
CNSS Security Model (Cont.) Most Challenging To Protect

The document discusses threats to data security and protection. It provides examples of how data can be protected when in transit, at rest, and in use. Specific threats mentioned include unauthorized data transmission, lack of encryption on movable storage devices, and accessing wireless networks that are accessible to outsiders. The document also discusses different categories of threats including intentional attacks, unintentional human errors, and natural disasters or equipment failures. Countermeasures like policies, training, encryption, and network access controls are presented.

Uploaded by

vodieu2909

CNSS Security Model (cont.)

[Figure; surviving label: "most challenging to protect"]


CNSS Security Model (cont.)
Example: Data Loss Prevention (DLP) System
Data Loss Prevention identifies, monitors, and protects data transfer through deep
content inspection and analysis of transaction parameters (source, destination,
data object, and protocol), with a centralized management framework. I.e., DLP
detects and prevents the unauthorized transmission of confidential information.

Protecting data-in-use is accomplished by protecting data-at-rest and data-in-transit!

[Figure labels: trusted environment (enterprise network); non-trusted environment; DLP System; no explicit protection of 'data in use']

https://sc1.checkpoint.com/documents/R77/CP_R77_DataLossPrevention_AdminGuide/62453.htm
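
As an added illustration (not from the original slides and not Check Point's code), this Python sketch combines deep content inspection of the data object with the transaction's destination to reach a verdict. The trusted range 10.0.0.0/8, the marker words, the verdict names and all function names are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Policy values below are assumptions for this sketch, not from the slides.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")   # the enterprise network
MARKERS = re.compile(r"\b(confidential|internal only)\b", re.I)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

@dataclass
class Transaction:
    source: str        # sender address
    destination: str   # receiver address
    protocol: str      # e.g. "smtp"; carried for the audit record only
    data_object: str   # text extracted from the payload

def luhn_ok(digits):
    """Luhn check, which separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect_content(text):
    """Deep content inspection: list the reasons the text is sensitive."""
    findings = []
    if MARKERS.search(text):
        findings.append("classification-marker")
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("payment-card-number")
            break
    return findings

def evaluate(tx):
    """Combine the content findings with the transaction parameters."""
    findings = inspect_content(tx.data_object)
    leaving = ipaddress.ip_address(tx.destination) not in TRUSTED_NET
    if findings and leaving:
        return "block", findings   # confidential data leaving the enterprise
    if findings:
        return "log", findings     # sensitive, but stays on the trusted side
    return "allow", findings

SAMPLE = Transaction("10.1.2.3", "203.0.113.7", "https", "card 4111 1111 1111 1111")  # constructed
```

Calling `evaluate(SAMPLE)` blocks the transfer, while the same digits sent to a 10.x address would only be logged.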
CNSS Security Model (cont.)
But, what if no part of the network/environment
is trusted?!
(e.g., in case of Cloud Computing)
CNSS Security Model (cont.)
Example: Data that needs protection in the Cloud
CNSS Security Model (cont.)
Example: Homomorphic Encryption

http://www.slideshare.net/NYTechCouncil/computing-on-encrypted-data
CNSS Security Model (cont.)
Example: Homomorphic Encryption (cont.)

http://www.slideshare.net/NYTechCouncil/computing-on-encrypted-data
CNSS Security Model (cont.)
Countermeasures/Safeguards
• Technology - software and hardware solutions (e.g., antivirus, firewalls, intrusion-detection systems, etc.)
• Policy and practices - administrative controls, such as management directives (e.g., acceptable use policies)
• People - aka awareness, training, education - ensure that users are aware of their roles & responsibilities
CNSS Security Model (cont.)
• Each of 27 cells in the cube represents an area that must be addressed to secure an information system
  - e.g., intersection between data integrity, storage and technology implies the need to use technology to protect data integrity of information while in storage
    - solution: new ‘file check sum’ is calculated every time a critical file is modified …

[Figure: cube with axis labels "Desired goals", "Measures", "Information states"]
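
One way to implement the 'file check sum' safeguard, as an added Python example that is not part of the original slides: a SHA-256 table is updated on each authorized modification, and an HMAC over the table makes changes to the table itself detectable. The key, the file name and all function names are assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def seal(sums, key):
    """HMAC over the whole checksum table, so the table is tamper-evident."""
    body = json.dumps(sums, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def record(sums, key, path):
    """Run after every authorized modification; returns the new seal."""
    sums[path] = file_digest(path)
    return seal(sums, key)

def verify(sums, key, tag):
    """Return {path: status} for each file that no longer matches."""
    if not hmac.compare_digest(tag, seal(sums, key)):
        raise ValueError("checksum table was altered")
    report = {}
    for path, expected in sums.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path) != expected:
            report[path] = "modified"
    return report

def demo():
    """Constructed scenario: two authorized edits, then an unrecorded one."""
    key, sums, results = b"demo-key", {}, []   # key handling is assumed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.cfg")  # constructed sample file
        for content, authorized in [(b"rate=1", True), (b"rate=2", True), (b"rate=9", False)]:
            with open(path, "wb") as f:
                f.write(content)
            if authorized:
                tag = record(sums, key, path)
            results.append(verify(sums, key, tag))
    return results
```

The first two checks in `demo()` come back clean because the checksum was recalculated after each authorized edit; the third reports the file as modified.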
CNSS Security Model (cont.)

Example: How to protect
- confidentiality of data
- while in transit (e.g., moved to/by USB)
- through education/awareness?
Scenario: An employee stores company
information on a personal USB drive, in
order to transfer it to another computer
(e.g., work from home)
Safeguard: Educate employees about
the importance of carefully handling data
and encrypting data before transferring it
to insecure ‘movable’ media – in case that
USB is infected or lost, encryption ensures
that data cannot be read
CNSS Security Model (cont.)

Are all 27 aspects of security worth investing into at every company?
CNSS Security Model (cont.)
Example: Protecting Confidentiality of Data Over
Wireless …

WiFi used in an area that is within outside reach.

WiFi used in an area that is NOT within outside reach.
Threats

• Security Threat – any action/inaction that could cause disclosure, alteration, loss, damage or unavailability of a company’s/individual’s assets
• Three main components of a security threat:
  - Target [asset with vulnerability]: organization’s asset that might be attacked
    - information (its confidentiality, integrity, availability), software, hardware, network service, system resource, etc.
  - Agent [may or may not be present]: people/organizations originating the threat – intentional or non-intentional
    - employees, ex-employees, hackers, commercial rivals, terrorists, …
  - Event: action that exploits target’s vulnerability
    - malicious / accidental destruction or alteration of information, misuse of authorized information, etc.
Threats (cont.)
Example: Threat in WiFi network

[Figure: threat diagram with the following labels]
- Asset with vulnerability: WiFi within outside reach
- Agent: competitor interested in seizing your data
- Event: competitor actually invests time & effort to capture data

NO EVENT ⇒ NO THREAT !!!


Threats (cont.)
Example: Threat without Agent

[Figure: threat diagram with the following labels]
- Asset with vulnerability: data on a server, not backed up!
- Event: flood or fire in the server room
Threats (cont.)
Example: outsider vs. insider, deliberate vs. accidental

[Figure: threat diagram with the following labels]
- Asset with vulnerability
- Agent: outsider or insider
- Event: deliberate or accidental

Example of insider agent: SysAdmin has added a new software to the system and has forgotten to change the password
Threats (cont.)
Example: attack definition

[Figure: threat diagram with the following labels]
- Asset with vulnerability
- Agent
- Event: deliberate

THREAT EVENT DELIBERATELY EXECUTED BY AGENT = ATTACK


Threats (cont.)
• Criteria for threat identification/prioritization:
  - asset identification
    - e.g. what are the company’s main assets: (a) web servers (e-commerce company), or (b) workstations (software company)?
  - conditions under which its key assets operate
    - e.g. are there any wireless links / access points?
  - organizational strategy regarding risk
    - e.g. cost/time of encrypting every file/email vs. worker’s productivity
Threat Events

• Main Groups of Threat Events:

[Figure labels: with human agent; ATTACKS; no human]
Threat Events (cont.)

• Categories of Threat Events:

Threat Events
- Unintentional
  - Not-involving Humans
  - Involving Humans
- Intentional Attacks (always involve humans)
  - Passive Attacks
  - Active Attacks
Threat Events (cont.)

• Top Threat-Driven Expenses (C-ACM study)

Rating of different threat events based on their frequency and significance.
Threat Events: Unintentional / No Human

• Hardware and Software Failures and Errors
  - cannot be fully controlled/prevented by the organization
  - best defence: keep up-to-date about latest hardware and software vulnerabilities

• Forces of Nature
  - fire, flood, earthquake, hurricane, tsunami, electrostatic discharge, dust contamination
  - cannot be predicted/prevented
  - organization must implement controls to limit damage as well as develop incident response plans and business continuity plans
Threat Events: Unintentional / Human
• Act of Human Error or Failure
  - organization’s own employees are one of its greatest threats
  - examples:
    - entry of erroneous data
    - accidental deletion or modification of data
    - failure to protect data
    - storing data in unprotected areas

Much of human error or failure can be prevented!

  - preventative measures:
    - training and ongoing awareness activities
    - enhanced control techniques:
      - require users to type a critical command twice
      - ask for verification of commands by a second party
Threat Events: Unintentional / Human (cont.)

• Deviations in Quality of Service
  - in organizations that rely on the Internet and Web, irregularities in available bandwidth can dramatically affect their operation
    - e.g. employees or customers cannot contact the system
  - possible ‘defence’: backup ISP


Threat Events: Intentional Attacks
• Passive Attack - attempts to learn or make use of info. from the system but does not affect system resources
  - compromises Confidentiality
  - generally hard to detect !!!
  - examples: release of message content and traffic sniffing
• Active Attack - attempts to alter system resources or affect their operation
  - compromises Integrity or Availability
  - examples: masquerade, data modification and DoS
Threat Events: Intentional Attacks (cont.)
• Compromise to Intellectual Property (IP)
  - IP = any intangible asset that consists of human knowledge & ideas – creations of the mind (copyright, patent, …)
  - any unauthorized use of IP constitutes a security threat
  - defense measures:
    - use of digital watermarks and embedded code

Example: Peter Morch story – compromise to IP by insider
In 2000, while still employed at Cisco Systems, Morch logged into a computer
belonging to another Cisco software engineer, and obtained (burned onto a CD)
proprietary information about an ongoing project.
Shortly after, Morch started working for Calix Networks – a potential competitor
with Cisco. He offered them Cisco’s information.
Morch was sentenced to 3 years’ probation.
Threat Events: Intentional Attacks (cont.)
• Deliberate Act of Info. Extortion / Blackmail
  - hacker or malicious insider steals information and demands compensation for its return
  - example:
    - theft of data files containing customer credit card information

• Deliberate Act of Sabotage or Vandalism
  - hacker or malicious insider destroys an asset in order to cause financial loss or damage the organization’s reputation
  - example:
    - hackers accessing a system and damaging or destroying critical data
Threat Events: Intentional Attacks (cont.)
Example: Two Kazakhstan employees story –
info. extortion by insider
In 2002, two employees in a company in Kazakhstan allegedly got
access to Bloomberg L.P. financial information database because their
company was an affiliate of Bloomberg.
They allegedly demanded $200,000 from Bloomberg to reveal how they
got access to the database.
Bloomberg opened an offshore account with $200,000 balance, and
invited the pair to London to personally meet with Michael Bloomberg.
The meeting was recorded. Soon after the two were arrested ....
In the end, there were sentences of 51 months in prison.
NOTE: finding a vulnerability and requiring payment to learn about it may
be considered extortion.
http://www.cybercrime.gov/zezevIndict.htm
Threat Events: Intentional Attacks (cont.)

Example: Maxus story – info. extortion by outsider
In 2000, a mysterious hacker identified as Maxus demanded $100,000 from
CDUniverse company in exchange for not releasing the names and credit card
numbers of over 350,000 customers he had obtained from the company
website.
After CDUniverse failed to pay him, Maxus decided to set up the site, titled
Maxus Credit Cards Datapipe, and to give away the stolen customer data. He
announced the site’s presence Dec. 25th on an Internet Relay Chat group
devoted to stolen credit cards.
Soon after launching his site, Maxus said it became so popular among credit
card thieves that he had to implement a cap to limit visitors to one stolen card at
a time.
The case remains unsolved, as Maxus moved online using stolen accounts and
relayed his emails through other sites to conceal the originating IP address …
www.nytimes.com/2000/01/10/business/thief-reveals-credit-card-data-when-web-extortion-plot-fails.html
www.cyberagecard.com/news/?page=2
Threat Events: Intentional Attacks (cont.)

Example: Patrick McKenna story – information vandalism by insider
In 2000, McKenna was fired by Bricsnet (software company).
As revenge, he remotely accessed his former employer’s computer server, and:
1) deleted approximately 675 computer files;
2) modified computer user access levels;
3) altered billing records;
4) sent emails, which appeared to have originated from an authorized representative of the victim company, to over 100 clients. The emails contained false statements about business activities of the company.
He was sentenced to 6 months in prison, followed by 2 years of supervised release. He was also ordered to pay $13,614.11 for the damages caused …

http://www.cybercrime.gov/McKennaSent.htm
Threat Events: Intentional Attacks (cont.)
• Deliberate Act of Trespass
  - unauthorized access to info. that an organization is trying to protect
    - low-tech e.g.: shoulder surfing
    - high-tech e.g.: hacking

[Figures: shoulder surfing; hacker profiles]


Threat Events: Intentional Attacks (cont.)
Example: Princeton vs. Yale – trespass by outsider
Yale University’s admissions office created a web-based system to enable
applicants to check the status of their application on-line. To access
the system, the applicants had to prove their identity by answering
questions regarding their name, birth date, SIN.
Many of these students also applied to other top universities.
At Princeton, Associate Dean and Director of Admissions - Stephen
LeMenager - knew that the private information that Yale used to control
access was also in the applications that candidates submitted to
Princeton. He used this information to log into the Yale system several
times as applicants.
When the word got out, he admitted doing the break-ins but said that he
was merely testing the security of the Yale system. Princeton put him on
administrative leave.
NOTE: The case emphasizes that information used to control access
must not be generally available …
Threat Events: Software Attacks
• Deliberate Software Attacks
  - a deliberate action aimed to violate / compromise a system’s security through the use of specialized software
  - types of attacks:
    a) Use of Malware
    b) Password Cracking
    c) DoS and DDoS
    d) Spoofing
    e) Sniffing
    f) Man-in-the-Middle
    g) Phishing
    h) Pharming
