---
author: Jim Hogan
date: 2015-01-08
transition: fade
incremental: false
---
http://github.com/brianhigh/research-computing
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Some terms may not be meaningful to you yet, but in this session we'll cover material in 5 main areas:
- Part 1: Some philosophical foundations of information security
- Part 2: Risk assessment
- Part 3: Security controls
- Part 4: Encryption
- Part 5: Security best practices
The most common framework in Information Security, or "InfoSec", is CIA.
- Confidentiality
- Integrity
- Availability
Failure to adhere to CIA? What could happen?
Possible results of a failure:
- Confidentiality: Unintended disclosure. Harm to study subjects, lawsuits against the sponsoring institution, et cetera.
- Integrity: Data is corrupt, incorrect, inconsistent, or invalid. Harm? Incorrect conclusions, damage to the scientific literature, loss of funding, damage to reputations.
- Availability: What good are confidentiality and integrity if your study data is lost in a fire or theft?
"He who defends everything defends nothing."
How do you decide where to spend your finite, limited resources and time to protect your data and information?
Risk Management is a cornerstone of good information security practices.
Risk Assessment and Management covers a lot of turf and is very diverse.
An example of a formulaic method is SLE, or Single Loss Expectancy. SLE is calculated with the formula:

SLE = Asset Value × Exposure Factor

Calculate the asset value and the so-called "exposure factor" (how much of this stuff is at risk?):
- Asset Value = Laptop ($2000) + TV ($1200) = $3200
- Exposure? Laptop, YES. TV, NO.
- Exposure Factor = $2000 / $3200 = 0.625
- Single Loss Expectancy = $3200 × 0.625 = $2000
"Exposure" is not limited to a specific object, but can be an expression of likelihoods and probabilities.
To paraphrase conflicting definitions, "Security controls are safeguards or countermeasures to avoid, counteract, minimize and/or recover from risks and threats related to security".
Controls can be classified by realm:
- administrative (for example, written policies that are enforced)
- logical (required computer accounts are the most common example)
- physical (door locks and access cards, for example)

And by function:
- preventative
- corrective or mitigating
- restorative
Some domestic burglary risk management:
- A guard dog?
- An alarm sign?
- A real alarm?
- No silver bullet
- Multi-faceted approach mandatory
- "Layered Defense"
- Remember that an asset can be a risk

- Hard to say "typical"
- Much of modern-day risk revolves around the Internet and World-Wide Web
Let's quickly review a number of common threats and terms:
- Social Engineering
- Trojans
- Phishing
- Spear Phishing
- Brute Force Attack
- Escalation of Privilege
- Advanced Persistent Threat
- Zero-Day Exploits
- SQL Injection
- DoS/DDoS
Social engineering refers to using psychological means to manipulate people into performing certain actions or divulging confidential information. It is the crux of many gumshoe detective novels and is not confined to information security in the computing and systems sense. Think of a detective telling a receptionist "Your boss said I need to fix his telephone right away!" when really all the detective wants is to look in the boss's file cabinet for evidence. It is a linchpin of many other threats and techniques.
A Trojan (from Trojan Horse) is an exploit most commonly delivered over a network (but not always; USB keys have been used). The key to a Trojan is that it does something different from what you were led to believe, and it requires an action on the part of the recipient to open the hatch, more or less, and let all of the Greeks out.
Phishing should be familiar: the technique of sending formatted emails made to look like they are from an institution such as a bank, all in order to trick people into divulging personal information like passwords and credit card numbers. You've seen them: emails saying that your checking account at Wells Fargo is being shut down unless you CLICK HERE. But you don't have a Wells Fargo account!
Spear phishing is a variation that is much more targeted: the perpetrators know that a group of people have certain assets, positions or information and craft a much more customized, realistic message. An example might be an email to all of the stockbrokers at Bank X, apparently from the bank president, inviting them to sign up for the annual meeting in Hawaii (which does exist).
Threats can also be mixed, like spear phishing emails that also carry a Trojan.
Imagine you forgot the 4-digit code to the bathrooms in Roosevelt. Everyone else has gone home. So you start entering a sequence of 4-digit codes as fast as you can to see if one matches. That is brute force. Thankfully, on-line brute force attacks can often be spotted and mitigated, but not so when they are used off-line to recover actual passwords from password hashes.
Escalation of privilege is the technique, often exploratory in nature, by which a perpetrator gains increased privileges on a computer system over time. We've made an analogy for this in a separate short feature.
An APT is a combination of sophisticated techniques used in an attack, to the point that the threat elements persist on the system after the initial attack and may be difficult or even impossible to remove.
A so-called "zero-day" is an exploit against software and/or systems that becomes known to the world at large before the author, publisher, or manufacturer has had even one day to try to fix it and issue a patch. So, a zero-day
"Sequel" (SQL) injection is an attack method aimed specifically at relational database systems, most often through forms on Web sites that use a SQL-based data store. It works when a poorly designed or coded Web page or form allows an attacker to append SQL commands to a Web site URL or form field such that the injected query gets processed by the database. This is just one of a number of Web-specific attacks, but perhaps the most common.
These stand for Denial of Service and Distributed Denial of Service. The latter has become increasingly common: a large number of computers are employed to overload another computer by sending vast numbers of requests to it over the Internet.
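Added example (not from the original deck) of the injection mechanism just described and its standard fix, using Python's built-in sqlite3 module and a constructed two-user table: the login check built by string concatenation lets a quote in the input rewrite the query, while the parameterized version compares the same input as plain data.

```python
import sqlite3

# Constructed in-memory table standing in for a Web site's SQL-based data store.
# (Real systems store password hashes, not passwords; kept simple for the demo.)
SETUP = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn


def login_vulnerable(conn, username, password):
    # The form values are pasted into the SQL text, so quote characters in
    # the input become part of the query the database parses.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterized query: values travel separately from the SQL text and
    # are only ever compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    # The textbook input: a quote that closes the string plus a tautology.
    tainted = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", tainted),  # every user
        "safe": login_safe(conn, "alice", tainted),              # nobody
        "legit": login_safe(conn, "alice", "correct horse"),     # alice only
    }


if __name__ == "__main__":
    print(demo())
```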
- Access Control
  - Physical/logical/network
  - Software
  - Anti-Virus
  - Browser configuration and add-ins
- Alarm Systems and Monitoring
  - Intrusion Detection (physical and logical)
  - Server hardware health
  - Environmental conditions (temp, smoke, fire)
- Redundancy and Backups

- Identification
- Authentication
- Authorization

Some controls can operate in different realms, sometimes at the same time.

Consider:
- Backups
- Archives
- Got snapshots?
- Version control
Wikipedia says "In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it." That sounds about right.
Cryptography itself goes back in some form to ancient times, but "crypto" and encryption based on sophisticated mathematical algorithms really started to emerge in the 20th century. Late in that century the emergence of the Internet helped propel the use of encryption and standards for its use.
Modern cryptography is based on so-called keys of differing types.
Here's an example of a pretty much randomly generated key:
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,568B9A3A3399B91F

(base64-encoded key material omitted)
-----END RSA PRIVATE KEY-----
```
All keys appear to be this meaningless!
These uses generally fall into two main classes:
- Encryption of data in motion, in transport "streams"
- Encryption that is more or less file-based

Data in motion:
- Protocols and tools like SSH, SFTP (SSL/TLS)
- Secure Web using SSL, represented by the lock symbol
- Digital Certificates, mostly for Web sites but also applications
- Negotiation

File-based:
- 7-Zip
- TrueCrypt
- PGP

- Codes/ciphers: the mathematics continue to evolve to defeat code breakers
- Keys: length is a "key" factor in strength
- Standards include NIST standards like
  - DES
  - 3DES
  - AES
A breakthrough in cryptography led to the technology referred to as Public Key Encryption. The usual diagram shows how users can make their public key available to a friend or to the whole world while retaining the complementary private key, which is required to decrypt what was encrypted with the public key.
PGP is popular software that employs this public-key method.
- Security on personal computers and devices is easily subverted.
- Internet-connected devices are under attack day and night.
- Anti-virus software is not updated fast enough to keep up.
- Least Privilege
- Default Deny-All policies and explicit permissions
- Characterize and understand the baseline security environment and leverage it. Don't reinvent and risk possibly making things more complicated.
- Subscribe to relevant security announcement lists
- Use widely adopted industry standards like OWASP
  - [Web application security: OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10)
- Safeguard private keys!
- Krebs on Security Blog
- Wikipedia, "History of Cryptography"
- Wikipedia on Single Loss Expectancy
- [DDoS on GitHub](http://arstechnica.com/security/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/)
- Purchase Uber Logins Online!
- UW Professor encounters Ransomware (in class)