Information Security
Introduction
1. Introduction
The requirements of information security within an
organization have undergone two major changes in the last several decades.
With the introduction of the computer, the need for
automated tools for protecting files and other information stored on the computer
became evident. This is especially the case for a shared system, such as a
time-sharing system, and the need is even more acute for systems that can be
accessed over a public telephone network, data network, or the Internet. The
generic name for the collection of tools designed to protect data and to thwart
hackers is computer security.
The second major change that affected security is the
introduction of distributed systems and the use of networks and communications
facilities for carrying data between terminal user and computer and between
computer and computer. Network security measures are needed to protect data
during their transmission. In fact, the term network security is
somewhat misleading, because virtually all business, government, and academic
organizations interconnect their data processing equipment with a collection of
interconnected networks. Such a collection is often referred to as an internet,
and the term internet security is used.
There are no clear boundaries between these two forms of
security. For example, one of the most publicized types of attack on information
systems is the computer virus. A virus may be introduced into a system
physically when it arrives on an optical disk and is subsequently loaded onto a
computer. Viruses may also arrive over an internet. In either case, once the
virus is resident on a computer system, internal computer security tools are
needed to detect and recover from the virus.
1.1. Computer Security Concepts
The NIST Computer Security Handbook [NIST95] defines the term computer
security as:
"The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability,
and confidentiality of information system resources (includes hardware,
software, firmware, information/data, and telecommunications)."
This definition introduces three key objectives that are at
the heart of computer security.
· Confidentiality: This term covers two related concepts:
  o Data confidentiality: Assures that private or confidential information is
    not made available or disclosed to unauthorized individuals.
  o Privacy: Assures that individuals control or influence what information
    related to them may be collected and stored and by whom and to whom that
    information may be disclosed.
· Integrity: This term covers two related concepts:
  o Data integrity: Assures that information and programs are changed only in
    a specified and authorized manner.
  o System integrity: Assures that a system performs its intended function in
    an unimpaired manner, free from deliberate or inadvertent unauthorized
    manipulation of the system.
· Availability: Assures that systems work promptly and service is not denied
  to authorized users.
These three concepts form what is often referred to as the CIA
triad. The three concepts embody the fundamental security
objectives for both data and for information and computing services.
1.1.1. Confidentiality
Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of
information. Confidentiality ensures
that the necessary level of secrecy is enforced at each junction of data
processing and prevents unauthorized disclosure.
Attackers can thwart confidentiality mechanisms by network
monitoring, shoulder surfing, stealing password files, breaking encryption schemes,
and social engineering. Users can intentionally or accidentally disclose
sensitive information by not encrypting it before sending it to another person,
by falling prey to a social engineering attack, by sharing a company’s trade
secrets, or by not using extra care to protect confidential information when
processing it.
Confidentiality can be provided by encrypting data as it is
stored and transmitted, enforcing strict access control and data
classification, and by training personnel on the proper data protection
procedures.
1.1.2. Integrity
Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of
integrity is the unauthorized modification or destruction of information. Integrity is upheld when the assurance
of the accuracy and reliability of information and systems is provided and any
unauthorized modification is prevented. Hardware, software, and communication
mechanisms must work in concert to maintain and process data correctly and to
move data to intended destinations without unexpected alteration. The systems
and network should be protected from outside interference and contamination.
When an attacker inserts a virus, logic bomb, or back door
into a system, the system’s integrity is compromised. This can, in turn, harm
the integrity of information held on the system by way of corruption, malicious
modification, or the replacement of data with incorrect data. Strict access
controls, intrusion detection, and hashing can combat these threats.
1.1.3. Availability
Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an
information system. Network devices, computers, and
applications should provide adequate functionality to perform in a predictable
manner with an acceptable level of performance. They should be able to recover
from disruptions in a secure and quick fashion so productivity is not
negatively affected. Necessary protection mechanisms must be in place to
protect against inside and outside threats that could affect the availability
and productivity of all business-processing components.
Ensuring the availability of the necessary resources within
an organization sounds easier to accomplish than it really is. For example, networks
have many pieces that must stay up and running (routers, switches, DNS
servers, DHCP servers, proxies, firewalls). Software has many components that
must be executing in a healthy manner (operating system, applications,
antimalware software). There are environmental aspects that can negatively
affect an organization’s operations (fire, flood, HVAC issues, electrical
problems), potential natural disasters, and physical theft or attacks. An
organization must fully understand its operational environment and its
availability weaknesses so that the proper countermeasures can be put into
place.
1.1.4. Authenticity
Authenticity is the property of being genuine and being able
to be verified and trusted; confidence in the validity of a transmission, a
message, or message originator. This means verifying that users are who they
say they are and that each input arriving at the system came from a trusted
source.
1.1.5. Accountability – Nonrepudiation
Accountability is the security goal that generates the
requirement for actions of an entity to be traced uniquely to that entity. This
supports nonrepudiation, deterrence, fault isolation, intrusion detection and
prevention, and after-action recovery and legal action. Because truly secure
systems are not yet an achievable goal, we must be able to trace a security
breach to a responsible party. Systems must keep records of their activities to
permit later forensic analysis to trace security breaches or to aid in
transaction disputes.
The following provides a short list of some of these
controls and how they map to the components of the CIA triad:
· Confidentiality
  o Encryption for data at rest (whole disk, database encryption)
  o Encryption for data in transit (IPSec, SSL/TLS, PPTP, SSH)
  o Access control (physical and technical)
· Integrity
  o Hashing (data integrity)
  o Configuration management (system integrity)
  o Change control (process integrity)
  o Access control (physical and technical)
  o Software digital signing
· Availability
  o Redundant array of inexpensive disks (RAID)
  o Clustering
  o Load balancing
  o Redundant data and power lines
  o Software and data backups
  o Disk shadowing
  o Co-location and off-site facilities
  o Roll back functions
  o Fail over configurations
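As an added example (not part of the original lecture notes), the sketch below combines the hashing control listed under Integrity with the activity records that Accountability calls for: every log entry names its actor and carries a keyed hash chained to the previous entry, so an edited or deleted record is detected. The key, the field names and the sample entries are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice it is kept off the logging host.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # chain value that precedes the first record


def _mac(prev, record):
    # Keyed hash over the previous entry's MAC plus this record's fields.
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, prev.encode() + body, hashlib.sha256).hexdigest()


def append(log, actor, action):
    # Each record names the entity that acted, so actions trace to one actor.
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": len(log), "actor": actor, "action": action}
    log.append({**record, "mac": _mac(prev, record)})
    return log


def verify(log, head=None):
    """Return the index of the first bad entry, or None if the log is intact.

    head is the last MAC as stored somewhere else; without it, records cut
    from the end of the log cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in ("seq", "actor", "action")}
        if entry["seq"] != i or not hmac.compare_digest(entry["mac"], _mac(prev, record)):
            return i
        prev = entry["mac"]
    if head is not None and prev != head:
        return len(log)
    return None


def build_sample():
    # Constructed sample activity, not taken from any real system.
    log = []
    for actor, action in [("alice", "login"), ("bob", "read payroll.csv"),
                          ("bob", "modify payroll.csv"), ("alice", "logout")]:
        append(log, actor, action)
    return log
```

A plain unkeyed hash would detect accidental corruption only; the key is what stops someone who can rewrite the log from recomputing matching values.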
Lecture Reference:
W. Stallings, “Network Security Essentials: Applications and Standards, Fourth Edition.”