SECURITY CONTROLS (II)
7CCSMSEM Security Management Dr. Jose M. Such
Learning Outcomes
• Types of Security Controls
• Physical Security Controls
• Procedural Security Controls
• Legislation to consider for Security Controls
• Cloud Computing and Risks
Types of Security Controls
Security controls come in three types (slide diagram):
• TECHNICAL (e.g. a firewall)
• PROCEDURAL (e.g. a clear desk policy)
• PHYSICAL (e.g. secure physical storage)
Types of Security Controls
Preventative, Detective and Reactive
Physical, procedural and technical controls can each be used in three different "modes":
Preventative
• Stop a vulnerability from being exploited.
Detective
• If something bad happens, the person in charge will be notified.
Reactive
• A contingency plan is executed to minimise the fallout from the exploit.
Anti-Virus Example
Prevent malware from being loaded on a computer system
Detect infection by routinely running checks
React by trying to remove the virus once it is found
Types of Security Controls
• There are many security controls that can be used to mitigate risks.
• Examples of useful collections:
• The 20 CIS Critical Security Controls For Effective Cyber Defense
(available from KEATS)
• ISO27000-series
• They describe security controls more abstractly, rather than mentioning specific products
PHYSICAL SECURITY CONTROLS
Physical Controls
• Rely on the presence (or otherwise) of physical limitations on the activities that a criminal or other unauthorised person might wish to carry out.
[Slide image: Castle, Moats and Fake Sharks. Caption only partly recoverable from extraction: the moat is physical; ... is procedural; the shark is cool, but ...]
Physical Controls
Who is the attacker? (Recall threat assessment!)
• Teenagers? Joy hackers? Organised criminals? Governments?
What are you trying to protect?
• Direct access to computers
• Access to telecommunication lines
• Access to internal LANs
• Access to internal offices
• Information: hard copy, removable media, etc.
Physical Controls
What are the attacker's resources?
• Technical skills: lock picking, alarm neutralisation, radio jammers, climbing, etc.
• Detailed knowledge of the facility
• Insider assistance?
Physical Controls
What if an attacker gets direct access?
Computer access
• Remove the disk, use a debugger to gain root privileges, replace the BIOS, scan memory for cryptographic keys, install a keystroke logger?
• Physical access lets the attacker win 99% of the time.
Lines and LANs
• Plant wiretaps? Bypass the firewall? Denial of service?
Dumpster diving
• Raid outside trash bins: discarded information can be useful.
• Probably legal in the US!
Physical Controls – CPNI examples
https://www.cpni.gov.uk/protecting-my-asset
Employee Authentication
Authenticating Employees
What security controls are used to check an employee's identity, and what links the access control to their real-world identity?
• Are badge rules (or biometrics) enforced? How are badges authenticated?
• Does the guard check the picture?
• Is it possible to "tailgate"?
• What happens during a fire alarm? What about external service personnel?
Protection of Equipment
What are the threats when trying to protect equipment?
Unauthorised staff stealing (or damaging) equipment
• Mark equipment to make it less attractive to steal
• CCTV and deterrence (but monitoring can also be questioned ethically)
• An "amnesty day" where staff can return stolen equipment without fault/charge
Accidental loss of use of some critical equipment
• Stand-by power generator to use if the main power fails
• Maintenance contracts with realistic timings (i.e. an engineer can come quickly to fix the fault)
• Separate electrical circuits (i.e. if a kettle is put on and a fuse blows, critical infrastructure is still powered)
Protection of Equipment: UK Home Office ICT statistics, 2016 (CSV)
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/621100/2016_HO_ICT_stats.csv/preview
Secure Deletion – Data
When we dispose of a computer, a laptop or any other kind of device, we must ensure its data is securely deleted (i.e. never recoverable).
• Is clicking "delete" for a file good enough?
• No! The information is still in an operating system file/folder (e.g. the recycle bin), and in the physical media (e.g. SSD): deleting only removes the reference to the data, not the data itself.
• Important to:
• delete AND overwrite the physical media (but how many times?)
• OR destroy the physical media
• See Extra Reading (KEATS): Secure Data Deletion
• Verifiable deletion?
• If an organisation hands over hard drives to a contractor to destroy, how can it check that the hard drives were actually destroyed?
• Redundant backups?
• Is there a procedure to make sure that all files are tagged such that every copy can be found and deleted when necessary?
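Added example (not from the slides) of why "delete" is not secure deletion. A toy storage medium stands in for a disk: a flat byte array plus a directory that maps file names to (offset, length). The class and file names, and the "payroll" content, are constructed for the example; the behaviour it shows (unlinking drops the directory entry, not the bytes) is how real filesystems behave.

```python
"""Plain delete vs. overwrite-then-delete on a simulated storage medium."""
import os

BLOCK_SIZE = 512


class StorageMedium:
    """Toy disk: raw bytes an attacker can image, plus a directory of files."""

    def __init__(self, size: int) -> None:
        self.raw = bytearray(size)
        self.directory: dict[str, tuple[int, int]] = {}   # name -> (offset, length)
        self._next_free = 0

    def write(self, name: str, data: bytes) -> None:
        off = self._next_free
        if off + len(data) > len(self.raw):
            raise OSError("medium full")
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        # allocate whole blocks, as a real filesystem does
        self._next_free += -(-len(data) // BLOCK_SIZE) * BLOCK_SIZE

    def delete(self, name: str) -> None:
        """What clicking "delete" does: forget where the file lives. Bytes stay."""
        del self.directory[name]

    def secure_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks, then drop the directory entry.

        NIST SP 800-88 treats one overwrite pass as sufficient for modern
        magnetic disks. On SSDs wear levelling may send the overwrite to
        different physical cells, so use the drive's built-in secure/crypto
        erase or destroy the media instead."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.raw[off:off + length] = os.urandom(length)
        self.raw[off:off + length] = bytes(length)   # finish with zeros
        del self.directory[name]

    def carve(self, marker: bytes) -> bool:
        """Forensic view: search the raw bytes, ignoring the directory."""
        return self.raw.find(marker) != -1


def demo() -> tuple[bool, bool]:
    """Returns (recoverable after plain delete, recoverable after secure delete)."""
    secret = b"CONFIDENTIAL: payroll export Q3"     # constructed sample content

    disk_a = StorageMedium(64 * BLOCK_SIZE)
    disk_a.write("payroll.csv", secret)
    disk_a.delete("payroll.csv")
    after_delete = disk_a.carve(secret)              # True: bytes still on the media

    disk_b = StorageMedium(64 * BLOCK_SIZE)
    disk_b.write("payroll.csv", secret)
    disk_b.secure_delete("payroll.csv")
    after_secure = disk_b.carve(secret)              # False: blocks overwritten
    return after_delete, after_secure


if __name__ == "__main__":
    print(demo())
```

Note that secure_delete only overwrites the blocks the directory points to. A second copy written earlier, or a backup, is untouched, which is exactly the "redundant backups" question above: you can only securely delete the copies you can find.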
Secure Deletion – Videos
• Mr Robot:
• https://www.youtube.com/watch?v=mh3AQuhQO8U
• DEFCON:
• https://www.youtube.com/watch?v=-bpX8YvNg6Y
Secure Deletion – Paper
• Cheap paper shredders: an attacker can reassemble a shredded document.
• Use a product that increases the difficulty of recovery (e.g. cross-cut rather than strip-cut shredding), or simply burn the document.
[Slide image: Secure Shredding?]
QUIZ TIME!
Go to: PollEv.com/josesuch498
PROCEDURAL (or SOCIAL) SECURITY CONTROLS
Procedural Controls
• Also called "social" security controls.
• Cover the rules, regulations and policies that an organisation puts in place to help reduce the risk of issues arising.
• Examples include:
• policies more specific than the organisation-wide policies; these sometimes contain policy, standard, procedure and guideline elements all together (e.g. system and network use policies)
• user training
• Users need to comply with the above policies and with the organisational policies, standards and procedures.
• How do we make them aware of, and train them for, that?
Example: Clear Screen and Desk Policy
Protecting confidential documents within the office space.
Clear Screen
• Open-plan office and visibility of the screen: colleagues can watch your screen as they walk past.
• If there is a fire alarm, a colleague can spend undisturbed time on your computer.
• Lock, lock and lock your screen!
Clear Desk
• Documentation / paper records on the desk: confidential information should be locked away in a cupboard / drawer.
• If paper records are left unattended, they are easy to steal quickly and without a trace.
• A password on a sticky note... also a bad idea!
Example: NetworkAcceptableUsePolicy
A set of rules applied by the owner, creator or administrator of a network, website or service that restricts the ways in which it may be used and sets guidelines as to how it should be used.
Who is allowed to use it?
• Employees of the organisation
Privacy statement
• Does the organisation (GANT) monitor traffic on the network? If so, what is it watching?
What can it be used for?
• Legitimate education and business purposes?
User compliance
• By using the network, users automatically agree to this policy.
User Training
• Users need to comply with the specific policies and the organisational policies, standards, and procedures
• E.g. by contract (recall Lecture 6)
• Providing appropriate security training will help individuals to understand their security responsibilities, how the enterprise’s information assets can be put at risk, and how they can avoid that.
• More in Usable Security lecture.
LEGISLATION TO CONSIDER
(for all security controls, regardless of their type)
Acts of Parliament for the UK
● Data Protection Act (DPA)
○ Updated in 2018 to implement GDPR
○ Defines how personal data should be protected and used.
● Human Rights Act (HRA)
○ All security controls and policies must respect human rights
● Financial Services Act (FSA)
○ A regulatory framework for the financial system and financial services in the UK
○ Only important if you work in the financial industry
● Official Secrets Act (OSA)
○ Required for government and defence projects
● Markets in Financial Instruments Directive (MiFID)
○ Applies to investment intermediaries that provide services to clients around shares, bonds, units in collective investment schemes and derivatives
● Freedom of Information Act (FOIA)
○ A public "right of access" to information held by public authorities.
Protection of Personal Data
• Privacy laws exist to protect the rights of individuals.
• Most organisations hold and process your data, but compliance restricts what can be done with it.
• Main points:
• All information must be surrounded by robust security controls and working practices.
• Processes should be implemented to ensure data is entered correctly (or can be corrected).
• Paper records locked away and computer screens turned off. Destroy information securely.
Employment Privacy Issues
Several technical controls rely on monitoring the organisation's computer systems and the activity of its employees.
● Do employees have the right to privacy?
○ Yes!
● Do employees have the right to know what is held about them?
○ Yes!
● Do employees have the right to know the scale of monitoring being carried out by the enterprise (and why)?
○ Yes!
● Subject Access Request:
○ The Data Protection Act / GDPR gives individuals the right to request the personal data an organisation holds about them. (The Freedom of Information Act is the separate public right of access to information held by public authorities.)
Employment Privacy Issues
What must be considered before monitoring employees?
● Why would the enterprise want to monitor employees' actions?
○ Understand e-mail traffic and whether it impacts performance
○ Protect against illicit or malicious use of the organisation's computers
● Employees must agree to monitoring
○ Monitoring should be assessed to ensure it is justified, not excessive and meets legal requirements.
○ Included in the employment contract
● What if personal information is discovered during monitoring?
○ Care should be taken
○ Employees should be requested to delete all personal info
● What if an employee is suspected of being an insider threat?
○ "Covert monitoring", i.e. without the employee knowing, is rarely justifiable.
○ Evidence can be used for an employment tribunal or court case.
Monitoring Data
Can we still detect misuse/crime without reading messages?
Yes! Yes! Yes!
Most of the time we only care about the metadata, not the data itself!
Metadata: a set of data that describes and gives information about other data. (Wikipedia)
Caveat: metadata is itself highly revealing (who talks to whom, when, how often), so monitoring it still needs the justification discussed above:
https://listed.standardnotes.org/@sn/819/don-t-be-fooled-metadata-is-the-real-data
See what can be done with e-mail metadata (to, from, cc, etc.) here:
https://immersion.media.mit.edu/demo
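Added example (not from the slides) of detection over metadata only. The log lines are a constructed mail-gateway record (timestamp, sender, recipients, size) for a fictional organisation "corp.example"; the thresholds and the domain names are assumptions for the example. Nothing below looks at subjects or bodies, yet it flags the one sender whose pattern (large after-hours transfers to a personal external address) a security team would want to review.

```python
"""Flag possible e-mail misuse from header metadata alone."""
import re
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "corp.example"     # assumed organisation domain

# Constructed sample gateway log, not real traffic.
SAMPLE_LOG = """\
2024-03-04T09:12:00 from=alice@corp.example to=bob@corp.example size=12000
2024-03-04T10:05:00 from=bob@corp.example to=partner@vendor.example size=300000
2024-03-04T14:30:00 from=carol@corp.example to=dave@corp.example,erin@corp.example size=800
2024-03-04T15:00:00 from=carol@corp.example to=recruiter@jobs.example size=50000
2024-03-04T23:40:00 from=alice@corp.example to=alice.home@mail.example size=48000000
2024-03-04T23:52:00 from=alice@corp.example to=alice.home@mail.example size=52000000
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) size=(\d+)$")


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, to, size = m.groups()
        yield {
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipients": to.split(","),
            "size": int(size),
        }


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def analyse(text, external_bytes_threshold=20_000_000, work_hours=(7, 20)):
    """Return {sender: [reasons]} for senders whose metadata looks anomalous.

    Two signals, both computable without message content:
    - total bytes sent to external domains above a threshold
    - any external message outside working hours (assumed 07:00-20:00)
    """
    external_bytes = defaultdict(int)
    after_hours_external = defaultdict(int)
    start, end = work_hours

    for rec in parse_log(text):
        if not any(is_external(r) for r in rec["recipients"]):
            continue                                  # internal mail: not of interest here
        external_bytes[rec["sender"]] += rec["size"]
        if not (start <= rec["ts"].hour < end):
            after_hours_external[rec["sender"]] += 1

    alerts = defaultdict(list)
    for sender, total in external_bytes.items():
        if total > external_bytes_threshold:
            alerts[sender].append(f"{total} bytes sent to external domains")
    for sender, count in after_hours_external.items():
        alerts[sender].append(
            f"{count} external message(s) outside {start:02d}:00-{end:02d}:00")
    return dict(alerts)


if __name__ == "__main__":
    for sender, reasons in analyse(SAMPLE_LOG).items():
        print(sender, "->", "; ".join(reasons))
```

The output is a lead for a human to assess, not proof of wrongdoing: the same pattern could be a legitimate late-night hand-over. That is why the policy and consent points above still apply even when no content is read.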
What is the point of a secure system if the building is blown up and all the data is lost?
Principles of Recovery Capability
Or: how to make sure your data isn't lost!
Grandfather-Father-Son (GFS) approach
• Keep three generations of backups (e.g. daily "son", weekly "father", monthly "grandfather") rather than only the latest copy. Sometimes you need to "roll back" to an older version.
Cause of risk is outside your control
• Sometimes there is nothing the organisation can do about the risk. (Think 9/11 in the USA)
Relocate the data centre during an emergency
• Keep a backup in a secure off-site location. (Think Mr Robot)
Synchronising data across multiple data centres
• A distributed-systems problem!
• A lot of overhead for a possibly rare event!
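Added example (not from the slides): a GFS retention calculation. Given the dates on which backups exist, it decides which to keep (the last N dailies as sons, the newest backup of each of the last M ISO weeks as fathers, the newest backup of each of the last K months as grandfathers) and which to expire, and it answers the rollback question from the slide. The function names, the default 7/4/12 policy and the 400-night sample are assumptions for the example.

```python
"""Grandfather-Father-Son backup retention."""
from datetime import date, timedelta


def gfs_keep(backup_dates, today, sons=7, fathers=4, grandfathers=12):
    """Return the set of backup dates retained under GFS rotation."""
    dates = sorted(d for d in set(backup_dates) if d <= today)
    keep = set(dates[-sons:])                       # sons: the newest dailies

    latest_in_week = {}                             # ISO (year, week) -> newest backup
    latest_in_month = {}                            # (year, month)    -> newest backup
    for d in dates:                                 # ascending, so the last write wins
        latest_in_week[d.isocalendar()[:2]] = d
        latest_in_month[(d.year, d.month)] = d

    keep.update(sorted(latest_in_week.values())[-fathers:])         # fathers
    keep.update(sorted(latest_in_month.values())[-grandfathers:])   # grandfathers
    return keep


def gfs_expire(backup_dates, today, **policy):
    """Backups that may be deleted (or whose tapes may be reused)."""
    return set(backup_dates) - gfs_keep(backup_dates, today, **policy)


def rollback_target(backup_dates, today, not_after):
    """Newest retained backup on or before `not_after` (e.g. the day before an
    infection was first seen), or None if GFS has already expired everything
    that old."""
    candidates = [d for d in gfs_keep(backup_dates, today) if d <= not_after]
    return max(candidates) if candidates else None


def demo():
    """Constructed scenario: nightly backups for 400 days ending 2024-03-31."""
    today = date(2024, 3, 31)
    nightly = [today - timedelta(days=i) for i in range(400)]
    kept = gfs_keep(nightly, today)
    return {
        "retained": sorted(d.isoformat() for d in kept),
        "expired": len(gfs_expire(nightly, today)),
        # roll back to the last retained backup before a 2024-03-12 incident
        "rollback": rollback_target(nightly, today, date(2024, 3, 11)).isoformat(),
    }


if __name__ == "__main__":
    result = demo()
    print(len(result["retained"]), "backups retained,", result["expired"], "expired")
    print("rollback target:", result["rollback"])
```

With 400 nightly backups the policy retains 21 (7 sons, 3 further Sunday fathers and 11 further month-end grandfathers; the newest backup counts in all three generations). The price of the small footprint is granularity: an incident noticed on 12 March can only be rolled back to 10 March, and anything older than a month is recoverable only to a month boundary.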
QUIZ TIME!
Go to: PollEv.com/josesuch498
What about the Cloud?
What is Cloud Computing?
The practice of using a network of remote servers hosted on the Internet to store, manage and process data, rather than a local server or a personal computer. (Wikipedia)
In other words, the data is stored and processed remotely.
Examples include Microsoft Azure, Amazon AWS, etc.
Why is this useful?
Small companies have access to powerful computers that were previously out of reach / not cost-effective.
Cloud Computing
Benefits
• Effectively unlimited storage
• Rapid resource provisioning
• The amount of data stored in the cloud continues to grow, including:
• Financial information
• Medical information
Cloud Computing – Legal Implications
What are the legal implications of cloud computing?
The organisation must fully assess the terms and conditions of the cloud computing provider...
Location of servers?
• The cloud provider's servers may be in an undesirable, or not legally permitted, jurisdiction. Data protection laws require the organisation to verify where its data is held.
Access to information?
• The cloud provider might be given important rights over the information (e.g. the right to use it commercially or disclose it to third parties).
Audit the cloud provider?
• Can the organisation audit the cloud provider to ensure the data is protected?
Sub-contractors?
• Can the organisation restrict the cloud provider from outsourcing the work to one of its sub-contractors?
Cloud Computing – Security Risks
• What problems can arise if a cloud computing provider is used?
• Cloud provider is hacked
• While the work of protecting the data is outsourced to the provider, a leak of the data will still impact the organisation.
• "They were hacked, not us" will not work.
• This is why the risk is shared, not transferred.
• Data is deleted (or lost)
• There is no guarantee the cloud provider is backing up the data or the results.
• Data is NOT deleted appropriately, or when it should be
• There is no guarantee data will be completely removed from the cloud infrastructure when the client decides to delete it.
Assured deletion in the Cloud?
Assured deletion: "rendering data completely irrecoverable"
• Completely removing data from the storage media.
• Making data inaccessible to anyone after it has been deemed deleted.
Why?
• Users want sensitive data that is no longer needed to be destroyed.
• Cloud providers may want assured deletion to comply with regulations
– e.g. GDPR's right to be forgotten
Assured Deletion in the Cloud?
• Normal deletion leaves data behind
• Incompletely deleted data risks disclosure
• Not a new problem, but more challenging in the cloud:
• No access to the physical media!
• An important issue that has received less attention
• Difficult to completely delete data
• New challenges
• No ready-made building blocks
Assured deletion Threat – Honest Provider
• The provider is honest but prone to accidental data leaks.
• The provider wants to provide complete deletion in order to comply with regulations and meet tenants' requirements.
• Malicious tenants probe resources for partially deleted data.
Requirements – Honest cloud provider
Providing deletion should:
• not disrupt service availability
• make data either inaccessible or completely remove it
• affect all copies
• be fine-grained
• take place immediately and without errors
• be provable to users
Challenges– Honest cloud provider
The main cloud features pose different challenges:
• Multiple copies of data
• Virtualisation
• Multiple users
– Data gets tangled together
• Multiple components
• Multiple logical layers
• Underlying hardware
– e.g. different storage media, such as SSDs
• Third-party and offline backups
– e.g. other services / tapes
Assured deletion Threat – Dishonest Provider
• A curious provider.
• Tenants are suspicious about the provider's data-disposal responsibilities.
• Tenants are aware of the risks involved with incomplete deletion.
• Tenants want assured deletion without incurring extra costs.
• See extra reading in KEATS
Risk of Conventional vs Cloud-based solutions
Risks of conventional vs cloud-based solutions
By "conventional" we mean where the management, systems and data stay within the organisation.
● Conventional benefits:
○ The organisation retains full end-to-end control of its service/data
● Conventional disadvantages:
○ Overhead and financial cost of selecting, implementing, maintaining, securing and upgrading components
○ Internal staff dedicated to protecting the information
● Cloud benefits:
○ Cheaper than purchasing hardware / hiring staff to maintain it
○ Speed of implementation, as it can be deployed within a few hours (i.e. no need to wait for a delivery)
● Cloud disadvantages:
○ Risk is shared with a trusted third party, and that risk is difficult to manage
○ Regulatory oversight is difficult (i.e. where is the data stored?)