Security Concepts and Fundamentals
7CCSMSEM
Dr Jose Such
jose.such@kcl.ac.uk
What Infrastructure would you Protect Most?
Bacton Gas Terminal
Heathrow Airport
Beach in Cornwall
• WHERE DO THREATS COME FROM??
Hackers
• Albert Gonzalez
– Head of an international ring of 11 hackers that stole 40 million credit and debit cards from US retailers’ systems
– Given a 20 year jail term (sentenced in 2010)
– On sentencing forfeited $1.65m in cash, a condominium in Miami, a BMW car, and several other items
• Was a CIA informant (being paid $75K a year!)
Insider Threat
• James Stevenson
– IT worker at Sainsbury’s jailed for 20 months for fraud involving millions of Nectar points (14 January 2011)
– Created false accounts to give himself
– The Nectar points would have been worth £70,000
Viruses and Trojans
Phishing and Social Engineering
DEFINITIONS
[Diagram: how Threat Agent, Threat, Vulnerability, Risk, Asset, Impact and Safeguard relate. Arrow labels: gives rise to; exploits; leads to; can damage; and causes; can be counter-measured by a; directly affects.]
Definitions
• The Threat Agent may give rise to a Threat.
• The Threat will exploit a Vulnerability – a weakness in a system, which may be in a procedure, hardware or software.
• The Risk is the likelihood of a threat agent taking advantage of a vulnerability and the resultant impact on the business.
Definitions
• The impact is the loss suffered,
• A safeguard or countermeasure can be used to mitigate, transfer or remove the risk altogether.
Threats
Potential cause of an incident that may result in harm to a system or organisation (ISO 27002)
In other words, what can go wrong and how can it hurt the organisation?
… let’s consider a naive threat example
Threats
Will it rain?
Vulnerabilities
• A weakness of an asset or group of assets that can be exploited by one or more threats (ISO 27002)
• In other words, why is the asset not protected from the threat?
Again, let’s consider another naive example.
Vulnerabilities
Smart Umbrella
Getting wet
Contingency plans… We’ll talk about that later!
Vulnerabilities
Key Point:
The organisation needs to take some action to protect its asset against the threat.
Risks
• The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation (ISO 27002)
• In other words, let’s say we know about the threat and the vulnerability:
What is the likelihood the asset will suffer and what bad things can happen if it does?
Again, another naive example.
Risks
How many days will it rain in London this September (on average)?
Risks
How many days will it rain in London this September (on average)?
15 days!
Risk and the Domino Effect
• Exploiting a vulnerability can result in another vulnerability being exploited.
• This is often how a hacker infiltrates a system.
• Find their way in, sit, wait, and find another vulnerability to exploit.
Impact
• The result of an information security incident, caused by a threat, which affects assets (ISO 27005)
• In other words, what if the asset is exploited, what is the big deal? Is there a real cost to the organisation?
Again, our naive example.
Impact
Late for interview? Too wet for the interview? May not get the job!
Potential impact must be considered
If the impact is small and insignificant – getting wet in the example above – then it may be entirely appropriate to accept the risk and to take no further action other than to monitor it.
Potential impact must be considered
If the impact is big and significant – a reputation hit because all customers’ passwords have been leaked – then it is crucial to pursue measures to prevent it from happening.
Risk Management
• ISO27005:
– coordinated activities to direct and control an organisation with regard to cyber security risks
• Ensures that security measures are:
– Relevant,
– Timely,
– Responsive to threats,
– Cost-effective.
Risk Management lifecycle
• Alexander, David. Information Security Management Principles (p. 24). BCS Learning & Development Limited.
Risk Management Steps
• Asset Identification (and their value)
• Threat Assessment
• Vulnerability Assessment
• Risk Assessment
• Risk Treatment
– Reduce, Transfer, Avoid or Accept the risk.
• Risk Monitoring
Total vs. Residual risk
• $\text{Risk} = \text{Threats} \times \text{Vulnerability} \times \text{Asset Value}$
• $\text{Residual Risk} = \text{Risk} - \text{Countermeasures}$
Quantitative?
• Attempt to assign meaningful numbers against e.g.: Safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, etc.
• Attempt to assign meaningful percentages against probability of likelihood.
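Added example (not part of the original slides): a small Python risk register that applies the two formulas above to constructed figures, ranks assets by total risk and checks whether each safeguard is cost-effective. Reading Threats as a yearly frequency, Vulnerability as a success probability and Countermeasures as a fraction of risk removed, and the reduce/accept rule, are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str
    asset_value: float       # loss per incident in GBP (constructed)
    threat_frequency: float  # expected threat events per year (assumed reading of "Threats")
    vulnerability: float     # probability a threat event succeeds, 0..1 (assumed)
    safeguard_effect: float  # fraction of risk the safeguard removes, 0..1 (assumed)
    safeguard_cost: float    # yearly cost of the safeguard in GBP (constructed)

    def total_risk(self) -> float:
        # Risk = Threats * Vulnerability * Asset Value
        return self.threat_frequency * self.vulnerability * self.asset_value

    def countermeasure_value(self) -> float:
        # Assumption: the safeguard removes a fixed fraction of the total risk.
        return self.total_risk() * self.safeguard_effect

    def residual_risk(self) -> float:
        # Residual Risk = Risk - Countermeasures
        return self.total_risk() - self.countermeasure_value()

    def cost_effective(self) -> bool:
        # Worth buying only if it removes more risk per year than it costs.
        return self.countermeasure_value() > self.safeguard_cost


def assess(register):
    """Return (asset, total risk, residual risk, treatment), highest risk first."""
    rows = []
    for e in sorted(register, key=RiskEntry.total_risk, reverse=True):
        treatment = "reduce" if e.cost_effective() else "accept and monitor"
        rows.append((e.asset, round(e.total_risk(), 2),
                     round(e.residual_risk(), 2), treatment))
    return rows


# Constructed sample register; none of these figures come from the slides.
REGISTER = [
    RiskEntry("customer password database", 500_000, 0.5, 0.4, 0.9, 20_000),
    RiskEntry("staff laptop", 2_000, 3.0, 0.25, 0.8, 5_000),
    RiskEntry("public website", 30_000, 4.0, 0.5, 0.5, 10_000),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

The laptop row shows why cost-effectiveness matters: the safeguard would cost more per year than the risk it removes, so the risk is accepted and monitored.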
Qualitative?
• Scenarios of risk possibilities,
• Rank the seriousness of the threats,
• Validity of countermeasures.
• Relies on judgement, best practices, intuition, experience.
• Techniques:
– Delphi (relies on panel of experts),
– Brainstorming,
– Storyboarding,
– Focus groups,
– Surveys
Who is Responsible?
• Risk Manager role depends on
– Organisational Culture and operational sector
– It also depends on what function is already there
• Risk is implemented in the organisation depending on the maturity level
• Physical, Personnel and Information security is often segregated via tradition
BUT WHAT TYPES OF RISKS ARE WE CONSIDERING??
INFORMATION SECURITY
What is Information Security?
The practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
• But wait …
… what makes information “valuable”?
Value of Information
• Information is an asset
• Three main types:
1. Pure Information
2. Physical Assets
3. Software
1. Pure Information
• A social network dataset.
• A data scientist within an organisation uses this dataset to better understand relationships between their users.
• For example, the organisation can work out who are the “influencers” in a social group and pay them to advertise their service.
2. Physical Assets
• Such as buildings and computer systems
• For instance, hardware is expensive!
• A $1m IBM mainframe in 2003 is still worth $75k today!
• Provides computation resources to both store and process your asset (pure information).
https://techcrunch.com/2015/01/13/the-new-ibm-z13-is-not-your-fathers-mainframe/
3. Software
• Used to process or otherwise manage information.
• Software is expensive!
• Inventor Pro is $7,295!!
• It is also going to read and process your information!
• We need a guarantee of its integrity (i.e. no back-doors) and that it can keep the information confidential!
https://www.intertech.com/Blog/13-expensive-software-products/
• What are the properties to ensure Information Security?
• Let’s start with the basic CIA triad
What guidelines do we use when designing policies for Information Security?
Confidentiality
• Restricting access to those who have a ‘need to know’.
• Why? Letting those without the “need to know” access information can result in embarrassment or worse, financial penalties!
Availability
• Information that is not available when and as required is not information at all, but irrelevant data.
Confidentiality vs Availability
• There is a trade-off between how well information can be kept private and the ease of its availability to those “who need to know”.
Integrity
• Information is only useful if it is complete and accurate, and remains so.
• Only certain people should have the appropriate authority to alter, update or delete information.
Other properties beyond CIA
• Accountability
– Responsibility for actions on information (related to non-repudiation)
• Auditability
– Ability to review actions, processes, policies and procedures
• Reliability
– When the system is down (e.g. due to an attack), how, and how long, does it take to bring it back to normal operation
Security Policy
• An information security policy needs to reflect your organisation’s view on information security (and the security properties you want) and must:
– Provide information security direction for your organisation;
– Include information security objectives;
– Include information on how you will meet business, contractual, legal or regulatory requirements; and
– Contain a commitment to continually improve your Information Security Management.
Security Control
• A way to operationalise the security policy
• A way to treat risks in the risk management process
– E.g. to reduce risks
• Can be technical, social (procedural), and/or physical