Security Training: #1 What Actually a Security Is?

0 %
100 %
Information about Security Training: #1 What Actually a Security Is?

Published on March 7, 2014

Author: YulianSlobodyan


What Actually Security Is? Yulian Slobodian November 2008

What Actually Security Is? 2

Security Is…  Collins Dictionary:  the state of being secure;  a person or thing that secures, guarantees, etc;  precautions taken to ensure against theft, espionage, etc.  Wikipedia:  the condition of being protected against danger, loss, and criminals;  individuals or actions that encroach upon the condition of protection are responsible for the breach of security. 3

Security and Privacy 4

Security and Privacy 5

Path  History Points  Formal Security Models  Practices and Principles  Techniques and Technologies 6

Information Security: History Points

Information Security History Points  Seals (Bronze Age)  Caesar Cipher (Roman Empire)  Encryption techniques (Middle Ages)  Cipher Machines (World War II)  Academic disciplines of computer security, information security and information assurance (XX century)  Modern Cryptography. Claude Shannon – "Communication Theory of Secrecy Systems" (1949)  Custom hardware attack machines (1998) 8

Information Security: Formal Models

Security Layers Physical Operating System Network Application User 10

Your Applications Are Under Attack 11

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu, The Art of War 12

Information Security: Defender Perspective  C-I-A Triad  Parkerian Hexad 13

C-I-A Triad Confidentiality Data & Services Availability Integrity 14

Parkerian Hexad Confidentiality Completeness & Validity Secrecy & Control Possession Authenticity Data & Services Usability & Usefulness Integrity Availability Utility 15

Confidentiality  Limited observation and disclosure of information 16

Possession (Control)  Holding, controlling, and having the ability to use information.  In extreme cases, a loss of possession could result in total loss of the information 17

Integrity  Completeness, wholeness, and readability of information and quality of being unchanged from a previous state. 18

Authenticity  Validity, conformance, and genuineness of information.  When something does not possess authenticity, it is said to be fraudulent. 19

Availability  The degree to which a system, service or equipment is operable and in a committable state  Both timely and reliable access to data and other resources when needed 20

Utility  Usefulness of information for a purpose.  Utility simply means that we can use the data, system, or device in the manner for which it exists. 21

Information Security: Attacker Perspective  STRIDE 22

STRIDE Taxonomy  Spoofing Identity  Tampering with Data  Repudiation  Information Disclosure  Denial of Service  Elevation of Privilege 23

Spoofing Identity  Collins Dictionary: The act or an instance of impersonating another person  Illegally accessing and then using another user's authentication information, such as username and password 24

Tampering with Data  The malicious modification of data  Unauthorized changes made to persistent data (e.g. database).  The alteration of data as it flows between two computers over an open network, such as the Internet. 25

Repudiation  Deny performing an action without other parties having any way to prove otherwise 26

Information Disclosure  The exposure of information to individuals who are not supposed to have access to it  The ability of users to read a file that they were not granted access to  The ability of an intruder to read data in transit between two computers 27

Denial of Service  An attempt to make a computer resource unavailable to its intended users. 28

Elevation of Privilege  An unprivileged user gains privileged access  Include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself 29

Software Security: Practices & Principles

Secure Design  Basic Secure Design Principles  Attack Surface Analysis (ASA) and Attack Surface Reduction (ASD)  Threat Modeling 31

Basic Secure Design Principles  Economy of mechanism (KIS)  Fail-safe defaults  Complete mediation  Secure the weakest link  Open design  Defense-In-Depth  Separation of privilege  Least privilege  Least common mechanism  Psychological acceptability 32

ASA and ASR  Attack Surface Analysis  Code  Interfaces  Services  Protocols  Attack Surface Reduction 33

Typical ASR Process  Reduce the amount of code that executes by default  Restrict the scope of who can access the code  Restrict the scope of which identities can access code  Reduce the privilege of the code 34

Threat Modeling  A process of assessing and documenting a system’s security risks  Define use scenarios.  Gather a list of external dependencies.  Define security assumptions.  Create one or more DFDs of the application being modeled.  Determine threat types.  Identify the threats to the system.  Determine risk.  Plan mitigations. 35

Secure Coding  Security awareness and education  Understanding secure design principles  Proper use of security techniques  Code quality  Security best practices  Security checklists  Security guidelines  Up-to-date compilers  Code analysis tools  Secure code review 36

Security Verification  Fuzz testing  Penetration testing  Run-time verification  Privacy testing  Vulnerability regression tests  Reevaluating the attack surface  Re-reviewing threat models 37

Software Security: Techniques & Technologies

Identification and Authentication  Identity  Authority  Authentication factors  Authentication: When, What  Authentication problems 39

Authorization  Definition  Authentication versus Authorization  Access Control 40

Cryptography  Symmetric (Secret Key) Cryptography  Asymmetric (Public Key) Cryptography  Employed for  confidentiality  data integrity  authentication 41

Symmetric (Secret Key) Cryptography  Block ciphers  DES  TDES (Triple-DES)  AES (Rijndael)  RC2  Stream ciphers  RC4  Cryptographic hash functions  MD5  SHA-1  Message authentication codes (MAC)  ANSI Data Authentication Algorithm (DES)  UMAC (AES), HMAC (MD5 or SHA-1), CMAC (AES) 42

Asymmetric (Public Key) Cryptography  Branches  Public key encryption  Digital signatures  Ciphers  RSA  DSA  Public Key Certificates  Certificate authenticity approaches  Public Key Infrastructure (PKI)  Principles  X.509  Web of trust  PGP  OpenPGP  GPG 43

Cryptographic Protocols  IPSec  Kerberos  NTLM  TLS/SSL  SSH …  Other 44

Cryptography Technical Choices  Use a hash when you want a way of verifying that data has not been tampered with in transit.  Use a keyed hash when you want to prove that an entity knows a secret without sending the secret back and forth, or you want to defend against interception during transit by using a simple hash.  Use encryption when you want to hide data when being sent across an insecure medium or when making the data persistent.  Use a certificate when you want to verify the person claiming to be the owner of the public key.  Use symmetric encryption for speed and when both parties share the key in advance.  Use asymmetric encryption when you want to safely exchange data across an insecure medium.  Use a digital signature when you want authentication and non-repudiation.  Use a salt value (a cryptographically generated random number) to defend against dictionary attacks. 45

References and Resources  Wikipedia  Information Security  Network Security  Cryptography  SANS Software Security Institute  Application Security Resources  Research Library  Microsoft Patterns & Practices  Security Guidance  Michael Howard's Web Log  J.D. Meier's Blog  OWASP 46

Questions 47

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Information Technology Training and Bootcamps

Information Security Training, 8570.1, ... But the course wasn't just reading from a book, the instructor actually knew the material and taught it as such.
Read more

Cybersecurity | Homeland Security

Cybersecurity Jobs; Cybersecurity Training & Exercises; Information Sharing; Education; Cybersecurity & Privacy; ... The Department of Homeland Security ...
Read more

Information Security Training -

Information Security Training, 8570.1, Security Certification Foundation; ... the instructor actually knew the material and taught it as such.
Read more

Real Security+ Exam Questions | 98.6% Pass Ratio - Actual ...

#1 Security+ Test Prep Solution, ... Immediate access to all CompTIA Security+ Certification Exams and 1800 ... - Comptia Security+ Study Guide - Security ...
Read more

Computer security - Wikipedia, the free encyclopedia

Computer security; Computer security ... cost of security breaches can actually help organizations ... levels to keep studying is online security training, ...
Read more

OPSEC awareness training - Security Awareness Hub

Security Awareness Hub « back. OPSEC Awareness for Military Members, DoD Employees and Contractors. ... NOTE 1: The course includes ...
Read more

Security in the Workplace - Information Material

USDA Physical Security Training Program | Overseas Travel Security Briefing | Security Awareness | Security Library | Security ...
Read more

Cyber Security Awareness Training and Programs | SANS ...

Computer based cyber security awareness training and security awareness programs for various industries and roles ... Security Training; Security ...
Read more

Center for Internet Security

Training & Resources . Overview ; ... The Center for Internet Security mobilizes a broad community of stakeholders ... The Security Benchmarks program is ...
Read more