Predict – Preempt – Protect

Security Fundamentals

Karthikeyan Dhayalan
Tes
• tes

Karthikeyan Dhayalan
CIA - Triade
 Confidentiality
- Anything that needs to be
protected
- Safeguard against unauthorized
access, notice, use
- Protecting data at each stage
(storage, processing, transit)
Threats
• Capturing network traffic
•
•
Unauthorized access to network
Password dump stealing
• Dumpster diving
• Social engineering
• Port scanning
• Eavesdropping
Countermeasures
• Encryption
• Authentication to systems
• Access control
• Network traffic padding
• Data classification
• End-user training
Confidentiality Concepts
• Sensitivity
• Quality of information that could cause harm or damage if released
• Nuclear facility
• Discretion
• Showing prudence or self-restraint when dealing with data of interest
• Public release of military operations
• Criticality
• The level to which the information is critical
• HIGH Critical
• Concealment
• Act of hiding or preventing disclosure
• Steganography
• Secrecy
• Act of keeping information confidential
• Coke formula
• Privacy
• Keeping information about a person under safe custody
• PII/PHI
• Seclusion
• Storing something in an out-of-the way location
• Storage Vault
• Isolation
• Act of keeping something separated from the rest
• DMZ, ODC
Integrity
Threats
• The capability to maintain the • Virus
veracity and be intentionally • Logic bombs
• Errors
modified only by authorized • Malicious modifications
individuals • Intentional replacement
• System back door
• Enforces Accuracy
• Provides Assurance Countermeasures
• Prevent unauthorized modifications • Activity logging
• Access control
• Prevent unauthorized modifications • Authentication
by authorized users • Hashing
• Encryption
• Maintain internal and external • Intrusion detection systems
consistency of objects

Integrity is dependent on Confidentiality

Availability
Threats
• Provisioning un-interrupted and • Device failure
timely access to authorized subjects •
•
Software error
Natural calamity
• Offers high level of assurance that • Power
• Human error
data shall be available to authorized • oversight
subjects Countermeasures
• It includes • RAID
• Usability •
•
Redundant systems
Clustering
• Accessibility • Access control
• BCP/DR
• Timeliness • Fault tolerance

Availability is dependent on both Integrity and confidentiality

 Security concepts
Identification Authentication Authorization Auditing Accountability

 Subject professes  Verification of the  Comparing the subject,  Means by which  Capability to prove a
identity claimed Identity object and the intended subjects actions as subject’s identity and track
 First step in AAA process
 Verifies identity by activity to authorize well as system their activities.
 Username, smart card,
speaking a phrase, comparing against one actions operations are logged  Established by linking a
biometric, user ID or more factors stored and monitored human to the activities of
 Without identity there  Identification/
can be no in the database Authentication are all or  Helps detect un- an online identity
authentication  Identification and nothing model, while authorized or  Ultimately dependent on
authentication are Authorization can have abnormal activities the strength of
always together wide range of options Authentication factor

Nonrepudiation
 Ensures the subject of an activity  Can be established via digital certs, session
cannot deny the action identifiers, transaction logs
Security Control Concepts

Layering Abstraction Data Hiding Encryption

 Also known as defense  Putting similar  Preventing data from  Hiding the meaning
in depth elements in groups, being discovered or intent of a
 Multiple controls are classes or roles that  Some forms include – communication
applied in series are assigned security restricting visibility to  It is an important
 Layering should be controls high critical application element in security

applied in series and  Used for efficiency from low level subjects controls
not parallel  Includes definition of
object and subject
Security Management Plan
• SMP should use a top-down approach
• Senior management is responsible for initiating and defining policies;
• Middle management is responsible for releasing standards, baselines,
guidelines in relation to the policy
• Operations management/IT teams implement the controls defined above
• End-users must comply with all the functions of the organization
• SMP should have Approval from Senior Management before we start
to engage.
Security Management Plan Types
SMP Type Description
Strategic Long term plan
Plan Defines the organization’s security posture
Useful for at least 5 years. Reviewed annually
Helps understand security function and align it with business
Should include Risk Assessment
Tactical Plan Mid-term plan developed to provide more detailed goal
Usually for an year or two
More technology oriented
Eg: Project plans, acquisition plan, budget plan, hiring plan
Operational Short-term plan
Plan Highly-detailed plan
Must be updated often (monthly, quarterly)
Spell-out how to accomplish various goals
Eg: resource allotment, budgetary allocation, training plans
 Change Management
• Goal – Ensure any change does not lead to compromised or reduced
security
• Purpose – Make all changes subject to detailed documentation, auditing,
review and scrutiny by management
• Helps
• Implement changes in a controlled and orderly manner
• Formalized testing process
• Back out or roll back procedures
• Users are informed before the change
• Effects of change are systematically analysed
• Negative impact is minimized
• Changes are reviewed and approved by CAB
 Data Classification
- It is the process of
organizing items, objects, - Benefits
subjects into groups,
categories or collections
with similarities
- Primary means for data
protection
- Used to determine how
much effort, money and
resources are allocated to
protect the data and
control access to it
Benefits
• Demonstrates organization’s
commitment to protecting
assets
• Assists in identifying assets
that are critical for the
organization
• Lends credence to the
selection of protection
mechanisms
• Required for regulatory
compliance
• Helps define access levels
• Helps with data life-cycle
management
Criteria
• Usefulness
• Timeliness
• Value
• Maturity or age of data
• Life time of the data
• Association with personal
• Disclosure damage assessment
• Modification damage
• National security
• Authorized access to data
• Restriction from the data
• Maintenance and monitoring
• Storage
 7 Step Classification scheme

Identify owner and Document any

Specify evaluation Classify and label
define exceptions to the
criteria each resource
Responsibility classification policy

Select the security Specify

Create awareness
controls that will be declassification
program
applicable procedures
 Classification Scheme

Government/Military
Top Secret Confidential/Private
Secret Sensitive
Confidential Public

Commercial/Business
Sensitive
Unclassified

In Military, Classified is used to denote any data that is

ranked above the unclassified level
Security roles • Ultimately responsible for security
• Must signoff all policy issues
Senior Management • All activities must be approved
• Will be held responsible for overall security success/failure
• Responsible for due care and due diligence

• Responsible for following the directives mandated by SM

Security Professional • Has the functional responsibility for security
• They are not decision makers

• Responsible for classifying information

Data Owner • Ultimately responsible for the data they own
• Typically high level management representative

• Responsible for tasks of implementing the prescribed protection defined by Data

owner
Data Custodian • Responsibilities include, preforming/testing backups, validating data integrity,
deploying security solutions and managing data storage based on classification

• Has access to the secure system

User • Responsible for understanding and upholding the security policy

• Responsible for reviewing and verifying the security policy implementation

Auditor • Produces compliance and effectiveness reports
Due Care and Due Diligence

Due Care
• Taking reasonable care in protecting the organization
• It’s a legal term – it pertains to the legal duty of the
organization
• Lack of due care is considered negligence
Due Diligence
• Practicing the activities that maintain the due care effort
• Pertains to best practices that a company should follow
• It might not be legally liable
 Security Policy
- Strategic plan for implementing
Organizational Security policy –
security
focuses on issues relevant to every aspect of the
- Defines the scope of security needed organization
for the organization

Types
- Defines the main security objectives
and outlines the security framework Issue-specific policy –
- Identifies major functional areas of focuses on specific service, department, function that
is distinct from the organization as a whole
data processing
- Broadly outlines the security goals and
practices that should be employed System-specific policy –
- Its is used to assign responsibilities,
Focuses on individual systems
define roles, specify audit
requirements, outline enforcement
process, indicate compliance
requirements, and define acceptable
risk levels
It’s a compulsory document
Security Categories
Regulatory Advisory Informative

• Required • Discusses • Designed to

whenever behaviors and provide
industry or activities are information or
legal acceptable knowledge
standards are and defines about a
applicable to consequences specific
your of violation subject
organization • Not
enforceable
Standard/Baseline/Guideline/Procedure
Standard Baseline Guideline Procedure

• Define compulsory • Defines minimum • Offers • Final element of

requirements level of security recommendations the formalized
• Provides a course that every system on security policy
of action for must meet implementation structure
uniform • System-specific • Servers as an • Detailed step-by-
deployment of • Establishes operating guide step document
technology common secure • Flexible – can be describes actions
• Tactical documents state customized for necessary to
each unique implement
system security mandates
• System and
software specific
• Purpose is to
ensure integrity of
business process
 Threat Modelling
- A process where potential threats are identified, categorized,
and analysed
- Can be performed both pro-actively as well as reactively
- Two goals of threat modelling
- Reduce the number of security related coding and design
defects
- Reduce the severity of remaining defects

Proactive Approach Reactive Approach

- Also known as defensive approach
- Takes place during early stages of systems development
- Based on predicting threats and design specific counter
measures during the coding and crafting process
- Also known as adversarial approach
- Takes place after a product has been created and
deployed
- This is the core concept behind ethical hacking, PT,
source code review and Fuzz testing
Threat Modelling Steps

Determining
Performing
Identifying and Prioritization
Reduction
Threats Diagramming and Response
Analysis
Potential attacks
Identifying Threats – STRIDE approach
Microsoft Threat categorization scheme

SPOOFING
TAMPERING
REPUDIATION
INFORMAITON DISCLOSURE
DENIAL OF SERICE
ELEVATION OF PRIVILEGES
Determining and Diagramming Potential Attacks
• Post identifying threats, the next step is to determine
the potential attack concepts that could materialize
• Often accomplished by data flow diagrams, privilege
boundaries, and elements involved
• Once diagram has been crafted, identify all the
technologies involved.
• Identify attacks that could be targeted at each element
of the diagram
• Attacks should include all forms – logical, physical, social
 Perform Reduction Analysis
• Involves decomposing the application, system or environment
• Purpose of this process is to get a greater understanding on the purpose of
the product and its interactions with external entities
• Each element should be evaluated to understand inputs, processing,
security, data management, storage and output
• 5 key concepts to be aware of
• Trust Boundaries – location where the level of trust changes
• Data flow paths – movement of data between locations
• Input points – locations where external input is received
• Privilege Operations – Activity that requires greater privileges
• Security stance and approach – Declaration of the security policy, security
foundation and security assumptions
 Prioritization and Response
• Document the threat – define the means, target and consequences of a
threat
• After documentation, rank or rate the threats
• DREAD Rating System
• Damage potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
Karthikeyan Dhayalan