TRANSCRIPT
-
Information Security Foundations
-
This 4-hour workshop describes the fundamentals of information security
Designed for all IT employees at Harvard
Welcome to Information Security Foundations!
-
Be familiar with the principles of information security
Understand terminology used in information security
Integrate information security into every IT role and function at Harvard
Relate security principles to sample situations
Hypothesize security design flaws that enabled recently reported breaches; identify lessons learned for Harvard
Course Objectives
-
Information Security & The T-Shaped Professional
The T-shaped model is about depth & breadth of expertise
• Keep up with changing technologies and their impact on higher education
• Maintain a service mindset and trusted advisor relationships
Information Security is a core practice
• Cuts across all disciplines – Impacts the “what and the how” of IT services
-
Breaks and End time
Electronics – Please mute
Restrooms and Fire Exits
Administrative Notes
-
Name
Where you work
Your role within information security
What you hope to get out of today’s course
Introductions
-
Information Security Principles
• Information Security’s role
• Threats, vulnerabilities, and risks
• Policy and standards to manage risk
Secure by Design
• Data Security
• System and Application Security
• Cloud Considerations
Information Security Case Studies
Agenda
-
Information security ensures authorized people and systems will have access to reliable data when they need it.
“It’s not like a secure version of Microsoft Word is
any better at spell checking or formatting your
document. It’s about the stuff that doesn’t
happen.”
Stephen Chong
Associate professor of computer science
Trusting the system: Innovations for an insecure world
http://www.seas.harvard.edu/topics/topics-fall-2015/trusting-system-innovations-for-insecure-world
What are examples of things gone wrong?
-
Security, Privacy, and Trust: Access to Electronic Information
http://hwpi.harvard.edu/files/provost/files/policy_on_access_to_electronic_information.pdf
https://youtu.be/9nTpN97KYaM?t=683
-
IT Professional Code of Conduct
http://huit.harvard.edu/it-professional-code-conduct-protect-electronic-information
Being a Trusted Advisor
1. We only obtain the information we need to perform our job or which we
have been directed to obtain by proper University or legal authorities.
2. We only use the information gathered for the purpose for which it was
obtained, properly protect the information while in our possession, and
dispose of it properly once it is no longer needed for business
purposes.
3. We will not peruse or examine user’s electronic information for any
purpose other than to address a specific issue.
4. We understand any failure to meet the Code of Conduct is considered
a violation of trust and is grounds for disciplinary action up to and
including dismissal.
5. We will sign a yearly acknowledgment that we have received, read, and
understood this Code of Conduct.
-
The “Big Four” Behaviors for Everyone
• Click wisely
• Apply updates
• Use strong passwords
• Know your data
You help keep Harvard secure.
http://security.harvard.edu
-
InfoSec Professionals Keep the Lights On!
Business goal: illuminate room using energy-efficient LED bulbs in ceiling fixtures
Attacker: defeat goal! (Suggest 10 methods)
InfoSec professional: consider reasonable controls to reduce vulnerabilities
-
Threats, Vulnerabilities, and Risks
Threat Agent | Exploits a vulnerability | Resulting in a risk
Cyber criminal | Unrestricted domain admin account | Exfiltration or destruction of research data – lost grant $
Employee | SSNs never purged despite records retention policy | Privacy breach is 4x larger than active record base
Hacktivism group | Unpatched WordPress or ColdFusion on website | Defaced website causes public embarrassment
Emerging technology | Coursework not accessible on new tablet OS | Students create insecure app that leaks student data
For any risk – consider the probability and impact if the threat and vulnerability come together.
Security seeks to balance the cost of controls against potential losses and gains, to keep the business successful.
-
Data Classification and Handling: A Risk-Based Approach
Do you know the data you work with? Does the data owner?
Policy.security.harvard.edu
-
Workbook Quiz: What is the risk level?
Financial Aid Application Detail
Course Catalog
Pre-Publication Research Report
Gang research with member names
Vendor Contract
-
Break: 10 minutes
-
Secure by Design: Part 1
-
Secure by Design: Part 1
Common Design Errors
Identification & Authentication
Authorization
Owner-Defined Authorization
Identity & Access Administration
Data Integrity and Confidentiality (Hashing and Encryption)
Small Group Activity: Protect De-Identified Research Data
-
Secure by Design: Common Errors
-
Identification & Authentication
…because we can’t ALL be Spartacus
https://youtu.be/5_pKKO35Kh4?t=17
-
Identification: the act of a subject (i.e., user, process, or program) asserting who it claims to be, e.g., presenting a username. Identification alone proves nothing.
Authentication: positive proof of the asserted identity through a recognized credential, e.g., password, token, or code.
2-Step (aka 2-Factor) Authentication: required presentation of two different types of credentials from the following:
• Something you know (e.g., password)
• Something you have (e.g., code sent to your smartphone)
• Something you are (e.g., fingerprint)
Two credentials of the same type (two passwords) are not two factors.
Identification & Authentication
-
Which access accounts/methods are risky and may need stronger authentication?
Where do you use these methods?
-
Authorization: Specific Allowed Actions
Authorization = rights and privileges associated with a subject to access specified resources and perform certain actions.
Group Authorization (criteria-based: no specific request process)
• 18+ = can be in night club
• 21+ = can drink alcohol
Individual Authorization: a manager can view certain records and conduct specific transactions
-
Least Privilege: the practice of limiting access to the minimal level that will allow normal functioning.
• This can be applied to accounts associated with people, processes and programs.
Segregation of Duties: an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
Authorization: Guiding Practices
Where do “least privilege” and “segregation of duties” fit into the club and PeopleSoft examples?
-
Owner-Defined Authorization = Error-Prone
If everyone can set audience and authorization levels… then everyone IS responsible for a data protection project!
-
ALL organizations struggle with this cycle.
Why is Identity and Access Management difficult?
• Things change over time
• Organizations tend to be good about provisioning; not as good at de-provisioning access
• Enforcement requires governance
-
What are the challenges with managing access here?
What risks does this pose to password security?
-
Federated Identity Services Organize the Chaos
-
Encryption: method of transforming original data – plaintext or cleartext – into a form that appears to be random and unreadable – ciphertext.
• Decryption requires the secret/private “key” to reverse this process.
• No key = cleartext not available
Data Integrity & Confidentiality
e.g. HTTPS over the Internet
-
One-Way Hashing: function that takes a variable-length string, and compresses and transforms it into a fixed-length value that represents the data, called a message digest or hash value.
• The hashing algorithm is reused – by data recipients or other systems – to produce their own message digest for that data to compare against the original message digest for a match (like a fingerprint).
Data Integrity & Confidentiality
What’s the main security goal of one-way hashing?
-
Should You Hash or Encrypt?
Guidance Key
Purpose | Hashing | Encryption
Compare two blobs of data for matching | X |
Check if stored data has changed at all | X |
Send or store data so it can be read only by specific individuals or machines | | X
Make original plaintext data irretrievable | X |
Hash or Encrypt?
• Verify an eSignature is authentic
• Send personally identifiable data over the Internet
• Check that a critical file/data element hasn’t changed
• Store PCI/PHI on a server
• Verify a matching password
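The hashing rows of the key above (compare, detect change, make the plaintext irretrievable) and the “verify a matching password” question map onto two small routines. The block below is an added example, not workshop code: an integrity digest for a record, and a salted, iterated password hash that stores no recoverable plaintext. Only the standard library is used; the record contents, iteration count and storage format are assumptions. The encryption column is not shown because the standard library has no authenticated cipher, which is what a practitioner would reach for there.

```python
"""Hashing for integrity checks and password verification (added example)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16

# Constructed sample record standing in for a critical file/data element.
SAMPLE_RECORD = b"grant_id=12345;pi=jdoe;amount=250000\n"


def digest(data: bytes) -> str:
    """Fixed-length fingerprint (SHA-256, hex) of arbitrary-length data."""
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, expected_digest: str) -> bool:
    """Integrity check: recompute the digest and compare it with the stored one.
    Any change to the data, even a single byte, produces a different digest."""
    return hmac.compare_digest(digest(data), expected_digest)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'. A fresh random salt per user means
    two users with the same password get different hashes; the plaintext itself is
    never stored and cannot be recovered from the record (one-way)."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    fingerprint = digest(SAMPLE_RECORD)
    tampered = SAMPLE_RECORD.replace(b"250000", b"950000")
    print("original intact:", unchanged(SAMPLE_RECORD, fingerprint))
    print("tampered intact:", unchanged(tampered, fingerprint))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("correct horse battery stapl", record))
```

Note what the digest does not give you: anyone who can alter the data can also recompute and replace a bare digest, so a stored fingerprint only detects change when it is kept somewhere the attacker cannot write, or is replaced by a keyed MAC or signature.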
-
Protect De-Identified Research Data
Help a principal investigator to maintain “anonymity”
of her research participants and the accuracy of
the research data.
Advise the investigator how to implement controls to protect against:
Anyone else having access to both PII and data (re-identification)
Someone altering any of the captured research data
Research data being unavailable when needed
-
Secure by Design: Part 2
-
Secure by Design: Part 2
Application Security
Vulnerability Scanning and Management
Logging & Monitoring
Security in the Cloud
-
The OWASP Top 10 Most Critical Web Application Security Risks
-
A1: SQL Injection – Illustrated
[Diagram (application attack): an HTTP request from the attacker passes through a Firewall into the hosting stack (Hardened OS, Web Server, App Server) and a second Firewall into the application’s Custom Code, which issues a SQL query against a DB table in the back-end Databases, Legacy Systems, Web Services, Directories, Human Resrcs and Billing systems; the results travel back as the HTTP response. The diagram labels the Network Layer and Application Layer and the business functions served: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. The query shown is:
"SELECT * FROM accounts WHERE
--]
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker:
Acct: 5424 - 6066 - 2134 - 4334
Acct: 4128 - 7574 - 3921 - 0192
Acct: 5424 - 9383 - 2039 - 4029
Acct: 4128 - 0004 - 1234 - 0293
-
Do not trust user-supplied input
• Convert user input to “acceptable” formats and strings
• Use parameterized queries or stored procedures
• Reject anything that doesn’t fit your model
• Display generic/sanitized error messages – don’t leak data
Use plug-ins and QA scripts to check code for common exposures
Remember: the system will function as designed
Design security into your applications!
Injection Example – Key Takeaways
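The five steps of the illustration and the takeaways above come together in the block below, an added example rather than workshop or OWASP code. It builds an in-memory SQLite table of constructed account rows (table and column names are assumptions chosen to match the diagram’s “accounts”), runs the lookup the vulnerable way (step 3: input pasted into the SQL text) with an attack string that uses the same “--” comment trick as the slide, and then runs the same lookup with a parameterized query and an allow-list check.

```python
"""SQL injection: vulnerable query, parameterized fix, and input allow-list (added example)."""
import re
import sqlite3

# Constructed attack string: closes the quote, adds an always-true clause, and comments
# out whatever the application appends after the user's value.
ATTACK = "x' OR 1=1 --"

# Allow-list for an account owner name: what fits the model, everything else is rejected.
OWNER_PATTERN = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample accounts (digits from the slide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, acct TEXT)")
    conn.executemany(
        "INSERT INTO accounts (owner, acct) VALUES (?, ?)",
        [
            ("alice", "5424-6066-2134-4334"),
            ("bob", "4128-7574-3921-0192"),
            ("carol", "5424-9383-2039-4029"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Step 3 of the slide: the user's value becomes part of the SQL text, so the
    value can change the structure of the query, not just its data."""
    sql = f"SELECT acct FROM accounts WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Fix: the query text is fixed and the driver binds the value separately.
    The attack string is simply compared, as a string, against the owner column."""
    rows = conn.execute("SELECT acct FROM accounts WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def is_valid_owner(owner: str) -> bool:
    """Reject anything that does not fit the model before it reaches the database."""
    return OWNER_PATTERN.match(owner) is not None


def lookup_hardened(conn: sqlite3.Connection, owner: str) -> list:
    """Both controls together: validate, then bind. Returns [] for rejected input
    rather than an error message that would leak schema details to the caller."""
    if not is_valid_owner(owner):
        return []
    return lookup_parameterized(conn, owner)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, attack input:", lookup_vulnerable(db, ATTACK))  # every account
    print("parameterized, attack input:", lookup_parameterized(db, ATTACK))  # nothing
    print("hardened, attack input:", lookup_hardened(db, ATTACK))
```

The parameterized form is the control that actually closes the hole; the allow-list is defence in depth and also stops malformed input from reaching error paths that might leak data.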
-
Vulnerability Scanning & Management
A. In 2014, what percentage of all successful exploits attacked vulnerabilities for which patches/fixes had been available for more than a year?
1. 30%
2. 50%
3. 75%
4. 99.9%
B. What percentage of new vulnerabilities in 2014 were successfully attacked within two weeks of their announcement and patch availability?
1. 30%
2. 50%
3. 75%
4. 99.9%
What makes a particular vulnerability popular?
Source: 2015 Verizon Data Breach Investigations Report
Risk factors: prevalence, discoverability, ease of exploit, impact
-
Logging and Monitoring
Natural causes, error, or suspicious activity?
• Behavior/pattern recognition for systems, employees, students...
• Network and system “health” – blockages, inhibitors, viruses, etc.
• Regulatory compliance (HRCI data access logs!)
• Cyber investigation forensics
Workbook Exercise: What might a bank choose to monitor as “unusual” account activity?
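One way to answer the workbook exercise in code, added here as an example and not part of the workshop: three detections that a bank might run over withdrawal records, applied to a constructed sample log. Knowing how the system is supposed to work (a card draws a few hundred dollars a day from one place) is what makes the deviations visible. The log format, the card masks, the thresholds and the city names are all assumptions.

```python
"""Unusual-activity detection over constructed ATM withdrawal logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds describing "normal" for a single card.
DAILY_LIMIT = 1000                     # more than this withdrawn in one calendar day
BURST_COUNT = 5                        # more than this many withdrawals ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window
TRAVEL_WINDOW = timedelta(hours=1)     # two different cities this close together

# Constructed sample log: one record per withdrawal, masked card, city, ATM id, amount.
SAMPLE_LOG = """\
2013-02-19T23:00:01Z card=4128****0192 city=NYC atm=014 amount=300
2013-02-19T23:01:10Z card=4128****0192 city=NYC atm=014 amount=300
2013-02-19T23:02:15Z card=4128****0192 city=NYC atm=015 amount=300
2013-02-19T23:03:20Z card=4128****0192 city=NYC atm=015 amount=300
2013-02-19T23:04:30Z card=4128****0192 city=NYC atm=016 amount=300
2013-02-19T23:05:40Z card=4128****0192 city=NYC atm=016 amount=300
2013-02-19T23:20:00Z card=5424****4334 city=BOS atm=201 amount=200
2013-02-19T23:45:00Z card=5424****4334 city=LAX atm=077 amount=200
2013-02-20T09:00:00Z card=5424****4029 city=BOS atm=201 amount=100
"""


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' record into a dict with typed time/amount."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["amount"] = int(rec["amount"])
    return rec


def detect(log_text: str) -> list:
    """Return (card, rule, detail) alerts for daily-limit, burst and impossible-travel."""
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["time"]
    )
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        # Rule 1: total withdrawn per calendar day exceeds the card's normal ceiling.
        daily = defaultdict(int)
        for e in evs:
            daily[e["time"].date()] += e["amount"]
        for day, total in sorted(daily.items()):
            if total > DAILY_LIMIT:
                alerts.append((card, "daily_limit", f"{total} withdrawn on {day}"))

        # Rule 2: velocity. Count withdrawals in a sliding window; report once per card.
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - start["time"] <= BURST_WINDOW]
            if len(in_window) > BURST_COUNT:
                alerts.append((card, "burst", f"{len(in_window)} withdrawals within {BURST_WINDOW}"))
                break

        # Rule 3: the same card used in two cities too close together in time.
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["time"] - prev["time"]
            if prev["city"] != cur["city"] and gap <= TRAVEL_WINDOW:
                alerts.append((card, "impossible_travel", f"{prev['city']} -> {cur['city']} in {gap}"))
    return alerts


if __name__ == "__main__":
    for card, rule, detail in detect(SAMPLE_LOG):
        print(f"{card} {rule}: {detail}")
```

Each rule encodes one expectation about normal behaviour, so each alert says which expectation broke; a card that trips both the daily limit and the burst rule in minutes is a cash-out pattern, not a customer who forgot a receipt.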
-
Who Manages Security in the Cloud?
SaaS Model
Their Responsibility: the physical infrastructure, the platform, and the application software itself
Your Responsibility: your data, who you grant access to it, and how accounts and settings are configured
-
Who Manages Security in the Cloud?
IaaS Model
Their Responsibility: physical facilities, hardware, network, and the virtualization layer
Your Responsibility: everything from the guest operating system up – hardening, patching, identity, application, and data
-
Considerations for Cloud Computing
Legal issues – intellectual property when subpoenas request all data on a server (co-location risk). Would we even know?
Confidentiality – vendor administrators with access to data
Server hardening - spinning up new servers is quick and configurable, so use a template vetted by Information Security
Logging – do we have enough detail for investigations?
Failover/Back-ups – does data cross international borders?
-
BREAK - 10 minutes
-
Case Studies: Part 3
-
Security Breakdowns
Case 1: BankMuscat ATM No-Limit Withdrawals
Case 2: Target POS Compromise
Case 3: NYTimes.com Website Hijacking
-
The “Big Four” Behaviors for Everyone
• Click wisely
• Apply updates
• Use strong passwords
• Know your data
You help keep Harvard secure.
http://security.harvard.edu
-
Workshop Summary
Information security ensures authorized people and systems will have access to reliable data when they need it
For any risk – consider the probability and impact if the threat and vulnerability come together
Identification, Authentication and Authorization work together to enable appropriate access to data and applications
Whenever possible, leverage Harvard’s federated identity service and two-step authentication
-
Workshop Summary
Do not trust user-supplied input in your applications
Make a patching plan and stick to it
Know how your system is supposed to work so you can identify unusual behavior to log and monitor
Just because it’s “in the Cloud” doesn’t mean you’re no longer responsible for it
Integrate information security into the service you deliver; the stuff that doesn’t happen is equally important!
-
Thank you! Please complete your class survey: http://bit.ly/ITAcademyFeedback
Claim your Badge:
After completion of this course, you will receive an Information Security Level I badge.
Look out for your email notification from IT Academy with instructions on how to:
Click to the Credly site – Create your account – Claim your badge – Share with friends
Information Security Level I