctions may be put in place depending on
    severity
  • If due to carelessness of a user, user forbidden
    from using resource, or trained, or otherwise
    reprimanded
  • Any loopholes documented and closed

60
Incident Handling and Response
  • Step 4, continued
  • Meeting takes place to
  • Define the problem
  • How it happened
  • How it can be prevented
  • How the response was handled
  • How the response can be improved
  • Determine if changes to the Security Policies
    need to be made

61
In Conclusion
  • Information is one of the most valuable resources
    an organization possesses
  • Information must be protected from threats, both
    internal and external, intentional or accidental
  • CIA Triad maintained
  • Confidentiality
  • Integrity
  • Availability

62
In Conclusion
  • IS policies should be implemented and reviewed on
    a regular basis to help protect information
    resources
  • Security and control tools can be put in place to
    aid in protection
  • Locking cabinets
  • Encryption
  • Password protection
  • Security Information Management Systems
  • Trend Analysis

63
In Conclusion
  • Success of IS implementation should be assessed
  • What needs to be protected?
  • How well are those areas currently protected?
  • Risk Analysis
  • Assess/Develop risk management procedures
  • Create security policies, review periodically
  • Managers determine responsibilities, implement
    changes

64
Funny (or sad)
  • Computer technician accidentally wipes out info
    on Alaska's $38 billion fund
  • Reformats primary data, and backup data
  • Third line of defense (magnetic tape backups)
    unreadable
  • Had to resort to files in 300 cardboard boxes
  • Cost over $220,000 to get back to normal

Source: Associated Press
65
Questions or Comments?
  • Anyone have any major data losses at their
    company?
  • How did it happen?
  • How was it resolved?
  • How did it change procedures?
  • See possible future problems at your work?

66
Thanks!
References
  • Harrington, Jan L. Network Security.
  • Dhillon, Gurpreet. Principles of Information Systems Security.
  • Mandia, Kevin, Chris Prosise & Matt Pepe. Incident Response and Computer Forensics.
  • Paquet, Catherine & Warren Saxe. The Business Case for Network Security: Advocacy, Governance, and ROI.
  • http://en.wikipedia.org/wiki/Information_security
  • http://www.ccert.edu.cn/education/cissp/hism/ewtoc.html
  • http://www.sans.org/reading_room/whitepapers/auditing/1204.php?portal=a08e9afacbce0d3c7c35997e75779c5a
  • http://www.niser.org.my/isms/docs/publications/isms_roles_and_responsibilities.pdf
  • http://www.sans.org/sansfire07/description.php?cid=1042
  • http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
  • http://www.esecurityplanet.com/alerts/article.php/3666046
  • http://www.uth.tmc.edu/itsecurity/