Published on March 7, 2014
What Actually Security Is?
Yulian Slobodian, November 2008
Security Is...
Collins Dictionary: the state of being secure; a person or thing that secures, guarantees, etc.; precautions taken to ensure against theft, espionage, etc.
Wikipedia: the condition of being protected against danger, loss, and criminals; individuals or actions that encroach upon the condition of protection are responsible for the breach of security.
Security and Privacy
Path
- History Points
- Formal Security Models
- Practices and Principles
- Techniques and Technologies
Information Security: History Points
- Seals (Bronze Age)
- Caesar Cipher (Roman Empire)
- Encryption techniques (Middle Ages)
- Cipher machines (World War II)
- Academic disciplines of computer security, information security and information assurance (XX century)
- Modern cryptography: Claude Shannon, "Communication Theory of Secrecy Systems" (1949)
- Custom hardware attack machines (1998)
Information Security: Formal Models
Security Layers
- Physical
- Operating System
- Network
- Application
- User

Your Applications Are Under Attack

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu, The Art of War
Information Security: Defender Perspective
- C-I-A Triad
- Parkerian Hexad

C-I-A Triad (the three properties protected around Data & Services)
- Confidentiality
- Integrity
- Availability

Parkerian Hexad (six properties protected around Data & Services, in three pairs)
- Confidentiality and Possession (secrecy & control)
- Integrity and Authenticity (completeness & validity)
- Availability and Utility (usability & usefulness)
Confidentiality: Limited observation and disclosure of information.

Possession (Control): Holding, controlling, and having the ability to use information. In extreme cases, a loss of possession could result in total loss of the information.

Integrity: Completeness, wholeness, and readability of information, and the quality of being unchanged from a previous state.

Authenticity: Validity, conformance, and genuineness of information. When something does not possess authenticity, it is said to be fraudulent.

Availability: The degree to which a system, service or equipment is operable and in a committable state; both timely and reliable access to data and other resources when needed.

Utility: Usefulness of information for a purpose. Utility simply means that we can use the data, system, or device in the manner for which it exists.
Information Security: Attacker Perspective
- STRIDE

STRIDE Taxonomy
- Spoofing Identity
- Tampering with Data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Spoofing Identity: Collins Dictionary: the act or an instance of impersonating another person. Illegally accessing and then using another user's authentication information, such as username and password.

Tampering with Data: The malicious modification of data, whether unauthorized changes made to persistent data (e.g. a database) or the alteration of data as it flows between two computers over an open network, such as the Internet.

Repudiation: Denying having performed an action while other parties have no way to prove otherwise.

Information Disclosure: The exposure of information to individuals who are not supposed to have access to it, such as the ability of users to read a file they were not granted access to, or the ability of an intruder to read data in transit between two computers.

Denial of Service: An attempt to make a computer resource unavailable to its intended users.

Elevation of Privilege: An unprivileged user gains privileged access. This includes those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself.
Software Security: Practices & Principles
Secure Design
- Basic Secure Design Principles
- Attack Surface Analysis (ASA) and Attack Surface Reduction (ASR)
- Threat Modeling

Basic Secure Design Principles
- Economy of mechanism (KISS)
- Fail-safe defaults
- Complete mediation
- Secure the weakest link
- Open design
- Defense-in-depth
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability

ASA and ASR
Attack Surface Analysis looks at:
- Code
- Interfaces
- Services
- Protocols
Attack Surface Reduction acts on what the analysis finds.

Typical ASR Process
- Reduce the amount of code that executes by default
- Restrict the scope of who can access the code
- Restrict the scope of which identities can access the code
- Reduce the privilege of the code
Threat Modeling
A process of assessing and documenting a system's security risks:
1. Define use scenarios.
2. Gather a list of external dependencies.
3. Define security assumptions.
4. Create one or more DFDs of the application being modeled.
5. Determine threat types.
6. Identify the threats to the system.
7. Determine risk.
8. Plan mitigations.
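Steps 4 to 6 of the process above (draw DFDs, determine threat types, identify threats) become mechanical once the STRIDE taxonomy from the attacker-perspective slides is applied per element type. The following is an added example, not code from the original deck; it assumes Microsoft SDL's STRIDE-per-element mapping (external entity: S, R; process: all six; data store and data flow: T, I, D; log stores additionally R) and a constructed three-tier DFD.

```python
# STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).
# Added example, not code from the slides. The element-to-threat table follows
# Microsoft SDL's STRIDE-per-element practice (an assumption here, not stated
# on the slides); the sample DFD is constructed for illustration.
from dataclasses import dataclass

STRIDE_NAMES = {  # the six STRIDE threat classes from the taxonomy slide
    "S": "Spoofing Identity", "T": "Tampering with Data", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
PER_ELEMENT = {  # threat classes that apply to each DFD element type
    "external_entity": "SR", "process": "STRIDE",
    "data_store": "TID", "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                            # one of PER_ELEMENT's keys
    crosses_trust_boundary: bool = False
    is_log: bool = False                 # audit logs also face repudiation

def threats_for(element: Element) -> list:
    """Return the STRIDE threat names that apply to one DFD element."""
    if element.kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind: {element.kind}")
    letters = PER_ELEMENT[element.kind]
    if element.is_log and element.kind == "data_store":
        letters += "R"  # logs are where repudiation disputes get settled
    return [STRIDE_NAMES[c] for c in letters]

def enumerate_threats(dfd: list) -> list:
    """Return (element name, threat) pairs, trust-boundary crossings first."""
    ordered = sorted(dfd, key=lambda e: not e.crosses_trust_boundary)
    return [(e.name, t) for e in ordered for t in threats_for(e)]

# Constructed sample DFD: browser -> web app -> database, plus an audit log.
SAMPLE_DFD = [
    Element("Browser user", "external_entity"),
    Element("HTTPS request", "data_flow", crosses_trust_boundary=True),
    Element("Web application", "process"),
    Element("Orders database", "data_store"),
    Element("Audit log", "data_store", is_log=True),
]

if __name__ == "__main__":
    for name, threat in enumerate_threats(SAMPLE_DFD):
        print(f"{name:16s} {threat}")
```

The output is the raw threat list for step 6; steps 7 and 8 (risk rating and mitigation) are still a human judgement over each pair.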
Secure Coding
- Security awareness and education
- Understanding secure design principles
- Proper use of security techniques
- Code quality
- Security best practices
- Security checklists
- Security guidelines
- Up-to-date compilers
- Code analysis tools
- Secure code review

Security Verification
- Fuzz testing
- Penetration testing
- Run-time verification
- Privacy testing
- Vulnerability regression tests
- Reevaluating the attack surface
- Re-reviewing threat models
Software Security: Techniques & Technologies
Identification and Authentication
- Identity
- Authority
- Authentication factors
- Authentication: when, what
- Authentication problems

Authorization
- Definition
- Authentication versus Authorization
- Access Control

Cryptography
- Symmetric (Secret Key) Cryptography
- Asymmetric (Public Key) Cryptography
- Employed for: confidentiality, data integrity, authentication

Symmetric (Secret Key) Cryptography
- Block ciphers: DES, TDES (Triple-DES), AES (Rijndael), RC2
- Stream ciphers: RC4
- Cryptographic hash functions: MD5, SHA-1
- Message authentication codes (MAC): ANSI Data Authentication Algorithm (DES), UMAC (AES), HMAC (MD5 or SHA-1), CMAC (AES)

Asymmetric (Public Key) Cryptography
- Branches: public key encryption, digital signatures
- Ciphers: RSA, DSA
- Public key certificates
- Certificate authenticity approaches: Public Key Infrastructure (PKI) principles and X.509; web of trust with PGP, OpenPGP, GPG

Cryptographic Protocols
- IPSec
- Kerberos
- NTLM
- TLS/SSL
- SSH
- … other
Cryptography Technical Choices
- Use a hash when you want a way of verifying that data has not been tampered with in transit.
- Use a keyed hash when you want to prove that an entity knows a secret without sending the secret back and forth, or when a simple hash would not protect against interception and recomputation in transit.
- Use encryption when you want to hide data being sent across an insecure medium or when making the data persistent.
- Use a certificate when you want to verify that the person claiming to be the owner of a public key really is.
- Use symmetric encryption for speed and when both parties share the key in advance.
- Use asymmetric encryption when you want to safely exchange data across an insecure medium.
- Use a digital signature when you want authentication and non-repudiation.
- Use a salt value (a cryptographically generated random number) to defend against dictionary attacks.
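The first, second and last choices above are easy to get wrong in practice, so here is an added example (not code from the original deck) that contrasts them: an unkeyed hash can be recomputed by whoever alters the message, an HMAC cannot be recomputed without the key, and a per-user salt makes identical passwords hash differently. The key, message and passwords are constructed sample values.

```python
# Hash vs keyed hash (HMAC) vs salted password hash, for the choices above.
# Added example, not code from the slides. A plain hash only detects accidental
# change, an HMAC also resists deliberate tampering by anyone without the key,
# and a per-user salt defeats precomputed dictionary attacks. The key, message
# and passwords are constructed sample values.
import hashlib
import hmac
import secrets

def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone can recompute it, so it detects accidents only."""
    return hashlib.sha256(message).hexdigest()

def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: proves knowledge of `key` without ever sending the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how much matched."""
    return hmac.compare_digest(keyed_digest(key, message), tag)

def tamper_in_transit(message: bytes, tag: str, keyed: bool) -> tuple:
    """Model an interceptor who alters the message. Lacking the key, the best
    they can do is recompute an unkeyed hash; a keyed tag must be left as is."""
    altered = message.replace(b"100", b"900")
    return altered, (tag if keyed else plain_digest(altered))

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256) -> (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    key, msg = b"shared-secret-key", b"transfer 100 to alice"
    # 1. Unkeyed hash: the altered message still verifies against the new tag.
    altered, tag = tamper_in_transit(msg, plain_digest(msg), keyed=False)
    print("plain hash verifies after tampering:", plain_digest(altered) == tag)
    # 2. Keyed hash: the altered message fails verification.
    altered, tag = tamper_in_transit(msg, keyed_digest(key, msg), keyed=True)
    print("HMAC verifies after tampering:", verify_keyed(key, altered, tag))
    # 3. Salt: same password, two salts, two different digests.
    s1, d1 = hash_password("hunter2")
    s2, d2 = hash_password("hunter2")
    print("salted digests differ:", d1 != d2, "| login ok:", check_password("hunter2", s1, d1))
```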
References and Resources
- Wikipedia: Information Security, Network Security, Cryptography
- SANS Software Security Institute: Application Security Resources, Research Library
- Microsoft Patterns & Practices: Security Guidance
- Michael Howard's Web Log
- J.D. Meier's Blog
- OWASP