Security
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 1/30/2020 | 2
Objectives
Students should be able to:
Define information security principles: need-to-know, least privilege, segregation of
duties, privacy
Define information security management positions: data owner, data custodians,
security administrator
Define access control techniques: mandatory, discretionary, role-based, physical, single
sign-on
Define authentication combinations: single factor, two factor, three factor, multifactor
Define Biometric: FRR, FAR, FER, EER
Define elements of BLP: read down, write up, tranquility principle, declassification
Define military security policy: level of trust, confidentiality principle
Define backup rotation, incremental backup, differential backup, degauss, audit trail,
audit reduction, criticality classification, sensitivity classification
Develop an information security classification scheme that addresses confidentiality and
availability
CIA Triad (figure): Confidentiality, Integrity, Availability, plus Conformity to Law & Privacy Requirements
Information Owner or Data Owner
A business manager or director (not IS staff) who is responsible for the data within the business, and who
Determines who can have access to the data and may grant permissions directly, OR
Gives written permission for access to the security administrator, so that every grant is documented and cannot be mishandled or quietly altered
Periodically reviews existing authorizations to curb authorization creep
Other Positions

Data Custodian
IS (security or IT) employee who safeguards the data
Performs backup/restore
Verifies integrity of data
Documents activities
May be the System Administrator

Security Administrator
Allocates access to employees based on the data owner's written documentation
Monitors access to terminals and applications
Monitors invalid login attempts
Prepares security reports
Criticality Classification
Critical $$$$: Cannot be performed manually; tolerance to interruption is very low
Vital $$: Can be performed manually for a very short time
Sensitive $: Can be performed manually for a period of time, but may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
Sensitivity Classification (Example)
Proprietary: Strategic Plan
Confidential: Salary & Health Info
Private: Internal Product Plans
Public: Product Users Manual near Release
Sensitivity Classification Workbook

Proprietary
  Description: Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact.

Confidential
  Description: Information protected by FERPA, PCI-DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss.
  Information covered: Student information & grades, Payment card information, Employee information

Private
  Description: Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released.
  Information covered: Professor research, Student homework, Budgets

Public
  Description: Disclosure is not welcome, but would not adversely impact the organization.
  Information covered: Teaching lectures
Data Classification
How do we mark classified information?
How do we determine which data should be classified
to which class?
How do we store, transport, handle, archive classified
information?
How do we dispose of classified data?
What does the law say about handling this information?
Who has authority to determine who gets access, and
what approvals are needed for access?
Disposing of Media
Meet record-retention schedules before destroying anything
Reformat disk (a plain reformat only rewrites the file system, so the data remains recoverable; it is not a secure wipe by itself)
Use a "Secure wipe" tool that overwrites every sector
If highly secure:
Degauss = demagnetize (magnetic media only; it does nothing for flash/SSD)
Physical destruction

Storage
Encrypt sensitive data
Avoid touching the media surface
Keep out of direct sunlight
Keep free of dust & liquids; a firm container is best
Avoid magnetic, radio, or vibrating fields
Use anti-static bags for disks
Avoid spikes in temperature for disks; bring to room temperature before use
Write-protect floppies/magnetic media
Store tapes vertically
Permission Types
Read, inquiry, copy
Create, write, update, append, delete
Execute, check

Workbook: Information Asset Inventory
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Question
The person responsible for deciding who should have access to
a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
Question
Least Privilege dictates that:
1. Persons should have the ability to do tasks sufficient to
perform their primary job and no more
2. Access rights and permissions shall be commensurate with a
person’s position in the corporation: i.e., lower layers have
fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security
level: Confidential, Private or Sensitive
Question
A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information
safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital
to the organization
Question
The person responsible for restricting and monitoring
permissions is the:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
AUTHENTICATION & ACCESS CONTROL
Path Access
Authentication: Login/Password, Biometrics
Remote Access

Layered defenses (figure): Border Router, Perimeter firewall, Internal firewall, Intrusion Detection System, Policies & Procedures & Audits, Authentication, Access Controls, in front of App1, Database and App2
Password Rules
Stored only as a salted, one-way hash computed with a strong, deliberately slow algorithm (what older texts call "one-way encrypted"); never stored or transmitted in the clear
Never displayed (except as ***)
Never written down and retained near the terminal or in a desk
Changed periodically (the slide's policy: every 30 days, notifying the user in advance); current NIST guidance (SP 800-63B) instead favors changing a password only on evidence of compromise, since forced rotation produces predictable variations
A password history should prevent the user from reusing the same password within 1 year
Passwords should be >= 8 (better 12) characters, including 3 of: alphabetic, numeric, upper/lower case, and special characters
Passwords should not be identifiable with the user, e.g., a family member's or pet's name
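The rules above as working code, added here as an example and not taken from the slides: a policy check (length, three of four character classes, interpreted as lower, upper, digit and special, and no user-identifiable words), salted one-way storage with PBKDF2-HMAC-SHA256 from the standard library, and a history that blocks reuse. The user-record layout, the iteration count and the history depth are assumptions.

```python
"""Password-rule checker and one-way password storage (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 200_000  # assumption: raise on production hardware
HISTORY_LENGTH = 12          # assumption: 12 monthly changes ~ one year of history


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    present = (
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def policy_violations(password: str, user_words: list[str]) -> list[str]:
    """Return the rules a candidate password breaks (empty list == acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 of 4 character classes")
    lowered = password.lower()
    for word in user_words:  # login name, family members, pets, employer ...
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains user-identifiable word '{word}'")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated one-way hash; the salt is stored beside the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any retained (salt, digest) pair."""
    return any(verify_password(password, s, d) for s, d in history)


def change_password(record: dict, new_password: str) -> list[str]:
    """Apply every rule; on success rotate the new hash into the retained history."""
    problems = policy_violations(new_password, record["user_words"])
    if in_history(new_password, record["history"]):
        problems.append("reused within the retained history")
    if problems:
        return problems
    record["history"] = (record["history"] + [hash_password(new_password)])[-HISTORY_LENGTH:]
    return []


def demo_record() -> dict:
    """Constructed user record (assumed layout) with one accepted password in its history."""
    record = {"login": "jsmith", "user_words": ["jsmith", "Smith", "Rover"], "history": []}
    assert change_password(record, "Correct-Horse-7") == []
    return record
```

Only the salt and digest are ever written to the user store; the clear-text password exists just long enough to be hashed, and the history check works by re-hashing the candidate against each retained salt rather than by keeping old passwords.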
Authentication Combinations
Single Factor: Something you know
• Login & Password
Multifactor Authentication: Using two or more different factor types (two items of the same type, e.g., a password plus a PIN, are still single factor)
Two Factor: Add one of:
• Something you have: Card, token or ID
• Something you are or do: Biometric
Three Factor: Uses all three, e.g., badge, thumbprint, pass code
Biometrics
Biometrics: Who you are or what you do
Susceptible to error:
False Rejection Rate (FRR): Rate of legitimate users rejected in error
False Acceptance Rate (FAR): Rate of impostors accepted in error
Failure to Enroll Rate (FER): Rate of users who failed to successfully register
Equal Error Rate (EER): The operating point where FRR = FAR; a lower EER means a more accurate system. Raising the match threshold lowers FAR but raises FRR, so the two are traded off against each other.
Comparison (example row): Hand (3D). Advantages: social acceptance, low storage. Disadvantages: not unique, injury affects recognition.
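The error rates above computed from match scores, as an added example rather than code from the slides. The genuine and impostor score lists are constructed (a real system would obtain them from a test population), and "accept when score >= threshold" is the assumed matcher design.

```python
"""FAR, FRR, EER and FER from biometric match scores (added example)."""
from __future__ import annotations


def error_rates(genuine: list[float], impostor: list[float], threshold: float) -> tuple[float, float]:
    """Return (FAR, FRR) at one threshold.

    FAR = impostor attempts accepted / impostor attempts
    FRR = genuine attempts rejected / genuine attempts
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine: list[float], impostor: list[float]) -> tuple[float, float]:
    """Sweep every observed score as a threshold and return (threshold, EER).

    The EER is reported at the threshold where FAR and FRR are closest.
    """
    best_t, best_gap, best_eer = None, float("inf"), None
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (far + frr) / 2
    return best_t, best_eer


def failure_to_enroll_rate(enrollment_outcomes: list[bool]) -> float:
    """FER = users whose enrollment failed / users who attempted to enroll."""
    return enrollment_outcomes.count(False) / len(enrollment_outcomes)


# Constructed match scores (higher = closer match); not measured data
GENUINE = [0.9, 0.85, 0.8, 0.7, 0.6]      # legitimate users against their own templates
IMPOSTOR = [0.1, 0.2, 0.3, 0.65, 0.4]     # other people's samples against those templates
ENROLLMENTS = [True] * 19 + [False]       # one of 20 users (say, an injured hand) could not enroll
```

Sweeping the threshold is the whole point: at 0.5 this toy system accepts one impostor in five yet rejects no legitimate user, while at 0.95 it accepts nobody at all. The EER summarizes the curve in one number so systems can be compared, but a deployment still chooses the threshold that matches its risk (low FAR for a vault door, low FRR for a cafeteria).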
Single Sign On
Advantages:
One good password replaces lots of passwords
IDs consistent throughout system(s)
Reduced admin work in setup & forgotten passwords
Quick access to systems
Disadvantages:
Single point of failure: compromise of the one credential is total compromise
Complex software development due to diverse OSs
Expensive implementation
Figure: the user enters a password once at the Primary Domain (System), which grants access to the Secondary Domains App1, DB2 and App3
Workbook: Role-Based Access Control
Role | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Student Records: Grading Form RW; Student Transcript (current students) R; Transfer credit form R
Advising | Student Records: Student Transcript (current students) R; Fee Payment R; Transfer credit form R
Registration | Student Records: Fee Payment RW; Transfer credit form RW
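The workbook's role table enforced in code, added as an example (not code from the slides). The role-to-permission entries are the workbook's; the user-to-role assignments, resource names and the deny-by-default decision function are assumptions for the demonstration.

```python
"""Role-based access control over the workbook's role table (added example)."""
from __future__ import annotations

# Role -> resource -> permitted operations (R = read, W = write, X = execute)
ROLE_PERMISSIONS: dict[str, dict[str, set[str]]] = {
    "Instructor": {
        "Grading Form": {"R", "W"},
        "Student Transcript": {"R"},
        "Transfer Credit Form": {"R"},
    },
    "Advising": {
        "Student Transcript": {"R"},
        "Fee Payment": {"R"},
        "Transfer Credit Form": {"R"},
    },
    "Registration": {
        "Fee Payment": {"R", "W"},
        "Transfer Credit Form": {"R", "W"},
    },
}

# Constructed user-to-role assignments (assumed); a user may hold several roles
USER_ROLES: dict[str, set[str]] = {
    "prof.lee": {"Instructor"},
    "adv.garcia": {"Advising"},
    "reg.chen": {"Registration"},
    "dept.chair": {"Instructor", "Advising"},
}


def effective_permissions(user: str) -> dict[str, set[str]]:
    """Union of the permissions of every role the user holds (core RBAC)."""
    effective: dict[str, set[str]] = {}
    for role in USER_ROLES.get(user, set()):
        for resource, ops in ROLE_PERMISSIONS[role].items():
            effective.setdefault(resource, set()).update(ops)
    return effective


def is_authorized(user: str, resource: str, op: str) -> bool:
    """Deny by default: unknown users, resources or operations all yield False."""
    return op in effective_permissions(user).get(resource, set())


def users_who_can(resource: str, op: str) -> list[str]:
    """Review helper for the data owner's periodic authorization review."""
    return sorted(u for u in USER_ROLES if is_authorized(u, resource, op))
```

Permissions attach to roles, never to individual users, so the data owner's periodic review is a review of two small tables: who holds which role, and what each role may do. `users_who_can` answers the review question "who can write the transfer credit form?" directly from those tables.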
Vertical Dependencies: a Secret App requires a Secret-level database, Secret-level OS and Secret-level hardware
Horizontal Dependencies: a Secret App requires Secret-level servers, Secret-level communications and Secret-level authentication
Trusted Computing Base (figure): a Security Policy governs Trusted App 1, App 2, App 3 and Trusted Service 1, 2, 3, which run on a Trusted OS whose security implementation is encapsulated
Property of Confinement (Bell-LaPadula)
Levels (figure): Top Secret > Secret > Confidential > Non-Classified
Read Down (simple security property): a subject may read an object only if the subject's class >= the object's class
Write Up (*-property): a subject may write an object only if the subject's class <= the object's class, so information never flows down to a lower class
Tranquility Principle: an object's class cannot change while it is in use
Declassification: a subject can lower his/her own working class, e.g. to write a lower-classified document
Example: Joe => (Secret) can read Secret, Confidential and Non-Classified objects, and can write Secret and Top Secret objects
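The read-down and write-up rules as executable checks, added as an example that is not part of the slides. It goes slightly beyond the four-level figure by carrying compartments (the "(Engineering, Confidential)" form of clearance used in the quiz below) so that labels form a lattice rather than a single ladder; the compartment names, the `Subject` record and the working-level mechanism used to show declassification are assumptions.

```python
"""Bell-LaPadula checks on a lattice of (level, compartments) (added example)."""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = {"Non-Classified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)  # frozen: an object's label cannot change (tranquility)
class Label:
    level: str
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: Label) -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label               # maximum label the subject is cleared for
    current: Label | None = None   # working label; defaults to the clearance

    def __post_init__(self) -> None:
        if self.current is None:
            self.current = self.clearance

    def can_read(self, obj: Label) -> bool:
        """Simple security property (read down): subject's current label dominates the object's."""
        return self.current.dominates(obj)

    def can_write(self, obj: Label) -> bool:
        """*-property (write up): the object's label dominates the subject's current label."""
        return obj.dominates(self.current)

    def declassify_self(self, working: Label) -> None:
        """Lower the subject's own working label (never above the clearance)."""
        if not self.clearance.dominates(working):
            raise ValueError(f"{self.name}: working label exceeds clearance")
        self.current = working
```

Compartments are why "Secret" alone does not dominate "(Engineering, Confidential)": the level is higher but the category set is not a superset, so a subject cleared for Engineering-Confidential data may not write into a plain Secret object. Lowering one's own working label is the escape hatch the *-property otherwise denies: at the lower label the subject can write an unclassified memo, but loses the right to read the Secret material until the label is raised again.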
BIG Data
IS Auditor Verifies…
Question
A form of biometrics that is considered invasive by users is:
1. Retina
2. Iris
3. 3D hand
4. Signature
Question
A form of biometrics that is not prone to error is
1. Retina
2. Voice
3. Finger
4. Signature
Question
Julie is a Data Owner. She configures permissions in the
database to enable users to access the forms she thinks they
should be able to access. This technique is known as
1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control
Question
John has a security clearance of (Engineering, Confidential).
Using Bell and La Padula Model, John can write to:
1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified
AUDIT TRAILS
Audit Trail
Audit trail tracks responsibility
• Who did what, when?
• Periodic review will help find excess-authority access, login successes & failures, and track fraud
Attackers often want to change the audit trail (to hide their tracks)
Audit trail must be hard to change:
• Write-once devices
• Digital signatures (or a hash chain) so that an edited or deleted record is detectable
• Security & systems admins and managers should have at most READ-only access to the log; nobody whose actions the log records should be able to alter it
Audit trail must be sensitive to privacy
• Personal information may be encrypted
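A tamper-evident audit trail with audit reduction, added here as an example and not taken from the slides. Each record carries a hash chained to the previous record, and an HMAC under a key held by the log signer stands in for the digital signature the slide mentions; the record layout, the key and the sample events are constructed.

```python
"""Hash-chained, HMAC-protected audit trail with audit reduction (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json

LOG_KEY = b"assumed-key-held-by-the-log-signer-not-by-admins"  # assumption
GENESIS = "0" * 64


def _chain_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append(trail: list[dict], who: str, what: str, when: str, outcome: str) -> None:
    """Add a who/what/when record bound to everything recorded before it."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry = {"who": who, "what": what, "when": when, "outcome": outcome}
    entry["hash"] = _chain_hash(prev_hash, entry)
    entry["mac"] = hmac.new(LOG_KEY, entry["hash"].encode(), hashlib.sha256).hexdigest()
    trail.append(entry)


def verify(trail: list[dict]) -> int | None:
    """Return the index of the first altered, forged or spliced record, else None."""
    prev_hash = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k not in ("hash", "mac")}
        expected_hash = _chain_hash(prev_hash, body)
        expected_mac = hmac.new(LOG_KEY, expected_hash.encode(), hashlib.sha256).hexdigest()
        if rec["hash"] != expected_hash or not hmac.compare_digest(rec["mac"], expected_mac):
            return i
        prev_hash = rec["hash"]
    return None


def failed_logins_by_user(trail: list[dict], threshold: int = 3) -> dict[str, int]:
    """Audit reduction: keep only users with `threshold` or more failed logins."""
    counts: dict[str, int] = {}
    for rec in trail:
        if rec["what"] == "login" and rec["outcome"] == "fail":
            counts[rec["who"]] = counts.get(rec["who"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


def sample_trail() -> list[dict]:
    """Constructed events, not real log data."""
    trail: list[dict] = []
    events = [
        ("alice", "login", "2020-01-30T08:00:00", "ok"),
        ("mallory", "login", "2020-01-30T08:01:00", "fail"),
        ("mallory", "login", "2020-01-30T08:01:10", "fail"),
        ("mallory", "login", "2020-01-30T08:01:20", "fail"),
        ("alice", "read Grading Form", "2020-01-30T08:05:00", "ok"),
    ]
    for event in events:
        append(trail, *event)
    return trail
```

Changing a field breaks that record's hash; deleting a record breaks the chain at the next one; and recomputing the hashes to cover the edit fails the HMAC unless the forger also holds the signing key, which is exactly why that key must not sit with the administrators the log is meant to hold accountable.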
Question
Audit trails:
1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick
access
Summary
Data is inventoried
Data is allocated a sensitivity and criticality class
Handling is defined per class for use, transport and storage
Roles are allocated permissions (access control)
Authentication (biometrics, two-factor authentication, single sign-on) establishes identity so that access control can be enforced
Trust enables use
Access may be distributed: Trusted Computing Base
Audit trails enforce accountability
Workbook: Information Asset Inventory
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Sensitive, Vital
IS Server: Peoplesoft