6 The Basics of Information Security

that contained the results of medical tests, we might see the wrong treatment prescribed, potentially resulting in the death of the patient.

Availability

The final leg of the CIA triad is availability. Availability refers to the ability to access our data when we need it. Loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access to our data. Such issues can result from power loss, operating system or application problems, network attacks, compromise of a system, or other problems. When such issues are caused by an outside party, such as an attacker, they are commonly referred to as a denial of service (DoS) attack.

Relating the CIA Triad to Security

Given the elements of the CIA triad, we can begin to discuss security issues in a very specific fashion. As an example, we can look at a shipment of backup tapes on which we have the only existing, but unencrypted, copy of some of our sensitive data stored. If we were to lose the shipment in transit, we will have a security issue. From a confidentiality standpoint, we are likely to have a problem since our files were not encrypted. From an integrity standpoint, presuming that we were able to recover the tapes, we again have an issue due to the lack of encryption used on our files. If we recover the tapes and the unencrypted files were altered, this would not be immediately apparent to us. As for availability, we have an issue unless the tapes are recovered since we do not have a backup copy of the files.

Although we can describe the situation in this example with relative accuracy using the CIA triad, we might find that the model is more restrictive than what we need in order to describe the entire situation. An alternative model does exist that is somewhat more extensive.
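The lost-tape scenario says that alteration of the unencrypted files "would not be immediately apparent to us". The following is an added example, not code from the book, showing the check that makes such alteration apparent: before the shipment leaves, record a keyed HMAC-SHA256 digest of each tape's contents in a manifest; after recovery, recompute the digests and compare. The tape names, their contents and the key are constructed for this demonstration. Because the manifest is keyed, someone who alters a tape cannot regenerate a matching manifest entry without the key, so the manifest can travel with the shipment. An HMAC gives integrity and authenticity relative to the shared key, but not nonrepudiation, which the book reserves for digital signatures in Chapter 5.

```python
import hashlib
import hmac

# Constructed stand-ins for the shipped tapes: name -> contents.
# Real tapes would be read from the media; these are in-memory bytes.
TAPES_AT_SHIPMENT = {
    "tape01.img": b"patient=1001;test=glucose;result=5.4 mmol/L\n",
    "tape02.img": b"patient=1002;test=potassium;result=4.1 mmol/L\n",
    "tape03.img": b"patient=1003;test=sodium;result=138 mmol/L\n",
}

# Constructed demonstration key. In practice the key would be generated with
# secrets.token_bytes(32) and kept off the shipment, with the sender.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def tag(key, data):
    """Keyed HMAC-SHA256 over one tape's contents, as a hex string."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(tapes, key):
    """Record a keyed digest for every tape before the shipment leaves."""
    return {name: tag(key, data) for name, data in sorted(tapes.items())}


def verify_manifest(recovered, manifest, key):
    """Check recovered tapes against the manifest.

    Returns {name: status} where status is one of:
      'ok'         contents match the recorded digest
      'altered'    contents differ (or the manifest entry was made without the key)
      'missing'    listed in the manifest but not recovered
      'unexpected' recovered but never listed in the manifest
    """
    status = {}
    for name, expected in manifest.items():
        if name not in recovered:
            status[name] = "missing"
            continue
        actual = tag(key, recovered[name])
        # compare_digest runs in constant time, so the comparison itself
        # does not leak how many leading characters matched.
        status[name] = "ok" if hmac.compare_digest(actual, expected) else "altered"
    for name in recovered:
        if name not in manifest:
            status[name] = "unexpected"
    return status


def simulate_recovery():
    """Ship three tapes, then recover a lot in which one tape was altered in
    transit and one was never recovered. Returns the verification result."""
    manifest = build_manifest(TAPES_AT_SHIPMENT, DEMO_KEY)
    recovered = dict(TAPES_AT_SHIPMENT)
    # tape02 comes back with a changed result value: the integrity loss that
    # would not be apparent without this check.
    recovered["tape02.img"] = b"patient=1002;test=potassium;result=7.1 mmol/L\n"
    # tape03 never turns up: an availability (and possession) loss.
    del recovered["tape03.img"]
    return verify_manifest(recovered, manifest, DEMO_KEY)


if __name__ == "__main__":
    for name, state in simulate_recovery().items():
        print(f"{name}: {state}")
```

Run stand-alone, the script reports tape01 as ok, tape02 as altered and tape03 as missing. The manifest answers the integrity and availability questions for each tape; whether the data itself was exposed (confidentiality) still depends on whether that tape was encrypted, which no digest can tell us.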
The Parkerian Hexad

The Parkerian hexad, named for Donn Parker and introduced in his book Fighting Computer Crime, provides us with a somewhat more complex variation of the classic CIA triad. Where the CIA triad consists of confidentiality, integrity, and availability, the Parkerian hexad consists of these three principles, as well as possession or control, authenticity, and utility [3], for a total of six principles, as shown in Figure 1.2.

Alert!

Although it is considered by some to be a more complete model, the Parkerian hexad is not as widely known as the CIA triad. If we decide to use this model in discussion of a security situation, we should be prepared to explain the difference to the uninitiated.
What is Information Security? CHAPTER 1 7

Figure 1.2 The Parkerian Hexad (confidentiality, integrity, availability, possession or control, authenticity, utility)

Confidentiality, Integrity, and Availability

As we mentioned, the Parkerian hexad encompasses the three principles of the CIA triad with the same definitions we just discussed. There is some variance in how Parker describes integrity, as he does not account for authorized, but incorrect, modification of data, and instead focuses on the state of the data itself in the sense of completeness.

Possession or Control

Possession or control refers to the physical disposition of the media on which the data is stored. This enables us, without involving other factors such as availability, to discuss our loss of the data in its physical medium. In our lost shipment of backup tapes, let us say that some of them were encrypted and some of them were not. The principle of possession would enable us to more accurately describe the scope of the incident; the encrypted tapes in the lot are a possession problem but not a confidentiality problem, and the unencrypted tapes are a problem on both counts.

Authenticity

Authenticity allows us to talk about the proper attribution as to the owner or creator of the data in question. For example, if we send an e-mail message that is altered so as to appear to have come from a different e-mail address than the one from which it was actually sent, we would be violating the authenticity of the e-mail. Authenticity can be enforced through the use of digital signatures, which we will discuss further in Chapter 5. A very similar, but reversed, concept to this is nonrepudiation. Nonrepudiation prevents someone from taking an action, such as sending an e-mail, and then later denying that he or she has done so. We will discuss nonrepudiation at greater length in Chapter 5 as well.
Utility

Utility refers to how useful the data is to us. Utility is also the only principle of the Parkerian hexad that is not necessarily binary in nature; we can have a variety of degrees of utility, depending on the data and its format. This is a somewhat abstract concept, but it does prove useful in discussing certain situations in the security world. For instance, in one of our earlier examples we had a shipment of backup tapes, some of which were encrypted and some of which were not. For an attacker, or other unauthorized person, the encrypted tapes would likely be of very little utility, as the data would not be readable. The unencrypted tapes would be of much greater utility, as the attacker or unauthorized person would be able to access the data.

Attacks

We may face attacks from a wide variety of approaches and angles. When we look at what exactly makes up an attack, we can break it down according to the type of attack that it represents, the risk the attack represents, and the controls we might use to mitigate it.

Types of Attacks

When we look at the types of attacks we might face, we can generally place them into one of four categories: interception, interruption, modification, and fabrication. Each category can affect one or more of the principles of the CIA triad, as shown in Figure 1.3. Additionally, the lines between the categories of attack and the particular effects they can have are somewhat blurry. Depending on the attack in question, we might argue for it to be included in more than one category, or have more than one type of effect.

Figure 1.3 Categories of Attack (confidentiality: interception; integrity: interruption, modification, fabrication; availability: interruption, modification, fabrication)

Interception

Interception attacks allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.

Interruption

Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well. In the case of a DoS attack on a mail server, we would classify this as an availability attack. In the case of an attacker manipulating the processes on which a database runs in order to prevent access to the data it contains, we might consider this an integrity attack, due to the possible loss or corruption of data, or we might consider it a combination of the two. We might also consider such a database attack to be a modification attack rather than an interruption attack.

Modification

Modification attacks involve tampering with our asset. Such attacks might primarily be considered an integrity attack but could also represent an availability attack. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file. However, if we consider the case where the file in question is a configuration file that manages how a particular service behaves, perhaps one that is acting as a Web server, we might affect the availability of that service by changing the contents of the file.
If we continue with this concept and say the configuration we altered in the file for our Web server is one that alters how the server deals with encrypted connections, we could even make this a confidentiality attack.

Fabrication

Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well. If we generate spurious information in a database, this would be considered to be a fabrication attack. We could also generate e-mail, which is commonly used as a method for propagating malware, such as we might find being used to spread a worm. In the sense of an availability attack, if we generate enough additional processes, network traffic, e-mail, Web traffic, or nearly anything else that consumes resources, we can potentially render the service that handles such traffic unavailable to legitimate users of the system.
Threats, Vulnerabilities, and Risk

In order to be able to speak more specifically on attacks, we need to introduce a few new items of terminology. When we look at the potential for a particular attack to affect us, we can speak of it in terms of threats, vulnerabilities, and the associated risk that might accompany them.

Threats

When we spoke of the types of attacks we might encounter, in the “Attacks” section earlier in this chapter, we discussed some of the things that have the potential to cause harm to our assets. Ultimately, this is what a threat is—something that has the potential to cause us harm. Threats tend to be specific to certain environments, particularly in the world of information security. For example, although a virus might be problematic on a Windows operating system, the same virus will be unlikely to have any effect on a Linux operating system.

Vulnerabilities

Vulnerabilities are weaknesses that can be used to harm us. In essence, they are holes that can be exploited by threats in order to cause us harm. A vulnerability might be a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data center that is populated over the capacity of its air-conditioning system, a lack of backup generators, or other factors.

Risk

Risk is the likelihood that something bad will happen. In order for us to have a risk in a particular environment, we need to have both a threat and a vulnerability that the specific threat can exploit. For example, if we have a structure that is made from wood and we set it on fire, we have both a threat (the fire) and a vulnerability that matches it (the wood structure). In this case, we most definitely have a risk. Likewise, if we have the same threat of fire, but our structure is made of concrete, we no longer have a credible risk, because our threat does not have a vulnerability to exploit.
We can argue that a sufficiently hot flame could damage the concrete, but this is a much less likely event.

We will often have similar discussions regarding potential risk in computing environments, and potential, but unlikely, attacks that could happen. In such cases, the best strategy is to spend our time mitigating the most likely attacks. If we sink our resources into trying to plan for every possible attack, however unlikely, we will spread ourselves thin and will be lacking in protection where we actually need it the most.

Impact

Some organizations, such as the U.S. National Security Agency (NSA), add an additional factor to the threat/vulnerability/risk equation, in the form of