CHAPTER 1
What is Information Security?

Information in This Chapter:
■ What is Security?
■ Models for Discussing Security Issues
■ Attacks
■ Defense in Depth

INTRODUCTION

Information security is a concept that becomes ever more enmeshed in many aspects of our society, largely as a result of our nearly ubiquitous adoption of computing technology. In our everyday lives, many of us work with computers for our employers, play on computers at home, go to school online, buy goods from merchants on the Internet, take our laptops to the coffee shop and check our e-mail, carry our smartphones on our hips and use them to check our bank balances, track our exercise with sensors in our shoes, and so on, ad infinitum. Although this technology enables us to be more productive and allows us to access a host of information with only a click of the mouse, it also carries with it a host of security issues. If the information on the systems used by our employers or our banks becomes exposed to an attacker, the consequences can be dire indeed. We could suddenly find ourselves bereft of funds, as the contents of our bank account are transferred to a bank in another country in the middle of the night. Our employer could lose millions of dollars, face legal prosecution, and suffer damage to its reputation because of a system configuration issue allowing an attacker to gain access to a database containing personally identifiable information (PII) or proprietary information. We see such issues appear in the media with disturbing regularity.

If we look back 30 years, such issues related to computer systems were nearly nonexistent, largely due to the low level of technology and the few people who were using what was in place. Although technology changes at an increasingly
rapid rate, and specific implementations arise on a seemingly daily basis, much of the theory that discusses how we go about keeping ourselves secure changes at a much slower pace and does not always keep up with the changes to our technology. If we can gain a good understanding of the basics of information security, we are on a strong footing to cope with changes as they come along.

WHAT IS SECURITY?

Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," according to U.S. law [1]. In essence, it means we want to protect our data and our systems from those who would seek to misuse it.

In a general sense, security means protecting our assets. This may mean protecting them from attackers invading our networks, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states. Ultimately, we will attempt to secure ourselves against the most likely forms of attack, to the best extent we reasonably can, given our environment.

When we look at what exactly it is that we secure, we may have a broad range of potential assets. We can consider physical items that we might want to secure, such as those of inherent value (e.g., gold bullion) or those that have value to our business (e.g., computing hardware). We may also have items of a more ethereal nature, such as software, source code, or data. In today's computing environment, we are likely to find that our logical assets are at least as valuable as, if not more than, our physical assets. Additionally, we must also protect the people who are involved in our operations. People are our single most valuable asset, as we cannot generally conduct business without them. We duplicate our physical and logical assets and keep backup copies of them elsewhere against catastrophe occurring, but without the skilled people to operate and maintain our environments, we will swiftly fail.

In our efforts to secure our assets, we must also consider the consequences of the security we choose to implement. There is a well-known quote that says, "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards, and even then I have my doubts" [2]. Although we could certainly say that a system in such a state could be considered reasonably secure, it is surely not usable or productive. As we increase the level of security, we usually decrease the level of productivity. With the system mentioned in our quote, the level of security would be very high, but the level of productivity would be very near zero.

Additionally, when securing an asset, system, or environment, we must also consider how the level of security relates to the value of the item being secured. We can, if we are willing to accommodate the decrease in performance, apply very high levels of security to every asset for which we are responsible. We can build a billion-dollar facility surrounded by razor wire fences and patrolled by armed guards and vicious attack dogs, and carefully
place our asset in a hermetically sealed vault inside . so that mom's chocolate chip cookie recipe will never come to harm, but that would not make much sense. In some environments, however, such security measures might not be enough. In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do happen to lose them, and make sure we establish reasonable levels of protection for their value. The cost of the security we put in place should never outstrip the value of what it is protecting.

When Are We Secure?

Defining the exact point at which we can be considered secure presents a bit of a challenge. Are we secure if our systems are properly patched? Are we secure if we use strong passwords? Are we secure if we are disconnected from the Internet entirely? From a certain point of view, all of these questions can be answered with a "no."

Even if our systems are properly patched, there will always be new attacks to which we are vulnerable. When strong passwords are in use, there will be other avenues that an attacker can exploit. When we are disconnected from the Internet, our systems can be physically accessed or stolen. In short, it is very difficult to define when we are truly secure. We can, however, turn the question around.

Defining when we are insecure is a much easier task, and we can quickly list a number of items that would put us in this state:
■ Not patching our systems
■ Using weak passwords such as "password" or "1234"
■ Downloading programs from the Internet
■ Opening e-mail attachments from unknown senders
■ Using wireless networks without encryption

We could go on for some time creating such a list. The good thing is that once we are able to point out the areas in an environment that can cause it to be insecure, we can take steps to mitigate these issues. This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again. Although we may never get to a state that we can definitively call "secure," we can take steps in the right direction.

ALERT!
The bodies of law that define standards for security vary quite a bit from one industry to another and wildly from one country to another. Organizations that operate globally are very common at present, and we need to take care that we are not violating any such laws in the course of conducting business. We can see exactly such a case when we look at the differences in data privacy laws between the United States and the European Union. When in doubt, consult legal counsel before acting.
Some bodies of law or regulations do make an attempt to define what secure is, or at least some of the steps we should take to be "secure enough." We have the Payment Card Industry Data Security Standard (PCI DSS) for companies that process credit card payments, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that handle health care and patient records, the Federal Information Security Management Act (FISMA) that defines security standards for many federal agencies in the United States, and a host of others. Whether these standards are effective or not is the source of much discussion, but following the security standards defined for the industry in which we are operating is generally considered to be advisable, if not mandated.

MODELS FOR DISCUSSING SECURITY ISSUES

When we discuss security issues, it is often helpful to have a model that we can use as a foundation or a baseline. This gives us a consistent set of terminology and concepts that we, as security professionals, can refer to when security issues arise.

The Confidentiality, Integrity, and Availability Triad

Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the confidentiality, integrity, and availability (CIA) triad, as shown in Figure 1.1. The CIA triad gives us a model by which we can think about and discuss security concepts, and tends to be very focused on security, as it pertains to data.

MORE ADVANCED
The common notation for confidentiality, integrity, and availability is CIA. In certain materials, largely those developed by ISC2, we may see this rearranged slightly as CAI. No change to the concepts is implied in this rearrangement, but it can be confusing for those who do not know about it in advance. We may also see the CIA concepts expressed in their negative forms: disclosure, alteration, and denial (DAD).

CONFIDENTIALITY

Confidentiality is a concept similar to, but not the same as, privacy. Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it. Confidentiality is a concept that may be implemented at many levels of a process.

As an example, if we consider the case of a person withdrawing money from an ATM, the person in question will likely seek to maintain the confidentiality of the personal identification number (PIN) that allows him, in combination with his ATM card, to draw funds from the ATM. Additionally, the owner of the ATM will hopefully maintain the confidentiality of the account number,
balance, and any other information needed to communicate to the bank from which the funds are being drawn. The bank will maintain the confidentiality of the transaction with the ATM and the balance change in the account after the funds have been withdrawn. If at any point in the transaction confidentiality is compromised, the results could be bad for the individual, the owner of the ATM, and the bank, potentially resulting in what is known in the information security field as a breach.

[Figure 1.1 The CIA Triad: Confidentiality, Integrity, and Availability]

Confidentiality can be compromised by the loss of a laptop containing data, a person looking over our shoulder while we type a password, an e-mail attachment being sent to the wrong person, an attacker penetrating our systems, or similar issues.

INTEGRITY

Integrity refers to the ability to prevent our data from being changed in an unauthorized or undesirable manner. This could mean the unauthorized change or deletion of our data or portions of our data, or it could mean an authorized, but undesirable, change or deletion of our data. To maintain integrity, we not only need to have the means to prevent unauthorized changes to our data but also need the ability to reverse authorized changes that need to be undone.

We can see a good example of mechanisms that allow us to control integrity in the file systems of many modern operating systems such as Windows and Linux. For purposes of preventing unauthorized changes, such systems often implement permissions that restrict what actions an unauthorized user can perform on a given file. Additionally, some such systems, and many applications, such as databases, can allow us to undo or roll back changes that are undesirable.

Integrity is particularly important when we are discussing the data that provides the foundation for other decisions. If an attacker were to alter the data
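
The two halves of integrity described in the Integrity section, preventing unauthorized changes and reversing authorized changes that turn out to be undesirable, can be seen working together in the following Python example. It is added here and is not code from the book. It uses a keyed HMAC, a mechanism the chapter itself does not name, to detect any change made by someone who does not hold the key, and a simple version history to roll back an authorized change. The IntegrityStore class, the SECRET_KEY value, and the account-balance records are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed for the example. A real deployment would load the key from a key
# store or HSM rather than embedding it in source.
SECRET_KEY = b"example-integrity-key-do-not-reuse"


@dataclass
class Version:
    number: int     # position in the history, starting at 1
    content: str    # the record as written
    tag: str        # hex HMAC-SHA256 over (number, content)


def make_tag(key: bytes, number: int, content: str) -> str:
    """Bind the version number and content together under the key, so an
    attacker can neither edit a version in place nor swap contents between
    versions without the tag failing to verify."""
    message = json.dumps({"v": number, "c": content}, sort_keys=True).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class IntegrityStore:
    """A single record with a version history (hypothetical class).

    Only holders of the key can produce versions whose tags verify: this is the
    'prevent unauthorized changes' half. Every version is kept, so an authorized
    change that turns out to be undesirable can be rolled back: the 'reverse
    authorized changes' half."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.history: list[Version] = []

    def write(self, content: str) -> Version:
        number = len(self.history) + 1
        version = Version(number, content, make_tag(self._key, number, content))
        self.history.append(version)
        return version

    @property
    def current(self) -> Version:
        return self.history[-1]

    def verify(self, version: Version) -> bool:
        expected = make_tag(self._key, version.number, version.content)
        # Constant-time comparison; a plain == would leak timing information.
        return hmac.compare_digest(expected, version.tag)

    def rollback(self) -> Version:
        if len(self.history) < 2:
            raise ValueError("no earlier version to roll back to")
        self.history.pop()
        return self.current


def demo() -> dict:
    """Walk through both halves of integrity on a constructed account balance."""
    store = IntegrityStore(SECRET_KEY)
    store.write("balance=100")
    store.write("balance=1000")          # authorized, but an operator typo
    authorized_write_verifies = store.verify(store.current)

    restored = store.rollback().content  # undo the undesirable authorized change

    # Unauthorized change: the stored bytes are edited directly, with no key.
    store.current.content = "balance=100000"
    tamper_detected = not store.verify(store.current)

    # Recomputing the tag under a guessed key does not help the attacker either.
    store.current.tag = make_tag(b"guessed-key", store.current.number,
                                 store.current.content)
    forged_tag_detected = not store.verify(store.current)

    return {
        "authorized_write_verifies": authorized_write_verifies,
        "restored": restored,
        "tamper_detected": tamper_detected,
        "forged_tag_detected": forged_tag_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The file-system permissions the chapter mentions are the operating system's way of stopping the unauthorized write from happening in the first place; the tag check above is the complementary control that tells us, after the fact, that a write we did not authorize has occurred, and the history is what lets us put things back.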