Plain Talk about Security
January 27, 2015
by Mike Stone
Introduction
Plain Talk about Security01/05/2023 2
• Security is not just a matter of opinion
  • even though everybody has an opinion about security
• Security is not a wasted effort
  • even though it may seem like any determined attacker will get through your defenses
• Security is a logic, a calculation, and a profession
  • logic: “you can’t protect assets you don’t know about”
  • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur”
  • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2
• Information Security has its counterparts in physical security
The Security Trinity (CIA)
• Confidentiality: Keep the asset secret!
• Integrity: Prevent unauthorized change to asset!
• Availability: Ensure intended users can always access asset!
Start with a Good Secure Architecture
Physical Security | Information Security
• A good architecture
  • Form facilitates function
  • Modular
  • Adaptable
  • Scalable
• A secure architecture
  • Facilitates organizational mission & objectives
  • Provides granular segmentation
  • Provides situational awareness
  • Defends its assets
[Diagram: a network segmented into zones (Internet, DMZ, Dev & QA, Users, Prod, SOC & NOC) with Public, Confidential and Top Secret classification levels]
Four A’s of Security: #1 Account Management
Physical Security | Information Security
• User Accounts: represent interactive humans
• Service Accounts: represent batch processes
• Role-based Accounts: represent groups of accounts with similar profiles & needs
[Diagram: account populations: admins, services, employees, customers, suppliers, hackers]
Four A’s of Security: #2 Authentication Controls
Physical Security | Information Security
• One Factor Authentication: What you know (password)
• Two Factor Authentication: What you have (token) + what you know
• Three Factor Authentication: What you are (biometric) + what you have + what you know
[Diagram: a physical checkpoint (“STOP! Identify yourself!”, “Show me your pass!”, “You don’t look like the commander!”) beside the Password, Token and Biometric (Hand Scanner) factors]
“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
Four A’s of Security: #3 Authorization (Access) Controls
Physical Security | Information Security
• Who/what is allowed to do what to a resource (asset)
• Resources are assets that are allowed to be used
• Minimum Privilege: the least privileges required to perform a job (role) = Granularity
• Strong Access Controls require Strong Authentication Controls!
[Diagram: General, Confidential and Top Secret Clearances mapped to General Prod ($), Confidential Prod ($$) and Top Secret Prod ($$$); devices: SQL, WS, TS, Srvr, Rtr, SW]
“Encryption also provides a Presentation Layer Access Control!”
Four A’s of Security: #4 Audit Controls
Physical Security | Information Security
• Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events
• Audit: formal documentation of who did what, when and where, compared against a framework
• Report: statistical (and possibly graphic) view of historical data and trends
• Evidence: documentation proving compliance with a security control or standard
[Diagram: Event Managers (EM) for SQL, WS, TS, Srvr, Rtr, SW, FW, IPS, A/V, SSL, DLP and CA feeding the NNM and SIEM Managers of Managers (MoM)]
“Digital Signatures and trusted Certificates can provide non-repudiation for business or legal transactions!”
Confidentiality
Physical Security | Information Security
• Protects an asset or person from unauthorized viewing or exposure by:
  • Access Controls
  • Encryption
    • Symmetric
    • Asymmetric
[Diagram: Shredder (physical). Symmetric Keys: a key generator (KG) gives Bob and Alice the same key; Bob encrypts (E) “Hi!” to “@#$^” and Alice decrypts (D) back to “Hi!”. Public & Private Keys: Bob encrypts with the public key and Alice decrypts with the matching private key]
“Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!”
Integrity
Physical Security | Information Security
• Protects an asset from unauthorized modification by:
  • Access Controls
  • Digital Signature
  • Hash
  • Encryption
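Why the slide lists Hash and Digital Signature separately: an added example (not from the deck) in Python’s standard library, using a constructed record and demo key, showing that a bare hash stored beside the data only catches a silent change, while a keyed tag (HMAC here, standing in for the signature) also catches a writer who rewrites the stored tag.

```python
import hashlib
import hmac

# Constructed sample record and demo key (a real deployment uses a random secret).
RECORD = b"transfer;from=acct-1001;to=acct-2002;amount=250.00"
KEY = b"constructed-demo-key"

def sha256_tag(data: bytes) -> bytes:
    """Unkeyed tag: anyone who can write the data can also write a matching tag."""
    return hashlib.sha256(data).digest()

def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): producing a matching tag requires the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def check_hash(record: bytes, stored_tag: bytes) -> bool:
    # constant-time comparison so verification timing reveals nothing about the tag
    return hmac.compare_digest(sha256_tag(record), stored_tag)

def check_mac(record: bytes, stored_tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(KEY, record), stored_tag)

def unauthorized_change(record: bytes) -> bytes:
    """The change the Integrity slide guards against: the amount is altered by
    someone without authority. Constructed for the demo."""
    return record.replace(b"amount=250.00", b"amount=9999.00")

def scenarios() -> dict:
    stored_hash, stored_mac = sha256_tag(RECORD), hmac_tag(KEY, RECORD)
    changed = unauthorized_change(RECORD)
    return {
        # Data altered, stored tags left alone: both mechanisms notice.
        "hash_catches_silent_change": not check_hash(changed, stored_hash),
        "mac_catches_silent_change": not check_mac(changed, stored_mac),
        # Writer also overwrites the stored tag. The bare hash needs no secret,
        # so the verifier is fooled; a tag computed without KEY is still rejected.
        "hash_fooled_when_tag_rewritten": check_hash(changed, sha256_tag(changed)),
        "mac_catches_rewritten_tag": not check_mac(changed, hmac_tag(b"wrong-key", changed)),
        # Genuine record and tag still verify.
        "mac_accepts_genuine": check_mac(RECORD, stored_mac),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

A digital signature gives the same property as the MAC with the added benefit that only the signer holds the key, which is why the Audit slide credits it with non-repudiation.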
“Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!”
[Diagram: General, Medium Integrity and High Integrity Clearances mapped to General Prod ($), Important Prod ($$) and Critical Prod ($$$), replicated across Site #1 and Site #2]
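The clearance-to-Prod mapping on the Authorization and Integrity slides, written out as an access-control check in Python (an added example, not from the deck): role membership first (Minimum Privilege), then a no-read-up rule on confidentiality clearance and a no-write-up rule on integrity clearance. The level orders, role names and sample subjects and resources are my construction.

```python
from dataclasses import dataclass
# Level orders from the slides; strict total orders and dual labels per resource are my assumptions.
CONF_LEVELS = {"General": 0, "Confidential": 1, "Top Secret": 2}
INTEG_LEVELS = {"General": 0, "Medium Integrity": 1, "High Integrity": 2}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str        # confidentiality clearance
    integrity: str        # integrity clearance
    roles: frozenset      # role grants, kept to the minimum the job needs
@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # confidentiality label
    integrity: str        # integrity label
    role_required: str    # the job (role) this resource exists for

def may_read(s: Subject, r: Resource) -> bool:
    """Confidentiality rule, no read up: clearance must dominate classification."""
    return CONF_LEVELS[s.clearance] >= CONF_LEVELS[r.classification]

def may_write(s: Subject, r: Resource) -> bool:
    """Integrity rule, no write up: the writer's integrity clearance must dominate
    the resource's label, so a low-trust account cannot alter Critical Prod."""
    return INTEG_LEVELS[s.integrity] >= INTEG_LEVELS[r.integrity]

def authorize(s: Subject, r: Resource, action: str) -> bool:
    """Role membership first (Minimum Privilege), then the level rule for the action."""
    if r.role_required not in s.roles:
        return False
    if action == "read":
        return may_read(s, r)
    if action == "write":
        return may_write(s, r)
    return False  # anything else is denied by default

# Constructed subjects and resources for the demo.
GENERAL_PROD = Resource("General Prod", "General", "General", "operator")
CONF_PROD = Resource("Confidential Prod", "Confidential", "Medium Integrity", "operator")
TS_PROD = Resource("Top Secret Prod", "Top Secret", "High Integrity", "dba")
ANALYST = Subject("analyst", "Confidential", "General", frozenset({"operator"}))
DBA = Subject("dba", "Top Secret", "High Integrity", frozenset({"operator", "dba"}))
AUDITOR = Subject("auditor", "Top Secret", "High Integrity", frozenset({"auditor"}))

if __name__ == "__main__":
    for s in (ANALYST, DBA, AUDITOR):
        for r in (GENERAL_PROD, CONF_PROD, TS_PROD):
            print(s.name, r.name, [a for a in ("read", "write") if authorize(s, r, a)])
```

The auditor case shows the slide’s “= Granularity” point: a Top Secret clearance alone grants nothing unless the role also needs the resource.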
Availability
Physical Security | Information Security
• Ensures a resource will always be available for authorized use
• High-Availability services shouldn’t have Single Points of Failure (SPoF)
• Recovery Point Objective (RPO): how much data a service can afford to lose
• Recovery Time Objective (RTO): how much time a service can afford to be shut down
[Diagram: a high-availability design with every component paired: DNS1/DNS2, routers R1/R2, load balancers LB1/LB2, switches SW1/SW2 and servers S1/S2 between the Internet and clients c1, c2, c3]
A Risk-Driven Security Process
• Identify your major assets
• Identify the risks to those assets
• Measure the impacts ($) and probabilities (%) of those risks
• Decide what levels of impacts and probabilities of risks are acceptable
• Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level
• Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives
• Assess residual risks
• Review effectiveness of those policies, standards, procedures, and controls
[Diagram: process cycle: ID Assets → ID Risks → Calc Impact & Probability → Decide Acceptable Levels → Budget Security → Plan Defenses → Assess Residual Risks → Review Effectiveness]
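The process carried through in Python on a constructed risk register (an added example, not from the deck): exposure = impact x probability as the Introduction states, the budget as total exposure minus the acceptable level (my reading of “maximum risk”), residual risk after controls, and exposure removed per dollar for the review step. Asset names, figures and controls are invented for the demo.

```python
from collections import namedtuple
# impact: $ lost if the risk occurs; probability: chance per year; cost: $ per year
Risk = namedtuple("Risk", "asset threat impact probability")
Control = namedtuple("Control", "threat cost new_probability")

def exposure(r: Risk) -> float:
    """Introduction slide: value of a risk = asset value (impact) x probability."""
    return r.impact * r.probability

def total_exposure(risks) -> float:
    return sum(exposure(r) for r in risks)

def security_budget(risks, acceptable: float) -> float:
    """Budget = maximum risk minus the acceptable level; 'maximum risk' is read
    here as the total exposure carried with no controls in place."""
    return max(0.0, total_exposure(risks) - acceptable)

def apply_controls(risks, controls):
    treated = {c.threat: c.new_probability for c in controls}
    return [r._replace(probability=treated.get(r.threat, r.probability)) for r in risks]

def effectiveness(risks, control: Control) -> float:
    """Review step: exposure removed per dollar spent on one control."""
    removed = total_exposure(risks) - total_exposure(apply_controls(risks, [control]))
    return removed / control.cost

def assess(risks, controls, acceptable: float) -> dict:
    residual = apply_controls(risks, controls)
    spend = sum(c.cost for c in controls)
    return {"max_risk": total_exposure(risks),
            "budget": security_budget(risks, acceptable),
            "spend": spend,
            "within_budget": spend <= security_budget(risks, acceptable),
            "residual_risk": total_exposure(residual),
            "residual_acceptable": total_exposure(residual) <= acceptable,
            "worst_residual": max(residual, key=exposure).threat}
# Constructed register, controls and acceptable level for the demo.
REGISTER = [Risk("Customer DB", "breach via stolen credentials", 2_000_000, 0.10),
            Risk("Customer DB", "ransomware outage", 500_000, 0.20),
            Risk("Web storefront", "DDoS downtime", 300_000, 0.50),
            Risk("Dev & QA", "source code leak", 150_000, 0.05)]
CONTROLS = [Control("breach via stolen credentials", 40_000, 0.02),
            Control("ransomware outage", 25_000, 0.05),
            Control("DDoS downtime", 60_000, 0.10)]
ACCEPTABLE = 150_000

if __name__ == "__main__":
    for k, v in assess(REGISTER, CONTROLS, ACCEPTABLE).items():
        print(f"{k:20s} {v}")
```

With these figures the register carries $457,500 of exposure, so the budget is $307,500; the three controls cost $125,000 and leave $102,500 of residual risk, under the acceptable level, with the credential-theft risk still the largest remaining item.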