8.19 Installation of software on operational systems

End users may be able to install software on their PCs themselves. This brings a high risk, because such software is not under the organization's control and may contain malware or other threats.

Best practices to prevent issues with software installations
• Only authorized administrators may install software.
• Software needs to be verified and tested for vulnerabilities before use.
• Use a configuration management database (CMDB) to verify which software, at which versions, is installed on the systems, and to detect anything installed outside the authorized process.
• Use an automated patch management system to install vendor patches as soon as they are released.
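The CMDB check from the list above, as an added example that is not part of the EXIN slides: it reconciles a host's installed-software inventory against the authorized baseline and reports unauthorized, outdated and missing packages. The inventory lines (in the shape of `dpkg-query -W` output) and the baseline are constructed for illustration; on a real host the inventory would come from the package manager and the baseline from the CMDB.

```python
"""Reconcile a host's installed-software inventory against the authorized
baseline recorded in a CMDB.  Added example (not from the EXIN slides);
the inventory lines and the baseline are constructed for illustration."""
import re

# Constructed inventory, in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
# output.  On a real host you would collect this with the package manager.
INVENTORY = """\
openssl 3.0.13
curl 8.5.0
nginx 1.24.0
teamviewer 15.44.5
python3 3.11.2
"""

# Constructed CMDB baseline: package -> minimum approved version.
# Anything not listed here was never authorized for this host class.
BASELINE = {
    "openssl": "3.0.13",
    "curl": "8.6.0",     # patch released; hosts still on 8.5.0 are out of date
    "nginx": "1.24.0",
    "python3": "3.11.0",
    "auditd": "3.0.9",   # required by policy, must be present
}


def parse_version(v):
    """Turn '8.5.0-1ubuntu2' into (8, 5, 0) so versions compare numerically.
    Only the leading dotted numeric part is used; distro suffixes are ignored."""
    nums = re.match(r"[\d.]+", v)
    return tuple(int(x) for x in nums.group(0).split(".") if x) if nums else (0,)


def parse_inventory(text):
    """Parse 'package version' lines into a dict."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.split(None, 1)
        installed[name] = version
    return installed


def reconcile(inventory_text, baseline):
    """Return the three findings a CMDB check produces:
    unauthorized: installed but not in the baseline (possible user install),
    outdated:     installed below the minimum approved version (unpatched),
    missing:      required by the baseline but absent from the host."""
    installed = parse_inventory(inventory_text)
    unauthorized = sorted(p for p in installed if p not in baseline)
    outdated = sorted(
        p for p, v in installed.items()
        if p in baseline and parse_version(v) < parse_version(baseline[p])
    )
    missing = sorted(p for p in baseline if p not in installed)
    return {"unauthorized": unauthorized, "outdated": outdated, "missing": missing}


if __name__ == "__main__":
    for finding, packages in reconcile(INVENTORY, BASELINE).items():
        print(f"{finding:12s}: {', '.join(packages) or '-'}")
```

Run against the constructed data the check flags teamviewer as unauthorized, curl as outdated and auditd as missing; each of the three findings maps to one of the best practices above (authorized installs only, patch promptly, enforce the baseline).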
8.24 Use of cryptography

Cryptography aims to achieve
• Confidentiality
• Integrity
• Non-repudiation
• Authentication

The use of cryptography requires
• A policy covering the principles for protecting information
• A link to data classification: which classifications need encryption
• The need for encryption on specific vulnerable devices, such as cell phones, USB sticks, etc.
• Encryption standards to use, including key length, key management, algorithms, etc.
Symmetric encryption
[Figure: A applies f1() to the cleartext under Key to produce the ciphertext; B applies f2() to the ciphertext under the same Key to recover the cleartext.]
Symmetric encryption
• Symmetric because both parties use the same key for encryption and decryption.
• An example of the mathematics used is the Data Encryption Standard (DES). It uses a 56-bit key.
• DES is considered insecure: its key space is small enough to be searched exhaustively (brute force) in a matter of days or less on purpose-built hardware. It has been replaced by AES (Advanced Encryption Standard), which uses 128-, 192- or 256-bit keys.
• Symmetric encryption is fast and is therefore used for bulk data.
• The problem, however, is key management. Every pair of parties needs its own secret key, so n parties need n(n-1)/2 keys, and each of those keys has to be distributed over a secure channel.
Asymmetric encryption
[Figure: A holds Private-A and Public-B; B holds Public-A and Private-B. A applies f1() to the cleartext to produce the ciphertext; B applies f2() to the ciphertext to recover the cleartext. A Certificate Authority (CA) certifies the public keys of A and B; the private keys never leave their owners.]
Asymmetric encryption
• Every party generates two keys: a private key that needs to be kept secret and a public key that everyone may know.
• When A needs to send a confidential message to B, she encrypts the message using B's public key. Only the holder of the matching private key can reverse this.
• When B receives the message, he decrypts it using his private key. If A also wants B to be sure the message came from her, she additionally signs it with her own private key (see digital signatures).
• A separate entity, the certificate authority (CA), acts as an intermediary responsible for delivering the public key of someone, in a certificate signed by the CA, to everyone that asks for it.
• For this to work there are a number of pre-requisites, such as:
• The CA should make sure that the public key someone asks for indeed belongs to the party that generated it (identity verification before a certificate is issued).
• The mathematics involved should guarantee that, without the private key, recovering a message encrypted under the corresponding public key is computationally infeasible.
• Attention point: if the certificate authority (CA) is compromised, fraudulent certificates can be issued in the name of any party, and all certificates issued by that CA may have to be revoked and reissued.
Digital signatures
• A private key is held by exactly one party, so something that only that key can produce serves as an electronic signature.
• Together with hash functions, private keys can be used to prove origin and integrity.
• A computes a hash of the document and signs that hash with her private key (the document itself is not encrypted); she sends the document and the signature to B.
• B applies A's public key to the signature to recover the signed hash, reruns the hash function on the received document and compares the two. If they match, the document has not been altered and the signature can only have been produced with A's private key.
• Of course this only works when A keeps her private key secret and there is definite proof that the public key "belongs" to A. This is again arranged using Certificate Authorities (CA).
8.20-8.22 Networks security
[Figure: network diagram showing the Internet connection (router, home office) and a firewall in front of a DMZ with the e-mail server, DNS and webserver; the internal LAN with IDS, antivirus server, mainframe, servers, clients and printers; and a development segment with its own servers and workstations behind a further firewall.]
Infrastructural components: firewall types

Packet filtering firewall
These act by inspecting the "packets" which transfer between computers on the Internet. Each packet is compared with the packet filter's set of rules and accepted, dropped or rejected according to the first rule that matches. This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic. It filters each packet based only on information contained in the packet header (most commonly a combination of the packet's source and destination address, its protocol and, for TCP and UDP traffic, the port numbers).

Stateful firewall
These record all connections passing through them and determine whether a packet is the start of a new connection, part of an existing connection, or not part of any connection. Though static rules are still used, these rules can now contain connection state as one of their test criteria.

Application layer firewall
These can "understand" certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS) or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port, or detect if a protocol is being abused in any harmful way.
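The difference between the first two types, as an added example that is not part of the EXIN slides: a stateless header-only filter and a connection-tracking filter are run side by side over the same constructed TCP packets. Both implement the same policy (internal hosts in 10.0.0.0/8 may open connections to the Internet, nothing may be opened from outside). The addresses, ports and flags are constructed; the "network" is just a list of tuples.

```python
"""Why a stateful firewall is stronger than a stateless packet filter.
Added example, not from the slides.  The packets below are constructed; the
'network' is just a list of tuples.  Policy for both filters: internal hosts
(10.0.0.0/8) may open TCP connections to the Internet; nothing may be opened
from the outside."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")  # TCP only; flags "S", "SA", "A"
INTERNAL = ip_network("10.0.0.0/8")


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def stateless_filter(pkt):
    """Header-only rules, no memory of earlier packets.
    To let replies to outbound web traffic in at all, the filter must allow
    inbound packets from source port 80/443 to high ports: the 'reply hole'."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "ACCEPT"                                  # rule 1: anything outbound
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport in (80, 443) and pkt.dport >= 1024):
        return "ACCEPT"                                  # rule 2: web replies
    return "DROP"


class StatefulFilter:
    """Tracks connections; inbound packets are accepted only if they belong
    to a connection an internal host initiated (cf. iptables
    '--ctstate ESTABLISHED,RELATED')."""

    def __init__(self):
        self.connections = set()   # (internal_ip, internal_port, remote_ip, remote_port)

    def filter(self, pkt):
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.flags == "S":                         # new outbound connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ACCEPT"
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections:
                return "ACCEPT"
            return "DROP"                                # outbound data without a handshake
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "ACCEPT"                          # reply to a tracked connection
            return "DROP"                                # unsolicited inbound, even from port 80
        return "DROP"


def run(packets):
    """Return (stateless decision, stateful decision) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


# Constructed traffic: a legitimate web fetch, then an attacker probing
# internal hosts while setting the source port to 80.
TRAFFIC = [
    Packet("10.1.2.3", 50000, "203.0.113.10", 80, "S"),    # internal -> web server
    Packet("203.0.113.10", 80, "10.1.2.3", 50000, "SA"),   # legitimate reply
    Packet("198.51.100.7", 80, "10.1.2.3", 3389, "S"),     # attacker, sport 80, to RDP
    Packet("198.51.100.7", 80, "10.1.2.9", 8080, "S"),     # attacker, sport 80, high port
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, run(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={stateless:6s} stateful={stateful}")
```

The last two packets are the point: the stateless filter cannot tell an attacker's SYN from port 80 apart from a web server's reply, so its reply rule lets both through, while the stateful filter drops them because no internal host ever opened a connection to 198.51.100.7.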
8.7 Protection against malware

Malware
• Malware comes in a variety of types; it damages data and/or applications or steals information.
• Systems (hardware or software based) that detect malicious code rely on signatures that represent previously found malware code, or on detecting the malicious behaviour of the malware itself.
• Unfortunately, these systems generate false positives and also fail to detect all malware (false negatives): a signature only matches code that has been seen before, and slightly modified variants can slip past it.
• Note that ISO/IEC 27002 uses the more general term 'malware'. This also denotes, for instance, hidden backdoors and logic bombs that can (sometimes!) only be detected by humans doing a code review of bespoke software.
• A lot of malware nowadays is transferred via USB sticks, but mostly by visiting infected websites.
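How signature detection works and where it fails, as an added example that is not part of the EXIN slides: a tiny scanner with the two classic signature styles (exact-file hash and byte pattern) is run over four constructed byte strings. None of them is real malware; they merely contain a suspicious command line. The "Dropper.A" signatures are made up, and the obfuscated sample relies on the fact that cmd.exe strips `^` escape characters before running a command, so `p^ower^shell` still launches PowerShell.

```python
"""Signature-based malware detection and its blind spots.  Added example, not
from the slides: the 'samples' are constructed byte strings that merely contain
a suspicious command line, not real malware, and the signatures are made up."""
import hashlib
import re

# Constructed samples.  The second differs from the first by one appended
# padding byte; the third hides the tool name with cmd.exe caret escapes
# (cmd strips '^', so p^ower^shell still runs powershell).
SAMPLE_ORIGINAL = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c powershell -enc SGVsbG8=" + b"\x00" * 4
SAMPLE_REPACKED = SAMPLE_ORIGINAL + b"\x00"
SAMPLE_OBFUSCATED = SAMPLE_ORIGINAL.replace(b"powershell", b"p^ower^shell")
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"Hello, world" + b"\x00" * 4

# Constructed signature database in the two classic styles: an exact-file
# hash and a byte pattern that generalises over one family.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_ORIGINAL).hexdigest(): "Dropper.A"}
PATTERN_SIGNATURES = {
    "Dropper.A (generic)": re.compile(rb"cmd\.exe /c powershell -enc [A-Za-z0-9+/=]+"),
}


def normalize(data):
    """Undo a trivial obfuscation before matching: drop cmd.exe '^' escapes.
    Real engines apply many such steps (unpacking, decoding, emulation)."""
    return data.replace(b"^", b"")


def scan(data, normalize_first=False):
    """Return the names of the signatures that fire on `data`.
    Hash signatures need the file to be byte-for-byte identical; pattern
    signatures survive padding but not changes inside the pattern itself."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    haystack = normalize(data) if normalize_first else data
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(haystack):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, sample in [("original", SAMPLE_ORIGINAL), ("repacked", SAMPLE_REPACKED),
                          ("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:10s} raw={scan(sample)}  normalized={scan(sample, normalize_first=True)}")
```

The repacked sample already escapes the hash signature, the obfuscated one escapes both signatures until the scanner normalizes its input, and a benign file that happens to contain a matching string would be a false positive. This is the reason the slide pairs signatures with behaviour-based detection and, for bespoke software, human code review.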
8.31 Separation of development, test and production environments
• Test environments should be controlled via authorization controls in order to protect the production environment's integrity.
• By implementing this control, an authorization must be given every time data are moved from the production environment to the test environment, and every time code or data are moved from the test environment to the production environment.
• This not only increases the integrity of the data, but also guarantees that transferred data are aligned with the information security policy of the organization (for instance, that sensitive production data are not copied into a less protected test environment without being masked).
[Figure: Test environment and Production environment, with authorization controls on every transfer between them.]
Service Oriented Architecture (SOA)

Service Oriented Architecture (SOA) is an architectural approach in which applications make use of services available in the network. In a service oriented architecture, a number of services communicate with each other in one of two ways: by passing data, or by two or more services coordinating an activity.

The main SOA characteristics are: business value, strategic goals, intrinsic interoperability, shared services, flexibility and evolutionary refinement.

[Figure: the Service consumer sends a service request to the Service provider, which returns a service response.]

There are two major roles within SOA:
• Service provider: the maintainer of the service and the organization that makes one or more services available for others to use. To advertise services, the provider can publish them in a registry, together with a service contract that specifies the nature of the service, how to use it, the requirements for the service, and the fees charged.
• Service consumer: locates the service metadata in the registry and develops the required client components to bind to and use the service.
Service Oriented Architecture (SOA) and information security
• When it comes to information security, some aspects must be taken into consideration.
• Information security architecture follows information security strategy.
• When designing services or infrastructure based on SOA, it is important that the information security team is involved in the project from the start.
• Which security services (such as authentication, authorization, and confidentiality and integrity of messages) will be provided, and in which architecture, must be defined in order to align the information security requirements with the services offered to customers.
Open-design architecture
• Open-design architecture advocates that establishing a single, consistent, clearly defined control catalog provides an excellent means to simplify requirements from numerous standards, governance frameworks, legislation and regulations.
• Using OSA (Open Security Architecture) patterns provides a fast start, improves the quality of the solution that must be deployed, and reduces overall effort.
• Open design also means that the security of a system must not depend on the secrecy of its design: a design that is openly published is reviewed and tested by many parties, which improves the security of the services built on it.
[Figure: OSA design principles, grouped into architectural principles, implementation principles, and operations and configuration principles: simplicity over flexibility, usability over restriction, defense in depth, open design, secure coding practices, black box and white box testing, complete mediation, least privilege, audit trails.]
Common Criteria (ISO/IEC 15408)
• Since firewalls and other access granting equipment are the gate-keepers to the information assets of the organization, independent certification of such products is called for.
• ISO/IEC 15408, or "Common Criteria", "... is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims".
• When a security product has been tested against ISO/IEC 15408, it is assigned an Evaluation Assurance Level (EAL). Once users have determined their assurance requirements, they can decide to install only equipment with the corresponding EAL or higher.
• Assurance levels range from EAL1 (functionally tested, basic) to EAL7 (formally verified design and tested, most stringent).
• Note that the EAL expresses how rigorously the vendor's claims were evaluated, not how strong the claimed security functions are; the product's Security Target states what was actually evaluated and in which configuration.
Contact EXIN www.exin.com