Information Security Foundations - Harvard University

Date post: 13-Nov-2021
Page 1: Information Security Foundations - Harvard University

Information Security Foundations

Page 2: Information Security Foundations - Harvard University

Welcome to Information Security Foundations!

This 4-hour workshop describes the fundamentals of information security.

Designed for all IT employees at Harvard.

Page 3: Information Security Foundations - Harvard University

Course Objectives

• Be familiar with the principles of information security
• Understand terminology used in information security
• Integrate information security into every IT role and function at Harvard
• Relate security principles to sample situations
• Hypothesize security design flaws that enabled recently reported breaches; identify lessons learned for Harvard

Page 4: Information Security Foundations - Harvard University

Information Security & The T-Shaped Professional

The T-shaped model is about depth & breadth of expertise
• Keep up with changing technologies and their impact on higher education
• Maintain a service mindset and trusted advisor relationships

Information Security is a core practice
• Cuts across all disciplines – impacts the “what and the how” of IT services

Page 5: Information Security Foundations - Harvard University

Administrative Notes

• Breaks and end time
• Electronics – please mute
• Restrooms and fire exits

Page 6: Information Security Foundations - Harvard University

Introductions

• Name
• Where you work
• Your role within information security
• What you hope to get out of today’s course

Page 7: Information Security Foundations - Harvard University

Agenda

Information Security Principles
• Information Security’s role
• Threats, vulnerabilities, and risks
• Policy and standards to manage risk

Secure by Design
• Data Security
• System and Application Security
• Cloud Considerations

Information Security Case Studies

Page 8: Information Security Foundations - Harvard University

Information security ensures authorized people and systems will have access to reliable data when they need it.

“It’s not like a secure version of Microsoft Word is any better at spell checking or formatting your document. It’s about the stuff that doesn’t happen.”

Stephen Chong, Associate Professor of Computer Science
Trusting the system: Innovations for an insecure world
http://www.seas.harvard.edu/topics/topics-fall-2015/trusting-system-innovations-for-insecure-world

What are examples of things gone wrong?

Page 9: Information Security Foundations - Harvard University

Security, Privacy, and Trust: Access to Electronic Information
http://hwpi.harvard.edu/files/provost/files/policy_on_access_to_electronic_information.pdf
https://youtu.be/9nTpN97KYaM?t=683

Page 10: Information Security Foundations - Harvard University

IT Professional Code of Conduct
http://huit.harvard.edu/it-professional-code-conduct-protect-electronic-information

Being a Trusted Advisor

1. We only obtain the information we need to perform our job or which we have been directed to obtain by proper University or legal authorities.
2. We only use the information gathered for the purpose for which it was obtained, properly protect the information while in our possession, and dispose of it properly once it is no longer needed for business purposes.
3. We will not peruse or examine users’ electronic information for any purpose other than to address a specific issue.
4. We understand any failure to meet the Code of Conduct is considered a violation of trust and is grounds for disciplinary action up to and including dismissal.
5. We will sign a yearly acknowledgment that we have received, read, and understood this Code of Conduct.

Page 11: Information Security Foundations - Harvard University

The “Big Four” Behaviors for Everyone

• Click wisely
• Apply updates
• Use strong passwords
• Know your data

You help keep Harvard secure.
http://security.harvard.edu

Page 12: Information Security Foundations - Harvard University

InfoSec Professionals Keep the Lights On!

Business goal: illuminate room using energy-efficient LED bulbs in ceiling fixtures

Attacker: defeat goal! (Suggest 10 methods)

InfoSec professional: consider reasonable controls to reduce vulnerabilities

Page 13: Information Security Foundations - Harvard University

Threats, Vulnerabilities, and Risks

Threat agent       | Exploits a vulnerability                              | Resulting in a risk
Cyber criminal     | Unrestricted domain admin account                     | Exfiltration or destruction of research data – lost grant $
Employee           | SSNs never purged despite records retention policy    | Privacy breach is 4x larger than active record base
Hacktivism group   | Unpatched WordPress or ColdFusion on website          | Defaced website causes public embarrassment
Emerging technology| Coursework not accessible on new tablet OS            | Students create insecure app that leaks student data

For any risk – consider the probability and impact if the threat and vulnerability come together.

Security seeks to balance the cost of controls against potential losses and gains, to keep the business successful.

Page 14: Information Security Foundations - Harvard University

Data Classification and Handling: A Risk-Based Approach

Do you know the data you work with? Does the data owner?

policy.security.harvard.edu

Page 15: Information Security Foundations - Harvard University


Workbook Quiz: What is the risk level?

Financial Aid Application Detail

Course Catalog

Pre-Publication Research Report

Ukraine Protesters’ Twitter Accounts

Vendor Contract

Page 16: Information Security Foundations - Harvard University

Break: 10 minutes

Page 17: Information Security Foundations - Harvard University

Secure by Design: Part 1

Page 18: Information Security Foundations - Harvard University

Secure by Design: Part 1

Common Design Errors

Identification & Authentication

Authorization

Owner-Defined Authorization

Identity & Access Administration

Data Integrity and Confidentiality (Hashing and Encryption)

Small Group Activity: Protect De-Identified Research Data

Data

Page 19: Information Security Foundations - Harvard University

Secure by Design: Common Errors

Page 20: Information Security Foundations - Harvard University

Identification & Authentication

…because we can’t ALL be Spartacus

Page 21: Information Security Foundations - Harvard University

Identification & Authentication

Identification: a method of ensuring a subject (i.e. user, process, or program) is the entity it claims to be.

Authentication: positive proof of an identity through a recognized credential, e.g., password, token, or code.

2-Step (aka 2-Factor) Authentication: required presentation of two types of credentials from the following:
• Something you know (e.g., password)
• Something you have (e.g., code sent to your smartphone)
• Something you are (e.g., fingerprint)

Page 22: Information Security Foundations - Harvard University

Which access accounts/methods are risky and may need stronger authentication?

Where do you use these methods?

Page 23: Information Security Foundations - Harvard University

Authorization: Specific Allowed Actions

Authorization = rights and privileges associated with a subject to access specified resources and perform certain actions.

Group Authorization (criteria-based: no specific request process): 18+ = can be in night club; 21+ = can drink alcohol

Individual Authorization: a manager can view certain records and conduct specific transactions

Page 24: Information Security Foundations - Harvard University

Authorization: Guiding Practices

Least Privilege: the practice of limiting access to the minimal level that will allow normal functioning.
• This can be applied to accounts associated with people, processes and programs.

Segregation of Duties: an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.

Where do “least privilege” and “segregation of duties” fit into the club and PeopleSoft examples?

Page 25: Information Security Foundations - Harvard University

Owner-Defined Authorization = Error-Prone

If everyone can set audience and authorization levels… then everyone IS responsible for a data protection project!

Page 26: Information Security Foundations - Harvard University

Why is Identity and Access Management difficult?
• Things change over time
• Organizations tend to be good about provisioning; not as good at de-provisioning access
• Enforcement requires governance

ALL organizations struggle with this cycle.

How is this a phishing risk?

Page 27: Information Security Foundations - Harvard University

Do you have any accounts that require a separate password? What are the challenges with managing access to these types of accounts?

Page 28: Information Security Foundations - Harvard University

Federated Identity Services Organize the Chaos

Page 29: Information Security Foundations - Harvard University

Data Integrity & Confidentiality

Encryption: method of transforming original data – plaintext or cleartext – into a form that appears to be random and unreadable – ciphertext.
• Decryption requires the secret/private “key” to reverse this process.
• No key = cleartext not available

e.g. HTTPS over the Internet

Page 30: Information Security Foundations - Harvard University

Data Integrity & Confidentiality

One-Way Hashing: function that takes a variable-length string, and compresses and transforms it into a fixed-length value that represents the data, called a message digest or hash value.
• The hashing algorithm is reused – by data recipients or other systems – to produce their own message digest for that data to compare against the original message digest for a match (like a fingerprint).

What’s the main security goal of one-way hashing?

Page 31: Information Security Foundations - Harvard University

Should You Hash or Encrypt?

Purpose (Hashing / Encryption)
• Compare two blobs of data for matching
• Check if stored data has changed at all
• Send or store data so it can be read only by specific individuals or machines
• Make original plaintext data irretrievable

Hash or Encrypt? (Guidance / Key)
• Verify an eSignature is authentic
• Send personally identifiable data over the Internet
• Check that a critical file/data element hasn’t changed
• Store PCI/PHI on a server
• Store a password
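The two hashing uses from the previous slides, worked in code: a digest as a change-detection fingerprint, and a salted, iterated hash for password storage so the plaintext is irretrievable. This is an added example, not material from the workshop; SHA-256, PBKDF2 and the iteration count are assumed choices, and the "readable only by specific parties" rows need encryption with a key, which is deliberately not shown here.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster


def fingerprint(data: bytes) -> str:
    """One-way hash: a fixed-length digest of variable-length input (the 'fingerprint')."""
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, original_digest: str) -> bool:
    """Integrity check: the recipient recomputes with the same algorithm and compares.
    Nothing here hides the data; hashing answers 'did it change?', not 'who can read it?'."""
    return hmac.compare_digest(fingerprint(data), original_digest)


def store_password(password: str, salt: bytes = None) -> str:
    """Store a password: salted, iterated hash, so the plaintext is irretrievable
    and two users with the same password get different stored records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$" + salt.hex() + "$" + digest.hex()


def check_password(password: str, record: str) -> bool:
    """Verify by re-deriving with the stored salt; compare in constant time."""
    _, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```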

Page 32: Information Security Foundations - Harvard University

Protect De-Identified Research Data

Help a principal investigator to maintain “anonymity” of her research participants and the accuracy of the research data.

Advise the investigator how to implement controls to protect against:
• Anyone else having access to both PII and data (re-identification)
• Someone altering any of the captured research data
• Research data being unavailable when needed

Page 33: Information Security Foundations - Harvard University

Secure by Design: Part 2

Page 34: Information Security Foundations - Harvard University

Secure by Design: Part 2

System Hardening

Application Security

Vulnerability Scanning and Management

Logging & Monitoring

Security in the Cloud

Page 35: Information Security Foundations - Harvard University

System Hardening

System hardening addresses all four! How?

• Configure and manage user privileges
• Employ password complexity & policies
• Patch all known vulnerabilities
• Remove unused user accounts
• Remove unused services
• Close unused network ports

Page 36: Information Security Foundations - Harvard University

The Top 10 Most Critical Web Application Security Risks

Page 37: Information Security Foundations - Harvard University

A1: SQL Injection – Illustrated

Diagram labels recovered from the slide: Firewall → Hardened OS → Web Server → App Server → Firewall → back-end Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing. The APPLICATION ATTACK passes through the Network Layer into the Application Layer and the Custom Code behind the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions).

Flow: HTTP request → SQL query → DB Table → HTTP response

Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

Account Summary (what the user receives):
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293

Page 38: Information Security Foundations - Harvard University

Injection Example – Key Takeaways

Do not trust user-supplied input
• Convert user input to “acceptable” formats and strings
• Use parameterized queries or stored procedures
• Reject anything that doesn’t fit your model
• Display generic/sanitized error messages – don’t leak data

Remember: the system will function as designed. Design security into your applications!
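The injection from the previous slide and two of the takeaways (parameterized queries, reject input that does not fit the model) side by side. This is an added example, not code from the workshop; the in-memory sqlite3 table, the account-number pattern and the function names are constructed for illustration.

```python
import re
import sqlite3

ACCT_PATTERN = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}")   # the only shape we accept


def build_db():
    """Constructed in-memory stand-in for the diagram's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("5424-6066-2134-4334", "alice"),
        ("4128-7574-3921-0192", "bob"),
        ("5424-9383-2039-4029", "carol"),
    ])
    return conn


def lookup_vulnerable(conn, acct):
    # Step 3 of the slide: form data is pasted straight into the SQL text,
    # so the input can change the query's grammar, not just its value.
    sql = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, acct):
    # Placeholder binding: the driver passes the value out of band, so the
    # database only compares it against the column; it is never parsed as SQL.
    sql = "SELECT acct FROM accounts WHERE acct=?"
    return [row[0] for row in conn.execute(sql, (acct,))]


def is_well_formed(acct):
    # "Reject anything that doesn't fit your model": an allowlist, not a denylist.
    return ACCT_PATTERN.fullmatch(acct) is not None


ATTACK = "' OR 1=1--"   # the form input behind the slide's injected query


def demo():
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, ATTACK)),       # every account leaks
        "parameterized": lookup_parameterized(conn, ATTACK),         # no such account
        "normal": lookup_parameterized(conn, "4128-7574-3921-0192"),
        "rejected_by_validation": not is_well_formed(ATTACK),
    }
```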

Page 39: Information Security Foundations - Harvard University

Vulnerability Scanning & Management

A. In 2014, what percentage of all successful exploits attacked vulnerabilities for which patches/fixes had been available for more than a year?
1. 30%
2. 50%
3. 75%
4. 99.9%

B. In 2014, what percentage of new vulnerabilities were successfully attacked within two weeks of their announcement and patch availability?
1. 30%
2. 50%
3. 75%
4. 99.9%

What makes a particular vulnerability popular?
Risk factors: prevalence, discoverability, ease of exploit, impact

Source: 2015 Verizon Data Breach Investigations Report

Page 40: Information Security Foundations - Harvard University

Partnership Spiral (Service Mindset)

Are you clear about who is responsible for patching which layers? Have you discussed and agreed?

Make a patching plan and stick to it!

Page 41: Information Security Foundations - Harvard University

Logging and Monitoring

Natural causes, error, or suspicious activity?
• Behavior/pattern recognition for systems, employees, students...
• Network and system “health” – blockages, inhibitors, viruses, etc.
• Regulatory compliance (HRCI data access logs!)
• Cyber investigation forensics

Workbook Exercise: What might a bank choose to monitor as “unusual” account activity?
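One answer to the workbook question, as an added example that is not part of the workshop materials: three pattern rules (withdrawal velocity, daily total, implausible travel) run over a constructed ATM withdrawal log. The log format, account names and thresholds are assumptions a bank would replace with its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM withdrawal log: "<timestamp> <account> <amount> <country>".
SAMPLE_LOG = """\
2015-02-19T01:02:10 ACCT-1 200 US
2015-02-19T01:04:41 ACCT-1 200 US
2015-02-19T01:05:09 ACCT-1 200 US
2015-02-19T01:06:30 ACCT-1 200 US
2015-02-19T01:07:55 ACCT-1 200 US
2015-02-19T09:15:00 ACCT-2 60 US
2015-02-19T09:20:00 ACCT-2 80 FR
2015-02-19T13:00:00 ACCT-3 5000 US
2015-02-19T13:30:00 ACCT-4 100 US""".splitlines()


def parse(line):
    ts, acct, amount, country = line.split()
    return datetime.fromisoformat(ts), acct, int(amount), country


def unusual_activity(lines, max_per_window=4, window=timedelta(minutes=10),
                     daily_cap=1000, geo_window=timedelta(hours=1)):
    """Return {account: [rule names]} for activity outside the expected pattern.
    Thresholds are assumed values a bank would tune to its own customer base."""
    by_acct = defaultdict(list)
    for line in lines:
        ts, acct, amount, country = parse(line)
        by_acct[acct].append((ts, amount, country))
    alerts = defaultdict(list)
    for acct, events in by_acct.items():
        events.sort()
        # Rule 1: withdrawal velocity - more than max_per_window cash-outs within window.
        for i, (ts, _, _) in enumerate(events):
            if sum(1 for t, _, _ in events[i:] if t - ts <= window) > max_per_window:
                alerts[acct].append("velocity")
                break
        # Rule 2: daily total above the limit the core banking system should enforce.
        per_day = defaultdict(int)
        for ts, amount, _ in events:
            per_day[ts.date()] += amount
        if max(per_day.values()) > daily_cap:
            alerts[acct].append("daily_cap")
        # Rule 3: implausible travel - two countries within geo_window of each other.
        for (t1, _, c1), (t2, _, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= geo_window:
                alerts[acct].append("geo")
                break
    return dict(alerts)
```

Calling unusual_activity(SAMPLE_LOG) flags ACCT-1 for velocity, ACCT-2 for geo and ACCT-3 for daily_cap, and leaves the single ordinary withdrawal on ACCT-4 alone.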

Page 42: Information Security Foundations - Harvard University

Who Manages Security in the Cloud?

SaaS Model

Your Responsibility

Their Responsibility

Page 43: Information Security Foundations - Harvard University

Who Manages Security in the Cloud?

PaaS Model

Your Responsibility

Their Responsibility

Page 44: Information Security Foundations - Harvard University

Who Manages Security in the Cloud?

IaaS Model

Your Responsibility

Their Responsibility

Page 45: Information Security Foundations - Harvard University

Considerations for Cloud Computing

Legal issues – intellectual property when subpoenas request all data on a server (co-location risk). Would we even know?

Confidentiality – vendor administrators with access to data

Server hardening - spinning up new servers is quick and configurable, so use a template vetted by Information Security

Logging – do we have enough detail for investigations?

Failover/Back-ups – does data cross international borders?


Page 46: Information Security Foundations - Harvard University

BREAK - 10 minutes

Page 47: Information Security Foundations - Harvard University

Case Studies: Part 3

Page 48: Information Security Foundations - Harvard University

Security Breakdowns

Case 1: BankMuscat ATM No-Limit Withdrawals

Case 2: Target POS Compromise

Case 3: NYTimes.com Website Hijacking

Page 49: Information Security Foundations - Harvard University

Workshop Summary

Information security ensures authorized people and systems will have access to reliable data when they need it

For any risk – consider the probability and impact if the threat and vulnerability come together

Identification, Authentication and Authorization work together to enable appropriate access to data and applications

Whenever possible, leverage Harvard’s federated identity service and two-step authentication

System hardening provides an environment that has fewer opportunities for exploits


Page 50: Information Security Foundations - Harvard University

Workshop Summary

Do not trust user-supplied input in your applications

Make a patching plan and stick to it

Know how your system is supposed to work so you can identify unusual behavior to log and monitor

Just because it’s “in the Cloud” doesn’t mean you’re no longer responsible for it

Integrate information security into the service you deliver; the stuff that doesn’t happen is equally important!


Page 51: Information Security Foundations - Harvard University

Information Security Foundations

