IT Security Management
Grado de Ingeniería Informática, Universitat de les Illes Balears
Isaac Lera - Grau d'informàtica (@IsaacLera)

Management framework
Information management has to support:
❖ Planning
❖ Provisioning
❖ Installation
❖ Operation
❖ Maintenance
❖ Administration
within four constraints: SECURITY, RISK, INFORMATION and COST CONTROL.

Information Protection
Case: the most important asset is INFORMATION.
❖ Customers (contacts, payments, ...) and suppliers; processes, methods, etc.
❖ Labelling, distribution, duplication, release, storage, and distribution methods.
❖ Confidential, specialised or secret information.
❖ Regulation: personal, health and financial data.

"Egghead Software was hurt by a December 2000 revelation that hackers had accessed its systems and potentially compromised customer credit card data (3.7 million credit card numbers). The company filed for bankruptcy in August 2001. After a deal to sell the company to Fry's Electronics for $10 million fell through, its assets were acquired by Amazon.com for $6.1 million."
http://en.wikipedia.org/wiki/Egghead_Software

Basic security: the "Three D"
Proposals...
❖ A new employee in the office may download files during certain working hours but may not upload files during the probation period, to prevent leaking or sharing information.
❖ During working hours, block access to web pages categorised as adult entertainment.
❖ Under U.S. Treasury regulation it is permitted to monitor (record) the conversations of people who work in financial environments, to prevent sabotage, insider trading, ...
Cases to consider: information in transit (transmit) or at rest (store).

Security Program
❖ Defense: keep intruders out
❖ Detection: log and monitor their presence
❖ Deterrence: discourage attacks (laws, methods, ...)

Weakest link
Reflection: in general, which is the weakest element in the chain?
People (Human Resources). What matters: communication, level of education, awareness of what must not be disclosed and of the impact a disclosure would cause, and the personal benefit an insider might expect from it.

Security Awareness: example policy
RESPONSIBILITIES
All employees, contractors, consultants, service providers, and temporary workers are responsible for following these practices.
What to do:
• Protect the organization's intellectual property and keep it confidential
• Report any unauthorized or inappropriate use, or any security concerns
• Follow the guidance in the Information Classification, Labeling, and Handling policy
What not to do:
• Do not forward, provide access, store, distribute, and/or process confidential information to unauthorized people or places, or post confidential information on Internet bulletin boards, chat rooms, or other electronic forums
• Do not access information resources, records, files, information, or any other data when there is no proper, authorized, job-related need
• Do not provide false or misleading information to obtain access to information resources
• Do not use any account and/or password that has not been assigned to you
• Do not perform any conduct which may harm the organization's reputation
• Do not view offensive websites, send or forward offensive email
• Do not place personal files on the organization's computing servers
• Do not connect any equipment not owned and managed by the organization to the organization's network
• Do not install personally owned software or non-licensed software on the organization's computers

Internet Usage Monitoring
All connections to the Internet must be monitored for the following activities:
• Attempts to access restricted web sites
• Transfers of very large files
• Excessive web browsing
• Unauthorized hosting of web servers by employees
• Transfers of the organization's data to or from the Internet

Example policy statements
Personal Web Sites: Employees may not run personal web sites on the organization's equipment.
Ethical Use of the Internet: Personal Internet use must conform to the corporate standard of ethics.
Non-Corporate Usage Agreement: Outside organizations must sign a usage agreement before connecting to the corporate data resources.
Employee Usage Agreement: All employees must sign a usage agreement.
Personal Use of Telephones: Corporate phone systems may be used for limited, local, personal calls, as long as this usage does not interfere with the performance of the corporate business.

Activity
Photocopies... one policy, one opinion.

[Figure: Computer Security Institute (CSI) attack-type statistics from the 2010 survey]

Security Controls
Several categories:
• Preventative: block security threats before they can exploit a vulnerability
• Detective: discover and provide notification of attacks or misuse when they happen
• Deterrent: discourage outsider attacks and insider policy violations
• Corrective: restore the integrity of data or another asset
• Recovery: restore the availability of a service
• Compensative: in a layered security strategy, provide protection even when another control fails

Implementations
Implementations of each category:
• Physical: controls that are physically present in the "real world"
• Administrative: controls defined and enforced by management
• Logical/technical: technology controls performed by machines
• Operational: controls that are performed in person by people
• Virtual: controls that are triggered dynamically when certain circumstances arise

Cases: example controls per category (physical, administrative, logical/technical, operational, virtual)
• Preventative: doors, access lists, firewall, security guard
• Detective: cameras, logging, security guard
• Deterrent: regulations, warning messages, security guard
• Corrective: fines, redundancy
• Recovery: backups, plans
• Compensative: manual procedures

Good practices
❖ COBIT (ISACA): www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx
❖ ISO 27000 series
  ❖ ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements
  ❖ ISO/IEC 27040:2015 Information technology -- Security techniques -- Storage security
  ❖ ...
❖ NIST SP 800-53 (National Institute of Standards and Technology): csrc.nist.gov/publications/PubsSPs.html

ISO 27000 series: Controls
❖ Risk Assessment and Treatment: the use of risk assessment as a basis for selecting appropriate security controls.
❖ Security Policy: the clear expression of management intent for information protection.
❖ Organization of Information Security: defining and staffing the roles and functions needed by the security program.
❖ Asset Management: the responsibility and classification of assets, including data.
❖ Human Resources Security: ensuring that the behaviors of trusted inside employees don't defeat the security controls, because the majority of security problems come from insiders, not outsiders.
❖ Physical and Environmental Security: creating secure areas and protecting equipment.
❖ Communications and Operations Management: maintaining a safe, reliable, and correct IT environment (including the parts outside the direct control of the organization, provided by third parties). Malware protection, backups, and network security are included here.
❖ Access Control: user controls and responsibilities, including access controls for the networks, operating systems, and applications, along with mobile computing.
❖ Information Systems Acquisition, Development, and Maintenance: security requirements, ensuring integrity and confidentiality, change management in development and support processes, and vulnerability management.
❖ Information Security Incident Management: reporting security issues and vulnerabilities, and managing incidents.
❖ Business Continuity Management: information security aspects of business continuity.
❖ Compliance: legal requirements, compliance with policies, standards, and specifications, and audit considerations.

ISO 27000 series: Examples (Communications and Operations Management)
• 10.2 Manage third-party service delivery.
• 10.3 Perform capacity planning and resource monitoring for proactive allocation of resources.
• 10.4 Protect against malware.
• 10.5 Establish reliable backups.
• 10.6 Establish network security controls.

NIST 800-53: Security control families
❖ Access Control
❖ Awareness and Training
❖ Audit and Accountability
❖ Security Assessment and Authorization
❖ Configuration Management
❖ Contingency Planning
❖ Identification and Authentication
❖ Incident Response
❖ Maintenance
❖ Media Protection
❖ Physical and Environmental Protection
❖ Planning
❖ Personnel Security
❖ Risk Assessment
❖ System and Services Acquisition
❖ System and Communications Protection
❖ System and Information Integrity
❖ Program Management

NIST 800 series: guides
❖ SP 800-113: Guide to SSL VPNs
❖ SP 800-111: Guide to Storage Encryption Technologies for End User Devices
❖ SP 800-101: Guidelines on Cell Phone Forensics
❖ SP 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems
❖ SP 800-95: Guide to Secure Web Services
❖ ...

Secure Design Principles
❖ Confidentiality, Integrity, Availability (CIA)
❖ Extended list: Confidentiality, Integrity, Availability, Accountability, Accuracy, Authenticity, Awareness, Completeness, Consistency, Control, Democracy, Ethics, Legality, Defense Models, Non-repudiation, Ownership, Physical Possession, Reassessment, Relevance, Response, Responsibility, Risk Assessment, Security Design and Implementation, Security Management, Timeliness, Utility

Defense models
❖ Lollipop model: one hard perimeter around a soft interior; whoever gets past the shell has everything.
❖ Onion model: concentric layers of controls, so that a failure in one layer is caught by the next (defense in depth).

Defense measures I
❖ Secure the physical environment
❖ Password-protect booting and the CMOS/BIOS setup
❖ Disable booting from USB and CD
❖ Harden the operating system
❖ Keep patches up to date
❖ Use an antivirus scanner
❖ Use firewall software
❖ Secure network share permissions

Defense measures II
❖ Use encryption
❖ Securely configure applications
❖ Secure email: block dangerous file types, block file attachments
❖ Install applications in non-standard directories and on non-standard ports
❖ Lock down applications
❖ Secure P2P services
❖ Implement static ARP tables
❖ Configure port rate limiting
❖ Use DHCP snooping and Dynamic ARP Inspection

Security Program: Phases
1. Requirements gathering
   1. Regulatory requirements (industry specific)
   2. Advisory requirements (best practices)
   3. Informative requirements (organization specific)
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)

Security plan: structure
❖ Purpose: whom does the plan concern?
❖ Responsibilities: to whom is it addressed?
❖ Scope: where should it be applied?
❖ Content

Security plan: elements present
• Human resources > "rewards and penalties"
• Legal
• Information Technology
• Physical Security
Policy categories:
• Regulatory: rules about what is required and why. Mandatory.
• Advisory
• Informative: for business units, partners, sales, customers
Audience: employees, contractors or temporary staff; consultants, HW/SW suppliers, partners, and customers who use the organization's information resources.

Information classification: Category: Unclassified public
Information is not confidential and can be made public without any implications for Company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.
Examples:
• Product brochures widely distributed
• Information widely available in the public domain, including publicly available Company web site areas
• Sample downloads of Company software that is for sale
• Financial reports required by regulators
• Newsletters for external transmission

Category: Proprietary
Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence Company's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.
Examples:
• Passwords and information on corporate security procedures
• Know-how used to process client information
• Standard Operating Procedures used in all parts of Company's business
• All Company-developed software code, whether used internally or sold to clients

Category: Client Confidential Data
Information received from clients in any form for processing in production by Company. The original copy of such information must not be changed in any way without written permission from the client.
The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
• Client media
• Electronic transmissions from clients
• Product information generated for the client by Company production activities as specified by the client

Category: Company Confidential Data
Information collected and used by Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
• Salaries and other personnel data
• Accounting data and internal financial reports
• Confidential customer business data and confidential contracts
• Non-disclosure agreements with clients/vendors
• Company business plans

+ Security: technical areas
❖ DATA: databases, applications, networks, computers, storage (local, removable, networked), printed data; Information Rights Management; encryption
❖ Network: patching, switches, access control, firewalls (malware, intrusion detection/prevention, web content filtering, email), VPNs (IPsec, PPTP, L2TP, SSL, ...); wireless networks, VoIP
❖ OS: Unix, Windows
❖ Infrastructure: email, web servers, DNS servers, proxy servers
❖ Application platforms: J2EE security, .NET

Security: Authentication and Authorization
Authentication establishes who is connected; authorization specifies what they may do. Administration (creating identities, granting rights, handling credential changes and recovery) sits between the two.

Authentication
Processes to prove that you are who you say you are. Two parts:
• a public identity (username), and
• a private response
Three factors:
• something you know (password, PIN): easy to intercept, to share, or to write down
• something you are (biometrics)
• something you have (card, one-time password token)
Mechanisms: passwords with local storage and comparison, passwords with central storage and comparison, challenge-response, Kerberos, one-time passwords (OTP).

Passwords: local storage
Sometimes the stored credential is protected (hashed or encrypted) and sometimes it is not:
• WordPress with MySQL -> No (the database password in wp-config.php is kept in clear text)
• Transmission (torrent server) -> Yes (the RPC password in settings.json is stored hashed)
• UNIX: /etc/passwd >> users, /etc/shadow >> password hashes, readable only by root
If the machine is stolen, every credential stored in clear text is compromised immediately; a hashed one still has to be cracked.

Passwords: central storage
The password crosses the network unencrypted with telnet, FTP, rlogin, ... (vsftpd!)
Challenge Handshake Authentication Protocol (CHAP): the server sends a random challenge and the client answers with an MD5 hash combining the id, the shared secret and the challenge; the secret itself never travels, and a captured response is useless against a fresh challenge. The price is that the server must keep the secret in a recoverable form.
http://docs.oracle.com/cd/E19683-01/817-0204/pppsvrconfig.reference-21/index.html
The administrator has to provide services for recovering passwords, changing them, and communicating changes.

Kerberos
Kerberos was developed at MIT.
"The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business."
http://web.mit.edu/kerberos/
http://www.kerberos.org/software/tutorial.html

Kerberos: aims
❖ The user's password must never travel over the network;
❖ The user's password must never be stored in any form on the client machine: it must be immediately discarded after being used;
❖ The user's password should never be stored in an unencrypted form even in the authentication server database;
❖ The user is asked to enter a password only once per work session. Therefore users can transparently access all the services they are authorized for without having to re-enter the password during this session. This characteristic is known as Single Sign-On;
❖ Authentication information management is centralized and resides on the authentication server. The application servers must not contain the authentication information for their users. This is essential for obtaining the following results:
  1. The administrator can disable the account of any user by acting in a single location without having to act on the several application servers providing the various services;
  2. When a user changes their password, it is changed for all services at the same time;
  3. There is no redundancy of authentication information which would otherwise have to be safeguarded in various places;
❖ Not only do the users have to demonstrate that they are who they say, but, when requested, the application servers must prove their authenticity to the client as well. This characteristic is known as Mutual authentication;
❖ Following the completion of authentication and authorization, the client and server must be able to establish an encrypted connection, if required. For this purpose, Kerberos provides support for the generation and exchange of an encryption key to be used to encrypt data.

One Time Password
Every authentication requires a new password:
• Time-based keys: {PIN + a code that changes every 60 s}
• Sequential keys: challenges answered from an MD5 or SHA-1 hash chain

Certificate-based communication: SSL/TLS
• The server authenticates itself to the client.

Authorization
❖ User rights or privileges (the right to do something) translate into permissions (rights over specific resources)
❖ Role-Based Authorization (RBAC): rights assigned to groups (roles), users assigned to roles
❖ Access Control Lists (ACLs): per-resource lists of who may do what

NIST
• SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication
• SP 800-63: Electronic Authentication Guideline
• SP 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
• SP 800-38C: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
• SP 800-25: Federal Agency Use of Public Key Technology for Digital Signatures and Authentication

ACL example: Transmission's settings.json limits which hosts may reach its RPC interface:
"rpc-whitelist": "127.0.0.1,192.168.*.*"

COBIT DS5.3:
• Ensure that all users and their activity on IT systems are uniquely identifiable.
• Enable user identities via authentication mechanisms.
• Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
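Worked example for the two "Passwords" slides (local storage and comparison; central storage with CHAP). This is an added example, not code from the slides: part (a) models /etc/shadow-style storage with a salted, slow hash (PBKDF2, a choice of this example) and a constant-time comparison; part (b) implements the CHAP response exactly as RFC 1994 defines it, MD5(Identifier || Secret || Challenge), with a one-shot challenge so that a captured response cannot be replayed. The names, secrets and round count are constructed for the demonstration.

```python
"""Password checking without a reusable cleartext on the wire. Added example
(not from the original slides): (a) /etc/shadow-style salted, slow hashing with
PBKDF2 and (b) a CHAP exchange (RFC 1994) with MD5. Note the trade-off: CHAP
keeps the secret off the wire, but the server must store it in clear.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000   # assumption: tune so one check costs ~100 ms on the server

# (a) Local storage and comparison: keep salt + hash, never the password.
def store_password(password, salt=None):
    """Return a shadow-like record 'pbkdf2_sha256$rounds$salt$hash' (hex fields)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())

def verify_password(record, password):
    algo, rounds, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    # constant-time compare so timing does not reveal how much of the hash matched
    return hmac.compare_digest(dk.hex(), hash_hex)

# (b) CHAP: Response = MD5(Identifier || Secret || Challenge), RFC 1994 section 2.
def chap_response(identifier, secret, challenge):
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets        # name -> cleartext secret: CHAP needs it in clear
        self.pending = {}             # identifier -> outstanding challenge

    def challenge(self):
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal

    def check(self, identifier, name, response):
        chal = self.pending.pop(identifier, None)   # single use: a replay finds nothing
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)

def chap_exchange(server, name, client_secret):
    """One full Challenge / Response / Success-or-Failure round."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, client_secret, chal)
    return server.check(identifier, name, response)

def chap_replay(server, name, client_secret):
    """A sniffed (identifier, response) pair is worthless once its challenge is consumed."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, client_secret, chal)
    return server.check(identifier, name, response), server.check(identifier, name, response)

def demo():
    record = store_password("correct horse")            # constructed sample credential
    srv = ChapServer({"alice": b"s3cret"})              # constructed sample secret
    return {
        "shadow_ok": verify_password(record, "correct horse"),
        "shadow_bad": verify_password(record, "wrong"),
        "chap_ok": chap_exchange(srv, "alice", b"s3cret"),
        "chap_bad": chap_exchange(srv, "alice", b"guess"),
        "chap_replay": chap_replay(srv, "alice", b"s3cret"),
    }
```

The two halves answer different threats. Salted slow hashing protects the stored credential when the machine (or its database dump) is stolen, but the password itself still crosses the wire and must be protected by the transport. CHAP protects the wire, but the server has to hold every secret in clear, so a compromise of the server's secrets file exposes them all; MD5 here is what the RFC specifies, not a recommendation for new designs.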
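Worked example for the "Kerberos: aims" list above. This is an added, deliberately simplified model of the three Kerberos exchanges (AS, TGS, AP); it is not MIT Kerberos and not code from the slides. It shows the properties the slide lists: the password is only used to derive a key that opens the AS reply and is then discarded, the ticket-granting ticket and service tickets are opaque to the client, the service never sees the user's key, one login serves several services, and the service proves itself back by returning the client's timestamp under the shared ticket key. The `seal`/`unseal` primitive is a stdlib-only toy (HMAC-SHA256 keystream plus HMAC tag) standing in for real Kerberos encryption types; realm, principal names, passwords, lifetimes and skew are constructed for the example.

```python
"""Toy Kerberos-style exchange (AS -> TGS -> AP). Added example, not MIT Kerberos:
'seal' is a stdlib-only toy AEAD (HMAC-SHA256 keystream + HMAC tag) standing in
for real Kerberos enctypes; names, lifetimes and skew are assumptions.
"""
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumption)
SKEW = 300            # accepted clock skew for authenticators (assumption)

def string_to_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def _stream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key; user keys are derived from passwords."""
    def __init__(self, realm, users, services):
        self.realm = realm
        self.keys = {u: string_to_key(pw, realm + u) for u, pw in users.items()}
        self.keys.update(services)                 # service keys: random bytes
        self.keys["krbtgt"] = os.urandom(32)

    def as_exchange(self, cname, nonce):
        """AS-REQ/AS-REP. No password is checked here: only the holder of cname's
        key can open the encrypted part, so a wrong password fails on the client."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session,
                                         "exp": time.time() + LIFETIME})
        return tgt, seal(self.keys[cname], {"key": session, "nonce": nonce})

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"] or t["exp"] < time.time() \
                or abs(auth["ts"] - time.time()) > SKEW:
            raise PermissionError("TGT rejected")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_key,
                                         "exp": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "sname": sname})

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ/AP-REP: check the ticket, then prove we hold its key (mutual auth)."""
        t = unseal(self.key, ticket)
        k = bytes.fromhex(t["key"])
        auth = unseal(k, authenticator)
        if auth["cname"] != t["cname"] or t["exp"] < time.time() \
                or abs(auth["ts"] - time.time()) > SKEW:
            raise PermissionError("service ticket rejected")
        return seal(k, {"ts": auth["ts"]})

class Client:
    def __init__(self, realm, name, kdc):
        self.realm, self.name, self.kdc = realm, name, kdc
        self.tgt = self.tgt_key = None

    def login(self, password):
        """Derive the key, open the AS-REP, then forget both password and key."""
        nonce = os.urandom(8).hex()
        self.tgt, enc = self.kdc.as_exchange(self.name, nonce)
        part = unseal(string_to_key(password, self.realm + self.name), enc)
        if part["nonce"] != nonce:
            raise ValueError("AS-REP does not match our request")
        self.tgt_key = bytes.fromhex(part["key"])

    def access(self, service):
        """Single sign-on: reuse the TGT, no password. True if the service proved itself."""
        auth = seal(self.tgt_key, {"cname": self.name, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        svc_key = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        ts = time.time()
        rep = service.ap_exchange(ticket, seal(svc_key, {"cname": self.name, "ts": ts}))
        return unseal(svc_key, rep)["ts"] == ts
```

One caveat worth noticing in `as_exchange`: as in Kerberos without pre-authentication, the KDC hands out the AS-REP to anyone who names a principal, so an attacker can collect replies and try passwords offline against the encrypted part. Real deployments require pre-authentication (an encrypted timestamp proving key possession before the reply is issued) for that reason.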
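Worked example for the "Authorization" slide (user rights, RBAC, ACLs). This is an added example, not code from the slides: roles carry permissions and may inherit other roles, resources carry access control lists in which an explicit deny overrides any allow, and a request must pass both layers. The roles, resources, users and ACL entries are constructed for the demonstration; the rule that both layers must agree is a design choice of this example, not a requirement of the slide.

```python
"""Authorization: rights -> permissions through roles (RBAC) and per-resource
ACLs with explicit deny. Added example, not from the slides; role names,
resources and rules are constructed for illustration.
"""
from dataclasses import dataclass

# RBAC: users hold roles, roles carry permissions and may inherit other roles.
ROLE_PERMS = {
    "employee": {"intranet:read"},
    "developer": {"repo:read", "repo:write"},
    "release_manager": {"repo:tag", "prod:deploy"},
    "auditor": {"logs:read"},
}
ROLE_PARENTS = {"developer": {"employee"}, "release_manager": {"developer"}}

def effective_roles(roles):
    """Expand inherited roles (release_manager -> developer -> employee)."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

def rbac_permissions(user_roles):
    """The user's rights: the union of permissions of all effective roles."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in effective_roles(user_roles)))

# ACL: per-resource entries; deny beats allow; no matching entry means deny.
@dataclass
class AclEntry:
    principal: str        # a user name, "role:<name>" or "*"
    action: str           # "read", "write", "deploy", ... or "*"
    allow: bool = True

def acl_matches(entry, user, roles, action):
    if entry.action not in ("*", action):
        return False
    if entry.principal == "*":
        return True
    if entry.principal.startswith("role:"):
        return entry.principal[len("role:"):] in roles
    return entry.principal == user

def acl_decide(acl, user, roles, action):
    matched = [e for e in acl if acl_matches(e, user, roles, action)]
    if any(not e.allow for e in matched):
        return False                      # explicit deny wins over any allow
    return any(e.allow for e in matched)  # nothing matched: deny by default

def authorize(user, user_roles, resource, action, acls):
    """Both layers must agree: the role grants the right in general, and the
    resource's ACL grants it on this particular object."""
    roles = effective_roles(user_roles)
    resource_type = resource.split("/")[0]
    if "%s:%s" % (resource_type, action) not in rbac_permissions(user_roles):
        return False
    return acl_decide(acls.get(resource, []), user, roles, action)

# Constructed sample ACLs keyed by resource.
ACLS = {
    "repo/payments": [AclEntry("role:developer", "read"),
                      AclEntry("role:developer", "write"),
                      AclEntry("mallory", "*", allow=False)],   # revoked developer
    "prod/api": [AclEntry("role:release_manager", "deploy")],
    "logs/audit": [AclEntry("role:auditor", "read")],
}
```

The role layer keeps administration manageable (a job change is one role assignment, as COBIT DS5.3 asks when it ties job requirements to identities), while the ACL layer lets a resource owner carve out exceptions such as the explicit deny on `mallory`. Resources without an ACL are unreachable, which is the safe failure mode when a new system is provisioned before its permissions are defined.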