Security Laboratory

Computer Security Training and Education

This series will look at the many perspectives of network and computer security training and education, what works and what doesn't.

By Stephen Northcutt
Version 1.1

How do You Get Started in Information Security?

This article considers getting started in computer and network security; physical or facilities security is out of the scope of this writing. This article is an introduction. If you find you are interested in learning more about information security basics, you may want to consider our introductory course, Intro to Information Security.

There is no perfect security, no perfect solution. Everything we do in life has a certain amount of risk. A strong foundation in security means understanding the fundamentals: risks, threats, and vulnerabilities, which are highly interrelated. Their relationship can be expressed by this simple formula:

Risk (due to a threat) = Threat x Vulnerability (to that threat)

This formula shows that risk is directly related to the level of threat and vulnerability that you, your systems, or your networks face. Here's how the formula works:
  • If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be only moderate. For example, if you live in a high crime neighborhood (thus, high threat) but you keep your doors and windows locked (so you have a low vulnerability to that threat), your overall risk is moderate. What is an example of a "low vulnerability"? If a vulnerability, a weakness, is on a system that is behind a firewall and is not reachable from the Internet, it is a lower level vulnerability than one on a system that is reachable from the Internet. A couple of other characteristics include the availability of exploit or attack code, and whether the attack code lets the attacker achieve privileged status or not. On Unix and Linux systems, privileged status means root or superuser, entities that can do almost anything. On Windows, privileged status is the user or group Administrator.
  • If you have a high vulnerability to a threat, but the threat itself is minor (there are no public exploits, and if the vulnerability were exploited it would not give the attacker privileged access), once again you have only a moderate risk factor.
  • If, however, you have a high level of threat potential (the exploit is widely available) and your vulnerability to that threat is very high (the system is Internet reachable), you have a very high risk factor. In this case you should prioritize taking action.
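The three cases above can be worked through with a small scoring model. This is an added example, not code from the article: the 1..3 scales, the factor weights and the low/moderate/high cut-offs are constructed assumptions, chosen so that the formula reproduces the article's three outcomes and then ranks a constructed inventory for action.

```python
from dataclasses import dataclass

# Constructed scoring model (an assumption for illustration, not from the
# article): threat and vulnerability are each mapped to 1..3, combined with
# Risk = Threat x Vulnerability, and the product is bucketed into
# low / moderate / high. The factors are the ones the article names.

@dataclass
class Exposure:
    name: str
    base_threat: int          # 1 low .. 3 high, e.g. the "high crime neighborhood"
    public_exploit: bool      # attack code is publicly available
    gives_privileged: bool    # success yields root / Administrator
    internet_reachable: bool  # not shielded by a firewall

def threat_level(e: Exposure) -> int:
    """Threat on a 1..3 scale: base threat, raised by exploit availability and impact."""
    level = e.base_threat + int(e.public_exploit) + int(e.gives_privileged)
    return max(1, min(3, level))

def vulnerability_level(e: Exposure) -> int:
    """Vulnerability on a 1..3 scale: Internet reachable is high, behind a firewall is low."""
    return 3 if e.internet_reachable else 1

def risk(e: Exposure) -> int:
    """The article's formula: Risk = Threat x Vulnerability (product in 1..9)."""
    return threat_level(e) * vulnerability_level(e)

def risk_bucket(e: Exposure) -> str:
    """Bucket the product: 1-2 low, 3-4 moderate, 6-9 high."""
    score = risk(e)
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"

def prioritize(exposures: list) -> list:
    """Names ordered highest risk first: the order in which to take action."""
    return [e.name for e in sorted(exposures, key=risk, reverse=True)]

# Constructed sample inventory mirroring the article's three cases plus a quiet one.
SAMPLE = [
    Exposure("db-behind-firewall", 3, True, True, False),     # high threat, low vuln
    Exposure("public-web-minor-bug", 1, False, False, True),  # high vuln, minor threat
    Exposure("public-web-rce", 3, True, True, True),          # high threat, high vuln
    Exposure("lab-box-no-exploit", 1, False, False, False),   # low on both axes
]
```

Running `prioritize(SAMPLE)` puts the Internet-reachable, publicly exploitable, privilege-granting case first, which is the one the article says to act on.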
Key Focus of Risk
We'll start by explaining some fundamental principles that you need to understand and apply every day in securing your systems. We'll progress from what exactly it is about our systems that we're trying to protect - confidentiality, integrity and availability - to the risks our systems face. After looking at threats and vulnerabilities, we'll talk about an overarching approach to protecting our systems.

Access Control
According to Apple, "Security is about restricting access, whether to a physical object, a location, information, an application, or a particular feature of an application." While that is important, there is more to security than access control as we will quickly see. If you have an hour or so, please take some time to read some issues in NewsBites archive and see where the root problem was a failure in access control. The NewsBites archive is available here. And here are some examples of access control failures and their implications in two recent editions. In each case I will point to both the NewsBites edition and also the specific story:
Vol 44 Issue 44:
Virginia Data Breach
Aviva Data Breach

Vol 44 Issue 43:

Clandestine database (insider access control is hard)
Ex Employee accessed data

Confidentiality, Integrity and Availability
What exactly about the system or information do we wish to protect? Traditionally, information security professionals focus on ensuring confidentiality, integrity, and availability. Simply "CIA" in "infosec" jargon, these are the three bedrock principles about which we will be concerned. A good habit when first exploring any new business application or system is to think about confidentiality, integrity, and availability - and countermeasures or lack thereof for protecting these. Attacks may come against any or all of these.

We will discuss a variety of threats that jeopardize our computer systems. To focus that discussion, we will consider some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we will be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss.

Let's use an example: You've been assigned to oversee the security of your employer's new e-commerce site, its first attempt at conducting business directly on the Internet. How do you approach this? What should you consider? What could go wrong?

Think C-I-A: confidentiality, integrity, and availability. Customers will expect that the privacy of their credit card numbers, their addresses and phone numbers, and other information shared during the transaction will be ensured. These are examples of confidentiality. They will expect quoted prices and product availability to be accurate, the quantities they order at the prices they agreed not to be changed, and anything downloaded to be authentic and complete. These are examples of integrity. Customers will expect to be able to place orders when convenient for them, and the employer will want the revenue stream to continue without disruption. These are examples of availability.

Keep in mind that the dimensions we have been discussing can be interrelated. An attacker may exploit an unintended function on a web server and use the cgi-bin program "phf" to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when he gains entry to the system. And he can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems, so they can't report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) would be in jeopardy. Always think C-I-A.

C-I-A can drive critical design and engineering decisions. The first decision to make is whether to fail open or closed. In other words, is either integrity or confidentiality more important than availability?

Focus on the Value of Information
The most important thing to protect with information security is your information. Often information is stored in a database. Oracle has an excellent page on getting started with security from a database perspective. If you take credit cards, we recommend you read about getting started with the Payment Card Industry Security Standards. Many new web applications are based on service oriented architecture; if your organization is doing that, you may want to read about XML security. So our mission in information security is to focus on minimizing the impact to our information, essentially loss control.

What is the role of threat in defense in depth?
In security discussions we hear a lot about threats. Threats, in an information security sense, are any activities that represent possible harm to our information or operations. Threats can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.

Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats, like hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation: what business you are in; who your partners and adversaries are; how valuable your information is; how it is stored, maintained, and secured; who has access to it; and a host of other factors.

The point is that there are too many variables to ever protect against all the possible threats to your information. That is OK; we simply prioritize. We suggest that you schedule a half day to work out the threat-vulnerability pairs by expanding the six threats we have listed. Don't be surprised if you quickly realize that you cannot nullify the majority of them. In point of fact, our IT infrastructure is remarkably similar to the aging bridge problem (a reference to the tragic bridge collapse in Minneapolis).
• The problem didn't happen overnight; it has developed over years
• The strategy of ignoring the problem (officially known as accepting the risk, as it is called in risk management) eventually has to lead to failure

After you have your basic foundation, it is time to start getting hands on. Steve Hailey, an expert in security, suggests: "If you don't already have one, set up a network at home. I recommend that you have at least three computers, at a minimum, and go with removable hard drives. While this sounds costly, you'll find some pretty good deals at used computer stores you have in your area." Another possibility is to take a hands-on course such as the highly acclaimed SANS Security Essentials Bootcamp Style. It is six days of training with evening sessions that covers operating systems, threats and networking: a comprehensive overview of security where you actually work with the things that are discussed. The US Department of Defense has selected it for their training and certification needs in their 8570 instruction.