
IT6222 Principles of Information Security

What is Information Security

Paul Bryant

Introduction

What is security
Models for Discussing Security Issues
Attacks
Defence in depth

What is Security?
The term security is used in a variety of
contexts.
Personal, corporate, personnel, national, energy,
operational, communications, system, financial, etc.

What is Security?
In the most general terms, security seems
to mean something like
protection of assets against threats.
What assets?
What kinds of threats?
What does protection mean?
Does the nature of protection vary
depending on the threat?

Definition: Information Security
protecting information and information systems from unauthorised
access, use, disclosure, disruption, modification or destruction (p.2)
Information Security
1.1.14. Information security is considered a higher level of abstraction
than cyber security relating to the protection of information regardless of
its form (electronic or physical). The accepted definition of information
security within government is: measures relating to the confidentiality,
availability and integrity of information.
1.1.15. This is sometimes described as cyber security. A number of
specialised security areas contribute to information security within
government; these include: physical security, personnel security,
communications security and information and communications
technology (ICT) security along with their associated governance
measures. (NZISMv2, 2014)

When are we secure?

Challenge to define when we are secure
Easier to define when we're insecure
Mitigation
Residual risk

Models for discussing security issues
Confidentiality, Integrity and Availability
Triad
Disclosure, Alteration, and Denial (DAD)
Parkerian Hexad
McCumber Model / NSTISSC model

CIA Triad

Copyright 2011 Elsevier Inc. All rights reserved.

Confidentiality
The protection of information within systems
so that unauthorised people, programs, and
processes cannot access that information.
Sensitive information is protected against
unauthorised disclosure.
Encryption is a primary tool to ensure
confidentiality.

Integrity
The protection of information or processes
from intentional or accidental unauthorised
changes.
Integrity Business accuracy, logic,
relevance, ethicality, etc. of information
Integrity = No unauthorised alteration


Protecting Integrity
Need to protect the process or program used to manipulate
information, e.g.,
Air traffic control systems
Welfare systems
Payroll systems

Examples in database management systems


Entity integrity
Referential integrity
Transaction and rollback

Cryptography (hash functions) is an important tool to verify integrity.

Availability
The assurance that information and systems are
accessible by authorised users whenever needed.
Protected against denial-of-service (DoS) attacks and
vandalism
Protected against losses stemming from natural
disasters or human errors and actions (this type
probably is more common)

Time can be of the essence for many information-related activities.

Relating CIA Triad to Security


Shipment of backup tapes containing only
existing, but unencrypted, copy of sensitive
data.
Confidentiality
Integrity
Availability


DAD Triad
Disclosure
Unauthorized individuals gain access to confidential
information

Alteration
Data is modified through some unauthorized mechanism

Denial
Authorized users cannot gain access to a system for
legitimate purposes

DAD activities may be malicious or accidental



Parkerian Hexad


Parkerian Hexad
Encompasses traditional C-I-A concepts
Variance in integrity
Parker doesn't account for authorised, but incorrect,
modification of data
Rather focuses on state of data itself

Adds Possession or Control, Authenticity, and Utility

Parkerian Hexad -- Possession or Control
Refers to physical disposition of media on
which data is stored
Backup tape example
Unencrypted: possession and confidentiality problem
Encrypted: possession problem but not confidentiality

Parkerian Hexad -- Utility
How useful is the data
Backup tape example
If encrypted, not useful to attacker as data
unreadable
If unencrypted, useful as data can be accessed

Parkerian Hexad -- Authenticity
Allows us to talk about proper attribution to
owner/creator of data.
Similar but reversed concept is non-repudiation

Non-Repudiation
Prevents the parties to a transaction from
subsequently denying involvement in the
transaction.
Someone cannot deny that she did send a
message, sign an electronic contract, etc.
Public-key cryptography (digital signatures, to be
exact) is instrumental to achieving non-repudiation.
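As an added illustration (not part of the lecture slides) of the two points above: a hash detects unauthorised alteration, and a public-key signature gives non-repudiation where a shared-secret MAC does not. The RSA key pair is a constructed toy with textbook-sized primes, for illustration only.

```python
import hashlib
import hmac

# --- Integrity: a hash detects any alteration of the data (the DAD "Alteration" case) ---
def digest(data: bytes) -> str:
    """SHA-256 fingerprint of the data; recompute later and compare to verify integrity."""
    return hashlib.sha256(data).hexdigest()

def integrity_intact(data: bytes, expected_digest: str) -> bool:
    # constant-time comparison avoids leaking how many leading characters matched
    return hmac.compare_digest(digest(data), expected_digest)

# --- Toy RSA signature: constructed textbook-sized primes, far too small for real use ---
P, Q = 61, 53                      # hypothetical key material (constructed)
N = P * Q                          # public modulus
E = 17                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

def _hash_as_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Sign the hash of the data with the PRIVATE exponent; only the signer can do this."""
    return pow(_hash_as_int(data, n), d, n)

def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the PUBLIC key (e, n) can check the signature, so the signer
    cannot later deny having produced it: that is non-repudiation."""
    return pow(signature, e, n) == _hash_as_int(data, n)

# --- Contrast: a shared-secret MAC proves integrity but cannot attribute the data ---
def mac_tag(data: bytes, shared_key: bytes) -> str:
    """HMAC over the data. Sender and receiver both hold shared_key, so either party
    could have produced a valid tag; a third party cannot tell who did."""
    return hmac.new(shared_key, data, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    msg = b"Pay 100 NZD to account 1234"          # constructed sample message
    sig = sign(msg)
    print("signature verifies:", verify(msg, sig))
    print("tampered signature verifies:", verify(msg, (sig + 1) % N))
    key = b"constructed-shared-secret"
    print("receiver can produce the same tag:", mac_tag(msg, key) == mac_tag(msg, key))
```

The tampered-signature check is deterministic because RSA is a bijection on the residues modulo N, so changing the signature always changes what the verifier recovers.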

Attacks


More terminology
Assets: Things we want to protect (stored
data / data in transit)
Threats: Something that has the potential
to cause harm
Attacks: Attempts to make threats happen
Vulnerabilities: Weaknesses that can be
used to harm us

More terminology
Risk: The chance that something bad will
happen
Impact: A measure of how serious an
attack would be


Controls
Help mitigate risk
Three categories of controls
Physical
Protect physical environment
Access, HVAC, fire, fences, locks, gates, etc

Logical controls, a.k.a. technical controls
Protect systems, networks and environments.
Passwords, encryption, logical access controls,
firewalls, IDS etc

Controls cont.
Administrative
Based on rules, laws, policies, procedures,
guidelines
Example is AUP governing use of REDNet and
Production networks at WelTec.


Incident Response
If risk management efforts fail, incident
response exists to react to such events
Incident response process at high level:
Preparation
Detection and analysis
Containment
Eradication
Recovery
Post-incident activity

McCumber Model
Desired Goals
Information States
Safeguards

http://en.wikipedia.org/wiki/McCumber_cube


NSTISSC Model


McConachy and Schou

Source: it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf


Master of Defence in Depth: Vauban

Source: P. Griffith, The Vauban Fortifications of France, Osprey.

El Morro Fort, San Juan, PR

Five layers (levels) of protection;

The inner layer has the highest concentration of protective
Source: bitscn.com.

Layered Protection
Broached by the SANS Institute.
Organisation must have a layered defence at the
perimeter, network, equipment, and data layers.
Because there are so many potential attackers taking
advantage of numerous attack vectors, there is no
single method for successfully protecting a network.
Instead, we should protect a network with a variety of
defensive mechanisms so that if one mechanism
fails, another will already be in place to thwart an attack.

Layered Protection

Based on Carr et al., The Management of Network Security.

Defences in Each Layer

