IINS 210-260

IINS 210-260

Building Blocks of Information Security

CIA Triad

It's no surprise that our networks are becoming more and more interconnected and the data is flowing more freely on the Internet, and not just using, let's say, traditional Internet but also with the advent of more mobility devices, and handheld pads, and things like that. So it's very important for us to focus on security services, especially, from a commercial standpoint, because connectivity is mandatory but the risks of a connectivity don't outweigh their benefits, so we're going to be using it. So we have to have adequate protection mechanisms for our companies that are doing business in what we call a relatively open environment.

Now our basic security requirements really come into play with what we call the CIA or the security triad. We have C as Confidentiality, I as Integrity, and A is Availability – system and data availability. So Confidentiality is making sure that we're guaranteeing that only authorized users can view the sensitive information.

Integrity means that only authorized subjects can modify this sensitive information. Integrity may also guarantee authenticity of data, but it's actually coming from the party that its supposed to come from or being received by the party that is supposed to be receiving it.

And there is also Availability – making sure that you have the guarantee of its data and system availability, that you have uninterrupted access by authorized users to computing resources and data. So we have to think about the CIA triad, also we need to be aware of the possible threats that could compromise our security, the risks of those threats, how relevant they are for our organization or our business unit, how much it's going to cost to implement countermeasures, and is the countermeasure more costly than the value of the asset – we need to think about that. So we do a cost versus benefit analysis to see if it's worthwhile to implement certain security controls.

Assets, vulnerabilities, and threats

Let's go ahead and define some key terms here, starting with an asset. Now an asset is anything of value to your company or organization, and it's interesting because for example, if you have a USB key or one of those USB drives that cost $1 per GB. That drive itself as an asset may not be very valuable, but what about the data that's stored on that USB drive? The microwave oven in the break room may not have been that expensive, but if it's interrupting your wireless LAN and interrupting and affecting wireless LAN security, well, then it can be a different asset value. So we're looking at the little USB key, all the way to the datacenter servers and virtual software platforms, and all the licensing that goes into that. So we have to be able to understand all the assets we're trying to protect, know where they're located, know how they're exposed, their vulnerability, and their value. And their value can be quantitative in dollar terms or qualitative, you know, the value relative to other assets. Those are two very important things to know about assets.

A vulnerability is also a term that's very important, okay. A vulnerability can be known or unknown okay, but it's basically a weakness in a system or a system design, or weakness in a protocol or a service that can be exploited by a threat or a threat agent, okay. And as we mentioned, a vulnerability maybe known, it maybe unknown. There are vulnerabilities in TCP/IP that we're well aware of, but those vulnerabilities are going to remain there because we have to have the interoperability and effectiveness of the TCP/IP protocol. So we accept the vulnerabilities and we find other ways to create countermeasures. Vulnerabilities are most often due to human error, and they're found in programs, applications and operating systems.

A threat is a potential danger to assets, okay. A threat is realized if it's identified by a specific vulnerability and it's exploited. That exploit is called a threat agent, it's the delivery system of that threat; for example a worm, or a Trojan horse program, or a virus. Now if the vulnerability is theoretical and it hasn't been exploited, then we call that an unrealized threat or a latent threat. Another word for threat agent, by the way, something that takes advantage of a vulnerability is a threat vector.

A countermeasure is a safeguard, it's also what we call a mitigation. It mitigates a potential risk, so countermeasures mitigate risk by either eliminating the vulnerability altogether or reducing it to acceptable levels, and of course, that acceptable level of risk is part of risk management itself, or what you could do is you could lower the probabilities of a threat agent or a threat vector exploiting a particular risk, that can also be a countermeasure.

Classifying assets

Now in order to effectively deliver the CIA triad – Confidentiality, Integrity, and Availability, you have to be able to classify and identify your data - what is it worth. So sometimes we have to do that, maybe it's part of governance or regulation, maybe the HIPAA requirement for the privacy or security rule, maybe you're under the Sarbanes-Oxley mandate and there are liability issues, okay. So the people who classify data are data custodians, and we need to make the proper evaluations as well as implementing the proper controls – CIA controls – to secure our data based on our requirements. We need to take it seriously because it shows not only our employees but also our vendors and our customers and our partners that we are serious about security.

Now classification levels – it really depends upon kind of what sector you're in, so for example in the public sector, you might have the lowest form of data would be unclassified, all the way up to top secret.

In the private sector, you may have public, and then sensitive, and then private, and confidential okay. So it really depends upon public or private sector – the labels that you use.

But there is other criteria as well besides value. We think about, you know, just the monetary value of the asset being the main criteria, but that's not necessarily true. It could be the age okay, the older data is, the less valuable it gets.

Levels - Public Sector Unclassified
SBU (Sensitive but Unclassified)
Confidential
Secret
Top Secret
Levels - Private Sector Public
Sensitive
Private
Confidential
Criteria Value
Age
Useful Life
Personal Association
Replacement Cost
Liability
Roles Owner
Custodian
User

There are three main benefits to doing this by the way. This shows a commitment to security on our behalf of our organization. We're identifying the most sensitive assets which is very important, this'll also play into other countermeasures, for example like IPS – Intrusion Prevention System – that you'll learn about later on. Also by classifying assets it helps us identify which countermeasures we're going to apply to which type of data and assets. The more expensive countermeasures to the more mission-critical data, the more mission-critical assets.

There are also three roles. The owner – the owner is the person who is ultimately responsible for the information like a CEO or a CIO, senior level management. The custodian is typically an IT or IS staff who has day-to-day operational responsibility for maintaining data. The owner might determine security controls, but the custodian will actually be the one that marks it, backs it up, and secures the data to enforce the security controls mandated by the owner or the senior level management. And then there is the user, and we're often all users, okay. The user has no responsibility for data classification or even maintaining of that classified data, but they do have responsibility based on their operational procedures or AUP – Acceptable Use Policies.

Classifying vulnerabilities

Now the weaknesses we find are not only in applications and programs that are written by humans, we also find them in the actual countermeasures themselves, okay, in operational ongoing procedures practices. So knowing this will help you build a more effective security architecture. If you're looking for vulnerabilities, one of the things that will help is if you categorize these into different classes or different types of vulnerabilities. So for example, you could have flaws in your policy, I mentioned the Acceptable Use Policy – that may have some weaknesses in it okay. Maybe you haven't considered mobile devices or people who are bringing their own iPhones, and iPads, and Android, BlackBerry type devices. Maybe you have policy flaws and weaknesses in instant messaging, you're allowing them to use the whiteboard or the camera.

Design errors themselves in the design of the system or the protocol or the service, weaknesses in protocols and these can be protocols that have been there out for a long time, these could be new protocols. And protocols may just be your standards and operational procedures, vulnerabilities in software those are ongoing – are you making sure that you're using hotfixes and security patches. Misconfigured firewalls, misconfigured security policies on routers, edge devices, hostile code – are you protected against disgruntled employees, do you have a procedure in place if you are going to terminate an employee so they can't introduce hostile code into the organization. And of course, the human factor which we mentioned is already a big issue.

There are a couple of ways that you can you know design your vulnerability analysis. For example, it's CVE.mitre.org where you can see the Common Vulnerabilities and Exposure dictionary, there is also the NVD – the National Vulnerability Database at NVD.nist.gov – that has a security checklist, it shows software related flaws, misconfigurations, things like that.

Classifying countermeasures

Well, once you've completed your classification and you've looked at all your assets and possible vulnerabilities, we need to look at threats next. Threat classification and threat analysis is part of your risk management architecture. We'll look at this a little bit later on in more detail. Once you considered your threat vectors, you're going to use various controls to apply your defence-in-depth mechanisms. And there are several ways to classify these controls. We can break it down into administrative, technical, and physical – where administrative is basically policies and procedures, you know, your security policy, your written security policy, Acceptable Use Policy, change and configuration control, doing auditing and penetration testing, background checks of your employees and your contractors, those are all Administrative.

Technical-related things we're going to be looking at here throughout this course - hardware, software, firewalls, IPS sensors, VPN technology even biometric authentication.

And then physical controls - these are the mechanical. These are the ones that protect the infrastructure the facilities, using things like locking mechanisms, security guards, fire suppression systems, positive airflow systems, UPS – Uninterruptible Power Supplies, those are all physical controls.

You can also break these down into how they manage the incident and the exposure, preventive would be basically employing a locking mechanism or a policy or a firewall to prevent the threat. There is detective, this could be surveillance cameras, CCTV, Intrusion Prevention Systems, logging, okay. And there is corrective, these are things that are mitigation or they reduce the effects of the threat like doing antivirus or antimalware procedures, or updating your IPS signature database. There is recovery, these basically put a system back into production, once there has been an incident or a breakout. This could be disaster recovery. And then there's deterrent here the goal is to discourage security violations, and this is a lot more like putting a sticker on your window at home or a sign in your front yard, okay. Even having a surveillance camera can be a deterrent. Once people see that camera, they'll know that they're going to be under observation.

You can also categorize risk based on the ways that they manage the situation, you can do risk avoidance which is basically not performing a risky activity. You could do risk reduction or optimization where you reduce the severity of the loss or the likelihood of the loss, okay. There is risk sharing or transfer, this is kind of like buying an insurance policy or outsourcing security to some other company. Risk sharing or risk transfer could be a business partner. There is risk retention or acceptance. Basically you're just going to accept the loss when a risk occurs, so you're budgeted in for the loss or the gain from the risk. This is a viable strategy only for small risks. And keep in mind, it's not always possible to classify these controls, you know, it's strictly into one category or one type. There is always a lot of overlap you know, for example preventative and deterrent controls often overlap.