Updates from January, 2015

  • Justin Pineda 2:19 pm on January 27, 2015

    Lesson 3: Defense in Depth and related concepts 

    Defense-in-Depth

    We have agreed that what we protect in Infosec is data/information. As we discussed in Lesson 1, the scope of Infosec is very broad and IT Security is just part of it. We also learned in Lesson 2 that preventive controls are incomplete without detective controls and response. From these concepts, a more concrete and concise security architecture is formed: Defense in Depth.

    The concept of Defense in Depth states that in order for anybody to access the data, they must first pass through layers of security. The security controls may vary, but they should be arranged in layers.

    For example, if you want to access the bank's database, you first need to pass through frisking by security guards, inspection of bags and proper identification when entering the bank premises. That is what we call Physical Security.

    Once you enter the premises, you are required to wear your ID at all times. If you are a visitor, a member of the security personnel is required to accompany you wherever you go within the premises. That is the next layer, called Operational Security.

    If you connect to their wireless network and your laptop cannot access the Internet because of MAC filtering, that is an example of Network Security.

    When desktop computers have their USB ports disabled to prevent the spread or download of viruses, that is an example of Host Security.

    When you need to enter a username and password to gain access to your account, that is an example of Application Security.

    Diversity of Defense

    The Diversity of Defense security concept is quite tricky. Management will always want a cost-effective IT infrastructure setup. For example, Huawei, a known networking vendor, might offer an IT infrastructure package that is very appealing. Let's say they offer the whole IT infrastructure for X pesos. Management may be lured to buy the package because of the cost. However, as an information security professional, you should weigh the possible security issues that may arise.

    In Diversity of Defense, you are compelled to buy different brands of network and IT devices such as firewalls, switches, routers, etc. But if you plan to buy different brands of devices, the cost may double (2X pesos) compared to the X pesos for a single brand.

    So what is the advantage of this concept?

    If a vulnerability is found in a Huawei firewall, then no matter how many Huawei firewalls you have, your whole network is vulnerable to that particular attack. You can simply say that the cost of information disclosure when a single proprietary vulnerability is exploited is far more expensive than the implementation of diversity of defense.

    Security through Obscurity

    If we say that a company is implementing security through obscurity, can we consider it secure? In Security through Obscurity, we rely on the idea that nobody will think that some valuable asset is hidden in an obscure place.

    For example, will anybody think that there's 1M pesos stored underneath the driver's seat of my car? What are the odds, right? But if I accidentally leave my car unlocked and somebody randomly opens the door of my car, is my asset still secure?

    Security through obscurity is simply hiding something. But hiding something without proper safeguards provides no security at all.

    Cost-Benefit Analysis (CBA)

    In information security terms, CBA refers to weighing the cost of safeguards against the value of the asset. As a rule of thumb, you are not supposed to buy a safeguard that is more expensive than the asset.

    For example, you won't buy a vault valued at 20,000 pesos to safeguard a Timex watch from a buy-1-take-1 sale worth 2,000 pesos. The thief will probably steal the safeguard instead of the asset inside it.

    —– NOTHING FOLLOWS —–

    You can download the PDF version of this lesson here: INFOSEC_L3_GenSec

  • Justin Pineda 10:34 am on January 27, 2015

    Lesson 2: Security CIA, Protection & Least Privilege Concepts 

    The CIA Triad

    All issues and solutions pertaining to security fall under 3 categories:

    1. Confidentiality – Protection against unauthorized access
    2. Integrity – Protection against unauthorized modification
    3. Availability – Protection against denial of service

    The exact opposite of the CIA is the DAD – Disclosure, Alteration and Destruction.

    [Figure: CIA-DAD] The CIA Triad and its opposite, the DAD

    See the following events and solutions:

    1. Locking the door when you leave the house – This is a confidentiality solution because only the person who has the key to unlock the door can enter the house.
    2. A student overwrites the teacher's PowerPoint presentation – This is an integrity issue because the content of the presentation has been changed.
    3. The system administrator backs up the file server every Friday – This is an availability solution because the backup ensures access to the files when the main file server becomes unavailable.
    [Figure: Example scenarios that can be accidental or incidental]

    A security issue can be the result of an accidental or intentional event. In example 2, the student may have accidentally overwritten the teacher's file through negligence. He may also have overwritten the file intentionally out of revenge. Regardless of his intention, it is classified as a security issue.

    The Formula for Protection

    Some decades ago, the formula for protection was:

    [Figure: PROTECTION_OLD] Protection = Prevention

    This means that in order to protect something, you need to prevent something bad from happening. For example, in order to prevent a home intruder from entering your home, you install a gate around your house. You are preventing the intruder from getting into the house by means of the gate.

    Similarly, in the technical world, you can install a firewall in your network. A firewall is hardware or software that enforces a security policy. For example, if you have a web server in your company and you would like the public to access only the web server, the firewall can filter the traffic going into your network. Only packets/traffic destined for TCP port 80 (HTTP) will be allowed to enter the network, because port 80 is specifically opened for web connections. All other traffic will be denied.

    Now, what is the problem or limitation with this formula?

    In the first example (the gate), what will happen if the intruder climbs over the gate using a rope? Hypothetically, if the intruder is able to enter your house in the middle of the night, will you be able to stop him?

    The formula for protection lacks other components.

    Let's say you bought a motion sensor alarm and a gun. If the intruder is able to enter your house after passing the gate using a rope, the motion sensor alarm will detect his movements and alert you. Now, if you see him and he is planning to attack you with a weapon, you can defend yourself by shooting him with your gun.

    Well, that's just a hypothetical situation. But the point is that you need to anticipate that your preventive tool may be bypassed. That's why you need to set up other security controls.

    Therefore, the modified and correct formula for protection is:

    [Figure: PROTECTION_NEW] Protection = Prevention + (Detection + Response)

    Protection = Gate + (Motion Sensor Alarm + Shoot using your gun)

    This formula can be applied to all domains of information security.

    Going back to the firewall example, can you determine the limitation of implementing only a firewall in your network? If the firewall is the preventive tool, what is the detective tool and the response mechanism?

    Least Privilege

    I think the concept of least privilege is the essence of information security. In least privilege, you only get the privilege and access that you need, nothing more and nothing less.

    In a company, there are an Accountant, an HR Assistant and a Sales Agent. When we apply least privilege to these 3 employees, we give each employee the following access to applications:

    Accountant – MS Excel, Calculator, E-mail, Printer

    HR Assistant – Telephone, Job Street, LinkedIn, MS Word, E-mail, Printer

    Sales Agent – Telephone, Facebook, MS Word, E-mail, Printer

    In least privilege, we list the things that each employee needs and give them exactly that access. Applications that are not on the list won't be given to the users.

    Types of Least Privilege

    Separation of Duties (SOD)

    SOD states that a task (especially a critical job) must be split among more than one person. Let's use the payroll system as an example.

    HR Department – Computes your daily time record (DTR)

    Accounting Department – Computes your salary based on the DTR submitted by the HR department

    Management Group – Approves the salary computed and submitted by the Accounting department

    What happens if only one person, let's say Paula, computes the DTR and the salary and also approves the computation?

    For instance, if an employee, Gilbert, does not go to work, it will reflect in his DTR. However, if Paula decides to give Gilbert a salary anyway, she can freely do so without anybody questioning it. There is nobody who checks whether the task is done correctly or not.

    SOD in the payroll scenario is very important to ensure checks and balances on work-related activities.
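    The payroll scenario above can be enforced in software rather than by trust alone. The following is an added example (not code from the lesson) that models the three payroll steps and rejects any run in which the same person performs more than one of them; the step names, the actor names (hr_ana, acct_ben, mgmt_cora, paula) and the employee name are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The three payroll steps from the lesson, in the order they must happen.
# Separation of Duties requires a different person for each step.
PAYROLL_STEPS: Tuple[str, ...] = ("compute_dtr", "compute_salary", "approve_salary")


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to perform a second step of the same run."""


@dataclass
class PayrollRun:
    employee: str
    # step name -> actor who performed it
    performed_by: Dict[str, str] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        return len(self.performed_by) == len(PAYROLL_STEPS)

    def perform(self, step: str, actor: str) -> None:
        if step not in PAYROLL_STEPS:
            raise ValueError(f"unknown payroll step: {step}")
        if self.complete:
            raise ValueError("payroll run already complete")
        # Steps are carried out in order: HR, then Accounting, then Management.
        expected = PAYROLL_STEPS[len(self.performed_by)]
        if step != expected:
            raise ValueError(f"expected step {expected!r}, got {step!r}")
        # The SOD check: an actor who already did an earlier step may not do this one.
        if actor in self.performed_by.values():
            earlier = [s for s, a in self.performed_by.items() if a == actor]
            raise SeparationOfDutiesError(
                f"{actor} already performed {earlier}; cannot also perform {step!r}")
        self.performed_by[step] = actor


def run_payroll(employee: str, assignments: List[Tuple[str, str]]) -> PayrollRun:
    """Apply the (step, actor) assignments in order; raises on a SOD violation."""
    run = PayrollRun(employee)
    for step, actor in assignments:
        run.perform(step, actor)
    return run


def sod_violation(employee: str, assignments: List[Tuple[str, str]]) -> Optional[str]:
    """Return the SOD violation message for this run, or None if the run is clean."""
    try:
        run_payroll(employee, assignments)
    except SeparationOfDutiesError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: three departments handle Gilbert's payroll properly.
    proper = [("compute_dtr", "hr_ana"), ("compute_salary", "acct_ben"),
              ("approve_salary", "mgmt_cora")]
    # Constructed sample: Paula does everything herself, as in the lesson's scenario.
    paula_alone = [("compute_dtr", "paula"), ("compute_salary", "paula"),
                   ("approve_salary", "paula")]
    print("proper run:", sod_violation("gilbert", proper))
    print("paula alone:", sod_violation("gilbert", paula_alone))
```

    Paula's run fails at the second step: she is allowed to compute the DTR, but the moment she also tries to compute the salary the check refuses, which is exactly the point where, in the lesson, nobody would otherwise have questioned her.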

    [Figure: SOD]

    Implicit Deny

    Implicit Deny is another type of least privilege that is usually seen and applied in a firewall Access Control List (ACL). Assume we have the following entry in an access control list:

    [Figure: access-list]

    This ACL entry allows web traffic (TCP 80) going in and out of the network. If that's the only rule we have in the ACL, can we access the file server in the network (TCP 21)?

    The answer, of course, is no. But one can ask: will it deny TCP 21 even if there is no rule stating that it should be denied?

    Implicit deny states that if there is no rule that says allow, then access is denied. So even without a specific rule, it is understood that there is a "deny all" rule after the last entry in the ACL.
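    The implicit deny just described, and the earlier question about the firewall example (if the firewall is the preventive tool, what are the detective tool and the response mechanism?), can both be shown in one small model. The following is an added example, not code from the lesson: the ACL is evaluated the way a Cisco-style ACL is (top-down, first match wins, implicit deny at the end, which is an assumption about the ACL pictured above), denied packets are logged and counted per source (detection), and a source that keeps hitting the implicit deny is blocked (response). The addresses, ports and the deny threshold of 3 are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Packet:
    src: str         # source address (constructed sample values below)
    proto: str
    dst_port: int


class Firewall:
    """Protection = Prevention + (Detection + Response), for the lesson's firewall.

    Prevention: the ACL is evaluated top-down, first match wins, and a packet
    matching no entry hits the implicit "deny all" after the last entry
    (Cisco-style ACL semantics, assumed here).
    Detection: every denied packet is logged and counted per source.
    Response: a source that reaches the deny threshold is blocked outright.
    """

    def __init__(self, acl: List[Rule], deny_threshold: int = 3) -> None:
        self.acl = acl
        self.deny_threshold = deny_threshold
        self.denies: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()
        self.log: List[str] = []

    def evaluate_acl(self, pkt: Packet) -> str:
        """Prevention: 'permit' or 'deny' from the ACL, with implicit deny."""
        for rule in self.acl:
            if rule.proto == pkt.proto and rule.dst_port == pkt.dst_port:
                return rule.action
        return "deny"  # no explicit permit -> implicit deny

    def process(self, pkt: Packet) -> str:
        # Response already in force: drop everything from blocked sources.
        if pkt.src in self.blocked:
            self.log.append(f"DROP {pkt.src} {pkt.proto}/{pkt.dst_port} (blocked source)")
            return "deny"
        decision = self.evaluate_acl(pkt)
        if decision == "deny":
            # Detection: log the denied packet and count denies per source.
            self.denies[pkt.src] += 1
            self.log.append(f"DENY {pkt.src} {pkt.proto}/{pkt.dst_port}")
            if self.denies[pkt.src] >= self.deny_threshold:
                # Response: block the source; its later packets are dropped.
                self.blocked.add(pkt.src)
                self.log.append(f"ALERT {pkt.src} blocked after {self.denies[pkt.src]} denies")
        return decision


def sample_run() -> Tuple[List[str], Firewall]:
    """Feed constructed traffic through the single-entry ACL from the lesson."""
    fw = Firewall(acl=[Rule("permit", "tcp", 80)])
    traffic = [
        Packet("10.0.0.5", "tcp", 80),    # web: explicitly permitted
        Packet("10.0.0.5", "tcp", 21),    # file server (FTP): implicit deny
        Packet("10.0.0.9", "tcp", 21),    # one source hitting several closed ports
        Packet("10.0.0.9", "tcp", 22),
        Packet("10.0.0.9", "tcp", 3389),  # third deny -> source blocked
        Packet("10.0.0.9", "tcp", 80),    # permitted port, but the source is blocked
    ]
    decisions = [fw.process(p) for p in traffic]
    return decisions, fw


if __name__ == "__main__":
    decisions, fw = sample_run()
    print(decisions)
    print("\n".join(fw.log))
```

    Note that the last packet is to TCP 80, which the ACL permits, yet it is still dropped: the response layer acts on what detection observed, which is precisely what the single "allow web" rule on its own could never do.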

    Job Rotation

    Job Rotation is a less well-known type of least privilege. This concept requires that other persons be familiar with your job, especially if it is a critical role. Although it is costly because you need to train other employees, it is very helpful in determining what is actually happening with the tasks assigned to a particular person.

    If you are put in an employee's shoes due to job rotation, you and the management may discover a lot of things. For example, why does this employee take 10 hours (with overtime) to do his job when I could finish it in 4 hours when I assumed his role during job rotation? There may be something to investigate in this issue.

    [Figure: Job Rotation]

    —– NOTHING FOLLOWS —–

  • Justin Pineda 12:58 pm on November 23, 2014
    Tags: infosec FUS model formula

    Lesson 1: Introduction to Information Security 

    Information Security (Infosec) is a relatively new discipline in Information Technology (IT). Usually, it is included as an elective in a course or just as a section in software development or network administration. But in modern times, the study of Infosec encompasses various domains in IT and other industries. That is to say, Infosec can be applied to databases, business administration, human resources, etc. It is important to understand that Infosec must be treated as a separate discipline. Lastly, there are a lot of career opportunities that focus on Infosec because the field is treated as a separate entity. In the 90's, for instance, Infosec was just part of the IT department. Now, there is a separate Security Operations team that manages just security-related incidents.

    Infosec vs. IT Security

    The question "What is the difference between Infosec and IT Security?" is commonly asked in job interviews. Is there any distinction between the two terms? The answer can be based on the scope of each. IT Security refers to security solutions deployed to answer IT needs. For instance, IT Security can be deploying a firewall in the network to control which packets are allowed in and out of the private network. Another IT Security solution can be the deployment of Anti-virus (AV) software on end devices such as desktop computers and laptops.

    Infosec is bigger than just IT; IT Security is a subset of Infosec. A good example is: what type of door should I buy to securely lock the servers in the data center? Another example: what skills should the receptionist have in order to detect and counteract fraud calls asking for confidential information?

    Formula of Security

    Can you imagine yourself going to SM Mall of Asia? Before you are allowed inside the mall, you are subjected to a lot of inspection and frisking. I'm just not sure if the guards know what they are looking for (pun intended). After the bag inspection and frisking, the queue of people getting in becomes longer and many are already angry.

    The same is true when you inquire about your credit card balance over the phone. Before you are given the account balance, you are subjected to various verification questions like date of birth, mother's maiden name, address and phone number.

    Isn't security a hassle? You may have wondered how to express security as a formula.

    Simply put, Security is inversely proportional to Convenience. This formula applies to every scenario that involves security: the more you enforce security, the more inconvenient it is for the users of the facility.

    Functionality-Usability-Security (FUS) Model

    Suppose you are in your Software Development class, or a freelance programmer doing a project for a client. The normal tendency of the programmer is to make sure that the requirements are met and that the program is "user-friendly". In short, you need to please your client.

    Security, on the other hand, teaches you to reduce the attack surface of your application. Yes, you will have to meet the client requirements, but you have to check whether you can improve the program from a security perspective. If you have written the program in 1,000 lines of code, can you improve it by reducing the number of lines? Hypothetically, if you can provide the same program in 100 lines of code with the same functionality (or by removing unnecessary functionality), then your program is much better for security. There are fewer ways to exploit a program of 100 lines of code compared to 1,000.

    The FUS Model simply states that if you focus solely on Usability, there will be less Functionality and Security in your program. If you focus on Security, on the other hand, there will be less Functionality and Usability. The ideal scenario is to have a balance between the three, as depicted in Figure 2.

    Depending on the program, however, the focus can change. If you are creating an online banking system, for example, the program should lean more towards Security. In reality, the functionality of online banking systems is very limited, such as viewing the account balance and transferring money to verified accounts. It is not user-friendly because you are prompted to type a Transaction Password every time you make a transaction. All your activities are logged for auditing purposes.

    —– NOTHING FOLLOWS —–

    You can download the PDF version of this lesson here: INFOSEC_L1_IntroToInfosec.
