What is Information Security? CHAPTER 1 11

impact. If we consider the value of the asset being threatened to be a factor, this may change whether we see a risk as being present or not. If we revisit our example of lost backup tape and stipulate that the unencrypted backup tapes contain only our collection of chocolate chip cookie recipes, we may not actually have a risk. The data being exposed would not cause us a problem, as there was nothing sensitive in it, and we can make additional backups from the source data. In this particular case, we might safely say that we have no risk.

Controls

In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls. Controls are divided into three categories: physical, logical, and administrative.

Physical

Physical controls are those controls that protect the physical environment in which our systems sit, or where our data is stored. Such controls also control access in and out of such environments. Physical controls logically include items such as fences, gates, locks, bollards, guards, and cameras, but also include systems that maintain the physical environment such as heating and air conditioning systems, fire suppression systems, and backup power generators.

Although at first glance, physical controls may not seem like they would be integral to information security, they are actually one of the more critical controls with which we need to be concerned. If we are not able to physically protect our systems and data, any other controls that we can put in place become irrelevant. If an attacker is able to physically access our systems, he can, at the very least, steal or destroy the system, rendering it unavailable for our use in the best case. In the worst case, he will have access directly to our applications and data and will be able to steal our information and resources, or subvert them for his own use.

Logical

Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data. Logical controls can include items such as passwords, encryption, logical access controls, firewalls, and intrusion detection systems.

Logical controls enable us, in a logical sense, to prevent unauthorized activities from taking place. If our logical controls are implemented properly and are successful, an attacker or unauthorized user cannot access our applications and data without subverting the controls that we have in place.

Administrative

Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature. In essence, administrative
12 The Basics of Information Security

controls set out the rules for how we expect the users of our environment to behave. Depending on the environment and control in question, administrative controls can represent differing levels of authority. We may have a simple rule such as “turn the coffee pot off at the end of the day,” aimed at ensuring that we do not cause a physical security problem by burning our building down at night. We may also have a more stringent administrative control, such as one that requires us to change our password every 90 days.

One important concept when we discuss administrative controls is the ability to enforce compliance with them. If we do not have the authority or the ability to ensure that our controls are being complied with, they are worse than useless, because they create a false sense of security. For example, if we create a policy that says our business resources cannot, in any fashion, be used for personal use, we need to be able to enforce this. Outside of a highly secure environment, this can be a difficult task. We will need to monitor telephone and mobile phone usage, Web access, e-mail use, instant message conversations, installed software, and other potential areas for abuse. Unless we were willing to devote a great deal of resources for monitoring these and other areas, and dealing with violations of our policy, we would quickly have a policy that we would not be able to enforce. Once it is understood that we do not enforce our policies, we can quickly set ourselves up for a bad situation.

Defense in depth

Defense in depth is a strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still mount a successful defense should one or more of our defensive measures fail.

In Figure 1.4, we can see an example of the layers we might want to put in place to defend our assets from a logical perspective; we would at the very least want defenses at the external network, internal network, host, application, and data levels. Given well-implemented defenses at each layer, we will make it very difficult to successfully penetrate deeply into our network and attack our assets directly.

One important concept to note when planning a defensive strategy using defense in depth is that it is not a magic bullet. No matter how many layers we put in place, or how many defensive measures we place at each layer, we will not be able to keep every attacker out for an indefinite period of time, nor is this the ultimate goal of defense in depth in an information security setting. The goal is to place enough defensive measures between our truly important assets and the attacker so that we will both notice that an attack is in progress and also buy ourselves enough time to take more active measures to prevent the attack from succeeding.

We can see exactly such a strategy in the theater release of the Batman movie, The Dark Knight, in 2008. The production company for the movie, Warner Bros., spent six months developing a multilayered defensive strategy to keep the movie from being pirated and placed on file-sharing networks for as long
as possible. These measures included a tracking system to monitor who had access to copies of the movie at any given time, shipping the film reels in multiple parts separately to theaters in order to keep the entire movie from being stolen in shipping, monitoring movie theaters with night-vision equipment to watch for those attempting to record the movie in the theater, and other measures. Despite all the time and resources spent to prevent piracy of the movie, it was found on a file-sharing network 38 hours after it was released [4]. For Warner Bros., this was considered a success, as the company was able to prevent the movie from being pirated for a long enough period that opening weekend sales were not significantly impacted.

Layers

When we look at the layers we might place in our defense in depth strategy, we will likely find that they vary given the particular situation and environment we are defending. As we discussed, from a strictly logical information security perspective, we would want to look at the external network, network perimeter, internal network, host, application, and data layers as areas to place our defenses. We could add complexity to our defensive model by including other vital layers such as physical defenses, policies, user awareness and training, and a multitude of others, but we will stay with a simpler example for the time being. As we progress through the book, we will return to the concept of defense in depth as we discuss security for more specific areas.

As we can see in Figure 1.5, some of the defenses we might use for each of the layers we discussed are listed. In some cases, we see a defensive measure listed in multiple layers, as it applies in more than one area. A good example of this is penetration testing. Penetration testing is a method of finding gaps in our

Figure 1.4 Defense in Depth (layers shown: External Network, Internal Network, Host, Application, Data)
security by using some of the same methods an attacker would use in order to break in (we will discuss this in greater depth in Chapter 6), and is a tactic we might want to use at all layers of our defense. As we move through the book, we will discuss each of these areas in greater detail, and the specific defenses we might want to use for each.

Information Security in the Real World

The concepts we discussed in this chapter are foundational to information security and are used on a regular basis in the course of normal information security tasks in many organizations. We will often find that security incidents are described in terms of their effects, such as breaches of confidentiality, or the authenticity of a given e-mail message.

Information security is a daily concern for organizations of any size, particularly those that handle any type of personal information, financial data, health-care data, educational data, or other types of data that are regulated by the laws of the country in which they operate. In the case of an organization that does not take the time to properly put itself on a good footing as relates to information security, the repercussions can be severe in the sense of reputational impact, fines, lawsuits, or even the inability to continue conducting business if critical data is irretrievably lost. In short, information security is a key component of the modern business world.

Summary

Information security is a vital component to the era in which data regarding countless individuals and organizations is stored in a variety of computer systems, often not under our direct control.

Figure 1.5 Defenses in Each Layer
External Network: DMZ, VPN, Logging, Auditing, Penetration Testing, Vulnerability Analysis
Network Perimeter: Firewalls, Proxy, Logging, Stateful Packet Inspection, Auditing, Penetration Testing, Vulnerability Analysis
Internal Network: IDS, IPS, Logging, Auditing, Penetration Testing, Vulnerability Analysis
Host: Authentication, Antivirus, Firewalls, IDS, IPS, Password Hashing, Logging, Auditing, Penetration Testing, Vulnerability Analysis
Application: SSO, Content Filtering, Data Validation, Auditing, Penetration Testing, Vulnerability Analysis
Data: Encryption, Access Controls, Backup, Penetration Testing, Vulnerability Analysis

When discussing information security
in a general sense, it is important to remember that security and productivity are often diametrically opposing concepts, and that being able to point out exactly when we are secure is a difficult task.

When discussing information security issues or situations, it is helpful to have a model by which to do so. Two potential models are the CIA triad, composed of confidentiality, integrity, and availability, and the Parkerian hexad, composed of confidentiality, integrity, availability, possession or control, authenticity, and utility.

When we look at the threats we might face, it is important to understand the concept of risk. We only face risk from an attack when a threat is present and we have a vulnerability which that particular threat can exploit. In order to mitigate risk, we use three main types of controls: physical, logical, and administrative.

Defense in depth is a particularly important concept in the world of information security. To build defensive measures using this concept, we put in place multiple layers of defense, each giving us an additional layer of protection. The idea behind defense in depth is not to keep an attacker out permanently but to delay him long enough to alert us to the attack and to allow us to mount a more active defense.

Exercises

1. Explain the difference between a vulnerability and a threat.
2. List six items that might be considered logical controls.
3. What term might we use to describe the usefulness of data?
4. Which category of attack is an attack against confidentiality?
5. How do we know at what point we can consider our environment to be secure?
6. Using the concept of defense in depth, what layers might we use to secure ourselves against someone removing confidential data from our office on a USB flash drive?
7. Based on the Parkerian hexad, what principles are affected if we lose a shipment of encrypted backup tapes that contain personal and payment information for our customers?
8. If the Web servers in our environment are based on Microsoft’s Internet Information Server (IIS) and a new worm is discovered that attacks Apache Web servers, what do we not have?
9. If we develop a new policy for our environment that requires us to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as !Hs4(j0qO$&zn1%2SK38cn^!Ks620!, what will be adversely impacted?
10. Considering the CIA triad and the Parkerian hexad, what are the advantages and disadvantages of each model?