Foundations of Information Security: A Straightforward Introduction - Jason Andress
1. Introduction
McCumber Cybersecurity Model: Protect information in transmission, in storage, while processing. Includes technology, policies & practices, and education.
Information Security Triad:
- Confidentiality
- Integrity
- Availability
Risk Management Process:
- Identify Assets
- Identify Threats
- Assess Vulnerabilities
- Assess Risks
- Mitigate Risks
2. Identification and Authentication
Need to verify identities, so that we can ensure that only authorized users can see or modify data.
ID factors:
- What you know: password, PIN, answer to secret question
- What you have: ATM card, cell phone, smart token
- What you are: biometrics (more on this later)
- What you do: keystroke patterns, voice patterns, signature recognition
- Where you are: at a specific location, using a specific device (trusted path)
3. Authorization and Access Control
Controlled access: which subjects (human users) have access (read/write/execute) to which objects (files, directories)?
Windows access control lists vs. Linux chmod
Rule-based vs. role-based access control
Multilevel security models:
- Bell-LaPadula (BLP) Model (most influential)
- Biba Integrity Model
- Brewer and Nash model (Chinese Wall Model)
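As an added illustration (not from the book), a toy reference monitor that encodes the Bell-LaPadula confidentiality rules and the Biba integrity rules over a linear ordering of levels; the level names, subjects and objects are constructed for the example.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) decisions
# over a linear lattice of levels. Levels and sample principals are constructed.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject_clearance: Level, object_label: Level, op: str) -> bool:
    """Bell-LaPadula: 'read' follows the simple security property (no read up);
    'write' follows the *-property (no write down). Equal levels are allowed."""
    if op == "read":
        return subject_clearance >= object_label
    if op == "write":
        return subject_clearance <= object_label
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject_integrity: Level, object_integrity: Level, op: str) -> bool:
    """Biba: 'read' follows the simple integrity property (no read down);
    'write' follows the integrity *-property (no write up)."""
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation: {op}")


def audit_decision(model, subject, s_level, obj, o_level, op) -> str:
    """One access decision rendered as an audit record (ties in with the
    accountability chapter: who tried what, against which object, with which result)."""
    verdict = "ALLOW" if model(s_level, o_level, op) else "DENY"
    return (f"{verdict} {model.__name__} subject={subject}({s_level.name}) "
            f"op={op} object={obj}({o_level.name})")


if __name__ == "__main__":
    # Constructed sample: a SECRET-cleared analyst against two labelled documents.
    docs = [("budget.txt", Level.CONFIDENTIAL), ("plans.txt", Level.TOP_SECRET)]
    for obj, label in docs:
        for op in ("read", "write"):
            print(audit_decision(blp_allows, "analyst", Level.SECRET, obj, label, op))
            print(audit_decision(biba_allows, "analyst", Level.SECRET, obj, label, op))
```

Running it shows the two models giving opposite answers for the same request: BLP lets the analyst write up into plans.txt but not read it, while Biba lets the analyst read it but not write it.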
4. Auditing and Accountability
Accountability: All actions of an entity can be traced uniquely to that entity. I.e. keeping accurate records of who did what and when they did it.
Auditing: the (periodic) process of reviewing an organization’s records or information.
5. Cryptography
Cryptography: The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
Cryptographic system: Associated information assurance items interacting to provide a single means of encryption or decryption.
Plaintext: Data input to the Cipher or output from the Inverse Cipher.
Ciphertext: Data output from the Cipher or input to the Inverse Cipher.
Cipher: Any cryptographic system in which arbitrary symbols or groups of symbols represent units of plaintext, or in which units of plaintext are rearranged, or both.
Encryption (encode, encipher): Conversion of plaintext to ciphertext through the use of a cryptographic algorithm.
Decryption (decode, decipher): Conversion of ciphertext to plaintext through the use of a cryptographic algorithm.
Cryptology: The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.
Cryptanalysis: The study of mathematical techniques for attempting to improve or defeat cryptographic techniques and information-system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
Block vs. stream ciphers
Asymmetric vs. symmetric-key cryptography
Diffie-Hellman key exchange
6. Compliance
Compliance: satisfying the requirements of laws, regulations or contracts.
Can be internally (source code, trade secrets) or externally (HIPAA, FERPA, GDPR) defined
Controls: physical, administrative, or technical; key vs. compensating controls
7. Operations Security
Holistic approach to Operations Security:
- Identify critical information: can be internally defined (source code, trade secrets, etc.) or externally defined (HIPAA, FERPA, GDPR, etc.)
- Threat analysis
- Vulnerability analysis
- Risk assessment
- Apply countermeasures
Laws of OpSec:
- Know the threats
- Know what to protect
- Protect the information
8. Human Security
Password attacks: brute-force vs. dictionary attacks
Social engineering: phishing, spam, pretexting, tailgating, shoulder-surfing
9. Physical Security
Protect the data by protecting people, equipment, and facilities.
Major sources of physical threats:
- Extreme temperature - extreme heat or cold
- Gases - includes humidity or dry air, gases, suspended particles
- Liquids - includes water, chemicals
- Living organisms - viruses, bacteria, animals, insects
- Projectiles - powered objects
- Movement - shaking, collapse, slide, vibrating
- Energy anomalies - electrical surge, static electricity, radiation
- People
- Toxins
- Smoke and fire
Physical security controls:
- Deterrent controls - discourage people from violating the security controls.
- Detective controls - sense and report undesirable events.
- Preventive controls - physical means to keep unauthorized entities from breaching your physical security.
10. Network Security
ISO/OSI Reference Model - Provides a common basis for coordination of standards. Based on a hierarchical model:
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Data Link Layer
- Physical Layer
Network attacks:
- Distributed denial of service
- Port scanning
- Interception
- Replay
- Spoofing/Masquerading
- Hijacking
Mitigation:
- Remove non-essential services
  - See netstat
- Keep systems updated
- Use a firewall:
  - Packet filtering
  - Stateful packet inspection
  - Deep packet inspection
- Use a Proxy
- Use a DMZ
- Install Intrusion Detection System
- Use a VPN
11. Operating System Security
Operating System: mediates between user/applications and computer hardware; manages resources and permissions.
OS Hardening:
- Remove unnecessary software
- Remove unneeded services
- Alter or remove default accounts
- Use principles of least privilege
- Update software
- Implement logging and auditing
Center for Internet Security Benchmarks
12. Mobile, Embedded, and Internet of Things Security
Securing and managing mobile devices in a business context
Security concerns with: embedded systems, industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, Internet of Things devices
13a. Web Security
Web Bugs / Tracking Pixels
Clickjacking
Drive-By Downloading
Obtaining user or web site data:
- Dot-Dot-Slash
- Cross-Site Scripting
- SQL Injection
Prevention: sanitize your inputs!
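As an added example (not from the book), the same user lookup written with string formatting and with a bound parameter, run against a constructed in-memory SQLite table; it shows why "sanitize" in practice means parameterised queries plus allow-list validation, not quote-stripping.

```python
# Added example: SQL injection, vulnerable form beside the parameterised form.
# The users table and its two rows are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input spliced into the statement text: the input can become SQL syntax
    (a quote in a legitimate name like o'brien breaks it too)."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the driver passes the input as a value, never as syntax,
    so data and control instructions stay separated."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> bool:
    """Allow-list validation as a second layer: reject anything that is not a short
    alphanumeric token before it reaches the database at all."""
    return 1 <= len(name) <= 32 and name.isalnum()


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"            # the classic tautology, here as a test input
    print(lookup_vulnerable(conn, hostile))  # every row: the WHERE clause became always-true
    print(lookup_safe(conn, hostile))        # no rows: looked for a user literally named that
    print(validate_username(hostile))        # False: rejected before any query runs
```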
13b. Software Security
Secure programming / design principles:
- Least privilege
- Fail-safe defaults
- Economy of mechanism
- Complete mediation
- Separation of privilege
- Open design
- Least common mechanism
- Least astonishment
Avoiding the Top 10 Software Security Design Flaws:
- Use an authentication mechanism that cannot be bypassed or tampered with
- Authorize after you authenticate
- External components change the attack surface
- Earn or give, but never assume trust
- Define an approach that ensures all inputs/data are explicitly validated
- Strictly separate data and control instructions, and never process control instructions from untrusted sources
- Identify sensitive data and how they should be handled
- Use cryptography correctly
- Always consider users
- Be flexible when considering future changes to objects and actors
Secure coding
- A style of programming that prevents abnormal termination or unexpected actions.
- Handles bad input gracefully
- Detects internal errors and handles them gracefully.
Defensive programming
- What could someone deliberately do to compromise your program?
- What could someone unintentionally do to compromise your program?
Buffer overflow + integer overflow attacks
Code auditing: code comprehension vs. candidate point strategies
Static code analysis with flawfinder
Fuzzing
14. Security Assessment
Vulnerability assessment: mapping and discovery
Infrastructure devices (servers) vs. end-user devices (desktops, mobile devices)
Unauthenticated (e.g. nmap) vs authenticated vulnerability scanning
Agent-based vs. application (e.g. Burp Suite) scans
Penetration testing:
- Scoping
- Reconnaissance
- Discovery
- Exploitation
- Reporting
Data Representation
Data Representation Overview - YouTube, ~20 min.