Plain Talk about Security, January 27, 2015, by Mike Stone
Transcript
Page 1: Plain talk about security   public - ms1

Plain Talk about Security

January 27, 2015

by Mike Stone

Page 2: Introduction

Plain Talk about Security 01/05/2023 2

• Security is not just a matter of opinion
  • even though everybody has an opinion about security
• Security is not a wasted effort
  • even though it may seem like any determined attacker will get through your defenses
• Security is a logic, a calculation, and a profession
  • logic: “you can’t protect assets you don’t know about”
  • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur”
  • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2
• Information Security has its counterparts in physical security

Page 3: The Security Trinity (CIA)

• Confidentiality: Keep the asset secret!
• Integrity: Prevent unauthorized change to asset!
• Availability: Ensure intended users can always access asset!

Page 4: Start with a Good Secure Architecture

Physical Security:
• A good architecture
  • Form facilitates function
  • Modular
  • Adaptable
  • Scalable

Information Security:
• A secure architecture
  • Facilitates organizational mission & objectives
  • Provides granular segmentation
  • Provides situational awareness
  • Defends its assets

[Diagram: a segmented network with zones Internet, DMZ, Dev & QA, Users, Prod, and SOC & NOC; data classified Public, Confidential, and Top Secret; “C” markers placed at the zone boundaries]

Page 5: Four A’s of Security: #1 Account Management

Physical Security / Information Security

• User Accounts: represent interactive humans
• Service Accounts: represent batch processes
• Role-based Accounts: represent groups of accounts with similar profiles & needs

[Illustration: account holders labelled admins, services, employees, customers, suppliers, and hackers]

Page 6: Four A’s of Security: #2 Authentication Controls

Physical Security / Information Security

• One Factor Authentication: What you know (password)
• Two Factor Authentication: What you have (token) + what you know
• Three Factor Authentication: What you are (biometric) + what you have + what you know

[Illustration, physical side: a guard saying “STOP! Identify yourself!”, “Show me your pass!”, “You don’t look like the commander!”; information side: Password, token, Biometric (Hand Scanner)]

“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
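To make the “what you know + what you have” combination concrete, here is an added example (mine, not from the presentation) of a two-factor login check written with only the Python standard library: the password is verified against a salted PBKDF2 hash, and the one-time code is checked with an RFC 6238 TOTP built on RFC 4226 HOTP. The user record, the fixed salt, and the TOTP seed are constructed for the example; the seed is the RFC test-vector secret so the codes are reproducible, whereas a real deployment generates a random seed and salt per user.

```python
import hashlib
import hmac
import struct
import time

# Constructed values for the example only.
TOTP_SEED = b"12345678901234567890"          # RFC 4226/6238 test secret
PBKDF2_ITERATIONS = 200_000
SALT = b"constructed-salt-not-random"         # real code: os.urandom(16) per user


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Slow, salted hash so a leaked record does not give away the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step)


# Constructed user record: the "what you know" hash and the "what you have" seed.
USER_RECORD = {
    "name": "alice",
    "password_hash": hash_password("correct horse battery staple"),
    "totp_seed": TOTP_SEED,
}


def verify_two_factor(record: dict, password: str, otp: str, now=None) -> bool:
    """Accept only when BOTH factors check out.

    Both checks always run (no early return) and both use compare_digest,
    so timing does not reveal which factor was wrong.
    """
    now = int(time.time()) if now is None else now
    know_ok = hmac.compare_digest(hash_password(password), record["password_hash"])
    # Accept the current 30 s window plus one window either side for clock drift.
    have_ok = any(
        hmac.compare_digest(totp(record["totp_seed"], now + drift), otp)
        for drift in (-30, 0, 30)
    )
    return know_ok and have_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this window is 287082
    print("code for this window:", totp(TOTP_SEED, t))
    print("both factors:", verify_two_factor(USER_RECORD, "correct horse battery staple", "287082", now=t))
    print("password only:", verify_two_factor(USER_RECORD, "correct horse battery staple", "000000", now=t))
```

The drift window of one step either side is a usability choice; widening it makes a stolen code usable for longer, so keep it as small as the deployment’s clocks allow.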

Page 7: Four A’s of Security: #3 Authorization (Access) Controls

Physical Security / Information Security

• Who/what is allowed to do what to a resource (asset)
• Resources are assets that are allowed to be used
• Minimum Privilege: the least privileges required to perform a job (role) = Granularity
• Strong Access Controls require Strong Authentication Controls!

[Illustration: resources General Prod, Confidential Prod, and Top Secret Prod (valued $, $$, $$$) and the matching General Clearance, Confidential Clearance, and Top Secret Clearance]

“Encryption also provides a Presentation Layer Access Control!”

Page 8: Four A’s of Security: #4 Audit Controls

Physical Security / Information Security

• Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events
• Audit: formal documentation of who did what when and where compared to a framework
• Report: statistical (and possibly graphic) view of historical data and trends
• Evidence: documentation proving compliance with a security control or standard

[Diagram: devices SQL, WS, TS, Srvr, Rtr, SW, FW, IPS, A/V, SSL, DLP, and CA, each reporting to its own element manager (SQL EM, WS EM, TS EM, Srvr EM, Rtr EM, SW EM, FW EM, IPS EM, A/V EM, SSL EM, DLP EM, CA EM), which in turn feed the NNM MoM and SIEM MoM managers of managers]

“Digital Signatures and trusted Certificates can provide non-repudiation for business or legal transactions!”
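The four record types on this slide differ in structure and in how much they can be trusted after the fact. The following added example (mine, not from the presentation) takes a few constructed element-manager log lines of the kind the diagram’s EMs would forward to a SIEM, normalizes them into who/what/when/where audit records, hash-chains the records so that any later edit or deletion is detectable (what lets them serve as evidence), and produces a summary report. Log formats, host names, and user names are invented.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample lines, one per element manager (FW, SQL, WS).
RAW_LOGS = [
    "2015-01-27T09:02:11Z FWEM src=10.0.5.7 user=bob action=deny dst=db01:1433",
    "2015-01-27T09:03:45Z SQLEM host=db01 user=alice action=login result=ok",
    "2015-01-27T09:04:02Z SQLEM host=db01 user=alice action=alter_table object=payroll",
    "2015-01-27T09:10:30Z WSEM host=web02 user=svc_backup action=read object=/etc/shadow result=denied",
]

LINE_RE = re.compile(r"^(?P<when>\S+) (?P<source>\S+) (?P<fields>.*)$")


def normalize(line: str) -> dict:
    """Turn one element-manager line into a who/what/when/where audit record."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    kv = dict(pair.split("=", 1) for pair in m.group("fields").split())
    return {
        "when": m.group("when"),
        "who": kv.get("user", "?"),
        "what": kv.get("action", "?"),
        "where": kv.get("host") or kv.get("dst") or kv.get("src") or "?",
        "source": m.group("source"),
        "detail": {k: v for k, v in kv.items() if k not in ("user", "action", "host")},
    }


def chain_records(records: list) -> list:
    """Add a SHA-256 link to each record covering its content and the previous link.

    Changing or removing any earlier record breaks every link after it.
    """
    chained, prev = [], "0" * 64
    for rec in records:
        body = json.dumps(rec, sort_keys=True)
        link = hashlib.sha256((prev + body).encode()).hexdigest()
        chained.append({**rec, "prev": prev, "link": link})
        prev = link
    return chained


def verify_chain(chained: list) -> bool:
    """Recompute every link from the stored content; False on any mismatch."""
    prev = "0" * 64
    for entry in chained:
        rec = {k: v for k, v in entry.items() if k not in ("prev", "link")}
        expected = hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["link"] != expected:
            return False
        prev = entry["link"]
    return True


def tamper_is_detected(chained: list, index: int, field: str, value) -> bool:
    """Edit one field of a chained record after the fact and check that verification fails."""
    edited = [dict(e) for e in chained]
    edited[index][field] = value
    return not verify_chain(edited)


def report(chained: list) -> dict:
    """The slide's 'Report': a statistical view, here events per actor and per action."""
    return {
        "by_who": dict(Counter(e["who"] for e in chained)),
        "by_what": dict(Counter(e["what"] for e in chained)),
    }


if __name__ == "__main__":
    trail = chain_records([normalize(line) for line in RAW_LOGS])
    print("chain valid:", verify_chain(trail))
    print("edit detected:", tamper_is_detected(trail, 2, "who", "nobody"))
    print(report(trail))
```

A hash chain only proves that the records have not changed since they were chained; to prove who wrote them, the final link would additionally be signed, which is where the slide’s point about digital signatures and non-repudiation comes in.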

Page 9: Confidentiality

Physical Security / Information Security

• Protects an asset or person from unauthorized viewing or exposure by:
  • Access Controls
  • Encryption
    • Symmetric
    • Asymmetric

[Illustration, physical side: a shredder; information side: two diagrams, “Symmetric Keys” and “Public & Private Keys”, in which Bob encrypts (E) “Hi!” into “@#$^” and Alice decrypts (D) it back to “Hi!”. In the symmetric diagram the key generator (KG) gives both the same key; in the asymmetric diagram KG gives Bob Alice’s public key to encrypt with and Alice her private key to decrypt with]

“Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!”
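The two diagrams differ only in who holds which key. The following added example (mine, not from the presentation) mirrors them with the Python standard library: the symmetric half derives a counter-mode keystream from HMAC-SHA256 and XORs it with the message (AES-CTR would be the usual choice, but it is not in the standard library); the asymmetric half is textbook RSA with the small primes 61 and 53, which is a toy to show the public/private key roles and is not secure. Key values and the message “Hi!” are constructed.

```python
import hashlib
import hmac
import os
import secrets

# --- Symmetric: Bob and Alice share ONE key (left diagram) -------------------

def symmetric_keygen() -> bytes:
    """KG for the symmetric case: one random 256-bit key for both parties."""
    return secrets.token_bytes(32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib stand-in for AES-CTR)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E: fresh nonce per message, then XOR with the keystream."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """D: same key, same nonce, same keystream; XOR again recovers the plaintext."""
    nonce, ct = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Asymmetric: Bob uses Alice's PUBLIC key, only Alice's PRIVATE key decrypts (right diagram) ---
# Textbook RSA with toy primes: illustrates the key roles only; no padding, no security.

def asymmetric_keygen(p: int = 61, q: int = 53, e: int = 17):
    """KG for the asymmetric case: returns (public key, private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent, e * d == 1 (mod phi)
    return (n, e), (n, d)


def asymmetric_encrypt(public_key, message: int) -> int:
    """E with the recipient's public key (message must be smaller than n)."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message too large for this toy modulus")
    return pow(message, e, n)


def asymmetric_decrypt(private_key, ciphertext: int) -> int:
    """D with the recipient's private key."""
    n, d = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    k = symmetric_keygen()
    blob = symmetric_encrypt(k, b"Hi!")
    print("symmetric:", blob[16:].hex(), "->", symmetric_decrypt(k, blob))
    pub, priv = asymmetric_keygen()
    c = asymmetric_encrypt(pub, 65)          # 65 is ASCII 'A'
    print("asymmetric:", c, "->", asymmetric_decrypt(priv, c))
```

Neither half checks integrity: a bit flipped in the ciphertext flips the same bit in the decrypted message without any error. That is why the next slide lists hashes and digital signatures separately from encryption.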

Page 10: Integrity

Physical Security / Information Security

• Protects an asset from unauthorized modification by:
  • Access Controls
  • Digital Signature
  • Hash
  • Encryption

“Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!”

[Illustration: resources General Prod, Important Prod, and Critical Prod (valued $, $$, $$$) and the matching General Clearance, Medium Integrity Clearance, and High Integrity Clearance]
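The clearance ladders on this slide and on the Authorization slide (page 7) can be checked by the same small decision function. The following added example (mine, not from the presentation) implements three gates: a role gate for minimum privilege, a confidentiality gate that requires clearance at or above the resource’s classification, and an integrity gate that allows writes only from an integrity clearance at or above the resource’s integrity level. The ordering of the labels, the mapping of Important Prod and Critical Prod to Medium and High integrity, the role permission table, and the users are my assumptions, constructed for the example.

```python
from dataclasses import dataclass

# Ordered label ladders (constructed ordering; later entries are more sensitive or more trusted).
CONFIDENTIALITY = ["General", "Confidential", "Top Secret"]
INTEGRITY = ["General", "Medium", "High"]


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    clearance: str     # confidentiality clearance
    integrity: str     # integrity clearance


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # confidentiality label
    integrity: str        # integrity label


# Minimum privilege: the verbs each job needs and nothing more (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "operator": {"read", "write"},
    "auditor": {"read"},
}


def decide(subject: Subject, resource: Resource, action: str) -> str:
    """Return 'allow' or a deny reason naming the gate that refused."""
    if action not in ROLE_PERMISSIONS.get(subject.role, set()):
        return "deny: action not part of role (minimum privilege)"
    if CONFIDENTIALITY.index(subject.clearance) < CONFIDENTIALITY.index(resource.classification):
        return "deny: clearance below classification"
    if action == "write" and INTEGRITY.index(subject.integrity) < INTEGRITY.index(resource.integrity):
        return "deny: integrity clearance below resource integrity"
    return "allow"


def can_access(subject: Subject, resource: Resource, action: str) -> bool:
    return decide(subject, resource, action) == "allow"


# Constructed resources (names from the slides; label assignment assumed).
GENERAL_PROD = Resource("General Prod", "General", "General")
CONFIDENTIAL_PROD = Resource("Confidential Prod", "Confidential", "Medium")
TOP_SECRET_PROD = Resource("Top Secret Prod", "Top Secret", "High")

# Constructed subjects.
ALICE = Subject("alice", "operator", "Confidential", "Medium")
BOB = Subject("bob", "analyst", "Top Secret", "General")
OPS_LOW = Subject("ops_low", "operator", "Top Secret", "General")


if __name__ == "__main__":
    for subj, res, act in [
        (ALICE, CONFIDENTIAL_PROD, "write"),
        (ALICE, TOP_SECRET_PROD, "read"),
        (BOB, TOP_SECRET_PROD, "read"),
        (BOB, TOP_SECRET_PROD, "write"),
        (OPS_LOW, TOP_SECRET_PROD, "write"),
    ]:
        print(f"{subj.name:8} {act:5} {res.name:18} -> {decide(subj, res, act)}")
```

The last case is the one this slide adds: a user cleared to see Top Secret data is still refused a write to Critical Prod because integrity clearance is tracked separately from confidentiality clearance.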

Page 11: Availability

Physical Security / Information Security

• Ensures a resource will always be available for authorized use
• High-Availability services shouldn’t have Single Points of Failure (SPoF)
• Recovery Point Objective (RPO): how much data a service can afford to lose
• Recovery Time Objective (RTO): how much time a service can afford to be shut down

[Diagram: Site #1 and Site #2, each with servers S1 and S2, switches SW1 and SW2, load balancers LB1 and LB2, and clients c1 and c2; routers R1 and R2, DNS1 and DNS2, and client c3 reach the sites over the Internet]
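Whether a design like the two-site drawing actually has no single point of failure can be checked rather than eyeballed. The following added example (mine, not from the presentation) models the topology as an undirected graph and reports every node whose removal cuts the Internet off from all servers, and adds a small RPO/RTO check. Node names are the slide’s; the exact wiring between routers, load balancers, and switches, and the one-site comparison topology, are constructed assumptions.

```python
from collections import deque

# Constructed links. Two sites with cross-connections, as the slide draws them.
TWO_SITE_EDGES = [
    ("Internet", "R1"), ("Internet", "R2"),
    ("R1", "LB1"), ("R1", "LB2"), ("R2", "LB1"), ("R2", "LB2"),
    ("LB1", "SW1"), ("LB1", "SW2"), ("LB2", "SW1"), ("LB2", "SW2"),
    ("SW1", "S1"), ("SW2", "S2"),
]
# A single site with two servers behind one router, one load balancer and one switch.
ONE_SITE_EDGES = [
    ("Internet", "R1"), ("R1", "LB1"), ("LB1", "SW1"), ("SW1", "S1"), ("SW1", "S2"),
]


def adjacency(edges):
    """Undirected adjacency map from a list of (a, b) links."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, removed=frozenset()):
    """Breadth-first search that pretends the nodes in `removed` have failed."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(edges, source, servers) -> set:
    """Nodes whose individual failure leaves no server reachable from `source`."""
    adj = adjacency(edges)
    spof = set()
    for node in adj:
        if node == source:
            continue
        if not (reachable(adj, source, {node}) & set(servers)):
            spof.add(node)
    return spof


def objectives_met(backup_interval_s: int, restore_time_s: int, rpo_s: int, rto_s: int) -> dict:
    """Worst-case data loss is one full backup interval; compare it and the
    measured restore time against the RPO and RTO the business accepted."""
    return {
        "worst_case_loss_s": backup_interval_s,
        "rpo_met": backup_interval_s <= rpo_s,
        "rto_met": restore_time_s <= rto_s,
    }


if __name__ == "__main__":
    print("two sites:", single_points_of_failure(TWO_SITE_EDGES, "Internet", ["S1", "S2"]))
    print("one site:", single_points_of_failure(ONE_SITE_EDGES, "Internet", ["S1", "S2"]))
    print(objectives_met(backup_interval_s=3600, restore_time_s=7200, rpo_s=900, rto_s=14400))
```

In the one-site layout the two servers protect each other, but the router, load balancer, and switch in front of them are each a single point of failure; the second site removes all three from the list.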

Page 12: A Risk-Driven Security Process

• Identify your major assets
• Identify the risks to those assets
• Measure the impacts ($) and probabilities (%) of those risks
• Decide what levels of impacts and probabilities of risks are acceptable
• Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level
• Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives
• Assess residual risks
• Review effectiveness of those policies, standards, procedures, and controls

[Process diagram: ID Assets → ID Risks → Calc Impact & Probability → Decide Acceptable Levels → Budget Security → Plan Defenses → Assess Residual Risks → Review Effectiveness]
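The steps above, together with the Introduction slide’s formula (risk value = asset value x probability), can be carried through on numbers. The following added example (mine, not from the presentation) computes each risk’s expected loss, the budget the slide prescribes (exposure minus the accepted level, never negative), a ranking of where the budget goes, and the residual risk once controls are in place. The assets, dollar impacts, probabilities, acceptable levels, and the control effectiveness figures are all constructed; the assumption that a control reduces a risk’s probability by a fixed fraction is mine.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    impact: float         # $ lost if the risk occurs
    probability: float    # chance of occurrence in the budget period (0..1)
    acceptable: float     # $ of expected loss the business has decided to tolerate

    @property
    def exposure(self) -> float:
        """The slide's 'value of a risk': impact times probability."""
        return self.impact * self.probability

    @property
    def budget(self) -> float:
        """Budget for this risk: exposure above the acceptable level, never negative."""
        return max(0.0, self.exposure - self.acceptable)


@dataclass
class Asset:
    name: str
    value: float
    risks: list = field(default_factory=list)


# Constructed inventory for the example.
ASSETS = [
    Asset("Customer DB", 2_000_000, [
        Risk("data breach", impact=2_000_000, probability=0.05, acceptable=20_000),
        Risk("ransomware", impact=500_000, probability=0.10, acceptable=10_000),
    ]),
    Asset("Public website", 200_000, [
        Risk("DDoS outage", impact=50_000, probability=0.30, acceptable=15_000),
    ]),
]


def security_budget(assets) -> float:
    """Total budget: the sum of every risk's gap between exposure and acceptable level."""
    return sum(r.budget for a in assets for r in a.risks)


def prioritized(assets) -> list:
    """(asset, risk, exposure, budget) rows, largest budget first: where to plan defenses."""
    rows = [(a.name, r.name, r.exposure, r.budget) for a in assets for r in a.risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def residual_risks(assets, reductions: dict) -> dict:
    """Assess residual risk: `reductions` maps a risk name to the fraction by which
    the chosen controls cut its probability (constructed effectiveness model)."""
    out = {}
    for a in assets:
        for r in a.risks:
            residual = r.exposure * (1 - reductions.get(r.name, 0.0))
            out[r.name] = {"residual": residual, "acceptable": residual <= r.acceptable}
    return out


if __name__ == "__main__":
    print("total security budget: $%.0f" % security_budget(ASSETS))
    for asset, risk, exposure, budget in prioritized(ASSETS):
        print(f"  {asset:15} {risk:12} exposure ${exposure:>9,.0f}  budget ${budget:>9,.0f}")
    print(residual_risks(ASSETS, {"data breach": 0.9, "DDoS outage": 0.5}))
```

The residual step is what makes the process a loop: a risk whose residual value is still above the accepted level goes back to the planning step, and a control that did not move the number is a candidate for the effectiveness review.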

