Fundamentals of information systems security 2nd edition pdf download
Book description: Revised and updated with the latest data in the field, Fundamentals of Information Systems Security, Third Edition provides a comprehensive overview of the essential concepts readers must know as they pursue careers in information systems security.

The text opens with a discussion of the new risks, threats, and vulnerabilities associated with the transition to a digital world. Each chapter in the book has been written by a different expert to ensure you gain a comprehensive understanding of what it takes to develop an effective information security program. The CISSP (Certified Information Systems Security Professional) credential is one of the most respected certifications in the information security industry, demonstrating an advanced comprehension of cybersecurity.

Why is this guide different? This book is extensively researched and documented and will prove extremely effective in preparing you for your certification, providing the latest information according to the most recent CISSP exam curriculum.

Author : Kevin D. Kevin Mitnick shows you how it is done. What are you waiting for? Includes all testable terms, concepts, persons, places, and events. Cram Just the FACTS study guides give all of the outlines, highlights, and quizzes for your textbook, with optional online comprehensive practice tests.

Only Cram is textbook specific. Accompanies: This item is printed on demand. A must for working network and security professionals, as well as anyone in IS seeking to build competence in the increasingly important field of security. Written by three high-profile experts, including Eric Cole, an ex-CIA security guru who appears regularly on CNN and elsewhere in the media, and Ronald Krutz, a security pioneer who co-wrote The CISSP Prep Guide and other security bestsellers. Covers everything from basic security principles and practices to the latest security threats and responses, including proven methods for diagnosing network vulnerabilities and insider secrets for boosting security effectiveness.

WorldCIST is a global forum for researchers and practitioners to present and discuss recent results and innovations, current trends, professional experiences and challenges of modern Information Systems and Technologies research, together with their technological development and applications.

The time to determine what needs to be done, who needs to do it, and how to do it is not when we are faced with a burning emergency.

Detection and analysis

The detection and analysis phase is where the action begins to happen in our incident response process. In this phase, we will detect the occurrence of an issue and decide whether or not it is actually an incident so that we can respond to it appropriately. The detection portion of this phase will often be the result of monitoring of, or alerting based on, the output of a security tool or service.

The analysis portion of this phase is often a combination of automation from a tool or service, usually a SIEM, and human judgment. While we can often use some sort of thresholding to say that X number of events in a given amount of time is normal, or that a certain combination of events is not normal (two failed logins followed by a success, followed by a password change, followed by the creation of a new account, for instance), we will often want human intervention at a certain point when discussing incident response.
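The two kinds of automated analysis just described, a simple threshold rule and an ordered-sequence rule, run over a handful of constructed log lines. This is an added example, not code from the original text or from any SIEM product; the log format, event names, time windows and limits are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <event>".
# alice shows the suspicious sequence from the text, bob is benign,
# carol trips a plain failure-count threshold but never logs in.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice LOGIN_FAILED
2024-03-01T09:00:05 alice LOGIN_FAILED
2024-03-01T09:00:09 alice LOGIN_SUCCESS
2024-03-01T09:01:30 alice PASSWORD_CHANGED
2024-03-01T09:02:10 alice ACCOUNT_CREATED
2024-03-01T09:05:00 bob LOGIN_FAILED
2024-03-01T09:05:04 bob LOGIN_SUCCESS
2024-03-01T10:30:00 bob PASSWORD_CHANGED
2024-03-01T11:00:00 carol LOGIN_FAILED
2024-03-01T11:00:02 carol LOGIN_FAILED
2024-03-01T11:00:03 carol LOGIN_FAILED
2024-03-01T11:00:06 carol LOGIN_FAILED
2024-03-01T11:00:09 carol LOGIN_FAILED
2024-03-01T11:00:12 carol LOGIN_FAILED
"""

# The combination of events the text calls out: the order matters.
SUSPICIOUS_SEQUENCE = ["LOGIN_FAILED", "LOGIN_FAILED", "LOGIN_SUCCESS",
                       "PASSWORD_CHANGED", "ACCOUNT_CREATED"]


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, kind = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, kind))
    return events


def threshold_alerts(events, kind="LOGIN_FAILED", limit=5, window=timedelta(minutes=1)):
    """Thresholding: more than `limit` events of `kind` for one user inside a sliding `window`."""
    alerts = set()
    recent = {}  # user -> timestamps of matching events still inside the window
    for e in events:
        if e.kind != kind:
            continue
        q = recent.setdefault(e.user, [])
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.pop(0)  # expire timestamps that fell out of the window
        if len(q) > limit:
            alerts.add(e.user)
    return sorted(alerts)


def sequence_alerts(events, sequence=SUSPICIOUS_SEQUENCE, window=timedelta(minutes=10)):
    """Ordered matching per user: a cursor advances through `sequence` as events arrive,
    and the whole sequence must complete within `window` of its first event.
    Any other event for that user resets the match (a production correlation rule
    would normally tolerate unrelated events in between)."""
    alerts = []
    state = {}  # user -> (position in sequence, timestamp of first matched event)
    for e in events:
        idx, start = state.get(e.user, (0, None))
        if start is not None and e.ts - start > window:
            idx, start = 0, None  # took too long; start over
        if e.kind == sequence[idx]:
            start = start or e.ts
            idx += 1
            if idx == len(sequence):
                alerts.append((e.user, start, e.ts))
                idx, start = 0, None
        elif e.kind == sequence[0]:
            idx, start = 1, e.ts  # this event begins a fresh attempt
        else:
            idx, start = 0, None
        state[e.user] = (idx, start)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("threshold:", threshold_alerts(evs))
    print("sequence:", sequence_alerts(evs))
```

The threshold rule fires on carol (six failures in twelve seconds) and says nothing about alice, whose two failures are unremarkable on their own; the sequence rule is what surfaces alice, because it is the combination and order of her events that is abnormal. Either alert is still only the hand-off to the human analysis the text describes.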

Such human intervention will often involve review of logs output by various security, network, and infrastructure devices, contact with the party that reported the incident, and general evaluation of the situation. When the incident handler evaluates the situation, they will make a determination regarding whether the issue constitutes an incident or not, an initial evaluation as to the criticality of the incident (if any), and contact any additional resources needed to proceed to the next phase.

Containment, eradication, and recovery

The containment, eradication, and recovery phase is where the majority of the work takes place to actually solve the incident, at least in the short term.

Containment involves taking steps to ensure that the situation does not cause any more damage than it already has, or to at least lessen any ongoing harm. If the problem involves a malware-infected server actively being controlled by a remote attacker, this might mean disconnecting the server from the network, putting firewall rules in place to block the attacker, and updating signatures or rules on an Intrusion Prevention System (IPS) in order to halt the traffic from the malware.

During eradication, we will attempt to remove the effects of the issue from our environment. In the case of our malware infected server, we have already isolated the system and cut it off from its command and control network. Now we will need to remove the malware from the server and ensure that it does not exist elsewhere in our environment.

This might involve additional scanning of other hosts in the environment to ensure that the malware is not present, and examination of logs on the server and of activity from the attacking devices on the network, in order to determine what other systems the infected server had been in communication with. With malware, particularly very new malware or variants, it can be tricky to ensure that we have properly completed this task.

The adversary is constantly developing countermeasures to the most current security tools and methodologies. Whenever doubt exists as to whether malware or attackers have been truly evicted from our environment, we should err on the side of caution while balancing the impact to operations. Each event requires a risk assessment. Lastly, we need to recover to a better state than the one we were in prior to the incident, or perhaps prior to when the issue started, if we did not detect the problem immediately.

This would potentially involve restoring devices or data from backup media, rebuilding systems, reloading applications, or any of a number of similar activities. Additionally, we need to mitigate the attack vector that was used. Again, this can be a more painful task than it initially sounds, given potentially incomplete or unclear knowledge of the situation surrounding the incident and of what exactly took place.

We may find that we are unable to verify that backup media is actually clean and free of infection, backup media may be bad entirely, application install bits may be missing, configuration files may not be available, and any of a number of similar issues may arise.

Post incident activity

Post incident activity, as with preparation, is a phase we can easily overlook, but we should ensure that we do not. In the post incident activity phase, often referred to as a postmortem (Latin for "after death"), we attempt to determine specifically what happened, why it happened, and what we can do to keep it from happening again. This is not just a technical review, as policies or infrastructure may need to be changed. The purpose of this phase is not to point fingers or place blame (although this does sometimes happen), but ultimately to prevent or lessen the impact of future such incidents.

Defense in depth

Defense in depth is a strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still achieve a successful defense should one or more of our defensive measures fail. In Figure 1. Given well-implemented defenses at each layer, we will make it very difficult to successfully penetrate deeply into our network and attack our assets directly.

One important concept to note when planning a defensive strategy using defense in depth is that it is not a magic bullet. No matter how many layers we put in place, or how many defensive measures we place at each layer, we will not be able to keep every attacker out for an indefinite period of time, nor is this the ultimate goal of defense in depth in an information security setting.

The goal is to place enough defensive measures between our truly important assets and the attacker so that we will both notice that an attack is in progress and also buy ourselves enough time to take more active measures to prevent the attack from succeeding. We can see exactly such a strategy in the theater release of the Batman movie, The Dark Knight. The production company for the movie, Warner Bros.

Even with all the time and resources spent to prevent piracy of the movie, it was found on a file-sharing network 38 hours after it was released [4]. For Warner Bros.

Layers

When we look at the layers we might place in our defense in depth strategy, we will likely find that they vary given the particular situation and environment we are defending. As we discussed, from a strictly logical information security perspective, we would want to look at the external network, network perimeter, internal network, host, application, and data layers as areas to place our defenses.

We could add complexity to our defensive model by including other vital layers such as physical defenses, policies, user awareness and training, and a multitude of others, but we will stay with a simpler example for the time being. As we progress through the book, we will return to the concept of defense in depth as we discuss security for more specific areas.

As we can see in Figure 1. In some cases, we see a defensive measure listed in multiple layers, as it applies in more than one area. As we move through the book, we will discuss each of these areas in greater detail, and the specific defenses we might want to use for each.

Information security in the real world

The concepts we discussed in this chapter are foundational to information security and are used on a regular basis in the course of normal information security tasks in many organizations.

We will often find that security incidents are described in terms of their effects, such as breaches of confidentiality, or the authenticity of a given e-mail message. Information security is a daily concern for organizations of any size, particularly those that handle any type of personal information, financial data, health-care data, educational data, or other types of data that are regulated by the laws of the country in which they operate.

In the case of an organization that does not take the time to properly put itself on a good footing as it relates to information security, the repercussions can be severe in the sense of reputational impact, fines, lawsuits, or even the inability to continue conducting business if critical data is irretrievably lost. In short, information security is a key component of the modern business world.

SUMMARY

Information security is a vital component of an era in which data regarding countless individuals and organizations is stored in a variety of computer systems, often not under our direct control. When discussing information security in a general sense, it is important to remember that security and productivity are often diametrically opposing concepts, and that being able to point out exactly when we are secure is a difficult task.

When discussing information security issues or situations, it is helpful to have a model by which to do so. Two potential models are the CIA triad, composed of confidentiality, integrity, and availability, and the Parkerian hexad, composed of confidentiality, integrity, availability, possession or control, authenticity, and utility.

When we look at the threats we might face, it is important to understand the concept of risk. We only face risk from an attack when a threat is present and we have a vulnerability which that particular threat can exploit. In order to mitigate risk, we use three main types of controls: physical, logical, and administrative. Defense in depth is a particularly important concept in the world of information security. To build defensive measures using this concept, we put in place multiple layers of defense, each giving us an additional layer of protection.

The idea behind defense in depth is not to keep an attacker out permanently but to delay him long enough to alert us to the attack and to allow us to mount a more active defense.

Explain the difference between a vulnerability and a threat.

List six items that might be considered logical controls.

What term might we use to describe the usefulness of data?

Which category of attack is an attack against confidentiality?

How do we know at what point we can consider our environment to be secure?

Using the concept of defense in depth, what layers might we use to secure ourselves against someone removing confidential data from our office on a USB flash drive?

Based on the Parkerian hexad, what principles are affected if we lose a shipment of encrypted backup tapes that contain personal and payment information for our customers?

If we develop a new policy for our environment that requires us to use complex and automatically generated passwords that are unique to each system and are a minimum of 30 characters in length, such as!

Considering the CIA triad and the Parkerian hexad, what are the advantages and disadvantages of each model?

In short, identification is the claim of what someone or something is, and authentication establishes whether this claim is true. We can see such processes taking place on a daily basis in a wide variety of ways. One very common example of an identification and authentication transaction can be found in the use of payment cards that require a personal identification number (PIN).

When we swipe the magnetic stripe on the card, we are asserting that we are the person indicated on the card. At this point, we have given the identification but nothing more. When we are prompted to enter the PIN associated with the card, we are completing the authentication portion of the transaction. Some of the identification and authentication methods that we use in daily life are particularly fragile and depend largely on the honesty and diligence of those involved in the transaction.

Many such exchanges that involve the showing of identification cards, such as the purchase of items restricted to those above a certain age, are based on the theory that the identification card being displayed is genuine and accurate.

We also depend on the person or system performing the authentication being competent and capable of not only performing the act of authentication but also being able to accurately detect false or fraudulent activity. We can use a number of methods for identification and authentication, from the simple use of usernames and passwords, to purpose-built hardware tokens that serve to establish our identity in multiple ways. We will discuss several of these methods and how they are used throughout the chapter.

Identification

Identification, as we mentioned in the preceding section, is simply an assertion of who we are. This may include who we claim to be as a person, who a computer system claims to be over the network, who the originating party of an e-mail claims to be, what authority we claim to have, or similar transactions.

It is important to note that the process of identification does not extend beyond this claim and does not involve any sort of verification or validation of the identity that we claim. That part of the process is referred to as authentication and is a separate transaction.

Who we claim to be

Who we claim to be is a tenuous concept, at best. We can identify ourselves by our full names, shortened versions of our names, images of ourselves, nicknames, account numbers, usernames, ID cards, fingerprints, DNA samples, and an enormous variety of other methods.

Who we claim to be can, in many cases, be an item of information that is subject to change. For instance, our names can change, as in the case of women who change their last name upon getting married, people who legally change their name to an entirely different name, or even people who simply elect to use a different name.

In addition, we can generally change logical forms of identification very easily, as in the case of account numbers, usernames, and the like. Even physical identifiers, such as height, weight, skin color, and eye color, can be changed.

One of the most crucial factors to realize when we are working with identification is that an unverified claim of identity is not reliable information on its own.

Identity verification

Identity verification is a step beyond identification, but it is still a step short of authentication, which we will discuss in the next section.

As an identity verification, this is very superficial, at best. We can take the example a bit further and validate the form of identification, say, a passport, against a database holding an additional copy of the information that it contains, and match the photograph and physical specifications with the person standing in front of us.

This may get us a bit closer, but we are still not at the level of surety we gain from authentication. Identity verification is used not only in our personal interactions but also in computer systems. In many cases, such as when we send an e-mail, the identity we provide is taken to be true, without any additional steps taken to authenticate us.

Such gaps in security contribute to the enormous amount of spam traffic that we see, estimated to have accounted for

Falsifying identification

As we have discussed, methods of identification are subject to change. As such, they are also subject to falsification. This constant struggle between security measures and criminals is also going on in the virtual world.

On a slightly more sinister note, such falsified means of identification are also used by criminals and terrorists for a variety of tasks of a nefarious nature. This type of attack is unfortunately common and easy to execute. Given a minimal amount of information, usually a name, address, and Social Security number are sufficient, it is possible to impersonate someone to a sufficient degree to be able to act as that person in many cases. Victims of identity theft may find that lines of credit, credit cards, vehicle loans, home mortgages, and other transactions have taken place using their stolen identity.

Such crimes are made easier due to the lack of authentication requirements for many of the activities in which we engage. In most cases, the only check that takes place is identity verification, as we discussed in the preceding section. This process is a small obstacle, at best, and can easily be circumvented using falsified forms of identification. To rectify this situation, we need to complete the process of identifying and authenticating the people involved in these transactions, in order to at least more conclusively prove that we are actually interacting with the people we believe we are.

In the case of individuals, this is not an unsolvable technical problem by any extent, but it is more of a people problem. When we look at similar issues for computer systems and environments, we can see many of the same difficulties. It is entirely possible to send an e-mail from an address that is different from the actual sending address, and this tactic is used by spammers and social-engineering-based attacks on a regular basis.

We can see the same problems in many other systems and protocols that are in daily use and are part of the functionality of the Internet. We will discuss such issues at greater length in Chapter

Authentication

Authentication is, in an information security sense, the set of methods we use to establish a claim of identity as being true.

It is important to note that authentication only establishes whether the claim of identity that has been made is correct. Authentication does not imply anything about what the party being authenticated is allowed to do; this is a separate task known as authorization.

We will discuss authorization at greater length in Chapter 3, but the important thing to understand for now is that authentication needs to take place first.

Factors

In terms of authentication, there are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use. When we are attempting to authenticate a claim of identity, the more factors we use, the more confidence we can have in the result.

Something you know is a very common authentication factor. This can include passwords, PINs, passphrases, or most any item of information that a person can remember. We can see a very common implementation of this in the passwords we use to log in to our accounts on computers. This is somewhat of a weak factor because if the information the factor depends on is exposed, this can nullify the uniqueness of our authentication method. Something you are is a factor based on the relatively unique physical attributes of an individual, often referred to as biometrics.

This factor can be based on simple attributes, such as height, weight, hair color, or eye color, but these do not tend to be unique enough to make very secure identifiers.

More commonly used are more complex identifiers such as fingerprints, iris or retina patterns, or facial characteristics. This factor is a bit stronger, as forging or stealing a copy of a physical identifier is a somewhat more difficult, although not impossible, task. There is some question as to whether biometrics truly is an authentication factor or whether it really only constitutes verification. We will discuss this again later in the chapter when we cover biometrics in greater depth.

Something you have is a factor generally based on the physical possession of an item or a device, although this factor can extend into some logical concepts as well. We can see such factors in general use in the form of ATM cards, state or federally issued identity cards, or software-based security tokens, as shown in Figure 2. This factor can vary in strength depending on the implementation.

In the case of a security token, we would actually need to steal a specific device in order to falsify the authentication method. In the case of access to an e-mail address being used as this type of factor, we have a measure of considerably less strength. Something you do, sometimes considered a variation of something you are, is a factor based on the actions or behaviors of an individual. These factors present a very strong method of authentication and are very difficult to falsify or to use to create false positives.

They do, however, have the potential to create false negatives and incorrectly reject legitimate users at a higher rate than some of the other factors, resulting in denials for some users who should actually be authenticated. Where you are is a geographically based authentication factor. This factor operates differently than the other factors, as its method of authentication depends on the person being authenticated being physically present at a particular location or locations.

The most common implementation of this is for servers to only be accessible from a terminal in the server room. This factor, although potentially of less utility than some of the other factors, is very difficult to counter without entirely subverting the system performing the authentication or gaining physical access.

Multifactor authentication

Multifactor authentication uses two or more of the different factors we discussed in the preceding section. Two methods from the same factor, such as a password and a PIN, do not make a second factor.

This practice is also referred to, in some cases, as two-factor authentication when we are using only two factors, but multifactor authentication encompasses this term as well. We can see a common example of multifactor authentication in using an ATM. Our ATM card does double duty as both a factor for authentication and a form of identification.

We can see a similar example in writing checks that draw on a bank account—in this case, something we have, the checks themselves, and something we do, applying our signature to them. Here, the two factors involved in writing a check are rather weak, so we sometimes see a third factor, a fingerprint, applied to them. We could also argue that the signature and fingerprint are, in this case, not actually authentication, but rather verification, a much less robust process that we discussed when talking about identity earlier in the chapter.

Depending on the particular factors selected, we can assemble stronger or weaker multifactor authentication schemes in a given situation. In some cases, although certain methods may be more difficult to defeat, they are not practical to implement. As we discussed in Chapter 1, when discussing security, we need to be careful to build security that is reasonably proportionate to what we are protecting.

Mutual authentication

Mutual authentication refers to an authentication mechanism in which both parties authenticate each other.

In the standard authentication process, which is one-way authentication only, the client authenticates to the server to prove that it is the party that should be accessing the resources the server provides. In mutual authentication, not only does the client authenticate to the server, but the server authenticates to the client as well. Mutual authentication is often implemented through the use of digital certificates, which we will discuss at greater length in Chapter 5.

Briefly, both the client and the server would have a certificate to authenticate the other. In cases where we do not perform mutual authentication, we leave ourselves open to impersonation attacks, often referred to as man-in-the-middle attacks. In the man-in-the-middle attack, the attacker inserts himself between the client and the server and impersonates the server to the client, and the client to the server, as shown in Figure 2.

This is done by circumventing the normal pattern of traffic, then intercepting and forwarding the traffic that would normally flow directly between the client and the server. If we implement mutual authentication, this becomes a considerably more difficult attack to carry out for the attacking party. Mutual authentication can also be used in combination with multifactor authentication, with the latter generally taking place on the client side only.
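The difference between the two exchanges, shown with a shared-key challenge-response protocol instead of certificates so that it runs with no key material to set up. This is an added example, not the book's code or any real protocol; the role labels, nonce sizes and the hard-coded key are assumptions, and an attacker is modelled as a party that sits where the server should be without knowing the key.

```python
import hashlib
import hmac
import os

# Constructed example key; a real deployment would use certificates (mutual TLS)
# or a provisioned per-device secret, never a constant in source.
SHARED_KEY = b"example-key-not-for-production"


def proof(key, role, challenge):
    """HMAC over a role label and the challenge. The label keeps a proof made
    in one direction from being replayed as a proof in the other."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Party:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def prove(self, role, challenge):
        return proof(self.key, role, challenge)

    def verify(self, role, challenge, p):
        return hmac.compare_digest(proof(self.key, role, challenge), p)


class Impostor(Party):
    """Man in the middle standing in for the server: no knowledge of the key,
    and happy to 'accept' whatever the client presents."""
    def __init__(self):
        super().__init__("impostor", os.urandom(32))

    def verify(self, role, challenge, p):
        return True


def one_way_auth(client, server):
    """Only the client proves itself. Returns (client accepts server, server accepts client).
    The client performs no check at all, so its side is unconditionally True."""
    challenge = os.urandom(16)
    p = client.prove(b"client", challenge)
    return True, server.verify(b"client", challenge, p)


def mutual_auth(client, server):
    """Both sides prove knowledge of the key over nonces contributed by both."""
    cn, sn = os.urandom(16), os.urandom(16)          # client nonce, server nonce
    server_proof = server.prove(b"server", cn + sn)   # server goes first
    if not client.verify(b"server", cn + sn, server_proof):
        return False, False                           # client refuses to continue
    client_proof = client.prove(b"client", sn + cn)
    return True, server.verify(b"client", sn + cn, client_proof)


def demo():
    client = Party("client", SHARED_KEY)
    server = Party("server", SHARED_KEY)
    mitm = Impostor()
    return {
        "one_way_genuine": one_way_auth(client, server),
        "one_way_impostor": one_way_auth(client, mitm),
        "mutual_genuine": mutual_auth(client, server),
        "mutual_impostor": mutual_auth(client, mitm),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} client_ok={result[0]} server_ok={result[1]}")
```

With one-way authentication the client hands its proof to whoever answers, so the impostor's session "succeeds" on both sides and the client has no way to tell. With mutual authentication the impostor cannot produce the server proof and the client stops before sending anything. The caveat a practitioner should keep in mind: these proofs only authenticate the handshake. A real protocol derives a session key from the same exchange, as TLS does, so that the traffic that follows is bound to the two parties who authenticated.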

Multifactor authentication from the server back to the client would be not only technically challenging but also impractical in most environments. Conceivably, we could implement mutual multifactor authentication in an extremely high security environment, but this would result in a very large loss in productivity.

Passwords

Passwords are familiar to the vast majority of us who use computers regularly, as they are still the most common form of authentication.

In combination with a username, a password will generally allow us access to a computer system, an application, a phone, or similar devices.

Passwords, although only a single factor of authentication, can, when constructed and implemented properly, represent a relatively high level of security.

When we describe a password as being strong, we do not provide an immediately accurate image of what we are discussing. A better descriptive term might be complex, in order to communicate the important concepts inherent to building a password. If we construct a password that is all lowercase letters and is eight characters long, we can use a password-cracking utility, which we will discuss further in Chapter 12, to crack the password in a minute or two, given a reasonably strong computer on which to run the cracking tool.

If we use the same eight-character password but use both upper- and lowercase letters, it will take the password cracker around 6 days to break the password. If we add numbers into the mix, it will take a little more than 25 days to break our password. If we use multiple computers, these times can be reduced. The particular figures depend on the hardware and the cracking tool; what does not change is the ratio between the sizes of the keyspaces, which is fixed by the size of the character set and the length of the password. If we use the recommended password construction method for creating strong passwords, we would create a password that was constructed of uppercase letters, lowercase letters, numbers, and symbols, such as punctuation marks.

More advanced

The type of password cracking we are discussing here is called brute force cracking. This involves trying every possible combination of characters that the password could be composed of, in sequence, until we try them all. Given a powerful system on which to run the cracker and a poorly constructed password, this can be a very effective means of recovering passwords. We will discuss this at greater length in Chapter

The problem with locking users out lies in the impact to productivity and the cost of the administrators' time to subsequently unlock accounts.

In addition to constructing strong passwords, we also need to be careful to practice good password hygiene. One problem with strong passwords is that they can be difficult to remember. This might encourage us to take steps to remember our passwords, such as writing them down and posting them in a handy place, perhaps under our keyboard or on our monitor.

This, of course, completely defeats the purpose of having a password if someone comes snooping around our desk. There are a number of arguments for and against such tools, but when they are used carefully, they can be of assistance in maintaining good password hygiene. Another password security issue is manual synchronization of passwords, in short, using the same password everywhere.

If we use the same password for our e-mail, for our log-in at work, for our online knitting discussion forum, and everywhere else, we are placing the security of all our accounts in the hands of each system owner where we use the same password. If any one of them is compromised and its password exposed, we have a serious problem.

All an attacker needs to do is look up our account name, luv2knit, on the Internet to find some of the places where the same name is used and start trying our password. By the time the attacker gets into our e-mail account, the game is over.

Biometrics

When we look at biometrics, we should consider what exactly it is that we are doing when we use it as an authentication factor.

When we complete an authentication transaction with a biometric identifier, we are essentially asking the user to provide evidence that he or she is who he or she claims to be; this is, by definition, verification, and not authentication.

At some point in the future, we will need to develop more robust biometric characteristics to measure or stop using biometrics as an authentication mechanism. It pays to research such devices carefully before we depend on them for security, as some of the cheaper versions are very easily bypassed.

We can use them to verify the claim of identity that someone has put forth, as we discussed earlier, or we can reverse the process and use biometrics as a method of identification. This process is commonly used by law enforcement agencies to identify the owner of fingerprints that have been left on various objects, and can be a very time-consuming effort, considering the sheer size of the fingerprint libraries held by such organizations.

We also see similar use in the comparison of DNA samples taken from suspects in crimes with physical evidence recovered from the crime scene. To use a biometric system in either manner, we need to put the user through the enrollment process. Enrollment involves recording the chosen biometric characteristic from the user, for instance, making a copy of a fingerprint, and recording the characteristic in the system. Processing of the characteristic may also include noting certain parts of the image, depending on the characteristic in question, to use for later matching in the system.
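The two ways of using a biometric just described, 1:1 verification of a claimed identity and 1:N identification against a whole library, together with the enrollment step and the false-reject/false-accept trade-off mentioned under the "something you do" factor. This is an added example, not the book's code or any real biometric product: the "biometric" is a constructed 256-bit code compared by Hamming distance (the way iris codes are compared in practice), fresh captures are simulated by flipping a fraction of the bits, and the population, noise level and thresholds are all assumptions.

```python
import random

CODE_BITS = 256  # size of the simulated biometric template


def random_code(rng):
    """A person's 'true' biometric, unknown to the system except through captures."""
    return [rng.randint(0, 1) for _ in range(CODE_BITS)]


def noisy_sample(code, flip_fraction, rng):
    """Simulate a fresh capture: each bit flips independently with probability flip_fraction."""
    return [b ^ (1 if rng.random() < flip_fraction else 0) for b in code]


def hamming_fraction(a, b):
    """Fraction of bit positions that differ: ~0.5 for unrelated people, small for the same person."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def enroll(db, user, captures):
    """Enrollment: build one template from several captures by majority vote per bit."""
    db[user] = [1 if 2 * sum(c[i] for c in captures) > len(captures) else 0
                for i in range(CODE_BITS)]


def verify(db, claimed_user, capture, threshold):
    """1:1 verification: compare the capture only against the claimed identity's template."""
    return hamming_fraction(db[claimed_user], capture) <= threshold


def identify(db, capture, threshold):
    """1:N identification: search every template for the closest one, as in a fingerprint library."""
    best = min(db, key=lambda u: hamming_fraction(db[u], capture))
    return best if hamming_fraction(db[best], capture) <= threshold else None


def make_population(users=20, captures=3, noise=0.10, seed=1):
    rng = random.Random(seed)  # fixed seed keeps the simulation reproducible
    truth = {u: random_code(rng) for u in range(users)}
    db = {}
    for u, code in truth.items():
        enroll(db, u, [noisy_sample(code, noise, rng) for _ in range(captures)])
    return truth, db, rng


def error_rates(threshold, trials=50, noise=0.10):
    """False reject rate and false accept rate at a given threshold.
    Each genuine capture is also presented under a different user's claimed identity."""
    truth, db, rng = make_population(noise=noise)
    users = len(truth)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        for u, code in truth.items():
            capture = noisy_sample(code, noise, rng)
            if not verify(db, u, capture, threshold):
                false_rejects += 1
            if verify(db, (u + 1) % users, capture, threshold):
                false_accepts += 1
    n = trials * users
    return false_rejects / n, false_accepts / n


def demo_identify(threshold=0.25):
    truth, db, rng = make_population()
    capture = noisy_sample(truth[3], 0.10, rng)  # a fresh capture from user 3
    return identify(db, capture, threshold)


if __name__ == "__main__":
    for t in (0.10, 0.25, 0.45):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: false reject {frr:.3f}, false accept {far:.3f}")
    print("identified as user", demo_identify())
```

A tight threshold (0.10) rejects most legitimate users while accepting no impostors; a loose one (0.45) accepts everyone it should but starts admitting impostors; in between, both rates are near zero for this simulated population. Real systems tune exactly this knob, and the error rates are properties of the chosen characteristic and capture quality, not something a policy can legislate away.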

An iris scan data file can be compromised, and there is no requirement that the affected users be notified. Additionally, some biometrics can reveal personal information. For example, an iris scan can identify changes that indicate that a woman is pregnant.

Characteristics

Biometric factors are defined by seven characteristics: universality, uniqueness, permanence, collectability, performance, acceptability, and circumvention [4].

Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system. For instance, although we might be able to use a scar as an identifier, we cannot guarantee that everyone will have a scar.

Even if we choose a very common characteristic, such as a fingerprint, we should take into account that some people may not have an index finger on their right hand and be prepared to compensate for this. Uniqueness is a measure of how unique a particular characteristic is among individuals. For example, if we choose to use height or weight as a biometric identifier, we would stand a very good chance of finding several people in any given group who are of the same height or weight.

We can select characteristics with a higher degree of uniqueness, such as DNA, or iris patterns, but there is always a possibility of duplication, whether intentional or otherwise.

Permanence tests show how well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user. We can instead use factors such as fingerprints that, although they can be altered, are unlikely to be altered without deliberate action.

Collectability measures how easy it is to acquire a characteristic with which we can later authenticate a user. If we choose a characteristic that is more difficult to acquire, such as a footprint, the user will need to remove his shoe and sock in order to enroll and to authenticate again later, which is considerably more troublesome than taking a fingerprint.

These can change over time. Today there are efforts to be able to collect iris scans from a distance so the users can be identified while they walk toward the device and they never even have to stop. Performance is a set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate. We will discuss the performance of biometric systems at greater length later in this section. Acceptability is a measure of how acceptable the particular characteristic is to the users of the system.

In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user [5]. Systems that require users to remove their clothes, touch devices that have been repeatedly used by others, or provide tissue or bodily fluids will likely not enjoy a high degree of acceptability. Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier. Some of the newer generations of biometric systems have features specifically designed to defeat such attacks by measuring skin temperature, pulse, pupillary response, and a number of other items.

Measuring performance

We can look at many factors when measuring the performance of a biometric system, but a few primary metrics stand out as being particularly important for gauging how well the system is working.

The false acceptance rate (FAR) measures how often we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive. The false rejection rate (FRR) measures the opposite problem: rejecting a legitimate user whom we should have accepted.

This type of issue is commonly known outside the world of biometrics as a false negative. Either of these situations is undesirable in excess. What we try to achieve with such systems is a balance between the two error types, referred to as an equal error rate (EER) [6].
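The following is an added worked example, not code from the book: it computes FAR, FRR and the EER from constructed matcher scores. A biometric matcher compares a live sample against the enrolled template and emits a similarity score; the system accepts when that score meets a decision threshold. The two score lists are invented for illustration (they are not real sensor output), and the helper names (far, frr, equal_error_rate, threshold_for_max_far) are this example's own. Sweeping the threshold shows the trade-off the text describes: raising it lowers FAR and raises FRR, and the EER is the point where the two meet.

```python
"""Added example: FAR, FRR and EER from constructed biometric matcher scores."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1] for a hypothetical matcher.
# Genuine: legitimate users compared against their own enrolled template.
GENUINE_SCORES: List[float] = [0.95, 0.91, 0.88, 0.84, 0.80, 0.77, 0.73, 0.69, 0.62, 0.55]
# Impostor: other people's samples compared against that same template.
IMPOSTOR_SCORES: List[float] = [0.71, 0.66, 0.60, 0.57, 0.52, 0.48, 0.44, 0.39, 0.33, 0.28]


def far(impostor_scores: List[float], threshold: float) -> float:
    """False acceptance rate: share of impostor attempts accepted because their
    score reached the threshold (a false positive in non-biometric terms)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores: List[float], threshold: float) -> float:
    """False rejection rate: share of legitimate attempts rejected because their
    score fell below the threshold (a false negative in non-biometric terms)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def thresholds() -> List[float]:
    """Candidate decision thresholds 0.00, 0.01, ..., 1.00."""
    return [round(i / 100, 2) for i in range(0, 101)]


def error_rates(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold. FAR falls and FRR
    rises as the threshold is raised; no single threshold minimizes both."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds()]


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the EER (their mean there).
    Ties resolve to the lowest such threshold."""
    best = min(error_rates(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))
    t, a, r = best
    return t, (a + r) / 2


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with the FAR and the
    FRR paid for it. A deployment that fears false acceptances more than user
    friction tunes here rather than at the EER, and accepts the higher FRR."""
    for t, a, r in error_rates(genuine, impostor):
        if a <= max_far:
            return t, a, r
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, a, r in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES):
        if 0.50 <= t <= 0.75:  # the region where the score distributions overlap
            print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    eer_t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER={eer:.2f} at threshold {eer_t:.2f}")
    strict_t, strict_far, strict_frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05)
    print(f"FAR<=5%: threshold {strict_t:.2f} (FAR={strict_far:.2f}, FRR={strict_frr:.2f})")
```

With these constructed scores the distributions overlap between about 0.55 and 0.71, so the EER is 20% at a threshold of 0.63; forcing FAR down to 5% or less pushes the threshold to 0.72 and the FRR up to 30%, which is the acceptability cost the text warns about. Real systems report these figures over far larger populations, but the computation is the same.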

EER is sometimes used as a measure of the accuracy of biometric systems.

Issues

There are several issues common to biometric systems. As we mentioned when discussing circumvention, some biometric identifiers can be easily forged.


