Engineering Information Security covers all aspects of information security using a systematic engineering approach and focuses on the viewpoint of how to control access to information.
* Includes a discussion about protecting storage of private keys, SCADA, Cloud, Sensor, and Ad Hoc networks
* Covers the internal operations security processes of monitor, review exceptions, and plan remediation
* Over 15 new sections
* Instructor resources such as lecture slides, assignments, quizzes, and a set of questions organized as a final exam
If you are an instructor and have adopted this book for your course, please email [email protected] to get access to the additional instructor materials for this book.
Page count: 1235
Year of publication: 2015
Cover
Series Page
Title Page
Copyright
Dedication
Preface and Acknowledgments
About the Companion Website
Chapter 1: What is Security?
1.1 Introduction
1.2 The Subject of Security
1.3 A Twenty-First Century Tale
1.4 Why are You Important to Computer Security?
1.5 End of the Beginning
1.6 Chapter Summary
1.7 Further Reading and Resources
Chapter 2: Systems Engineering
2.1 So What is Systems Engineering?
2.2 Process Management
2.3 Organization Environments
2.4 Chapter Summary
2.5 Further Reading and Resources
Chapter 3: Foundation Concepts
3.1 Security Concepts and Goals
3.2 Role of Cryptography in Information Security
3.3 Key Management Revisited
3.4 Chapter Summary
3.5 Further Reading and Resources
Chapter 4: Authentication of Subjects
4.1 Authentication Systems
4.2 Human Authentication
4.3 Chapter Summary
4.4 Further Reading and Resources
Chapter 5: Security Systems Engineering
5.1 Security Policy Development
5.2 Senior Management Oversight and Involvement
5.3 Security Process Management and Standards
5.4 Information Security Systems Engineering Methodology
5.5 Requirements Analysis and Decomposition
5.6 Access Control Concepts
5.7 Security Modeling and Security-Related Standards
5.8 Chapter Summary
Chapter 6: Traditional Network Concepts
6.1 Networking Architectures
6.2 Types of Networks
6.3 Network Protocols
6.4 Chapter Summary
6.5 Further Reading and Resources
Chapter 7: Next-Generation Networks
7.1 Framework and Topology of the NGN
7.2 The NGN Functional Reference Model
7.3 Relationship Between NGN Transport and Service Domains
7.4 Enterprise Role Model
7.5 Security Allocation Within the NGN Transport Stratum Example
7.6 Converged Network Management (TMN and eTOM)
7.7 General Network Security Architectures
7.8 Chapter Summary
7.9 Further Reading and Resources
Chapter 8: General Computer Security Architecture
8.1 The Hardware Protects the Software
8.2 The Software Protects Information
8.3 Element Security Architecture Description
8.4 Operating System (OS) Structure
8.5 Security Mechanisms for Deployed Operating Systems (OSs)
8.6 Chapter Summary
8.7 Further Reading and Resources
Chapter 9: Computer Software Security
9.1 Specific Operating Systems (OSs)
9.2 Applications
9.3 Chapter Summary
9.4 Further Reading and Resources
Chapter 10: Security Systems Design—Designing Network Security
10.1 Introduction
10.2 Security Design for Protocol Layer 1
10.3 Layer 2—Data Link Security Mechanisms
10.4 Security Design for Protocol Layer 3
10.5 IP Packet Authorization and Access Control
10.6 Chapter Summary
10.7 Further Reading and Resources
Chapter 11: Transport and Application Security Design and Use
11.1 Layer 4—Transport Security Protocols
11.2 Layer 5—User Service Application Protocols
11.3 Chapter Summary
11.4 Further Reading and Resources
Chapter 12: Securing Management and Managing Security
12.1 Securing Management Applications
12.2 Operation, Administration, Maintenance, and Decommissioning
12.3 Systems Implementation or Procurement
12.4 Chapter Summary
12.5 Further Reading and Resources
About the Author
Glossary
Index
End User License Agreement
IEEE Press
445 Hoes Lane
Piscataway, NJ 08854
IEEE Press Editorial Board
Tariq Samad, Editor in Chief
George W. Arnold
Vladimir Lumelsky
Linda Shafer
Dmitry Goldgof
Pui-In Mak
Zidong Wang
Ekram Hossain
Jeffrey Nanzer
MengChu Zhou
Mary Lanzerotti
Ray Perez
George Zobrist
Kenneth Moore, Director of IEEE Book and Information Services (BIS)
Second Edition
Stuart Jacobs
Copyright © 2016 by The Institute of Electrical and Electronics Engineers, Inc.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Jacobs, Stuart.
Engineering information security: The application of systems engineering concepts to achieve information assurance/Stuart Jacobs.
p. cm.
ISBN 978-1-119-10160-4 (hardback)
1. Computer security. 2. Computer networks–Security measures. 3. Information technology–Security measures. 4. Data protection. I. Title.
QA76.9.A25J325 2010
005.8–dc22
2010028408
This book is dedicated to my wife, Eileen, for her patience with my spending so much time at the keyboard rather than with her
This book focuses on information security (information assurance) from the viewpoint of how to control access to information in a systematic manner. Many books on security primarily cover specific security mechanisms such as authentication protocols, encryption algorithms, and security-related protocols. Other books on security are use case oriented, providing specific contexts for discussing vulnerabilities, threats, and countermeasures. Few books on security consider the planning, operations, and management aspects of protecting information. Unlike these other books that focus on security mechanisms, threats, and vulnerabilities, this book presents a methodology for addressing security concerns in any organization. The methodology is based on a set of concepts called systems engineering that are designed to methodically examine, analyze, and document objectives and the functional and performance capabilities (requirements) that need to exist to achieve the stated goals. Systems engineering concepts provide:
a framework for developing capabilities and solutions that ensure compliance with the aforementioned requirements;
traceability starting at objectives, progressing through requirements development, solution design/development/procurement into, and during, operation and administration; and
support for compliance evaluation of deployed systems and how these systems are used.
Another critical aspect of the systems methodology is the necessity to consider all aspects of a system, not just the technical components. All information processing infrastructures (networks and computing devices) exist within a context defined by:
how the deploying organization operates,
what the deploying organization provides as services or products,
who competes with the deploying organization,
what legal and regulatory burdens the deploying organization has to accommodate, and
who may target the deploying organization with the intent of personal or financial gain, political advantage, or ideological objectives.
Over time the technologies used for processing, storing, and communicating information have changed dramatically and rapidly. By presenting a systems engineering approach to information security, this book will assist security practitioners in coping with these rapid changes. Achieving information security is not a matter of dealing with specific technologies; rather, information security is a process of managing technologies to ensure that information is only accessible to valid users.
The coverage of information security by this book includes all aspects of security in a systematic engineering approach:
Chapter 1 considers why information security is needed, how security problems can have widespread impacts, what the more common ways of discussing security are, and the deficiencies/limitations of these views.
Chapter 2 discusses the many legal, technical, competitive, criminal, and consumer forces and influences that are rapidly changing our information-dependent society, and explores the concepts of systems engineering and the value these concepts provide to the development of new products and services and to the maintenance and evolution of existing products and services.
Chapter 3 reviews fundamental security concepts of subjects, objects, security services, and the role of cryptography in information security.
Chapter 4 considers different approaches for achieving authentication of individuals and systems.
Chapter 5 delves into how to establish and manage an information security program; evaluate vulnerabilities, threats, and risks; and develop security requirements. The chapter also considers the value and impact of security standards and the major organizations involved with developing these standards.
Chapter 6 describes the different forms and types of networks currently in use along with the protocols relied upon that are the cause of many security problems. All protocol layers are considered, and any security capabilities are analyzed for effectiveness and usability.
Chapter 7 focuses on the near future of next-generation network concepts and services defined within the developing Internet multimedia services framework.
Chapter 8 provides an in-depth discussion of the computer hardware that impacts information security, the role of operating systems in supporting information security, and the security mechanisms an operating system should include.
Chapter 9 provides an examination of security capabilities in the major commercially available operating systems (UNIX variants, Windows variants, and real-time) and then considers security issues within application software. This chapter concludes with a review of the different forms of malicious software (malware) encountered today and a number of anti-malware applications currently available.
Chapters 10 and 11 provide descriptions and analysis of the available networking security mechanisms within each protocol layer of networks. Both stand-alone applications (including their associated protocols) and the major application frameworks (e.g., Java, .NET, CORBA, and DCE) are discussed from a security capabilities perspective.
Chapter 12 explores the security issues within the management of networks, especially the management of security, and considers the organizational needs for effective security management, operational security mechanisms, security operations, and other life cycle security issues. This chapter concludes with consideration of security within development, integration, and component purchasing activity areas.
Available for instructors, from the publisher, are (1) a set of assignments and associated grading rubrics, (2) lecture PowerPoint slides, (3) a set of quizzes and associated grading rubrics, and (4) a final examination and associated grading rubric.
Chapterwise changes in this 2nd edition include the following:
Errors found in each chapter have been corrected.
Chapter 3: Revision of Section 3.1.5 to more clearly explain types and purposes of security services, including a description of data integrity being based on use of a protected digest. Addition of discussion about protecting storage of private keys.
Chapter 4: Revisions to Sections 4.1.5, 4.2, and 4.2.7 regarding the need to control identities.
Chapter 5: Revision of Sections 5.1 through 5.3.3 to discuss Governance followed by ISO 27001 and ISO 27002 for policy, and then provide discussion of COBIT, ITIL, and FISMA with revised discussion of requirements.
Chapter 7: Major revision of material to include discussion of SCADA, Cloud, Sensor, and Ad Hoc networks.
Chapter 9: Expansion of Section 9.2.1 to include coverage of code reviews, code scanning tools, and testing.
Chapter 11: Added discussion in Section 11.1.1.3 regarding SSL VPNs and TLS's lack of rekeying capabilities. Discussion in Section 11.2.2 of HTTP Basic and Digest authentication.
Chapter 12: Rework of Section 12.1.1. Added Section 12.2.3.3 to discuss the internal operations security process of monitor, review exceptions, plan remediation, and obtain either budget or exception.
Appendix A: Minor revisions.
Appendix B: Minor revisions.
Appendix C: Minor revisions.
Appendix D: Minor revisions.
Appendix E: Minor revisions.
Appendix F: Minor revisions.
Appendix G: New set of tables for asset inventory construction for risk management.
Inclusion of a glossary of terms.
The major audience for this book includes graduate and undergraduate students studying, but not limited to, computer/information sciences/engineering, systems engineering, technology management, and public safety. The book is also written for professionals in the sciences, engineering, communications, and other fields that rely on reliable and trustworthy information processing and communications systems and infrastructures. The subject of information security (information assurance, computer security, and network security) is routinely covered as a set of individual subjects and rarely addressed from an engineering perspective. Most professional and academic books focus on the common body of knowledge promulgated by organizations such as (ISC)² and ISSA, or target specific subjects (database management systems, incident response/forensics, Common Criteria, risks, encryption, Java, Windows, etc.).
This book considers the complete security life cycle of products and services starting with requirements and policy development and progressing through development, deployment, and operations, and concluding with decommissioning.
I would like to thank Thomas Plevyak for encouraging me to write this book, all of my former Verizon co-workers who routinely challenged my opinions regarding security, and Verizon's management who, over the years, provided me with many challenging and interesting security-related assignments. I would also like to recognize Allen H. Levesque, Richard Stanley, Fred Kotler, and George Wilson, who were instrumental in my mastering systems engineering concepts.
This book is accompanied by a companion website: www.wiley.com/go/informationsecurity2jacobs
The website includes:
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G
The central role of computer security for the working of the economy, the defense of the country, and the protection of our individual privacy is universally acknowledged today. This is a relatively recent development; it has resulted from the rapid deployment of Internet technologies in all fields of human endeavor and throughout the world that started at the beginning of the 1990s. Mainframe computers have handled secret military information and personal computers have stored private data from the very beginning of their existence in the mid-1940s and 1980s, respectively. However, security was not a crucial issue in either case: the information could mostly be protected in the old-fashioned way, by physically locking up the computer and checking the trustworthiness of the people who worked on it through background checks and screening procedures. What has radically changed and made the physical and administrative approaches to computer security insufficient is the interconnectedness of computers and information systems. Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Securing this cyberspace is synonymous with securing the normal functioning of our daily lives.
Secure information systems must work reliably despite random errors, disturbances, and malicious attacks. Mechanisms incorporating security measures are not just hard to design and implement but can also backfire by decreasing efficiency, sometimes to the point of making the system unusable. This is why some programmers used to look at security mechanisms as an unfortunate nuisance; they require more work, do not add new functionality, and slow down the application and thus decrease usability. The situation is similar when adding security at the hardware, network, or organizational level: increased security makes the system clumsier and less fun to use; just think of the current airport security checks and contrast them to the happy (and now so distant) pre–September 11, 2001 memories of buying your ticket right before boarding the plane. Nonetheless, systems must work, and they must be secure; thus, there is a fine balance to maintain between the level of security on one side and the efficiency and usability of the system on the other. One can argue that there are three key attributes of information systems:
Processing capacity—speed
Convenience—user friendliness
Security—reliable operation
The process of securing these systems is finding an acceptable balance of these attributes.
Security is a word used to refer to many things, so its use has become somewhat ambiguous. Here we will try to clarify just what security focuses on. Over the years, the subject of information security has been considered from a number of perspectives, as a concept, a function, and a subject area. We will discuss each of these perspectives and examine their value.
A concept approach treats security as a set of related activity areas, or branches. Figure 1.1 shows the security-related areas typically considered. Note that all the areas are mutually dependent on each other. Within Figure 1.1, the rings do not define a hierarchy among the different areas of security. The rings are meant to express a layered approach to achieving cost-effective information security.
Figure 1.1 Areas of security
Each security area focuses on a specific need to erect a barrier against inappropriate use of, or access to, the assets (information, capabilities, property, equipment, personnel, processes, etc.) considered valuable to an organization. Since there are now multiple avenues (approaches) by which assets can be targeted, multiple security area activities are necessary. Physical security capabilities are necessary to control physical access to:
buildings, rooms, and offices;
equipment used for processing, storing, transferring, or accessing information; and
the cables used for communicating information between facilities, buildings, and even between individual systems within a building, floor, or rooms.
Personnel security processes and procedures are necessary to:
ensure that an organization's employees have been accurate in representing who they are and that academic or professional credentials and past experience are valid;
verify the identities and validate the reasons for nonemployee (guests, visitors, service/supply personnel) access to the organization's facilities or other assets;
ensure that the organization's security-related policies and procedures conform to legal constraints for employment, document disciplinary activities, and conditions for termination of employment; and
inform both new and continuing employees as to what the organization considers necessary, acceptable, and unacceptable behavior.
Network security technology, processes, and procedures are necessary to ensure that:
data transferred between networked devices is adequately protected from tampering, misuse, or destruction;
networked devices are appropriately managed, monitored, and utilized; and
networking resources are used only for acceptable activities.
Computer security spans all aspects of computing equipment hardware, software, usage, and administration (e.g., device, data, applications/operating systems, operations, and database subareas), and is necessary to ensure that they are:
adequately protected from tampering, misuse, or destruction;
appropriately managed and monitored;
utilized for organization sanctioned activities and purposes; and
available to support organization activities, processes, and functions.
Frequently, security discussions focus primarily on networks, their links and interconnecting equipment, and on securing operating systems and applications. However, providing network security is just not enough. Attackers can leverage other weaknesses to bypass the network security mechanisms in place. Network and computer security both need to be considered along with the other branches of security. The reader needs to remember that the term “information security” is generally used to refer to concepts, mechanisms, activities, and objectives that span all of the security areas mentioned above.
Regardless of what security area/branch is under discussion, the following three views of security measures can be applied to any situation: defense, deterrence, and detection. These are known as the three Ds of security.
Defense—protect assets first. Network areas should be analyzed before adopting any protective efforts. Defense measures reduce the likelihood of an attack and lessen the risk of damage. Lack of defensive measures will leave sensitive information exposed and lead to losses. For example, installing a firewall is a good defensive measure. But this may not be enough. The other two modes of security—deterrence and detection—should not be ignored.
Deterrence—reduce the frequency of security compromises. With deterrence mechanisms and policies in place, attackers have to expend more effort, and thus risk discovery. Deterrence policies within an organization are enforced by using threats of discipline and termination of the employee if any company policies are violated (email, web browsing, etc.). Entering a computer network without company authorization is illegal, and laws are in place to prosecute and punish intruders. Intruders who know that their activities are being monitored will likely think twice before attacking a system.
Detection—sound the alarm. Unfortunately, in practice, this security control is the least implemented and is often neglected. When security is violated without detection mechanisms in place, the security breach could go unnoticed for a long time.
Each of the three Ds is important and complements the others. A security program that spans all three D categories provides strong protection. The following are examples of how each strategy can be implemented:
Defensive controls—firewalls, access lists in routers, spam filters, virus filters, etc.
Deterrent controls—email messages to employees, posting of Internet sites visited, display of IP addresses to external visitors, etc.
Detective controls—audit trails, log files, intrusion detection systems, summary reports, etc.
Alternatively, security can be categorized under the following functional areas:
Risk avoidance
Deterrence
Prevention
Detection
Recovery
An enterprise should do a risk assessment that identifies what value and risk each component has to the system as a whole and include strategies that reduce the likelihood of behavior/activity that can be damaging. Risk avoidance covers consideration of which components are required and which are optional. Components include hardware, services, processes, and applications. The components should be documented, reviewed, and the assessments of their value and risk accepted by all parties in the organization.
Deterrence is a common method of control used by governments, businesses, and individuals to cause people to think twice before performing an action. For example, a person's actions could be influenced by the negative motivation of displaying a message such as
Your IP address 132.208.213.4 has been recorded and all activity is subject to monitoring and logging. Unauthorized access is subject to civil and criminal prosecution.
when any unauthorized person logs into a server or accesses a system. The individual may then reconsider proceeding further. There are, of course, individuals who will not comply, and this mechanism will not deter a worm, virus, or an automated attacker. Nevertheless, such notice at least informs an intruder that further activity is comparable to trespassing. Posting such a notice is a component, but not the sole component, of an organization's effort at ensuring “due diligence.” Due diligence is a concept that applies in both civil and criminal contexts. In the civil litigation arena, due diligence refers to the effort made by a prudent or reasonable party to avoid harm to another party, and failure to make this effort could be considered negligence. In the criminal arena, due diligence is an available defense to a crime; however, defendants must prove beyond a reasonable doubt that they took every reasonable precaution.1
From a business perspective, there is no product, or set of products, that will completely eliminate the chance of a security-related incident. There are two obvious explanations for this:
The expense of such a set of products, and their likely negative impact(s) on operational usefulness and life-cycle costs, will undoubtedly outweigh the economic damages suffered from the loss(es) caused by an incident. Unless a cost–benefit analysis is performed, more money may be expended to protect an asset than is justified by the asset's value. For example, it does not make economic sense to spend $10,000,000 to protect an asset with a replacement cost of $1,000,000.
Business systems routinely interact with humans who may have motives contrary to an organization's interests. Humans are the least dependable component in any system dedicated to ensuring the security of an organization's assets. History is full of examples where “highly trusted” people engaged in unauthorized, even criminal, activities.
There are certain situations where a security-related incident can result in the loss of life or equivalent harm. Law enforcement organizations, branches of the military, and other governmental and nongovernmental groups work under such circumstances. The security breaches that military, security, and law enforcement organizations face are frequently measured in people dying. This type of loss cannot be considered acceptable at any cost, and consequently what the community considers affordable becomes a social/political issue as to priorities, philosophy, and ethics.
However, most mishaps can be prevented by employing both procedural and technical security mechanisms that enforce authentication, authorization, confidentiality, and integrity based on well-thought-out planning. Procedural mechanisms encompass understanding what needs protection, who needs access, who is responsible for different things, and what management and administrative responsibilities need to be considered. Procedural mechanisms can include separation of duties, mandated auditing, and separation of operational from development environments. Technical mechanisms include deploying packet filtering, strong authentication, encryption, virus prevention, malicious code filtering, and so forth. Each product provides a degree of protection and, when deployed in combination, can provide cost-effective layers of protection.
Despite the best prevention measures, a system is prone to be attacked2 at some time. Measures should be in place to detect and record the presence and activities of not just the suspected attacker, but any administrative personnel, service users, subscribers, or customers as the conditions change. Most organizations are allowed by law to monitor activity within their networks for maintenance purposes. Commercial organizations may control any activity within their internal networks. Telecommunications service providers (TSPs) who offer telephone (telecommunications) services and web/data (information) services to the general public are also required to support law enforcement organizations/agencies (LEOs) in “wire-taps” and “intercepts” of criminal suspects. Organizations, both large and small, should make use of intrusion detection (IDS) mechanisms, auditing and log analysis, virus/spy/malware scanners, and file-monitoring programs.
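The log analysis mentioned above is easy to show concretely. The following is an added example (not code from the book): it parses a few constructed sshd-style authentication lines, applies a sliding-window rule that flags a source address producing five failures within a minute, and escalates when a successful login follows that pattern. The log format, the IP addresses, the threshold and the window are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format imitates an
# sshd authentication log with an ISO-8601 timestamp.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51522
2024-03-01T10:00:03 sshd[102]: Failed password for root from 203.0.113.7 port 51523
2024-03-01T10:00:05 sshd[103]: Failed password for root from 203.0.113.7 port 51524
2024-03-01T10:00:06 sshd[104]: Failed password for root from 203.0.113.7 port 51525
2024-03-01T10:00:08 sshd[105]: Failed password for root from 203.0.113.7 port 51526
2024-03-01T10:00:09 sshd[106]: Accepted password for root from 203.0.113.7 port 51527
2024-03-01T10:05:00 sshd[107]: Failed password for alice from 198.51.100.9 port 40001
2024-03-01T10:30:00 sshd[108]: Accepted password for alice from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_log(text):
    """Turn matching authentication lines into event dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return (severity, source, reason) alerts.

    A source is flagged HIGH when it produces `threshold` failures inside
    `window`; a later success from a flagged source is raised to CRITICAL,
    because that is the case an operator must look at first.
    """
    failures = defaultdict(list)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # drop failures that have fallen out of the sliding window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("HIGH", src,
                               f"{len(failures[src])} failed logins within {window}"))
        elif src in flagged:
            alerts.append(("CRITICAL", src,
                           f"successful login for {ev['user']} after brute-force pattern"))
    return alerts


if __name__ == "__main__":
    for severity, src, reason in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"{severity:8} {src:15} {reason}")
```

The single failure from 198.51.100.9 never reaches the threshold, so alice's later login produces no alert; only the 203.0.113.7 sequence is reported, first as HIGH and then as CRITICAL. In a real deployment the same rule would be fed by the audit trail or IDS sensor rather than an inline string.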
Recovery considers how an organization is able to perform its primary functions and operations even in the face of natural or human-created situations. This area has been typically referred to as “disaster recovery” although the term “business continuity” is becoming more common today. Unfortunately, business continuity planning too frequently focuses primarily on natural disasters. Human-created situations, including security-oriented attacks, necessitate consideration in any business continuity plan. A physical recovery plan is important. Such a plan should include a solid backup and recovery system, procedures for secure off-site storage, contact lists, and so forth. Some plans should have a section dealing with business continuity using such mechanisms as geographic facility and system redundancy, redundant links and servers, and distributed load-sharing implementations. A logical recovery plan should include discussion of how to restore organizational capabilities even when some form of security-related attack is occurring. Planning for these situations needs to consider how:
assets under attack can be isolated from “healthy” enterprise resources, thereby limiting the scope of an attack and minimizing the extent of damage or loss;
services or functions remain available to legitimate users while an attack is occurring; and
damaged or destroyed assets will be restored upon cessation of an attack.
Over 20 years ago, many organizations recognized that geographically distributed interconnected systems were much more vulnerable than mainframe systems with minimal connectivity. At that time, few educational institutions offered any form of information security curricula, let alone academic degrees. This deficiency led to the establishment of the International Information Systems Security Certification Consortium (ISC)2, a nonprofit organization with the purpose of educating and certifying information security professionals. (ISC)2 certifications are based on a compendium of information security topics called the “common body of knowledge” (CBK). The CBK is the critical body of knowledge that serves as a common framework of security concepts, definitions, and principles that foster understanding of best practices among those engaged in activities related to information assurance/security.
The CBK categorizes security issues in terms of its elements in the following domains (areas):
Access control systems and methodology
Applications and systems development security
Business continuity planning and disaster recovery planning
Cryptography
Information security and risk management
Legal, regulations, compliance, and investigations
Operations security
Physical security
Security architecture and models
Telecommunications and network security
Confidentiality, integrity, and availability (CIA) are the core tenets of information security and span all the domains of the Common Body of Knowledge. Confidentiality is the measure of the secrecy of information. An organization determines how data are to be used and assigns a confidentiality level to that data. If transmitted from one place to another, confidentiality ensures that the data were not observed by those who are not entitled to know the contents. Integrity ensures that the information is accurate and reliable. If transmitted from one place to another, it ensures that the data were not tampered with. Availability deals with the ability of users to access the information. It is commonly achieved through access control systems, redundant links and servers, and also with policies that take natural disasters into consideration.
By the CBK definition, access control refers to a collection of mechanisms that allow the user/administrator of a system to have a directing or restraining influence over the behavior, use, and content of the system. Consequently, access controls are enforcement mechanisms that determine whether an action is authorized to occur. Access control methods determine what a user can access in the system. Users' actions can be monitored for accountability. There are two main types of access control methods:
Discretionary access control (DAC)
—the access control decision is made by the individual user. For example, the user creates a file and defines an access control list specifying who can access the file and how much access (read, write, etc.) each user can have.
Mandatory access control (MAC)
—access control is imposed by categorizing resources and users based on a predetermined set of established criteria. For example, in military and government organizations dealing with sensitive data, the users and resources may be organized into the following categories: unclassified, confidential, secret, and top secret.
Based on these two broad types of access control, several methods have been developed to make them more comprehensive. Some of these are:
Lattice based
—defines the relationships within a MAC system. Usually, groups exist within each category and the access control method determines how control flows from one group to the other.
Rule based
—again a MAC-based system that uses a strict set of rules but requires a lot of management and administration.
Role based
—a MAC-based system where various roles are defined and users assigned to these roles. Permissions are now based on the job roles rather than by specific user. Examples of roles include system administrators, backup operators, and printer managers.
Access control list (ACL)
—often used to define rules in firewalls and routers based on IP addresses. Also used by some operating systems to define the access allowed by users to resources.
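To make the difference between discretionary and role-based control concrete, here is an added example (not code from the book). Under DAC the file's owner writes the ACL and is the only one who may change it; under the role-based policy, permissions attach to job roles (the book's backup operator and printer manager examples) and users obtain them only by being assigned a role. The file names, users, and permission names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Permission names used by both checks (chosen for this example).
READ, WRITE = "read", "write"


@dataclass
class File:
    """A resource under discretionary access control: its owner sets the ACL."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, acting_user, principal, perms):
        # DAC: the decision belongs to the owner, so nobody else may edit the ACL.
        if acting_user != self.owner:
            raise PermissionError(f"{acting_user} does not own {self.name}")
        self.acl.setdefault(principal, set()).update(perms)


def dac_allowed(f, user, perm):
    """The owner may do anything; everyone else gets exactly what the ACL lists."""
    if user == f.owner:
        return True
    return perm in f.acl.get(user, set())


class RoleBasedPolicy:
    """Permissions are granted to roles; users hold roles, never direct permissions."""

    def __init__(self):
        self.role_perms = {}   # role -> {(resource, permission)}
        self.user_roles = {}   # user -> {role}

    def define_role(self, role, grants):
        self.role_perms[role] = set(grants)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, resource, perm):
        # A user is permitted if any of their roles carries the (resource, perm) pair.
        return any((resource, perm) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def demo():
    # DAC: alice owns the report and grants bob read access only.
    report = File("q3-report.txt", owner="alice")
    report.grant("alice", "bob", {READ})

    # RBAC: a backup operator may read files it must copy but never write them;
    # a printer manager may alter the print queue. carol is only a backup operator.
    policy = RoleBasedPolicy()
    policy.define_role("backup_operator", {("q3-report.txt", READ), ("payroll.db", READ)})
    policy.define_role("printer_manager", {("print-queue", WRITE)})
    policy.assign("carol", "backup_operator")

    return {
        "bob_read": dac_allowed(report, "bob", READ),
        "bob_write": dac_allowed(report, "bob", WRITE),
        "carol_read": policy.allowed("carol", "q3-report.txt", READ),
        "carol_write": policy.allowed("carol", "q3-report.txt", WRITE),
        "carol_print": policy.allowed("carol", "print-queue", WRITE),
    }


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(f"{decision:12} {'allowed' if outcome else 'denied'}")
```

Note the administrative consequence the book points to: when carol changes jobs, the role-based policy needs one line changed (her role assignment), whereas under pure DAC every owner who granted her access would have to edit their own ACL.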
The CBK access control domain not only focuses on access control mechanisms, but also includes:
identification and authentication mechanisms and techniques,
administration of access control mechanisms, and
mechanisms/methods for attacking information systems.
By the CBK definition, this domain refers to the controls that are included within systems and applications software in centralized and distributed environments and the steps used in their development. Applications are vulnerable through buffer overflow attacks, cross-site attacks, SQL injection attacks, and so forth. Software security should be considered at the beginning of the design and implementation phases. Developers should understand how to produce secure, stable, and efficient software that is not vulnerable to known common types of attacks. Development projects, being under time pressure, often overlook these security aspects. This domain educates programmers and users about these inherent threats that their developed applications could face at a later time.
The CBK Application and Systems Development Security domain not only focuses on system internal security mechanisms, but also includes:
data warehousing and data mining,
risks associated with various software development practices,
vulnerabilities within software components, and
malicious software used for attacking information systems.
This domain addresses the continuation of the business in the event of a major disruption to normal business operations. In the event of a natural disaster or a major calamity, the entire company's resources could be lost. Whether the company survives or not depends on how the company prepares for these types of events. Having a disaster recovery plan determines what is required to keep the business functioning. These items should be prepared ahead of time and the procedures required to get the necessary data back online should be thought of. This plan is a short-term plan. Its objectives include:
protecting the organization from major systems failure,
minimizing the risk to the organization from delays in providing services,
guaranteeing the reliability of standby systems through testing and simulation, and
minimizing the decision-making required by personnel during a disaster.
The business continuity plan is a long-term plan that looks at recovery from beginning to end. It incorporates the disaster recovery plan and is put into action when a threat occurs. It is essential to keep the recovery plans up to date, monitor critical assets, and so forth. This helps reduce damage in the long run. The major components of this process are:
Scope and plan initiation—to create the scope and define the parameters of the plan.
Business impact assessment—to understand the impact of a disruptive event.
Business continuity plan development—include plan implementation, testing, and maintenance.
Plan approval and implementation is another component that involves getting the plan approved and making people aware of the plan. Also important is implementing a maintenance procedure for updating the plan as needed.
By the CBK definition, this domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. Data are encrypted and validated to ensure that the data remain secure and intact. Only authorized people can access the encrypted data through the process of decryption. Cryptography can also provide nonrepudiation (irrefutable proof that a message was created by a given person). Two types of encryption exist:
Symmetric encryption
—uses a shared key to both encrypt and decrypt the data.
Asymmetric encryption
—uses two keys, a public key and a corresponding private key. Before data are transmitted, the data are encrypted with the recipient's public key. The encrypted data can only be decrypted with the recipient's private key.
The CBK Cryptography domain not only focuses on system internal security mechanisms, but also includes:
infrastructures for the management of public keys allowing individuals to obtain valid keys and know when keys are no longer valid,
risks associated with various encryption algorithms and how they may be deployed, and
techniques for attacking the use of cryptography.
This domain is concerned with the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify them, and consider asset vulnerabilities so that effective security controls can be implemented. This domain also includes personnel security, training, and security awareness. The organization needs to determine the items to be protected, see how they are accessed, and then select controls, and audit the users who operate the devices.
What are the threats to our infrastructure, and what is at risk? Consider the confidentiality, integrity, and availability tenets of security. Any physical damage or interruptions in providing system services affect availability. Unauthorized disclosure of information breaches confidentiality. Any loss of control over the system compromises integrity. If there is a theft, it affects all the three aspects mentioned above.
By the CBK definition, this domain addresses computer crime laws and regulations, investigative measures and techniques that can be used if a crime is committed, methods to gather evidence, and the ethical issues and code of conduct for security professionals. Intruders can access private data, destroy information, steal intellectual property, and so forth. The owner of the system should report the crime, making sure that no evidence is destroyed or lost. Federal, state, or civil laws may be applicable depending on the crime committed. Even if the attacker is identified, it is important not to attack the attacker. Attacking an attacker is considered illegal by many nations and should not be engaged in.
Computer forensics is the field of computer crime investigation and deals with the collection of information from computer systems that will be admissible in courts of law. Gathering, control, storage, and preservation of evidence are crucial. The evidence must be relevant, legally permissible, reliable, properly identified, and preserved to be admissible. Legal evidence can be classified into the following types:
Best evidence
—original or primary evidence rather than a copy.
Secondary evidence
—copy of the evidence.
Direct evidence
—information gathered through a witness.
Conclusive evidence
—incontrovertible evidence.
Expert opinion.
Circumstantial evidence
—inference of information from other facts.
Hearsay evidence
—computer-generated records.
Incident planning addresses the handling of malicious attacks through technical means and should address the following questions:
What is the incident?
How should it be reported?
To whom should it be reported?
When should management be informed of the incident?
What action should be taken if an incident is detected?
Who handles the response to an incident?
How much damage was caused by the incident?
What information was damaged or compromised by the incident?
How are follow-up and review after the incident handled?
What additional safeguards can be instituted as a result?
This CBK domain also includes consideration of software licensing and software piracy along with import–export laws and issues.
This domain identifies the controls over hardware, software, and information, and over operations personnel with access privileges to any of these resources. Auditing and monitoring mechanisms are used to identify security events and report the information appropriately. To build a defensive system, put yourself in your opponent's place and see where the vulnerabilities are. Determine the resources that need to be protected and the privileges that need to be restricted. The following key principles have to be considered: identifying critical information, analyzing threats, assessing vulnerabilities and risks, and applying countermeasures. Operations Security uses indicators collected via log files, auditing, monitoring, and the like. Other sources of information come from intrusion detection programs, where administrators can look for anomalies. Penetration testing, in which testers play the role of an attacker to find a way into the system, can also be utilized.
The operations security controls are categorized as follows:
Preventative controls
—to lower the impact of unintentional errors on the system and prevent unauthorized access to the system.
Detective controls
—to detect errors once they occur.
Corrective controls
—to mitigate any loss through data recovery procedures.
Recovery controls
—to allow restoration of operational capabilities during, or after, the occurrence of a security breach.
Monitoring and auditing are an integral part of operations security. Monitoring includes scrutinizing for illegal software installation, for hardware faults, and for anomalies. Monitoring tools are used for intrusion detection, penetration testing, and violation analysis. Auditing allows the review of patterns of access, the discovery of any attempts to bypass the protection mechanisms, and the verification of security controls.
Another critical part of this domain is the maintenance of antivirus, and other anti-malware capabilities, personnel training, and resource protection activities. Security and fault tolerance technologies are included, along with security standards, operational compliance to regulations, and the concept of due diligence (also referred to as due care).
This domain addresses countermeasures that can be utilized to physically protect organization's resources and sensitive information from physical threats. Protecting from remote intruders is just not enough. Steps must be taken to protect assets that can be accessed physically. Examples of threats to physical security include emergencies (fire, building damage, utility loss, water damage, etc.), natural disasters (earthquakes, floods, etc.), and human intervention (sabotage, vandalism, etc.).
Controls for physical security include administrative controls and physical and technical controls. Administrative controls involve facility requirements planning, facility security management, and administrative personnel controls. Facility requirements planning deals with the planning for physical security controls in the early stages of the site construction, for example, choosing and designing a secure site. Audit trails and emergency procedures fall under facility security management. Administrative personnel controls include pre-employment screening, ongoing employee checks, and post-employment procedures. Environmental and life safety controls are required to sustain the personnel's or computer's operating environment, and these include power, fire detection, heating, ventilation, air conditioning, and the like.
Physical and technical controls relate to the areas of facility control requirements, access control devices, intrusion detection and alarms, inventory control, and media storage requirements. Storage media should be properly destroyed when no longer needed. Formatting a disk once doesn't destroy all the data and the disk should be overwritten or formatted at least seven times to conform to object reuse standards.
By the CBK definition, this domain spans the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, and applications, including the controls used to enforce various levels of confidentiality, integrity, and availability. Some of the architectural models that define information security are:
Bell–LaPadula model
—defines security through confidentiality and is designed using a "no write down, no read up" approach. This model maintains security through classification levels. Subjects are allowed access to a classified object only if their clearance is at that level or higher.
Biba model
—focuses on the integrity of data and is designed using a "no write up, no read down" approach. This model is based on the trust relations that exist between subjects and objects and ensures that no subject can depend on a less trustworthy object.
Clark–Wilson model
—enforces data integrity for commercial applications. The model ensures that the data modifications made are consistent and done with well-formed transactions. This model also addresses the case where a computer crash occurs as data are being modified. In such a case, the system should roll back to the original state.
Access Control List (ACL) model
—the most commonly used model to define access rights between data and the users.
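The two lattice rules above are short enough to write out as a reference monitor. The following is an added example (not code from the book): it encodes the Bell–LaPadula read and write rules over the book's four classification levels and the Biba rules over an integrity ordering, and it tabulates every subject/object pair so the mirror-image structure of the two models is visible. The integrity level names (low, medium, high) and the function names are assumptions made for the illustration.

```python
# Ordered labels; a later position in the list dominates an earlier one.
CLASSIFICATION = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY = ["low", "medium", "high"]          # assumed names for this example


def dominates(levels, a, b):
    """True when label a is at or above label b in the ordered list `levels`."""
    return levels.index(a) >= levels.index(b)


def blp_allowed(subject_clearance, object_level, op):
    """Bell-LaPadula (confidentiality): no read up, no write down.

    A subject may read only objects its clearance dominates, and may write
    only to objects that dominate its clearance, so information never flows
    from a higher classification to a lower one.
    """
    if op == "read":
        return dominates(CLASSIFICATION, subject_clearance, object_level)
    if op == "write":
        return dominates(CLASSIFICATION, object_level, subject_clearance)
    raise ValueError(f"unknown operation {op}")


def biba_allowed(subject_integrity, object_integrity, op):
    """Biba (integrity): no read down, no write up.

    A subject may read only objects at least as trustworthy as itself, and
    may write only to objects no more trustworthy than itself, so nothing
    ever depends on a less trustworthy source.
    """
    if op == "read":
        return dominates(INTEGRITY, object_integrity, subject_integrity)
    if op == "write":
        return dominates(INTEGRITY, subject_integrity, object_integrity)
    raise ValueError(f"unknown operation {op}")


def policy_matrix(check, levels):
    """Map every (subject, object) pair to (may_read, may_write) under `check`."""
    return {(s, o): (check(s, o, "read"), check(s, o, "write"))
            for s in levels for o in levels}


def mediate(request):
    """Apply both models to one request; access is granted only if both agree.

    `request` is a dict with subject and object labels for both lattices, e.g.
    {"clearance": "secret", "classification": "confidential",
     "subject_integrity": "high", "object_integrity": "medium", "op": "read"}.
    """
    return (blp_allowed(request["clearance"], request["classification"], request["op"])
            and biba_allowed(request["subject_integrity"], request["object_integrity"],
                             request["op"]))


if __name__ == "__main__":
    for name, check, levels in (("Bell-LaPadula", blp_allowed, CLASSIFICATION),
                                ("Biba", biba_allowed, INTEGRITY)):
        print(name)
        for (s, o), (r, w) in policy_matrix(check, levels).items():
            print(f"  subject={s:13} object={o:13} read={r!s:5} write={w!s:5}")
```

Running the tabulation shows why the two models are usually combined: Bell–LaPadula alone lets an unclassified subject write into a top-secret object (it does not care about integrity), while Biba alone lets a high-integrity subject read anything of high integrity regardless of its classification. The `mediate` function grants a request only when both lattices permit it.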
Also considered within this domain are:
the functions and capabilities within operating systems for state management, memory management, kernel and monitoring activities;
architecture evaluation methodologies such as the Trusted Computer Security Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria (CC);
application and system software problems, logic flaws, and design/implementation errors that create opportunities for system compromises/attacks; and
the concepts of certification and accreditation.
By the CBK definition, this domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communication networks and media/cabling. This is the largest and most technical domain in the CBK. It includes the OSI model with the seven layers of functionality: physical, data-link, network, transport, session, presentation, and application layers. Included herein are the subjects of:
local area networks (LANs), enterprise, metropolitan, and wide area networks;
common network devices, such as routers, bridges, switches, and firewalls;
network security protocols; and
common forms of attacks against network infrastructures.
It deals with the actual hardware used to connect information systems to each other. Security is dealt with in terms of hubs, routers, switches, and firewalls, for example. To keep the data safe, secure, and error-free, the domain deals with the safeguards and protocols that administrators have to enforce.