
Designing Information Security
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 1/30/2020 | 2

Objectives
Student should know:
Define information security principles: need-to-know, least privilege, segregation of
duties, privacy
Define information security management positions: data owner, data custodians,
security administrator
Define access control techniques: mandatory, discretionary, role-based, physical, single
sign-on
Define authentication combinations: single factor, two factor, three factor, multifactor
Define Biometric: FRR, FAR, FER, EER
Define elements of BLP: read down, write up, tranquility principle, declassification
Define military security policy: level of trust, confidentiality principle
Define backup rotation, incremental backup, differential backup, degauss, audit trail,
audit reduction, criticality classification, sensitivity classification
Develop an information security classification scheme that addresses confidentiality and
availability

Information Security Goals

CIA Triad: Confidentiality, Integrity, Availability
Conformity to Law & Privacy Requirements

Information Security Principles


Need-to-know: Persons should have ability to access data
sufficient to perform primary job and no more
Least Privilege: Persons should have ability to do tasks sufficient
to perform primary job and no more
Segregation of Duties: Ensure that no person can assume two
roles: Origination, Authorization, Distribution, Verification
Privacy: Personal/private info is retained only when a true
business need exists: Privacy is a liability
Retain records for short time
Personnel office should change permissions as jobs change

Review: State Breach Law Protects…


Restricted data generally includes:
Social Security Number
Driver’s license # or state ID #
Financial account number (credit/debit) and access
code/password
DNA profile (Statute 939.74)
Biometric data
Some states & HIPAA protects:
Health status, treatment, or payment

Organization chart of security positions:

President
Chief Security Officer: Physical Security
Business Executive
Chief Privacy Officer: Protects customer & employee rights
Chief Info. Security Officer: Creates and maintains a security program
Chief Info. Officer: Manages Information Technology

Process Owner: Responsible for security of process
Data Owner: Responsible for security of data
IS Auditor: Independent assurance of security objectives & controls
Security Architect: Designs/implements policies & procedures
Security Admin: Administers computer & network security
Data Custodian: Maintains and protects data: backup/restore/monitor/test

Some positions may be merged

Information Owner or Data Owner
Is responsible for the data within business (mgr/director - not IS
staff)
Determines who can have access to data and may grant
permissions directly OR
Gives written permission for access directly to security
administrator, to prevent mishandling or alteration
Periodically reviews authorization to restrict authorization creep

Other Positions

Data Custodian:
IS (security or IT) employee who safeguards the data
Performs backup/restore
Verifies integrity of data
Documents activities
May be System Administrator

Security Administrator:
Allocates access to employees based on written documentation
Monitors access to terminals and applications
Monitors invalid login attempts
Prepares security reports

Criticality Classification
Critical $$$$: Cannot be performed manually. Tolerance to
interruption is very low
Vital $$: Can be performed manually for very short time
Sensitive $: Can be performed manually for a period of time, but
may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended
period of time with little additional cost and minimal recovery
effort

Sensitivity Classification (Example)

Proprietary: Strategic Plan
Confidential: Salary & Health Info
Private: Internal Product Plans
Public: Product Users Manual near Release

Sensitivity Classification Workbook

Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. |
Confidential | Information protected by FERPA, PCI-DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades, Payment card information, Employee information
Private | Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released. | Professor research, Student homework, Budgets
Public | Disclosure is not welcome, but would not adversely impact the organization | Teaching lectures

Data Classification
How do we mark classified information?
How do we determine which data should be classified
to which class?
How do we store, transport, handle, archive classified
information?
How do we dispose of classified data?
What does the law say about handling this information?
Who has authority to determine who gets access, and
what approvals are needed for access?

Handling of Sensitive Data

 | Confidential | Private | Public
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling & Handling | Clean desk, low voice, no SSNs, ID required | Clean desk, low voice | Clean desk, low voice
Transmission | Encrypted | Encrypted; limited email, or append email security notice |
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks, shred paper | Secure wipe, shred paper | Reformat disks

Storage & Destruction of Confidential Information

Repair:
Remove memory before sending out for repair

Disposing of Media:
Meet record-retention schedules
Reformat disk
Use "Secure wipe" tool
If highly secure:
Degauss = demagnetize
Physical destruction

Storage:
Encrypt sensitive data
Avoid touching media surface
Keep out of direct sunlight
Keep free of dust & liquids; a firm container is best
Avoid magnetic, radio, or vibrating fields
Use anti-static bags for disks
Avoid spikes in temperature for disks; bring to room temperature before use
Write protect floppies/magnetic media
Store tapes vertically

Permission types
Read, inquiry, copy
Create, write, update, append, delete
Execute, check

Access Matrix Model (HRU)

Rows are subjects, columns are objects: File A, File B, File C, Jack (a subject can also be an object). Cells hold the rights, as shown on the slide:
Jack: rwx  rx  -
Jill: rwx  r  d
Jeff: r  rx  rwx  -

Workbook: Information Asset Inventory

Asset Name | Course Registration
Value to Organization | Records which students are taking which classes
Location | IS Main Center
Sensitivity & Criticality Classifications | Sensitive, Vital
IS System/Server Name | Peoplesoft
Data Owner | Registrar: Monica Jones
Designated Custodian | IS Operations: John Johnson
Granted Permissions | Read: Department Staff, Advising; Read/Write: Students, Registration; Access is permitted at any time/any terminal
CISA Review Manual 2009

Question
The person responsible for deciding who should have access to
a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

Question
Least Privilege dictates that:
1. Persons should have the ability to do tasks sufficient to
perform their primary job and no more
2. Access rights and permissions shall be commensurate with a
person’s position in the corporation: i.e., lower layers have
fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security
level: Confidential, Private or Sensitive

Question
A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information
safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital
to the organization

Question
The person responsible for restricting and monitoring
permissions is the:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

AUTHENTICATION & ACCESS CONTROL
Path Access
Authentication: Login/Password, Biometrics
Remote Access

Security: Defense in Depth

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

Four Layers of Logical Security

(Diagram: System 1 and System 2, each hosting applications App1 and App2 and a Database)
Two layers of general access to Networks and Systems
Two layers of granularity of control to Applications and Databases

Password Rules
One-way encrypted using a strong algorithm
Never displayed (except ***)
Never written down and retained near terminal or in desk
Passwords should be changed every 30 days, by notifying user in
advance
A history of passwords should prevent user from using same
password in 1 year
Passwords should be >= 8 (better 12) characters, including 3 of:
alpha, numeric, upper/lower case, and special characters
Passwords should not be identifiable with user, e.g., family
member or pet name

Authentication Combinations
Single Factor: Something you know
• Login & Password
Multifactor Authentication: Using two or more authentication
methods.
Two Factor: Add one of:
• Something you have: Card or ID
• Something you are or do: Biometric
Three Factor: Uses all three: e.g., badge, thumb, pass code

Biometrics
Biometrics: Who you are or what you do
Susceptible to error
False Rejection Rate (FRR): Rate of users rejected in error
False Acceptance Rate (FAR): Rate of users accepted in error
Failure to Enroll Rate (FER): Rate of users who failed to
successfully register

Equal Error Rate (EER): the operating point where FRR = FAR. Moving the decision threshold in one direction increases FRR; moving it the other way increases FAR.
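The FRR, FAR and EER definitions above, worked as an added example that is not part of the slides: the genuine and impostor match scores are constructed, and the accept-when-score-is-at-least-threshold decision rule is an assumption about the matcher.

```python
# Added example (not from the slides): estimate FRR, FAR and the EER of a
# biometric matcher from constructed genuine and impostor match scores.
# Scores lie in [0, 1]; higher = stronger match; a sample is accepted when
# its score is >= the decision threshold. Both score lists are made up.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.56, 0.63, 0.69, 0.77]


def accept(score, threshold):
    """Matcher decision: accept the presented sample when score >= threshold."""
    return score >= threshold


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate: share of genuine users rejected at this threshold."""
    return sum(1 for s in genuine if not accept(s, threshold)) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostors accepted at this threshold."""
    return sum(1 for s in impostor if accept(s, threshold)) / len(impostor)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=1000):
    """Sweep the threshold over [0, 1] and return (threshold, eer) at the point
    where FRR and FAR are closest. Raising the threshold raises FRR and lowers
    FAR, so the two curves cross once; the EER is their common value there."""
    best_t, best_eer, best_gap = None, None, None
    for i in range(steps + 1):
        t = i / steps
        r, a = frr(t, genuine), far(t, impostor)
        gap = abs(r - a)
        if best_gap is None or gap < best_gap:
            best_t, best_eer, best_gap = t, (r + a) / 2, gap
    return best_t, best_eer


def operating_point(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=1000):
    """Lowest threshold whose FAR does not exceed max_far (what a site chooses
    when false acceptance matters more than user annoyance), with its FRR."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return 1.0, 1.0
```

The trade-off is visible in the result: forcing FAR down to 10% on these scores pushes FRR up to 30%, while the EER threshold balances both at 20%.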

Biometrics with Best Response & Lowest EER

Type (top is best) | Advantages | Disadvantages
Palm | Social acceptance | Physical contact
Hand (3D) | Social acceptance, low storage | Not unique, injury affects
Iris | No direct contact | High cost, high storage
Retina | Low FAR | High cost, 1-2 cm away: invasive
Fingerprint | Low cost, more storage = lower EER | Physical contact -> grime -> poor quality image
Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
Signature | Easy to use, low cost | Uniqueness, writing onto tablet differs from paper
Face | Social acceptance | Not unique, overcome with high storage
CISA Review Manual 2009

Biometric Info Mgmt & Security Policy

Identification & authentication procedures


Backup authentication
Safe transmission/storage of biometric data
Security of physical hardware
Validation testing
Auditors should ensure documentation & use is professional

Single Sign On

Advantages | Disadvantages
One good password replaces lots of passwords | Single point of failure -> total compromise
IDs consistent throughout system(s) | Complex software development due to diverse OS
Reduced admin work in setup & forgotten passwords | Expensive implementation
Quick access to systems |

(Diagram: the user enters a password once at the Primary Domain (System); the Secondary Domains App1, DB2 and App3 are then reached without re-authenticating)

Recommended Password Allocation

Security Admin: allocates the user a random password, or sends an email with a link.
User: on first-time login, changes the password; subsequent logins use the new password.

Account states:
[unlocked] -> [Forgot Password]: verify user ID (e.g., email), then inform the user in a controlled manner -> [unlocked]
[unlocked] -> [Invalid Password Attempts]: 5 invalid passwords entered -> Account [locked]
[locked] -> [Manual]: notify Security, who unlocks the account -> [unlocked]
[locked] -> [Auto Timeout]: the system automatically unlocks the account -> [unlocked]

Admin & Login ID Rules


Restrict number of admin accounts
Admin password should only be known by one user
Admin accounts should never be locked out, whereas others are
Admin password can be kept in locked cabinet in sealed
envelope, where top manager has key
Login IDs should follow a confidential internal naming rule
Common accounts: Guest, Administrator, Admin should be
renamed
Session time out should require password re-entry
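The Password Rules, the allocation state flow (5 invalid attempts lock the account; manual or auto-timeout unlock) and the admin-never-locked rule above, put together as an added example that is not code from the slides: the timeout length, the PBKDF2 hashing and the reading of the four character classes as lower/upper/digit/special are assumptions.

```python
import hashlib
import hmac
import os
import time

MIN_LEN = 8          # slides: >= 8 characters (12 is better)
MAX_ATTEMPTS = 5     # slides: 5 invalid passwords lock the account
LOCK_TIMEOUT = 900   # seconds until [Auto Timeout] unlock; assumed value, not from the slides
PBKDF2_ROUNDS = 50_000
ONE_YEAR = 365 * 86400

def password_policy_errors(password, username, personal_words=()):
    """Rules from the Password Rules slide that `password` breaks (empty list = OK).
    The slide's four character classes are read as lower, upper, digit and special."""
    errors = []
    if len(password) < MIN_LEN:
        errors.append("shorter than %d characters" % MIN_LEN)
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        errors.append("needs 3 of: lower, upper, digit, special")
    for word in (username, *personal_words):      # e.g. family member or pet name
        if len(word) >= 3 and word.lower() in password.lower():
            errors.append("identifiable with user: contains %r" % word)
    return errors

def hash_password(password, salt=None):
    """One-way and salted: only the digest is stored, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    """Password history plus the lock / unlock state flow of the allocation slide."""

    def __init__(self, username, password, is_admin=False, clock=time.time):
        self.username, self.is_admin, self.clock = username, is_admin, clock
        self.history = []            # (salt, digest, time_set); newest last
        self.failures, self.locked_at = 0, None
        self.set_password(password)

    def set_password(self, password, personal_words=()):
        errors = password_policy_errors(password, self.username, personal_words)
        now = self.clock()
        if any(now - t < ONE_YEAR and hmac.compare_digest(hash_password(password, s)[1], d)
               for s, d, t in self.history):
            errors.append("password already used within the last year")
        if errors:
            raise ValueError("; ".join(errors))
        self.history.append((*hash_password(password), now))

    def unlock(self):
        """[Manual] unlock after Security is notified, or [Auto Timeout]."""
        self.failures, self.locked_at = 0, None

    def is_locked(self):
        if self.locked_at is not None and self.clock() - self.locked_at >= LOCK_TIMEOUT:
            self.unlock()                                   # [Auto Timeout]
        return self.locked_at is not None

    def login(self, password):
        """Returns 'ok', 'denied' or 'locked' (the account states on the slide)."""
        if self.is_locked():
            return "locked"
        salt, digest, _ = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS and not self.is_admin:   # admins are never locked out
            self.locked_at = self.clock()
            return "locked"
        return "denied"
```

The injectable `clock` lets a test step time forward to exercise the auto-timeout path without sleeping.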

Access Control Techniques (example tables)

Mandatory Access Control
File | User | Group | Permi…
A | John | Mgmt | rwx, r x
B | June | Billing | , r
C | May | Factory | r x, r x
D | Al | Billing |
E | Don | Billing |

Discretionary Access Control (each owner lists who may access which files)
John: A, B, C, D, E, F
June: A, B, C
May: D, E, F
Al: A, B
Don: B, C
Pat: D, F
Tom: E, F
Tim: E

Role-Based Access Control
Login | Role | Permission
John | Mgr | A, B, C, D, E, F
June | Acct. | A, B, C
Al | Acct. | A, B, C
May | Factory | D, E, F
Pat | Factory | D, E, F

Access Control Techniques


Mandatory Access Control: General (system-determined) access
control
Discretionary Access Control: Person with permissions controls
access
Role-Based Access Control: Access control determined by role in
organization
Physical Access Control: Locks, fences, biometrics, badges, keys

Workbook: Role-Based Access Control

Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Student Records: Grading Form RW; Student Transcript (current students) R; Transfer credit form R
Advising | Student Records: Student Transcript (current students) R; Fee Payment R; Transfer credit form R
Registration | Student Records: Fee Payment RW; Transfer credit form RW
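The role table above, with the Segregation of Duties principle from the principles slide and the data owner's periodic review against authorization creep, as an added example that is not the workbook's own code: form names are shortened from the table, and the conflicting role pair is an assumption.

```python
# Added example (not from the slides): RBAC over the workbook's roles, with a
# segregation-of-duties check at assignment time and an access-review view.
ROLE_PERMISSIONS = {
    "Instructor":   {"Grading Form": "RW", "Student Transcript": "R", "Transfer Credit Form": "R"},
    "Advising":     {"Student Transcript": "R", "Fee Payment": "R", "Transfer Credit Form": "R"},
    "Registration": {"Fee Payment": "RW", "Transfer Credit Form": "RW"},
}
# Assumed: nobody both originates grades and authorizes registration changes.
EXCLUSIVE_ROLES = {frozenset({"Instructor", "Registration"})}


class Rbac:
    def __init__(self, role_permissions=ROLE_PERMISSIONS, exclusive=EXCLUSIVE_ROLES):
        self.role_permissions = role_permissions
        self.exclusive = exclusive
        self.user_roles = {}                    # user -> set of roles held

    def assign(self, user, role):
        """Give `user` a role unless it conflicts with one already held (SoD)."""
        if role not in self.role_permissions:
            raise KeyError("unknown role: %s" % role)
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in self.exclusive:
                raise PermissionError("%s: %s conflicts with %s (segregation of duties)"
                                      % (user, role, other))
        held.add(role)

    def revoke(self, user, role):
        """Used by the data owner's periodic review to trim authorization creep."""
        self.user_roles.get(user, set()).discard(role)

    def effective_access(self, user):
        """Union of the permissions of every role held: the access-review view."""
        access = {}
        for role in self.user_roles.get(user, ()):
            for resource, perms in self.role_permissions[role].items():
                access[resource] = "".join(sorted(set(access.get(resource, "")) | set(perms)))
        return access

    def check(self, user, resource, op):
        """Least privilege: permit `op` ('R' or 'W') only through a held role."""
        return op in self.effective_access(user).get(resource, "")
```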

System Access Control


Establish rules for access to information resources
Create/maintain user profiles
Allocate user IDs requiring authentication (per person,
not group)
Notify users of valid use and access before and upon
login
Ensure accountability and auditability by logging user
activities
Log events
Report access control configuration & logs

Application-Level Access Control


Create/change file or database structure
Authorize actions at the:
• Application level
• File level
• Transaction level
• Field level
Log network & data access activities to monitor access violations

Which Computer Do You Trust?


You plan to make a purchase on-line…

A library or college computer?


Your office computer?

Your children’s computer?



Trusted Computing Base (TCB)

Trusted app has
Horizontal dependencies: operating system, hardware
Vertical dependencies: server applications, network, authentication server, …
(Diagram: Trusted App 1, 2, 3 on a Trusted Operating System on Trusted Hardware; Trusted Service 1, 2, 3 on a second Trusted Operating System on Trusted Hardware; the two joined by a Trusted network)

Processing requires Dependencies

Vertical Dependencies: Secret App requires Secret-level database, Secret-level OS, Secret-level hardware
Horizontal Dependencies: Secret App requires Secret-level servers, Secret-level communications, Secret-level authentication

Trusted Computing Base (TCB)

TCB Subset: Verified security policy, provides reliability
Encapsulated security implementation provides rapid implementation
(Diagram: one Security Policy spans Trusted App 1, 2, 3 and Trusted Service 1, 2, 3; each side runs on a Trusted OS with an Encapsulated security implementation, on Trusted Hardware, joined by a Trusted network)

Bell and La Padula Model (BLP)

Classes, highest to lowest: Top Secret, Secret, Confidential, Non-Classified (example subject: Joe => (Secret))
Property of Confinement:
Read Down: permitted if Subject's class >= Object's class
Write Up: permitted if Subject's class <= Object's class
Tranquility Principle: Object's class cannot change
Declassification: Subject can lower his/her own class

Military Security Policy

Class | Finance | Engineering | Personnel
Top Secret | Customer list | New plans |
Secret | Dept. Budgets | Code review | Personnel review
Confidential | Expenses | Emails | Salary
Non-Classified | Balance sheet | Users Manuals | Position Descriptions
Example (sensitivity, domain) labels shown on the slide: (Secret, Eng), (Confid., Finance)

Person has an Authorization Level or Level of Trust
(S,D) = (sensitivity, domain) for Subject (potentially Project)
Object has a Security Class
Confidentiality Property: Subject can access object if it dominates the object's classification level
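The BLP rules and the (S,D) dominance relation above, worked over the objects of the military policy table as an added example that is not from the slides: the level order and object names come from the slides, while modelling a label as a level plus a set of domains (the slides show a single domain) is an assumption that also covers subjects cleared for several domains.

```python
# Added example (not from the slides): BLP read-down / write-up checks over
# (sensitivity, domain) labels. (S1, D1) dominates (S2, D2) iff S1 >= S2 and
# D1 is a superset of D2. Levels are those on the slides, low to high.
LEVELS = ["Non-Classified", "Confidential", "Secret", "Top Secret"]


class Label:
    def __init__(self, sensitivity, domains):
        self.rank = LEVELS.index(sensitivity)
        self.domains = frozenset(domains)

    def dominates(self, other):
        return self.rank >= other.rank and self.domains >= other.domains


class Subject:
    """A person: a fixed clearance and a current label that may only be lowered."""

    def __init__(self, sensitivity, domains):
        self.clearance = Label(sensitivity, domains)
        self.current = self.clearance

    def declassify(self, sensitivity, domains=None):
        """Declassification (slide rule): the subject lowers his/her own class."""
        new = Label(sensitivity, self.current.domains if domains is None else domains)
        if not self.current.dominates(new):
            raise ValueError("a subject may only lower its own class")
        self.current = new


class Obj:
    """A classified object; its label is fixed once created (tranquility)."""

    def __init__(self, name, sensitivity, domain):
        self.name, self._label = name, Label(sensitivity, {domain})

    @property
    def label(self):
        return self._label


def can_read(subject, obj):
    """Read down: the subject's current label must dominate the object's."""
    return subject.current.dominates(obj.label)


def can_write(subject, obj):
    """Write up: the object's label must dominate the subject's current label."""
    return obj.label.dominates(subject.current)
```

With John cleared (Engineering, Confidential), the checks reproduce the quiz answer: he can write to Confidential, Secret and Top Secret Engineering objects but read only Confidential and Non-Classified ones, and nothing in Finance either way.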

BIG Data

Example record: Alice Winter 222 Pine Dr. 262-513-2341 Birth=1989 Diabetic
Blacklist: not stored, or accessed only via permission
Anonymize: alter via statistical distribution
Whitelist: permitted to see
Options include:
Encryption, access control, firewall, security intelligence
Obfuscate: make data unclear
Distribute data across multiple locations
No single location has useful data (e.g., RAID)

IS Auditor Verifies…

Written Policies & Procedures are professional & implemented


Access follows need-to-know
Security awareness & training implemented
Data owners & data custodians meet responsibility for
safeguarding data
Security Administrator provides physical and logical security for IS
program, data, and equipment
Authorization is documented and consistent with reality
See CISA Review Manual for specific details

Question
A form of biometrics that is considered invasive by users is:
1. Retina
2. Iris
3. 3D hand
4. Signature

Question
A form of biometrics that is not prone to error is
1. Retina
2. Voice
3. Finger
4. Signature

Question
Julie is a Data Owner. She configures permissions in the
database to enable users to access the forms she thinks they
should be able to access. This technique is known as
1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control

CISA Review Manual 2009

Question
John has a security clearance of (Engineering, Confidential).
Using Bell and La Padula Model, John can write to:
1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified

CISA Review Manual 2009

AUDIT TRAILS

Audit Trail
Audit trail tracks responsibility
• Who did what when?
• Periodic review will help to find excess-authority access, login successes &
failures, and track fraud
Attackers often want to change the audit trail (to hide tracks)
Audit trail must be hard to change:
• Write-once devices
• Digital signatures
• Security & systems admins and managers may have READ-only access to
log
Audit trail must be sensitive to privacy
• Personal information may be encrypted
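One way to make the audit trail "hard to change" as the slide asks, as an added example that is not from the slides: each record carries an HMAC over its content and the previous record's tag, so editing or deleting any earlier entry breaks verification. The key is assumed to be held by the logging service, not by the administrators who hold read-only access to the log.

```python
import hashlib
import hmac
import json


class AuditTrail:
    """Append-only log whose entries are chained by an HMAC tag; the chain is
    verified with a key the log readers do not hold (assumed deployment)."""

    GENESIS = "0" * 64                      # 'previous tag' of the first entry

    def __init__(self, key):
        self.key = key
        self.entries = []                   # each: who, what, when, prev, tag

    def _tag(self, entry_without_tag):
        body = json.dumps(entry_without_tag, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def record(self, who, what, when):
        """Who did what, when: append a new entry linked to the previous one."""
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        entry = {"who": who, "what": what, "when": when, "prev": prev}
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry["tag"]

    def verify(self):
        """Index of the first entry whose tag or link is wrong, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "tag"}
            if e["prev"] != prev or not hmac.compare_digest(self._tag(body), e["tag"]):
                return i
            prev = e["tag"]
        return -1
```

A write-once device or a periodic digital signature over the latest tag (both named on the slide) anchors the chain so that even the key holder cannot silently rewrite history.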

Audit Trail Tools


Audit Reduction: Filter important logs - eliminate unimportant
logs
Attack/Signature Detection: A sequence of log events may signal
an attack (e.g., 1000 login attempts)
Trend/ Variance-Detection: Notices changes from normal user
or system behavior (e.g., login during night)
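The three audit-trail tools above run over a constructed log, as an added example that is not from the slides: the log format, event names, thresholds and working hours are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines (not real logs): "<ISO time> <user> <event> <source>"
SAMPLE_LOG = """\
2020-01-30T08:02:11 alice LOGIN_OK 10.1.4.20
2020-01-30T08:03:05 alice FILE_READ 10.1.4.20
2020-01-30T08:05:40 bob LOGIN_FAIL 10.1.4.31
2020-01-30T08:06:02 bob LOGIN_FAIL 10.1.4.31
2020-01-30T08:06:30 bob LOGIN_OK 10.1.4.31
2020-01-30T09:10:00 carol FILE_READ 10.1.4.40
2020-01-30T12:00:01 guest LOGIN_FAIL 203.0.113.9
2020-01-30T12:00:04 admin LOGIN_FAIL 203.0.113.9
2020-01-30T12:00:07 root LOGIN_FAIL 203.0.113.9
2020-01-30T12:00:10 alice LOGIN_FAIL 203.0.113.9
2020-01-30T23:41:17 carol LOGIN_OK 10.1.4.40
2020-01-31T03:15:00 dave PERM_CHANGE 10.1.4.20
"""


def parse(text):
    """Turn raw lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src": src})
    return events


def audit_reduction(events, keep=("LOGIN_OK", "LOGIN_FAIL", "PERM_CHANGE")):
    """Keep the security-relevant events; routine ones (e.g. FILE_READ) are dropped."""
    return [e for e in events if e["event"] in keep]


def signature_detection(events, threshold=3, window=timedelta(minutes=10)):
    """Sources with `threshold` or more failed logins inside `window`
    (the slide's example signature is 1000 login attempts)."""
    recent = defaultdict(list)          # source -> timestamps of recent failures
    flagged = set()
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] != "LOGIN_FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(e["src"])
    return flagged


def variance_detection(events, work_hours=(7, 19)):
    """Successful logins outside normal hours (the slide's 'login during night')."""
    start, end = work_hours
    return [(e["user"], e["time"].isoformat()) for e in events
            if e["event"] == "LOGIN_OK" and not start <= e["time"].hour < end]
```

On the sample, bob's two early typos stay below the signature threshold while the external source with four failures across four account names is flagged, and carol's late-night login surfaces as a variance from her daytime pattern.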

Question
Audit trails:
1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick
access

Summary
Data is inventoried
Data is allocated a sensitivity and criticality class
Class handling is defined for handling, transporting, storage
Roles are allocated permissions (access control)
Authorization ensures access control is enforced: biometrics, two-factor
authentication, single sign-on
Trust enables use
Access may be distributed: Trusted Computing Base
Audit trails enforce accountability

HEALTH FIRST CASE STUDY
Designing Information Security

Jamie Ramon MD: Doctor
Chris Ramon RD: Dietician
Terry: Licensed Practicing Nurse
Pat: Software Consultant

Define Sensitivity Classification

Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. |
Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. |
Private | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released: for use with particular parties within the organization. |
Public | Disclosure is not welcome, but would not adversely impact the organization, OR the information is public record |

Define Sensitivity Classification

Proprietary: Strategic Plan
Confidential: Salary & Health Info
Private: Product Plans
Public: Product Users Manual near Release

How should classes be treated?

Table 4.1.2: Handling of Sensitive Data
 | Proprietary | Confidential | Private
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling and Handling | 'Confidential' label, clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy
Transmission | Encrypted | Encrypted |
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks, shred paper | Secure wipe, damage disks, shred paper | Reformat disks
Special | | |

Define Roles & Role-Based Access Control

Health Plan Eligibility form fields:
Health Plan, Eligibility: Active, Maximum Benefit, Co-Pay, Deductible, Exclusions, In-Plan Benefits, Out-of-Plan Benefits, Coordination of Benefits

Specific Procedure Request form fields:
Procedure, Coverage Dates, Max. Coverage, Co-pay / Patient Resp, Non-covered Amounts

Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)

Workbook: Information Asset Inventory

Asset Name | Course Registration
Value to Organization | Records which students are taking which classes
Location | IS Main Center
Security Risk Classification | Sensitive, Vital
IS Server | Peoplesoft
Data Owner | (Who decides who should have access?)
Designated Custodian | (Who takes care of backups and sys admin functions?)
Granted Permissions | Read: Department Staff, Advising; Read/Write: Students, Registration; Access is permitted at any time/any terminal