Security Laboratory
How do you get started in Information security?
October 25th, 2008
By Stephen Northcutt
This article considers getting started in computer and network security (physical or facilities security is out of the scope of this writing). This is an introduction; if you find you are interested in learning more about security, you may want to consider our introductory course, Intro to Information Security.
A strong foundation in security means understanding the fundamentals: risks, threats, and vulnerabilities, which are highly interrelated. Their relationship can be expressed by this simple formula:
Risk (due to a threat) = Threat x Vulnerability (to that threat)
This formula shows that risk is directly related to the level of threat and vulnerability that you, your systems, or your networks face. Here's how the formula works:
- If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be only moderate. For example, if you live in a high crime neighborhood (thus, high threat) but you keep your doors and windows locked (so you have a low vulnerability to that threat), your overall risk is moderate.
- If you have a high vulnerability to a threat (by keeping your doors and windows unlocked), but the threat itself is minor (by living in a safe neighborhood), once again you have only a moderate risk factor.
- If, however, you have a high level of threat potential (a high crime area) and your vulnerability to that threat is very high (no locks), you have a very high risk factor.
We'll start by explaining some fundamental principles that you need to understand and apply every day in securing your systems. We'll progress from what exactly it is about our systems that we're trying to protect - confidentiality, integrity and availability - to the risks our systems face. After looking at threats and vulnerabilities, we'll talk about an overarching approach to protecting our systems.
Access Control
According to Apple, "Security is about restricting access, whether to a physical object, a location, information, an application, or a particular feature of an application." While that is important, there is more to security than access control as we will quickly see.
Confidentiality, Integrity and Availability
What exactly about the system or information do we wish to protect? Traditionally, information security professionals focus on ensuring confidentiality, integrity, and availability. Known simply as "CIA" in infosec jargon, these are the three bedrock principles with which we will be concerned. A good habit when first exploring any new business application or system is to think about confidentiality, integrity, and availability - and the countermeasures, or lack thereof, for protecting each. Attacks may come against any or all of these.
We will discuss a variety of threats that jeopardize our computer systems. To focus that discussion, we will consider some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we will be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss.
Let's use an example: You've been assigned to oversee the security of your employer's new e-commerce site, its first attempt at conducting business directly on the Internet. How do you approach this? What should you consider? What could go wrong?
Think C-I-A: confidentiality, integrity, and availability. Customers will expect that the privacy of their credit card numbers, their addresses and phone numbers, and other information shared during the transaction will be ensured. These are examples of confidentiality. They will expect quoted prices and product availability to be accurate, the quantities they order at the prices they agreed not to be changed, and anything downloaded to be authentic and complete. These are examples of integrity. Customers will expect to be able to place orders when convenient for them, and the employer will want the revenue stream to continue without disruption. These are examples of availability.
Keep in mind that the dimensions we have been discussing can be interrelated. An attacker may exploit an unintended function on a web server and use the cgi-bin program "phf" to list the password file. This breaches the confidentiality of sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute-force or dictionary-driven password attacks to recover the passwords. With a stolen password, the attacker can execute an integrity attack once he gains entry to the system. He can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems so they cannot report his presence. When this is completed, the attacker has full access to the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy. Always think C-I-A.
C-I-A can drive critical design and engineering decisions. The first decision to make is whether to fail open or closed. In other words, is either Integrity or Confidentiality more important than Availability?
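The fail-open versus fail-closed decision above is easiest to see in an access check whose policy backend stops answering. The following is an added example written for this article, not code from the author or from any product it mentions; the policy table, the mapping of actions to the C-I-A dimension they put at stake, and the simulated outage are all constructed for illustration. The idea it demonstrates is that the failure mode is chosen per action from which dimension matters more, and that every decision made during a failure is written to an audit trail.

```python
"""Fail-open versus fail-closed: what an access check should do when its policy
backend cannot answer.

Added example, not from the article. The policy table, the action-to-impact
mapping and the outage simulation are constructed for illustration.
"""
from enum import Enum
from typing import List, Optional, Set


class FailureMode(Enum):
    OPEN = "open"      # availability wins: an unanswerable request is allowed
    CLOSED = "closed"  # confidentiality/integrity win: an unanswerable request is denied


class PolicyUnavailable(Exception):
    """The policy store could not answer (timeout, outage, corrupt data)."""


# Constructed policy store: user -> actions that user may perform.
POLICY = {
    "alice": {"read_catalog", "place_order", "view_own_orders"},
    "bob": {"read_catalog"},
}

# Which C-I-A dimension each action mainly puts at stake if it is wrongly allowed.
ACTION_IMPACT = {
    "read_catalog": "availability",        # public data; blocking it only hurts availability
    "place_order": "integrity",            # wrong quantities or prices would be accepted
    "view_own_orders": "confidentiality",  # another customer's data could leak
}


def choose_mode(action: str) -> FailureMode:
    """Fail open only where availability outweighs confidentiality and integrity."""
    # Unknown actions are treated as sensitive, so they fail closed.
    impact = ACTION_IMPACT.get(action, "confidentiality")
    return FailureMode.OPEN if impact == "availability" else FailureMode.CLOSED


def lookup_permissions(user: str, backend_up: bool = True) -> Set[str]:
    """Simulated policy lookup; backend_up=False stands in for an outage."""
    if not backend_up:
        raise PolicyUnavailable("policy service unreachable")
    return POLICY.get(user, set())


def authorize(user: str, action: str, backend_up: bool = True,
              audit: Optional[List[str]] = None) -> bool:
    """Decide whether user may perform action, applying the action's failure mode on error.

    Every decision made under failure is recorded in `audit`, because a fail-open
    decision is one you will want to review once the backend is back.
    """
    audit = audit if audit is not None else []
    try:
        allowed = action in lookup_permissions(user, backend_up)
    except PolicyUnavailable as exc:
        mode = choose_mode(action)
        allowed = mode is FailureMode.OPEN
        audit.append(
            f"{user}:{action} decided under failure ({exc}); "
            f"fail-{mode.value} -> {'allow' if allowed else 'deny'}"
        )
        return allowed
    audit.append(f"{user}:{action} -> {'allow' if allowed else 'deny'}")
    return allowed


if __name__ == "__main__":
    log: List[str] = []
    for up in (True, False):
        for who, what in (("alice", "place_order"), ("bob", "place_order"), ("bob", "read_catalog")):
            authorize(who, what, backend_up=up, audit=log)
    print("\n".join(log))
```

Run it as a script to see both halves of the log: with the backend up, decisions follow the policy table; with it down, the catalog read is allowed (fail open) while order placement is denied (fail closed), and each failure decision says which mode produced it.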
Focus on the Value of Information
The most important thing to protect with information security is your information. Often information is stored in a database. Oracle has an excellent page on getting started with security from a database perspective. If you take credit cards, we recommend you read about getting started with the Payment Card Industry Security Standards. Many new web applications are based on service-oriented architecture; if your organization is doing that, you may want to read about XML security. So our mission in information security is to focus on minimizing the impact to our information, essentially loss control.
What is the role of threat in defense in depth?
In security discussions we hear a lot about threats. Threats, in an information security sense, are any activities that represent possible harm to our information or operations. Threats can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.
Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats, like hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation: what business you are in; who your partners and adversaries are; how valuable your information is; how it is stored, maintained, and secured; who has access to it; and a host of other factors.
The point is that there are too many variables to ever protect against all the possible threats to your information. That is OK; we simply prioritize. We suggest that you schedule a half-day to work out the threat/vulnerability pairs by expanding the six threats we have listed. Don't be surprised if you quickly realize that you cannot nullify the majority of them. In point of fact, our IT infrastructure is remarkably simple:
- The problem didn't happen overnight, it has developed over years
- The strategy of ignoring the problem (officially known as accepting the risk, as it is called in risk management) eventually has to lead to failure
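The Risk = Threat x Vulnerability formula and the half-day exercise of working out threat/vulnerability pairs and prioritizing them can be carried out as a small register. What follows is an added example written for this article, not code from the author; the 1..3 scoring scale, the band thresholds and the register entries (the article's neighbourhood scenarios plus a few electronic ones) are constructed for illustration. It scores each pair with the article's formula, sorts the register so the review starts with the highest risk, and separates pairs to treat from pairs that are formally accepted.

```python
"""Risk = Threat x Vulnerability applied to a small threat/vulnerability register.

Added example, not from the article: the register entries and the 1..3 scoring
scale are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# One ordinal scale shared by threat level and vulnerability level.
LOW, MODERATE, HIGH = 1, 2, 3


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str           # the agent of harm, e.g. "burglary" or "virus outbreak"
    vulnerability: str    # the weakness that agent can act on, e.g. "unlocked doors"
    threat_level: int     # 1 (low) .. 3 (high)
    vuln_level: int       # 1 (low) .. 3 (high)

    def risk(self) -> int:
        """Risk (due to a threat) = Threat x Vulnerability (to that threat)."""
        for level in (self.threat_level, self.vuln_level):
            if not 1 <= level <= 3:
                raise ValueError(f"level {level} is outside the 1..3 scale")
        return self.threat_level * self.vuln_level


def risk_band(score: int) -> str:
    """Map the 1..9 product back to the article's low/moderate/high wording.

    High threat x low vulnerability (3x1) and low threat x high vulnerability (1x3)
    both land on 'moderate'; high x high (3x3) lands on 'high'.
    """
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def prioritize(pairs: List[ThreatVulnPair]) -> List[ThreatVulnPair]:
    """Highest risk first, so the half-day review starts where it matters most."""
    return sorted(pairs, key=lambda p: (-p.risk(), p.threat, p.vulnerability))


def split_by_appetite(pairs: List[ThreatVulnPair], appetite: int
                      ) -> Tuple[List[ThreatVulnPair], List[ThreatVulnPair]]:
    """Separate pairs to treat (risk above appetite) from pairs to accept (at or below).

    Accepting a risk is the formal name for deciding not to treat it; the accepted
    list is the one to revisit on a schedule, not the one to forget.
    """
    treat = [p for p in pairs if p.risk() > appetite]
    accept = [p for p in pairs if p.risk() <= appetite]
    return treat, accept


# Constructed register: the article's neighbourhood scenarios plus a few electronic ones.
REGISTER = [
    ThreatVulnPair("burglary", "unlocked doors and windows", HIGH, HIGH),
    ThreatVulnPair("burglary", "locked doors and windows", HIGH, LOW),
    ThreatVulnPair("burglary in a safe neighbourhood", "unlocked doors", LOW, HIGH),
    ThreatVulnPair("virus outbreak", "unpatched desktops, no antivirus", HIGH, HIGH),
    ThreatVulnPair("flood", "server room in the basement", LOW, HIGH),
    ThreatVulnPair("hacker", "web server with default credentials", MODERATE, HIGH),
]


if __name__ == "__main__":
    treat, accept = split_by_appetite(prioritize(REGISTER), appetite=3)
    print("Treat first:")
    for p in treat:
        print(f"  {p.risk()} ({risk_band(p.risk())}): {p.threat} / {p.vulnerability}")
    print("Accepted for now:")
    for p in accept:
        print(f"  {p.risk()} ({risk_band(p.risk())}): {p.threat} / {p.vulnerability}")
```

The appetite value is the organisation's own choice; with an appetite of 3 the two "moderate" neighbourhood cases from the article are accepted, while the high-threat, high-vulnerability pairs head the treatment list. Changing the scale to 1..5 or weighting threat differently from vulnerability only requires touching `risk()` and `risk_band()`.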