Lesson 2: Security CIA, Protection & Least Privilege Concepts

The CIA Triad

All issues and solutions pertaining to security fall under 3 categories:

  1. Confidentiality – Protection against unauthorized access
  2. Integrity – Protection against unauthorized modification
  3. Availability – Protection against denial of service

The exact opposite of the CIA is the DAD – Disclosure, Alteration and Destruction.

CIA-DAD
The CIA Triad and its opposite, the DAD

See the following events and solutions:

  1. Locking the door when you leave the house – This is a confidentiality solution because only the person who has the key to unlock the door can enter the house.
  2. A students overwrites the teacher’s Powerpoint presentation – This is an integrity issue because the content of the presentation is already changed.
  3. The system administrator backs up the file server every Friday – This is an availability solution because the backup ensures access to the files when the main file server becomes unavailable.
Example
Example scenarios that can be accidental or incidental

A security issue can be a result of an accidental or intentional event. In example 2, the student may have accidentally overwritten the teacher’s file because of his negligence. He may also have overwritten the file intentionally out of revenge. But regardless of his intention, it is classified as a security issue.

The Formula for Protection

Some decades ago, the formula for protection is:

PROTECTION_OLD

This means that in order to protect something, you need to prevent something bad from happening. For example, in order to prevent a home intruder from entering your home, you install a gate around your house. You are preventing the intruder from getting in the house because of the gate.

Similarly in the technical world, you can install a firewall in your network. A firewall is a hardware or software that enforces a security policy. For example, you have a web server in your company and you would like the public only to access the web server, the firewall can filter the traffic going to your network. Only packets/traffic that are destined to TCP port 80 (http) will be allowed to enter the network. That’s because port 80 is specifically opened for web connections. All other traffic will be denied.

Now, what is the problem or limitation with this formula?

In the first example (gate example), what will happen if the intruder climbs using a rope and he is able to pass the gate? Hypothetically, if the intruder is able to enter your house in the middle of the night, will you be able to stop him?

The formula for protection lacks other components.

Let’s say you bought a motion sensor alarm and a gun. You realize that if the intruder is able to enter your house after passing the gate using a rope, the motion sensor alarm will detect his movements and will alert you. Now if you see him and he’s planning to attack you with some weapon, you can defend yourself by shooting him using your gun.

Well, that’s just a hypothetical situation. But the point is, you need to anticipate that your preventive tool may be bypassed. That’s why you need to set up other security controls.

Therefore, the modified and correct formula for protection is:

PROTECTION_NEW

Protection = Gate + (Motion Sensor Alarm + Shoot using your gun)

This formula can be applied to all domains of information security.

Going back to the firewall example, can you determine the limitation of implementing only a firewall in your network? If the firewall is the preventive tool, what is the detective tool and the response mechanism?

Least Privilege

I think the concept of least privilege is the essence of information security. In least privilege, you only get the privilege and access that you need, nothing more and nothing less.

In a company, there is an Accountant, HR assistant and Sales Agent. When we apply least privilege to these 3 employees, we will give each employees the following access to applications:

Accountant – MS Excel, Calculator, E-mail, Printer

HR Assistant – Telephone, Job Street, LinkedIn, MS Word, E-mail, Printer

Sales Agent – Telephone, Facebook, MS Word, E-mail, Printer

In least privilege, we list the things that each employee needs and we give the needed access to them. However, those applications that are not in the list won’t be given to the users.

Types of Least Privilege

Separation of Duties (SOD)

SOD states that a task (especially critical jobs) must be delegated to more than 1 person. Let’s use the payroll system as an example.

HR Department – Computes your daily time record (DTR)

Accounting Department – Computes your salary based of the DTR submitted by HR department

Management Group – Approves the salary computed and submitted by the Accounting department

What happens if only one person, let’s say Paula, computes for the DTR and salary and approves the computation also?

For instance, if an employee, Gilbert, does not go to work, then it will reflect in his DTR. However, if Paula decides to give Gilbert a salary, then she can freely do so without anybody questioning it. There’s nobody who checks if the task is done correctly or not.

The SOD for the payroll scenario is very important to ensure checks and balances of activities related to work.

SOD

Implicit Deny

Implicit Deny is another type of least privilege that is usually seen and applied in a firewall Access Control List (ACL). Assuming we have an entry in an access control list:

access-list

This ACL entry allows web traffic (tcp 80) going in and out of the network. If that’s the only rule that we have in the ACL, can we access the file server in the network (tcp 21)?

The answer, of course, is no. But one can ask, will it deny tcp 21 even if there is not rule stating that it should be denied?

The implicit deny states that if there is no rule that states allow, then deny access. So even without a specific rule, it is understood that there is a “deny all” rule after the last entry in the ACL.

Job Rotation

Job Rotation is a not so known type of least privilege. This concept requires that other persons are familiar with the job that you have especially if it is a critical role. Although it is costly because you need to train other employees, this is very helpful in determining what is happening to the tasks assigned to a particular person.

If you are put in an employee’s shoes due to job rotation, you and the management may find a lot of things. For example, why does this employee take 10 hours (with overtime) to do his job when I can finish it in 4 hours when I assumed his role in job rotation? There may be something to investigate in this issue.

Job Rotation

—– NOTHING FOLLOWS —–

 

Lesson 1: Introduction to Information Security

Information Security (Infosec) is relatively a new discipline in Information Technology (IT). Usually, it is included as an elective in a course or just a section in software development or network administration. But in these modern times, the study of Infosec encompasses various domains in IT and industries. Meaning to say, Infosec can be applied to database, business administration, human resource etc. It is important to understand that Infosec must be taken as a disparate discipline. Lastly, there are a lot of career opportunities that focus on Infosec because the field is taken as a separate entity. In the 90’s for instance, Infosec is just part of the IT department. Now, there is a separate Security Operations team that manages just security related incidents.

Infosec vs. IT Security

The question “What is the difference between Infosec and IT Security?” is usually queried in job interviews. Now, is there any distinction between the two terms? The answer can be based on the scope of the two. When we say IT Security, this talks about security solutions that are deployed to answer IT needs. For instance, IT Security can be deploying a firewall in the network to control acceptable packets that go in and out of the private network. Another IT Security solution can be deployment of Anti-virus (AV) software in end devices such as desktop computers and laptops.

Infosec is bigger than just IT. IT Security is a subset of Infosec. A good example is, what type of door should I buy to securely lock the servers in the data center? Another example can be, what skills should the receptionist have in order to detect and counteract with fraud calls asking for confidential information?

Formula of Security

Can you imagine yourself going to SM Mall of Asia? Before you are allowed to get inside the mall, you will be subjected to so much inspection and frisking. I’m just not sure if the guards know what they are looking for (pun intended). After the bag inspection and frisking, the queue of people getting in becomes longer and a lot are already angry.

Same is true when you are going to inquire about your credit card balance over the phone. Before you are given the account balance, you will be subjected to various verification questions like date of birth, mother’s maiden name, address and phone number.

Isn’t security a hassle? You may somehow have thought how to show the formula for security.

Simply put, Security is inversely proportional to Convenience. This formula is applicable to all scenarios that will involve security. The more you enforce security, the more it is inconvenient to the users of the facility.

Functionality-Usability-Security (FUS) Model

Supposed you are in your Software Development class or a freelance programmer doing a project for a client. The normal tendency of the programmer is to make sure that the requirements are met and that it is “user-friendly” with the user. In short, you need to please your client.

In security, it will teach you to lessen the attack surface of your application. Yes, you will have to meet the client requirements but you have to check if you can improve it in the security perspective. If you have written the program with 1,000 lines of code, can you improve it by lessening the lines of code? Hypothetically, if you can provide the same program with 100 lines of code with the same functionalities (or removing unnecessary functionalities), then your program is much better for security. There are less ways to exploit a program of 100 lines of code compare to 1,000.

The FUS Model simply states that if you focus solely on Usability, then there will be less Functionality and Security in your program. If you focus on Security on the other hand, there will be less Functionality and Usability in the program. The ideal scenario is to have balance between the three, as depicted in Figure 2.

Depending on the program, however, the focus can change. If you are creating an online banking system for example, the program should be more on Security. In reality, the functionalities of online banking systems are very limited such as view account balance and transfer money from verified accounts at the very least. It is not user-friendly because you will be prompted to type a Transaction Password every time you do a transaction. All your activities are logged for auditing purposes.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L1_IntroToInfosec.