Chapter 1 lecture notes: Principles of Cybersecurity
What is security?
A state of being secure and free from danger or harm; also, the actions taken to make someone or something secure.
The 1960s
The Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. Larry Roberts developed the ARPANET from its inception.
1978
Bisbey and Hollingsworth publish their study "Protection Analysis: Final Report," which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.
CIA Triad
Confidentiality, Integrity, Availability
1979
Dennis Ritchie publishes "On the Security of UNIX" and "Protection of Data File Contents," which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982
Grampp and Morris write "The UNIX System: UNIX Operating System Security." In this report the authors examined four "important handles to computer security": physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
SDLC waterfall methodology
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change
1968
Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1975
The Federal Information Processing Standards (FIPS) process examines DES (the Data Encryption Standard) in the Federal Register.
1982
The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer System Evaluation Criteria (TCSEC) documents, which came to be known as the Rainbow Series.
Late 1970s
The microprocessor expanded computing capabilities and security threats.
what is another definition of security?
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. Includes information security management, data security, and network security.
1970
Willis H. Ware authored the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (RAND Report R-609), which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
Mainframe
A mainframe, time-sharing operating system (MULTICS) was developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).
activities of initiation
-Delineation of business requirements in terms of confidentiality, integrity, and availability
-Determination of information categorization and identification of known special handling requirements to transmit, store, or create information
-Determination of any privacy requirements
NIST Special Publication 800-64, rev. 2 maintains that early integration of security in the SDLC enables agencies to maximize return on investment through:
-Early identification and mitigation of security vulnerabilities and misconfigurations
-Awareness of potential engineering challenges
-Identification of shared security services and reuse of security strategies and tools
-Facilitation of informed executive decision making
Using a methodology
-Ensures a rigorous process with a clearly defined goal -Increases probability of success
•C.I.A. triad
-Is a standard based on confidentiality, integrity, and availability, now viewed as inadequate on its own.
-The expanded model consists of a list of critical characteristics of information.
•Some commonplace security principles (the classic Saltzer and Schroeder design principles)
-Keep design simple and small (economy of mechanism)
-Access decisions by permission, not exclusion (fail-safe defaults)
-Every access to every object checked for authority (complete mediation)
-Design does not depend on secrecy; protection depends only on possession of keys/passwords (open design)
-Protection mechanisms require two keys to unlock (separation of privilege)
-Programs/users utilize only the privileges they need (least privilege)
-Minimize mechanisms common to multiple users (least common mechanism)
-Human interface must be easy to use so users routinely/automatically use protection mechanisms (psychological acceptability)
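Three of these principles (fail-safe defaults, complete mediation, least privilege) are easier to see in code than in prose. The following is an added Python example written for these notes; it is not code from the lecture, the textbook, or any named product. The policy table, the subjects (alice, bob, carol, mallory), and the file name are constructed for illustration.

```python
"""Fail-safe defaults, complete mediation and least privilege as runnable code.

Constructed example: the policy, subjects and file names are made up.
"""
from dataclasses import dataclass

# Explicit grants only. Anything absent from this table is denied
# (fail-safe defaults: access by permission, not exclusion).
POLICY = {
    ("alice", "payroll.db"): frozenset({"read"}),
    ("bob", "payroll.db"): frozenset({"read", "write"}),
}


class AccessDenied(PermissionError):
    """Raised whenever a check fails; the caller never touches the object."""


@dataclass(frozen=True)
class Session:
    """A subject plus the rights it is currently allowed to exercise."""
    subject: str
    rights: frozenset

    def restricted(self, needed):
        """Least privilege: keep only the rights a task needs.
        Intersection means a session can drop rights but never gain them."""
        return Session(self.subject, self.rights & frozenset(needed))


def is_permitted(session, obj, action):
    """Permission model: deny unless the policy grants the action AND the
    session still holds it after any restriction."""
    granted = POLICY.get((session.subject, obj), frozenset())
    return action in granted and action in session.rights


def is_permitted_by_exclusion(session, obj, action,
                              blocked=frozenset({("mallory", "payroll.db", "write")})):
    """Anti-pattern kept for contrast: access by exclusion. Any subject the
    block-list author forgot (here 'carol') is silently allowed."""
    return (session.subject, obj, action) not in blocked


class MediatedFile:
    """Complete mediation: every operation goes through _check. There is no
    public attribute that exposes the contents without a check."""

    def __init__(self, name, contents):
        self._name = name
        self._contents = contents

    def _check(self, session, action):
        if not is_permitted(session, self._name, action):
            raise AccessDenied(f"{session.subject} may not {action} {self._name}")

    def read(self, session):
        self._check(session, "read")
        return self._contents

    def write(self, session, data):
        self._check(session, "write")
        self._contents = data


def try_access(fn, *args):
    """Return 'ok' or 'denied' so outcomes can be compared side by side."""
    try:
        fn(*args)
        return "ok"
    except AccessDenied:
        return "denied"


def demo():
    """Run the same requests through both models and report the outcomes."""
    payroll = MediatedFile("payroll.db", "constructed salary records")
    bob = Session("bob", frozenset({"read", "write"}))
    bob_report = bob.restricted({"read"})       # a reporting task only needs read
    carol = Session("carol", frozenset({"read", "write"}))  # no policy entry at all
    return {
        "bob_write": try_access(payroll.write, bob, "new data"),
        "bob_restricted_write": try_access(payroll.write, bob_report, "new data"),
        "bob_restricted_read": try_access(payroll.read, bob_report),
        "carol_read_permission_model": try_access(payroll.read, carol),
        "carol_write_exclusion_model":
            "ok" if is_permitted_by_exclusion(carol, "payroll.db", "write") else "denied",
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

The contrast to notice is carol: the permission model denies her because nobody wrote a grant, while the exclusion model lets her write because nobody wrote a block entry. Bob's restricted session shows why a task should run with only the rights it needs; even though the policy grants him write, the session he hands to the reporting code cannot use it.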
SwA CBK, which is a work in progress, contains the following sections
-Nature of Dangers
-Fundamental Concepts and Principles
-Ethics, Law, and Governance
-Secure Software Requirements
-Secure Software Design
-Secure Software Construction
-Secure Software Verification, Validation, and Evaluation
-Secure Software Tools and Methods
-Secure Software Processes
-Secure Software Project Management
-Acquisition of Secure Software
-Secure Software Sustainment
•Fundamental problems with ARPANET security were identified.
-No safety procedures for dial-up connections to ARPANET
-Nonexistent user identification and authorization to the system
•A successful organization should have multiple layers of security in place to protect:
-Operations
-Physical infrastructure
-People
-Functions
-Communications
-Information
The bottom-up approach seldom works, as it lacks a number of critical features
-Participant support
-Organizational staying power
•Several MULTICS key players created UNIX.
-Primary purpose of UNIX was text processing.
The scope of computer security grew from physical security to include
-Securing the data -Limiting random and unauthorized access to data -Involving personnel from multiple levels of the organization in information security
1973
Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
Grassroots effort
Systems administrators attempt to improve security of their systems
Security in the Systems Development Life Cycle
Systems development life cycle methodology
The U.S. Department of Defense and Department of Homeland Security supported the Software Assurance Initiative,
which resulted in the publication of the Software Assurance (SwA) Common Body of Knowledge (CBK).
Analysis
•Consists of assessments of:
-The organization
-Current systems
-Capability to support proposed systems
•Analysts determine what the new system is expected to do and how it will interact with existing systems.
•Analysis ends with documentation of findings and an update of the feasibility analysis.
bottom-up approach
•Grassroots effort: systems administrators attempt to improve the security of their systems.
•Key advantage: the technical expertise of individual administrators.
•Seldom works, as it lacks a number of critical features:
-Participant support
-Organizational staying power
top-down approach
•Initiated by upper management, which:
-Issues policy, procedures, and processes
-Dictates goals and expected outcomes of the project
-Determines accountability for each required action
•The most successful type of top-down approach also involves a formal development strategy referred to as the systems development life cycle.
The NIST Approach: Development/Acquisition
•Key security activities include:
-Conducting a risk assessment and using the results to supplement baseline security controls
-Analyzing security requirements
-Performing functional and security testing
-Preparing initial documents for system certification and accreditation
-Designing the security architecture
Maintenance and Change
•Longest and most expensive phase
•Consists of the tasks necessary to support and modify the system for the remainder of its useful life
•The life cycle continues until the team determines the process should begin again from the investigation phase
•When the current system can no longer support the organization's mission, a new project is implemented
Early focus of computer security research centered on a system called
•Multiplexed Information and Computing Service (MULTICS).
Implementation
•Needed software is created.
•Components are ordered, received, and tested.
•Users are trained and supporting documentation is created.
•A feasibility analysis is prepared.
-Sponsors are presented with the system for a performance review and acceptance test.
1990s
•Networks of computers became more common, as did the need to connect them to each other.
•The Internet became the first global network of networks.
•Initially, network connections were based on de facto standards.
•In early Internet deployments, security was treated as a low priority.
•In 1993, the DEFCON conference was established for those interested in information security.
Physical Design
•Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
•Selected components are evaluated on a make-or-buy decision.
•A feasibility analysis is performed.
•The entire solution is presented to the organization's management for approval.
2000 to Present
•The Internet brings millions of unsecured computer networks into continuous communication with each other.
•The ability to secure a computer's data is influenced by the security of every computer to which it is connected.
•The growing threat of cyber attacks has increased awareness of the need for improved security.
-Nation-states engaging in information warfare
Logical Design
•The first and driving factor is the business need.
-Applications are selected to provide needed services.
•Data support and structures capable of providing the needed inputs are identified.
•Specific technologies to implement the physical solution are delineated.
•Analysts generate estimates of costs and benefits to allow comparison of available options.
•A feasibility analysis is performed at the end.
Investigation
•What problem is the system being developed to solve?
•Objectives, constraints, and scope of the project are specified.
•A preliminary cost-benefit analysis is developed.
•At the end of all phases, a process is undertaken to assess economic, technical, and behavioral feasibility and ensure implementation is worth the time and effort.
Methodology
•a formal approach to solving a problem based on a structured sequence of procedures
Systems development life cycle (SDLC)
•a methodology for the design and implementation of an information system
1970s and 1980s
•ARPANET grew in popularity, as did its potential for misuse.
Information security began with RAND Report R-609
•The paper that started the study of computer security and identified the role of management and policy issues in it.
Key advantage
•technical expertise of individual administrators
1984
Reeds and Weinberger publish "File Security and the UNIX System Crypt Command." Their premise was: "No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user has no chance."
1992
Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) security protocols, creating what is now known as IPsec.
Security should be considered
a balance between protection and availability.
What is Information Security
a critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls.
To achieve balance, the level of security must
allow reasonable access, yet protect against threats.
A computer can be the subject of
an attack and/or the object of an attack.
procedures
are another frequently overlooked component. Procedures are written instructions for accomplishing a specific task.
The Enigma
A German cipher machine that caused considerable anguish to Allied forces before finally being cracked.
When it is the subject of an attack, the computer is used as an active tool to
conduct the attack.
availability
enables authorized users to access information without interference or obstruction and to receive it in the required format.
Groups developing code-breaking computations during World War II created
first modern computers. Multiple levels of security were implemented.
Vulnerabilities
flaws in programs that can be exploited to either crash the system or take control of it
Computer security began
immediately after the first mainframes were developed
Rudimentary
Early computer security was rudimentary, consisting mainly of defending against physical theft, espionage, and sabotage.
software
includes applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure.
integrity
information has integrity when it is whole, complete, and uncorrupted.
Software Assurance
is an approach to software development that seeks to build security into the development life cycle rather than address it at later stages. SwA attempts to intentionally create software free of vulnerabilities and to provide effective, efficient software that users can deploy with confidence.
Network
is the IS component that created much of the need for increased computer and information security.
Hardware
is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system
Impossible to obtain perfect information security
Security is a process, not a goal.
the probability of an unwanted occurrence, such as an adverse event or loss, is known as a
risk
The NIST Approach: Initiation
security considerations are key to diligent and early integration, thereby ensuring that threats, requirements, and potential constraints in functionality and integration are considered. At this point, security is looked at more in terms of business risks, with input from the information security office.
First operating system was created with
security integrated into core functions.
Physical controls limiting access to
sensitive military locations to authorized personnel
SwA CBK
serves as a strongly recommended guide to developing more secure applications
data
stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks.
When it is the object of an attack,
the computer is the entity being attacked.
Risk
the probability of an unwanted occurrence. Organizations must reduce risk to match their risk appetite, that is, the quantity and nature of risk they are willing to accept.
authenticity
the quality or state of being genuine or original, rather than a reproduction or fabrication.
Utility
the quality or state of having value for some purpose or end.
Possession
the quality or state of ownership or control
Accuracy
information is accurate when it is free from mistakes or errors and has the value that the end user expects.
Confidentiality
information is confidential when it is protected from disclosure or exposure to unauthorized individuals or systems.