1. Information Security: The Big Picture – Part I
Stephen Fried
Information Security: The Big Picture - SANS GIAC © 2000

Hello, and welcome to Information Security: The Big Picture. My name is Stephen Fried, and over the course of the next six hours I will be guiding you on a tour of the world of information security. This course provides an introduction to the area of computer and network security. As more and more people and companies connect to the Internet, the incidence of hacker attacks, break-ins, and vandalism continues to increase. With this comes an increasing need for trained professionals who understand and can combat this growing threat. This course will teach you the basics you need to begin securing your systems against threats from both inside and outside your organization.

The course takes a high-level approach, touching on many different topics in an overview style. The information here is presented in plain English, not technical jargon, so students from all backgrounds can understand the material and begin to apply the concepts immediately. Technical concepts (e.g. communications technology, networking, protocols) are explained thoroughly in an easy-to-understand manner, allowing even non-technical students to understand these areas. We rely heavily on real-world examples and common-sense descriptions, enabling students to take their own “real world” experiences and apply them to the information security arena. So, without further ado, let’s get started.
2. Preface
• Course is designed to give a broad introduction to information security
• Use of real-world analogies to explain security concepts
• Will not go into too much technical depth
• Some technical descriptions may be oversimplified
• Use of sample data – not “real”

As stated before, this course is designed to give the student an introduction to the broad spectrum of topics that are covered under the umbrella of Information Security. To completely and thoroughly discuss all the possible topics that could be housed under that term would really take several weeks of in-depth study. Unfortunately, we only have six hours, so we are going to take a more practical approach. We will touch on a variety of areas, giving explanations of each and diving into a few in more detail, but we will refrain from diving too deep into any one topic.

As much as possible, I will try to use real-world examples to illustrate different terms and concepts. I have found, over the years, that many issues in information security are really the same ones that arise in our everyday lives. By applying those experiences to this new area, I hope to better explain the terms, concepts, and topics we will be discussing.

This course does not go into a great deal of technical detail. It is designed for people who do not necessarily have a technical background but need to know more about security. We won’t be discussing much about bit patterns or dissecting the mathematical algorithms used in cryptography, and we’ll stay pretty clear of discussion or dissection of hardware and software. That is not to say that the course does not have technical content; it’s just that I’ve tried to limit it as much as possible. Which brings me to my next point. Some of the topics we cover are, in actuality, highly technical, and to completely understand them does take a certain amount of technical explanation. So, in order to allow non-geek regular folks to understand and enjoy the topics, I have had to simplify some of the more esoteric technical details and descriptions. My apologies in advance if my simplification goes a little far. Please know that it was all for the sake of reaching as wide an audience as possible.

Finally, I use many examples of sample data in this course – Social Security numbers, network addresses, people and company names, etc. I have tried my best to make as much of this up as possible. Any resemblance between the example data and any persons, companies, or groups, living or dead, is purely coincidental.
3. Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion

Our first topic is a General Security Introduction. In this section we introduce you to some basic terms, concepts, and definitions you will need to begin understanding information security.
4. What Is “Security”?
• “Freedom from risk or danger”*
• The application of safeguards to prevent loss
• A subjective measurement of preparedness for risk
• A feeling of safety
*The American Heritage Dictionary of the English Language

I suppose the best way to start talking about information security is to examine the term “security” itself. What is “security?” I looked it up in my handy dictionary and found that the definition of security is “freedom from risk or danger.” So, by extension, this would mean that information security would be the science of keeping information free from risk or danger. Well, that sounds good, and is certainly a worthy goal, but as we shall see over the span of this course, it is not a very realistic one. Why? Because in today’s world, particularly in today’s on-line world, you can never be completely free from risk or danger. There is just too much danger going around. So there will always be some risk. But that means we can never be secure...

I guess I am talking in circles here, somewhat intentionally. Let’s start at the beginning. You can never be completely free from risk. When we get to the section on risk and risk analysis we will see how this is true. But for now, suffice to say that you can never completely prepare for all the bad things that will happen. So you have to pick and choose the dangers you want to protect against. You put your energy into preparing for those that you think are the most threatening and spend less time on those that you think are more remote. So here we see that security becomes subjective. If you have prepared against your own personal top ten threats, you feel secure. But your top threats might be different than someone else’s top threats. Given your list of preparations, someone else might not feel as secure. There are no absolutes in security, no quick measurement to say definitively if you are secure or not. So you can never be sure that you have covered all the bases. But, if you do your homework, define your goals and threats, and make the proper preparations and install the proper safeguards, you will be more secure than if you had done nothing. And, in the end, maybe that’s what security is really all about – a feeling of safety. The notion that you feel better about your efforts to protect yourself and your assets.

Perhaps we’ve started off a bit philosophically. Don’t worry, we’ll get back into the meat of things quickly, but I wanted to start you out with a feel of what security people face every day. Security is part art, part science, part technical, part philosophy, and all very interesting.
5. The Consequences of Inadequate Security
• Loss of company assets
• Loss of revenue/market share
• Loss of intellectual property
• Loss of privacy
• Damage to reputation

We will spend the rest of the course talking about the importance of security, risk and threats, and the steps you can take to improve the security of your organization. However, I believe the best way to start out the course is a brief discussion about the consequences of bad security. What would happen if you didn’t pay attention to security at all? Perhaps answering this question will get you in a frame of mind to think seriously about your security efforts. There are many consequences of bad security, and the list probably varies from organization to organization, but this slide shows the five major consequences.

The first is loss of company assets. This is the most obvious, as it deals with real, definable losses – damage to computers, loss of data, service disruptions on your network, etc. When most people think of security consequences they think of these types of issues. However, there are other consequences that can be just as damaging, but do not immediately come to mind.

One of these is loss of revenue or market share. When an attacker comes in and defaces your web site, there will be time and expenses associated with repairing the damage. Those are the direct losses. However, the organization may also lose money because customers can’t get to the web site to order the company’s products or services. The longer the site takes to rebuild, the more potential revenue will be lost. Another indirect loss is market share. Depending on the type of business, a short-term loss is usually recoverable from a customer service perspective. Customers on the web today are used to short-term outages – annoyed, but used to it. However, if the outage lasts past a certain comfort level, customers will begin looking elsewhere for competing products. If the outage is long enough, a serious loss of market share may be the result.

An organization that does not pay proper attention to security can be risking its intellectual property. Intellectual property represents the knowledge, experience, and research that the organization has developed, and can sometimes be so valuable to the organization that dollar figures cannot even be placed on it. These are the types of assets that are most worthy of protection, since their loss might mean irreparable harm to the organization’s product development or financial outlook.

A serious breach in security might mean the loss of privacy for your business or your customers. Privacy, particularly privacy of customer information, has become quite a hot topic over the past several years. We’ll discuss privacy issues in depth later in the course, but consumers and employees are coming to expect that their personal and financial information will be secured against unauthorized disclosure or theft. If an organization does not protect this information heavily and allows it to get into the hands of attackers, the loss to personal privacy may be irreparable.

Finally, a great deal of e-commerce today is based on trust – trust in the vendor, trust in the vendor’s ability to perform as advertised, trust that information about yourself and your business will be kept confidential. A successful attack on your network or web site can cause that trust to be lost. Your organization’s reputation is based partly on the fact that it is perceived to be well run, treats business partners with respect, and takes the due care necessary to protect itself and its customers. As any businessperson knows, reputation can be as important as the balance sheet to a well-run business. Protecting your systems and networks helps to protect that reputation.
6. Basic Security Management
• Confidentiality
• Integrity
• Availability

Information Security is generally said to rest on three fundamental pillars: Confidentiality, Integrity, and Availability. These three functions are commonly referred to as the C-I-A Triad.

Confidentiality refers to the areas affecting the need to keep information private or secret and to prevent disclosure of information to those who do not need to see it. Confidentiality can be achieved through the use of encryption, by selective use of access controls, or by keeping sensitive information apart from publicly-available information.

Integrity is the notion that information should be complete and unaltered as it is used, and that any changes are made only by authorized people and properly recorded. Altering account balances in a financial system or modifying log records to hide a computer attack are examples of integrity attacks.

Availability refers to the need to have information available for use when it is needed and in a form that is usable. Crashing a computer system or large-scale virus attacks are examples of availability attacks.

These three elements - Confidentiality, Integrity, and Availability - are often interrelated. For instance, the same cryptographic toolkit can handle both confidentiality and integrity: encryption keeps the data secret, and a message authentication code or digital signature over the data lets the receiver detect modification. (Encryption by itself does not provide integrity; an attacker who cannot read a message may still be able to alter it undetected, so the two protections are usually combined.) Alteration of a system’s information, generally considered an integrity issue, can have availability consequences as well. Or, you may determine that for a particular environment or application, you need to pay less attention to one area or another. A web server that holds catalog or brochure information for a company may require high availability, but lower confidentiality, since the information is public anyway. Systems that handle bank wire transfers are usually concerned more with integrity than confidentiality or availability. However, in any review of overall security you will need to take all three of these issues into account.
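The wire-transfer example above is a good place to see why confidentiality and integrity are separate properties. The following Python program is an added illustration, not part of the original course material. It uses a deliberately simple XOR keystream (derived with SHA-256 in counter mode, a stand-in for a real stream cipher, not something to deploy) to show that an attacker who cannot read an encrypted transfer instruction can still change the amount in it, and that adding an HMAC over the ciphertext makes the same change detectable. The message format, account number, and key values are constructed for the example.

```python
"""
Confidentiality without integrity: added example, not from the original course.
The XOR keystream below is a toy stand-in for a stream cipher; real systems
should use an authenticated-encryption mode such as AES-GCM instead.
"""
import hashlib
import hmac
import os
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, concatenated. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    ks = keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def flip_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """
    The integrity attack. Without the key, XOR the ciphertext at a known offset
    with (old ^ new); because c = p ^ k, the receiver decrypts to `new` where
    the plaintext used to read `old`.
    """
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag computed over the ciphertext."""
    ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Check the tag (constant-time compare) before decrypting; None means tampered."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, ct)


# Constructed sample: a fixed-format wire-transfer instruction.
MESSAGE = b"WIRE amount=000100 to=ACCT-4471"
AMOUNT_OFFSET = MESSAGE.index(b"000100")


def demo(enc_key: Optional[bytes] = None, mac_key: Optional[bytes] = None) -> dict:
    enc_key = enc_key or os.urandom(32)
    mac_key = mac_key or os.urandom(32)

    # 1. Encryption alone: the attacker rewrites the amount without the key.
    ct = encrypt(enc_key, MESSAGE)
    tampered_ct = flip_bytes(ct, AMOUNT_OFFSET, b"000100", b"999999")
    unprotected = decrypt(enc_key, tampered_ct)

    # 2. Encryption plus MAC: the same modification is rejected.
    sealed = seal(enc_key, mac_key, MESSAGE)
    tampered_sealed = flip_bytes(sealed, AMOUNT_OFFSET, b"000100", b"999999")
    protected = open_sealed(enc_key, mac_key, tampered_sealed)

    return {
        "unprotected": unprotected,   # amount silently becomes 999999
        "protected": protected,       # None: tampering detected
        "honest": open_sealed(enc_key, mac_key, sealed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the attacker turning a 100-unit transfer into a 999999-unit transfer with no knowledge of the key when only encryption is used, while the MAC-protected version returns None and the transfer would be refused. The lesson maps directly onto the slide: confidentiality and integrity are different controls, and a wire-transfer system that cares most about integrity needs the second one.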
7. How Secure is Secure Enough? (1)
• Three fundamental questions
 – What are you protecting?
 – What is it worth to you?
 – What is it worth to someone else?

Information security practitioners often wrestle with the problem of determining how much security is considered “enough” for a particular application. Unfortunately, there is no single correct answer to this question. The best place to start is by answering what I call the three fundamental questions about information security.

First, what are you trying to protect? You need to define clearly what is the thing you have that is worth time and effort and energy to keep it safe from harm. Is it a web site? A business plan? A patented formula? An accounting system? You need to define as specifically as possible the object that needs protection, and without knowing this, you can go no further. Many security efforts go awry because they fail to answer this one basic question.

Second, you need to determine what the object is worth to you. What is the intrinsic value this thing has that makes it worth protecting? It may be a monetary value. For instance, the amount of revenue an e-commerce site brings into your company. Or it may be more of a symbolic or subjective value. For instance, the amount your company’s reputation will suffer if its network gets hacked. In any case, you need to have a good idea of the value of the object, since that will lead you to determine how much effort you will put into protecting it. If the object is the cafeteria’s lunch menu for the week, you probably won’t put a lot of effort or money into protecting it. If, however, the object is the secret formula to your best-selling perfume, that is probably worth a lot more money to your company and worth putting extra resources into protecting it.

Finally, how valuable the thing might be to someone else. If it is valuable to you, you can bet that there are others that will be willing to put effort into getting it as well. How much money could your top competitor make if they got hold of that secret formula? If word leaked out that your system for holding customer credit card numbers got attacked, would your customers move to your business rival? The value of your information to others may factor into how much you put into security.

You need to address these three questions early on in your security planning. Until you have answered them to your satisfaction, do not go any further, because you will be putting money and resources into an ill-defined goal.
8. How Secure is Secure Enough? (2)
• Dealing with motivations
• Raising the effort bar
• Making yourself less “attractive”
• Security “lifetime”

There are other factors to consider as well when determining how much security is “enough”. Conventional wisdom has it that you need to make security hard enough to break so that eventually an attacker will give up and go somewhere else. This is because it may become too expensive for an attacker to continue, or they may fear that additional time spent risks getting caught, or they may just get bored and go elsewhere.

Much of this goes to the motivation of the attacker. Why are they trying to attack you? What do you have that they want? Unfortunately, the answer may not be so obvious. Sure, you may have something immediately identifiable like a product or money that they want. But you may be getting attacked because of who you are (like a government or a big, mean, oppressive multinational corporation). You may be getting attacked because of association with something you represent, like a particular industry (e.g. fur trading or a tobacco company). Or you may be attacked because your name popped into the head of the attacker as someone that might be “cool” to break into. The problem is that you may never know why you are getting hit. Without knowing the motivation, how do you determine how much security to apply?

One of the best strategies is to raise the effort bar, so to speak. You need to apply enough security so that the level of effort required is greater than you think most attackers will be able to apply. You do this by applying the Defense in Depth strategy we will discuss shortly. Each layer of defense will hopefully serve to deter the attacker from going further in his attack so that eventually he will give up without getting to the “prize.” In this way, only the most determined, well funded, and experienced criminals will be able to get through all your defenses. You may never be able to completely secure your systems against all attacks, as that might be too expensive or resource intensive. But you can raise the effort level high enough for your own comfort.

You can also make an effort to make yourself less “attractive” to a potential attacker. I know people in my neighborhood that put up “Beware of Dog” signs even if they don’t have a dog, or put burglar alarm company stickers in their windows even though they don’t have an alarm, or light up their house like a Christmas tree at night, all in an effort to deter burglars from trying to break into their house. You can apply the same concept with your systems and networks. Let people (both inside and outside your company) know you use a strong firewall system, or that you monitor and check all transactions that go through your web site, or that you actively prosecute attackers. These are the system equivalents of dog signs and flood lights. This may be enough to deter some would-be attackers from even attempting to break into your systems. Be careful, though. If you brag too much about your defenses you may actually encourage someone who wants to prove they are better than you.

Finally, you want to make your security efforts commensurate with the useful lifetime of your information. For example, if you are trying to protect the revenue projections for your next quarter, you only really need to protect them until they are made public. Devising a system that will protect the secret for the next 50 years will not only be expensive, it may be overkill.
9. Who Are The Threats?
• Hackers?
• Vandals?
• Espionage?
• Insiders

When looking at the possible sources that threaten your organization’s systems, you have to look at several types.

The first group is the “hacker.” I use hacker in quotes because the real definition of hacker has changed so much over the years. By hacker I mean a person that uses computers and networks to inflict damage (either real or threatened) upon your environment. (Editor’s note: some people use the term ‘hacker’ simply to refer to someone who is interested in computers and in finding out how they work. This is in contrast with the word ‘cracker’, which refers to someone with malicious intent. – JEK) Hackers have certainly gotten a large amount of press in recent years and for good reason. But they are not necessarily your only threat, nor are they the biggest.

Vandals are a sub-class of hackers. Whereas hackers may or may not be out to steal or disrupt your information, more often than not they will attempt to cover their tracks, at least initially. And, if they are really good, you may never know they have been in your systems. Vandals, on the other hand, are out to do visible damage to your systems. They will deface your web pages, erase your files, anything they can do to disrupt or damage your systems. You will know instantly when a vandal has been in your computer.

Hackers and vandals present a real threat to your systems, but for the most part, they may not be out to get you directly. You are just a symbol or an object to them. However, practitioners of espionage are out to target you specifically. They will try to get your intellectual property, try to disrupt your operations or communications, and wreak havoc on your environment. They will be backed by your competitors or by a foreign government, and in some respects represent the most dangerous of all outside threats. They are generally well financed, well trained, and have a valuable goal in mind.

Finally, one of the largest threats to any environment is insiders. Studies have repeatedly shown that insiders represent the largest cause of security incidents year after year. The reasons are obvious. These people are already in a position of trust, they know their way around the systems, and they know what security controls are in place and usually how they can be defeated. Whether it is through bribery, disgruntled employees, outsourced personnel, or someone with personal financial hardship, you need to be as mindful of the security impact of your insiders as you are of outsiders.
10. Who Do You “Trust?”
• System will operate in ways that can be predicted
• According to specifications
• Only allow authorized activities
• No undocumented features
• Trust vs. Security

Central to all discussions about information security is the concept of trust. In the real world, trust is an intangible concept that can be difficult to define but is readily understood. You trust someone based on your experiences with them, their reputation, your preferences, your ability to reach agreements with them, etc. These are all intangible properties, and there is no real way to measure trust.

Computer and network security also uses the concept of trust and in many of the same ways. However, unlike real life, trust in the security sense has a precise definition and a set of measurable criteria. In order to have trust in a system, it must operate in ways that can be predicted, according to specifications, allowing only authorized activities, and can contain no undocumented information paths or features. Let’s look at each one of those criteria individually.

The system will operate in ways that can be predicted. If you give input into a computer, given the same runtime environment, it should give you the exact same output every time. There should be no variation in the way the system operates. For example, if you install a building card access system, you need to know that every time a person holds their card up to the reader, the system will give an accurate response. If there is any variability in the system, if it sometimes allows unauthorized people in or prevents entry to authorized people, the system is of no use.

The system must run according to specifications. This means that the system must have a formal specification of its operation and cannot deviate from that specification. Like operating in predictable ways, operating according to specifications eliminates any random elements in the system’s operation.

The system should only allow authorized activities. This means that every action taken by and within the system must be authorized by the system, and any users must be authorized both for access to the system itself as well as any activities they may perform while on the system.

There must be no undocumented features in the system. One of the more common causes of security problems is the discovery of undocumented or hidden features. Once these features are discovered, they can be used to manipulate the system in unpredictable ways, thus violating the trust of the system.

We should also make a distinction here between “trust” and “security”. As we have seen, trust refers to the dependability of a system to perform as expected within certain parameters. Security, on the other hand, is the sum total of issues relating to the confidentiality, integrity, and availability of systems and information. Trust is an important part of security, but it is only one part.
11. Security Strategies
• Separation/Rotation of duties
• Security Perimeter
• Defense in Depth

There are as many different security configurations, practices, and approaches as there are security practitioners. One of the great things about security is that there can be many different ways to accomplish a task that will give you many different levels of security, depending on your goals and values. However, there are some basic tenets of security that you should be aware of and apply as often as possible.

The first is separation and rotation of duties. Separation of duties refers to the practice of not relying on a single person or process to accomplish a task that has high security impact. For example, safe deposit boxes at a bank require two keys. The manager of the bank holds one and the customer holds the other. Another example is that two separate controls must be operated simultaneously by separate people to launch a nuclear missile. A third example is when each person knows a small piece of information needed to complete a task, but all the pieces must be brought together in order for the task to be completed. This means that more than one person must collude to commit a crime. Rotation of duties helps detect a crime. Rotation of duties involves having people rotate jobs occasionally. Doing this allows the new person at a task to discover frauds being committed by the previous person.

The security perimeter is a boundary around your network, service, or process that represents the distinction between the “safe” or “trusted” inside and the big, bad outside. Sometimes a security perimeter can be physical, like a large gate or a network firewall, or it can be imaginary, like security levels in an operating system. In either case, the perimeter is an important concept to know and understand.

Finally, there is the concept of defense in depth. Defense in depth takes the concept of a security perimeter one step further by introducing the use of multiple perimeters, one inside of the other, for a greater level of safety. At each level there is another protection mechanism. At the network level this might be a firewall. When an intruder somehow gets past the firewall and starts to attack a host on the network, he will meet up against any host security that is in place. If he breaks through that defense he will need to get past any application-level security that is in place, and so on. Defense in Depth provides more security by making it harder for an attacker to get at anything valuable. The harder it is, the more likely they will go elsewhere.
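The third separation-of-duties example above (each person holds one piece, and every piece is needed) is exactly what cryptographic secret splitting does. The Python program below is an added example, not from the original course, showing the simplest form: a secret is split into n shares by XOR with random data, the XOR of all n shares gives the secret back, and any n-1 shares together are indistinguishable from random bytes, so a subset of custodians learns nothing. The master key, the custodian count, and the function names are constructed for the example. This is the all-or-nothing (n-of-n) case; if you need "any k of n" instead, a threshold scheme such as Shamir's secret sharing is the usual tool.

```python
"""
XOR secret splitting as an illustration of separation of duties. Added example,
not part of the original course material. n-of-n only: every share is required.
"""
import os
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int) -> List[bytes]:
    """
    Produce n shares. The first n-1 are uniformly random; the last is chosen so
    that XOR-ing all n shares yields the secret. Each custodian receives one.
    """
    if n < 2:
        raise ValueError("need at least two custodians")
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """
    XOR all supplied shares. Only correct when every share is present; with any
    share missing the result is just random bytes, which is the point.
    """
    if not shares:
        raise ValueError("no shares supplied")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("shares must be the same length")
    result = bytes(length)
    for s in shares:
        result = _xor(result, s)
    return result


# Constructed sample: a master key that three custodians must jointly reassemble.
SECRET = b"master-key-2000"


def demo(n: int = 3) -> dict:
    shares = split_secret(SECRET, n)
    recovered = combine_shares(shares)                 # all n custodians present
    partial = combine_shares(shares[:-1])              # one custodian withholds a share
    return {
        "recovered": recovered,                        # == SECRET
        "partial_leaks_secret": partial == SECRET,     # False: n-1 shares reveal nothing
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The security of the scheme rests entirely on the random shares being generated with a cryptographic source (os.urandom here) and on each custodian keeping only their own share; if one person is allowed to hold two shares, the separation of duties the slide describes has already been undone.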
12. Defense In Depth
[Diagram: concentric rings labelled Network, Host, Application, Info]

This diagram shows a pictorial representation of the Defense In Depth concept. At the center of the diagram is your information. However, the center can be anything you value, or the answer to the question “What are you trying to protect?” Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Using a Defense in Depth strategy does not make it impossible to get to your core resources – the resource at the center of the diagram. For example, your defense layers might be trivial or easy to compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest protections feasible at each layer, presents a formidable defense against would-be attackers.
13. Computer Crime is Not That Hard to Do!
• Openly displayed information
• Easily available tools
• Dumpster Diving
• Shoulder Surfing

Most people outside of the computer security industry believe that to commit computer crime requires highly technical skills and extensive knowledge of computers. However, the plain fact is that most of the activities involved in computer crime are not that complicated at all. In fact, that is part of the reason that the incidence of computer crime continuously rises each year. Let’s look in more detail why computer crime is not that hard to do.

One of the biggest problems is that there is a great deal of so-called “sensitive” information that is left openly displayed for all to see. How many people do you know have their computer passwords written on yellow sticky-notes attached to their monitors? If you walk past any open printer or fax machine in your office, I bet you can find lots of sensitive company information lying around because somebody forgot to pick it up. And if you walk through any office building after hours you will see literally piles of sensitive information left lying out on people’s desks. Information that is sensitive or confidential should not be displayed openly for anyone to see and should not be left out available to anyone who happens to walk by.

The tools and techniques needed to commit computer crime are getting increasingly easier to use and are becoming commonly available on the Internet. In today’s computer criminal world, only the first person to commit a new type of attack needs to be the smart one. He then distributes the tools used in the attack around the Internet, where they are picked up by young hacker wanna-bes. The wanna-bes use the tools to commit the crime without really knowing how they work, because they don’t have to. Rather than the criminal rising to the skill set needed for the crime, the skill set for the crime has now lowered itself to the criminal.

Dumpster diving is a common “sport” among computer criminals. Dumpster diving refers to the practice of rummaging around the trash of a company to see what valuable information can be obtained. You’d be surprised at the sensitive documents that people will just throw into the trash. System printouts, password lists, phone lists, drafts of financial reports, you name it. All sitting there in the bin waiting to be taken away. This information can be extremely valuable to competitors. If you have sensitive or proprietary information, make sure it is shredded or otherwise destroyed before being put into the trash.

Shoulder surfing is another common sport used to get important information. Shoulder surfing is the name given to the act of looking over somebody’s shoulder as they handle information. Shoulder surfing is most common in the phone credit card industry, where card number thieves wait near public pay phones for someone to enter a credit card number into the phone. When they do, the thieves write it down and sell the number for lots of money. Shoulder surfing can also apply to other areas as well. You can watch someone as they type their user ID and password into a computer. If you fly on airplanes regularly, you may see some people working on their laptop computers. Unfortunately, if you do this, the person in the seat next to you or behind you will be able to see everything you are working on, including sensitive company information. As I am writing this, I am on an airplane and the man in the seat next to me is constantly looking over reading what I am writing. The rules of polite society do not apply when a thief wants to get at your information.
  14. Beware of SKRAM*
• Skills
• Knowledge
• Resources
• Authority
• Motives
* Donn Parker, Fighting Computer Crime

Most attempts to classify and profile computer criminals have generally failed, since there is no known or discernible pattern in personalities or motivations. Donn Parker, in his book Fighting Computer Crime, has come up with a way of characterizing potential adversaries. In his words: “Although it is impossible to characterize these criminals in a single profile, there are some interesting and useful criminal phenomena that we need to know to be effective in protecting information. Several of these characteristics differentiate cyber criminals from white-collar criminals.” Mr. Parker refers to these as SKRAM: Skills, Knowledge, Resources, Authority, and Motives.

Skills fall into three basic areas: formal learning, experience with information systems, and social interaction with people. Criminals who can combine good technical skills with strong and influential interpersonal skills can be the most damaging to your information.

Criminals must have knowledge of the environment, technology, or people in order to be successful. Criminals who do not possess sufficient knowledge must obtain it before moving forward.

Resources represent the means to engage in the abuse and misuse of information. In most cases, resources are relatively basic and easy to obtain.

Authority refers to the assigned rights or privileges that a criminal has, or needs to acquire, in order to commit a crime. Criminals gain the necessary authority by having a user ID and password along with privileges to manipulate information. They can also gain authority through identity theft.

Motives are often difficult to understand or predict, and thus are often the most overlooked aspect of computer crime.

When analyzing your systems and formulating your security efforts, rather than focusing on a narrow definition of character types (e.g. “hackers” or “vandals”), it may be advantageous to analyze your potential attackers in terms of SKRAM. By looking at those with high enough levels of skills, knowledge, resources, authority, and motives, you may be able to defend better against a broader spectrum of threats.
  15. Data Classification
• What is it and how does it work
• DC in a military environment
• DC in a corporate environment

There may be situations where you need to separate information into different groups. You may need to separate information by department, or you might need to separate information into sensitivity levels. In either case, you need to develop a mechanism for specifying how the information will be separated and who has access to which pieces of information. This process is called Data Classification.

With data classification, each resource gets tagged with a sensitivity, usually high, medium, or low. Then, each person who needs access to information gets tagged with an access level. If, for example, a person with a low access level wants to see a document with a high sensitivity level, the access will be denied. Likewise, a person with a high access level will be able to access information with high, medium, or low sensitivity. In some classification schemes, you are only able to access information with exactly the same level as the one you possess. In this case, high access level people can only see high sensitivity documents, and so forth.

Data classification can be applied in different ways in different environments. In government and military environments, where they often deal with state secrets, classification is very strictly controlled and there are severe penalties for breaking classification rules. Every application, system, and network follows the classification system, and every effort is made to keep information from crossing classification boundaries.

In corporate environments, classification is more loosely controlled and, in some cases, not applied at all. Information in commercial applications needs to flow much more freely, and the people using them are often more concerned with getting information quickly than with protecting it properly. While this may be good for business, it is usually very bad for security. In most companies, the only classification that is enforced is some sort of proprietary or confidentiality marking at the bottom of documents. The company may have policies for handling different types of proprietary information, but most often it does not strictly enforce those policies in its systems.
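The two classification schemes described above (a user sees anything at or below their level, versus a user sees only their exact level), written out as a small access check with an audit line for denied requests. This is an added example and not part of the course material; the level names, document names and user names are constructed for illustration.

```python
# Added example (not from the SANS course): a minimal data-classification
# check implementing the two schemes the slide describes.
from enum import IntEnum


class Sensitivity(IntEnum):
    """Sensitivity tag for a resource, or access level for a person."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed sample documents, each tagged with a sensitivity level.
DOCUMENTS = {
    "cafeteria_menu.txt": Sensitivity.LOW,
    "org_chart.pdf": Sensitivity.MEDIUM,
    "merger_plan.docx": Sensitivity.HIGH,
}


def can_access(user_level, doc_level, scheme="dominance"):
    """Return True if a person tagged user_level may read a resource tagged doc_level.

    scheme="dominance": the person may read anything at or below their level
                        (high sees high, medium and low).
    scheme="exact":     the person may read only resources at exactly their level.
    """
    if scheme == "dominance":
        return user_level >= doc_level
    if scheme == "exact":
        return user_level == doc_level
    raise ValueError(f"unknown classification scheme: {scheme}")


def readable_documents(user_level, scheme="dominance", documents=DOCUMENTS):
    """List (in name order) the documents a person may read under the given scheme."""
    return sorted(name for name, level in documents.items()
                  if can_access(user_level, level, scheme))


def audit_access(user, user_level, name, scheme="dominance", documents=DOCUMENTS):
    """Decide one request and return (allowed, log_line).

    The log line makes denied requests visible to the detection phase,
    rather than silently refusing them.
    """
    doc_level = documents[name]
    allowed = can_access(user_level, doc_level, scheme)
    verdict = "ALLOW" if allowed else "DENY"
    line = (f"{verdict} user={user} level={user_level.name} "
            f"doc={name} doc_level={doc_level.name} scheme={scheme}")
    return allowed, line


if __name__ == "__main__":
    for level in Sensitivity:
        print(level.name, "dominance:", readable_documents(level))
        print(level.name, "exact:    ", readable_documents(level, "exact"))
    print(audit_access("alice", Sensitivity.LOW, "merger_plan.docx")[1])
```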
  16. Three Phases of Security Processes
[Diagram: a cycle of Prevention, Detection, and Response]

Another part of your strategy concerns the process of preparing for and reacting to activities that happen at your facilities. As you plan your security strategy and activities you will probably be able to categorize them into three broad areas: prevention, detection, and response.

Prevention activities are those you perform to keep bad things from happening. This includes all your work on security policies, awareness, network, host and application security, access control, and everything else you do to raise the security level of your environment.

If your prevention efforts fail you need to fall back to your next line of defense, detection. This is the process of finding out that bad things have happened and reacting accordingly. Detection can take many forms, but usually involves some sort of alerting or monitoring function.

Once you have detected a security incident you need to move to the next phase, response. This is how you deal with the incident. Response can take many forms, but usually involves finding out what went wrong, fixing the problem that allowed it to happen in the first place, and possibly trying to find out who the perpetrator is and bringing them to justice.

The process of prevention, detection, and response is not a one-time process. It is usually considered a cycle. The information you learn from each step in the process feeds into the next step. Once you have gotten through the response phase, you try to determine how the incident could have been prevented. You then feed that information back into the prevention phase and start all over again.
  17. Security Awareness
• The importance of awareness
  – Security stance
  – Dos and don’ts
  – Information protection
  – Assisting in the security effort
• The benefits of effective awareness
  – Reduced security incidents
  – Improved knowledge amongst users
  – Reduction in losses

Security awareness is the process through which you let your employees, associates, business partners, or anyone else who uses your computers or networks know what your security policies and practices are, what is expected of them, and how they are to handle your information. Security awareness is arguably one of the most important aspects of information security. Why is this?

Well, for one thing, people need to know how you feel about security and how you approach its enforcement. Does your site have a very restrictive security stance, like many government facilities, or does it treat security loosely, like many academic environments? Knowing this will help your users model their behavior on the environment.

Effective awareness will also let your users know what is expected of them, the dos and don’ts of your service. You can’t very well expect them to follow rules if you don’t make an effort to tell them what the rules are to begin with. Let them know the best ways to handle information securely, and tell them the consequences of poor information handling.

Finally, a good security awareness program will enlist the help of your users in assisting with the security effort. You can’t enforce security alone, so you might as well get the help of the people who work in and around your systems every day. Use your awareness efforts to let users know how they can protect your information. Let them know how important they are in the process, and let them know the consequences of failing to enforce your policies. Give them the tools and the processes to detect fraud and security breaches, and give them an easy method for reporting security incidents. By making your users feel like they are part of the process you will have a much higher level of security.

There are some obvious benefits to having a strong security awareness effort. You will reduce the number of security incidents. This will be the result of both a reduction in the number of accidental security incidents (because people will be more conscious of security issues) and a reduction in the number of intentional incidents (because people will have more knowledge of how to prevent security problems in the first place). You will improve the security knowledge amongst your users, and they will be able to help you reduce losses.
  18. What is Risk?
• A potential for loss or harm
• An exposure to a threat
• Risk is subjective
• Dependent on situation and circumstances

The concept of risk is central to any discussion about information security. The term risk has many meanings in many different situations, but it can generally be defined as a potential for loss or harm. Risk usually comes about because you have a vulnerability to some sort of threat. The reason that risk means different things to different people is that everyone has a different idea about what risk entails, the amount of risk they are comfortable with, and how much effort they are willing to expend to minimize or eliminate the risk.

Your comfort level with, or aversion to, risk is also highly dependent on the situation and circumstances in which you find yourself. For example, you might consider walking down a dark street to be a risk. If you are a small child, you might think the risk is high. If you are a policeman wearing a gun you might think the risk is reduced. If the street is in a suburban neighborhood you might feel there is less risk than if the street is in a big city. If the street is in the middle of Disneyland you might not feel any risk at all. The point is that risk is a subjective, variable feeling that very often cannot be absolutely described or measured. It is these subjective criteria that make dealing with risk a particularly interesting matter. However, dealing with risk is at the core of the information security professional’s job.
  19. Handling Risk
• Eliminate risk
• Minimize risk
• Accept risk
• Transfer risk

There are several ways of dealing with risk. First, you can eliminate the risk. You do this by eliminating the cause of the risk or by decreasing your vulnerability to the risk. For instance, if the risk is that you might get into a car accident, you can eliminate the risk by not driving your car. A bit of an overreaction, perhaps, but it does eliminate the risk.

The last example demonstrates clearly why elimination of risk is usually not practical or acceptable to many people. True, by not driving your car you won’t get into an accident. But how many of us could function normally without being able to drive? The cost of eliminating the risk is just too high. So the second method of dealing with risk is to minimize the risk. In our example we can minimize the risk of accidents in many ways. We can drive slower and avoid crowded streets. Or we can avoid driving at rush hour. Many of these may impose some restrictions on our driving habits, but they are not as severe as eliminating driving altogether.

Once you have reduced risk to a certain level you might reach a point where you are willing to accept the remaining risk. After you’ve driven slower, changed your routes and times, fastened your seat belt and checked your air bags, you may conclude that, despite the possibility of an accident, you have done everything you could to reduce the damage to yourself and your car. You are now ready to accept the remaining risk as a justifiable cost of driving. Accepting risk is OK, and each person, company, government, or other organization must decide for themselves how much risk is acceptable.

Finally, you can choose to transfer risk. Transferring risk means making your risk someone else’s responsibility. A primary example of risk transference is the use of insurance. When you take out insurance on your car, you are, in effect, saying that you understand that there is a risk in driving but you want the insurance company to assume that risk. If you get into an accident the insurance company will pay the damages, not you. Risk transference is an established practice in the general business community, but it is still very new in the information security area. Because there are very few statistical models from which to draw any sort of conclusions about the likelihood of computer and network crime, insurance companies have been extremely reluctant to provide coverage.
  20. Threats
• Activity that represents possible danger
• Can come in different forms & from different sources
• You can’t protect against all threats
• Protect against the ones that are most likely or most worrisome based on:
  – Business goals
  – Validated data
  – Industry best practice

In security discussions you will hear a lot about threats. Threats, in an information security sense, are any activity that represents possible danger to your information. Danger can be thought of as anything that would negatively affect the confidentiality, integrity or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.

Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities and random acts of violence. And there are electronic threats like hackers, vandals and viruses. Your particular set of threats will depend heavily on your situation: what business you are in, who your partners and enemies are, how valuable your information is, how it is stored, maintained and secured, who has access to it, and a host of other factors.

The point is that there are too many variables to ever possibly protect against all the possible threats to your information. To do so would cost too much money and take too much time and effort. So, you will need to pick and choose which threats you will protect against. You will start by identifying those threats that are most likely to occur or most worrisome to your organization. The way to do this is by identifying three primary areas of threat.

The first is based on your business goals. If your business is heavily dependent on a patented formula, you would consider theft of that formula to be a likely threat. If your business is the movement of fund transfers over a network, you would consider attacks on that network link to be a likely threat. These are two examples of business-based threats.

The second type of threat is based on validated data. If your web site is repeatedly hacked through your firewall, you would consider Internet hackers to be a major threat. If your main competitor always manages to find out key confidential information about your business plans, you would start considering corporate espionage a threat. These are examples of threats identified because of validated instances of damage caused by those threats. In some ways these may be the most serious, because they have already happened and are likely to happen again in the future.

The final type of threat consists of those that are widely known in the security industry. To protect against them is just good common sense. That is why we put badge readers and guards in buildings, why we use passwords on our computer systems, and why we keep secret information locked in a safe. We may not have had attacks against any of these, but it is commonly understood to be foolish not to protect against them.