Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Introduction to Info Security'

Introduction to Information Security

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 2 February 2001

© Xamax Consultancy Pty Ltd, 2001

This document is at http://www.rogerclarke.com/EC/IntroSecy.html


Contents


1. Introduction

Security has long been viewed by information systems professionals as being vital. Computing facilities and the information systems they support have become increasingly accessible as a result of the explosion of the open, public Internet since about 1993. A great deal of public attention is now being focussed on the topic. Regrettably late, even corporate executives are getting the message.

The demand for security safeguards has long been dominated by the military. As a result, the orientation is rather different from what corporations, government agencies and the public really need. Meanwhile, the supply of security safeguards has been dominated by computing and communications specialists. As a result, the language used is arcane.

There is a serious shortage of straightforward introductions to the topic of security in the context of information systems and the inter-connected computing facilities that support them. This document sets out to provide such an outline. Feedback is actively sought, especially criticisms and suggestions for improvement.

My intention has been to deliver a lead-in and overview for relative newcomers to the topic, and a summary and review for those who know a bit about it. This paper simply is not a substitute for deeper study through text-books, peer-reviewed articles and standards documents. For those, see the substantial bibliography.

A word of warning about the writing style. I've been in the I.T. industry for 30 years, and much of this material has been drawn from previous reports. So for some readers it may still be too jargon-ridden; whereas a person steeped in the lore of Internet cracking may find it old-fashioned and probably too shallow. Sorry, but you gets what you pays for.


2. The Nature of Security

This first section considers security in general. It is applicable to the security of people, buildings, the contents of buildings, organisations, and even nations, as well as information.

Security is used in at least two senses:

Threatening events can be analysed into the following kinds:

Threatening events may give rise to harm. The generic categories of harm are as follows:

A legal framework exists within which determinations can be made about the responsibility for security, and for reparation or compensation for harm. This comprises a wide range of heads of law, including contract, negligence and product liability.

Appendix 1 contains a glossary of security terms. The terminology and definitions provided there differ somewhat from those commonly used in military circles (in that they are less oriented toward intentional threats), and from those common in computing and communications (in that they extend beyond the boundaries of technical systems).


3. The Nature of Information Security

The focus of this document is on the security of information. The scope is not limited to information systems internal to organisations. Local area networks linked the computing islands within organisations as far back as the mid-1980s. Inter-connection between organisations over wide-area networks was mainstream by the late 1980s. Widespread inter-connection via the open public Internet has exploded since about 1992. (On the subject of supra-organisational systems generally, see Clarke 2001). The scope of this paper therefore extends to security against threatening events that occur outside the organisation and involve electronic communications.

A mainstream definition of information security is provided by the Australian Defence Signals Directorate (DSD). DSD defines information security as the combination of communications security, computer security and radiation security (i.e. emissions from devices such as monitors and printers, also known as TEMPEST). This usage is fairly consistent with authorities and standards such as TCSEC (1985), ITSEC (1991), Guttman & Roback (1995), GMITS (1996-2000), AS/NZS 3931 (1998), CCIB (1998), BS 7799 (1999), TPEP (1999), AS/NZS 4444 (1999/2000)

Many of these standards and guidelines concentrate on technical aspects of information systems. A great many of the threats to information arise outside the technical aspects of information systems, however, and hence the scope needs to be defined broadly enough to expressly and meaningfully encompass the whole of an information system. This includes organisational and individual behaviour, and manual aspects of the overall system, as well as aspects of the system supported by computing and communications facilities.

For an information system to be secure, it must have a number of properties:

There is a strong tendency in the information systems security literature to focus on the security of data communications. But security is important throughout the information life-cycle, i.e. during the collection, storage, processing, use and disclosure phases, as well as transmission. Each of the properties of a secure system identified above needs to be applied to all of the information life-cycle phases.


4. Information Security Architecture

There are many elements in a security strategy. To ensure orderliness and integration among them, a framework or architecture is needed.

A comprehensive security strategy comprises a suite of inter-related safeguards structured in a hierarchical fashion, as follows, and as depicted in Exhibit 1:

It is important to apply the longstanding military principle of 'defence-in-depth'. This asserts that a security architecture has to be devised such that any threatening event must break through successive layers of safeguards before it causes harm. A more recent expression of the principle is that there must be many onion-layers that have to be peeled back before serious damage is suffered.

Exhibit 1: Information Security Architecture


5. The Information Security Process

The process whereby information security is assured comprises a series of phases, expressed below and depicted in Exhibit 2. References include ACSI 33 (1998), AS/NZS 4360 (1999), BS 7799 (1999) and AS/NZS 4444 (1999).

Exhibit 2: The Information Security Process


(1) Scope Definition

A Security Strategy and Plan needs to be sculpted to the context. The first step in the process is the definition of its scope, with reference to the following:

It is highly desirable that the scope definition be formalised, and that relevant executives be exposed to it, and commit to it. It then sets the framework within which the subsequent phases unfold.


(2) Threat Assessment

A stocktake needs to be undertaken of the information and processes involved, their sensitivity from the perspectives of the various stakeholders, and their attractiveness to other parties. This needs to be followed by analysis of the nature, source and situation of threats.

The nature of threats are of a variety of kinds, including access to data by unauthorised persons, disclosure of it to others, its alteration, and its destruction.

The sources of the threats include several categories of entities:

Categorisations of intentional threats to facilities are to be found in Neumann (1995, reproduced in Appendix 3), and Anderson 2001.

The situations of the threats include several categories of locations:


(3) Vulnerability Assessment

The existence of a threat does not necessarily mean that harm will arise. For example, it is not enough for there to be lightning in the vicinity. The lightning has to actually strike something that is relevant to the system. Further, there has to be some susceptibility within the system, such that the lightning strike can actually cause harm. The purpose of the Vulnerability Assessment is to identify all such susceptibilities to the identified threats, and the nature of the harm that could arise from them.

It is common for vulnerabilities to be countered by safeguards. For example, safeguards against lightning strikes on a facility include lightning rods on the building in which it is housed. Safeguards may also exist against threatening events occurring in situations remote to the system in question. For example, a lightning strike on a nearby electricity substation may result in a power surge, or a power outage in the local facility. This may be safeguarded against by means of a surge protector and an Uninterruptable Power Supply (UPS).

Every safeguard creates a further round of vulnerabilities, including susceptibilities to threats that may not have been previously considered. For example, a UPS may fail because the batteries have gone flat and not been subjected to regular inspections, or because its operation is in fact dependent on the mains supply not failing too quickly, and has never been tested in such a way that that susceptibility has become evident.


(4) Risk Assessment

The term 'risk' is used in many different senses (including as a synonym for what was called above 'threat', and 'harm', and even 'vulnerability'!). But when security specialists use the word 'risk', they have a very specific meaning for it: a measure of the likelihood of harm arising from a threat.

Risk assessment builds on the preceding analyses of threats and vulnerabilities, by considering the likelihood of threatening events occurring and impinging on a vulnerability. More detailed discussion is to be found in AS/NZS 4360 (1999).

In most business contexts, the risk of each particular harmful outcome is not all that high. The costs of risk mitigation, on the other hand, may be very high. Examples of the kinds of costs involved include:

Risks have varying degrees of likelihood, have varying impacts if they do happen, and it costs varying amounts of time and money in order to establish safeguards against the threatening events or against the harm arising from a threatening event.

The concept of `absolute security' is a chimera; it is of the nature of security that risks have to be managed. It is therefore necessary to weigh up the threats, the risks, the harm arising, and the cost of safeguards. A balance must be found between predictable costs and uncertain benefits, in order to select a set of measures appropriate to the need.

The aim of risk assessment is therefore to determine the extent to which expenditure on safeguards is warranted in order to provide an appropriate level of protection against the identified threats.


(5) Risk Management Strategy and Security Plan

A range of alternative approaches can be adopted to each threat. These comprise:

Devising a risk management strategy involves the following:


(6) Security Plan Implementation

The process of implementing the Security Plan must be subjected to strong project management. Policies need to be expressed and communicated. Manual procedures need to be variously modified and created, in order to comply with the strategy and policy. Safeguards need to be constructed, tested and cutover.

Critically, implementation of a Security Plan also requires the development of awareness among staff, education in the generalities, and training in the specifics of the attitudes and actions required of them. This commonly involves a change in organisational culture, which must be achieved, and then sustained.


(7) Security Audit

No strategy is complete without a mechanism whereby review is precipitated periodically, the need for adaptation detected, and appropriate actions taken.

To be effective, audit must be comprehensive, rather than being limited to specific aspects of security; and it must follow through the entire organisation and its activities rather than being restricted to examinations of technical safeguards. Needless to say, this is heavily dependent on real commitment to the security strategy by executives and managers.


6. Information Security Tools, Standards and Protocols

A range of tools have been devised to assist in information security. In some cases, they are general-purpose safeguards, intended to be implemented by multiple organisations in order to provide protections against particular kinds of threats. In other cases, they are tool-kits rather than tools, devised as means whereby specific-purpose safeguards can be conveniently developed.

Examples of tools include:

Particularly in contexts in which interaction between networks is involved, commonality is important. Standards have been negotiated and published, and some categories of tools need to be compliant with them. In the area of electronic communications, standards are expressed in the form of protocols which connected devices need to comply with.

Examples of security standards and protocols include:

In an increasingly mature marketplace, a significant proportion of a Security Plan comprises the selection of tools that are compliant with relevant standards and protocols, and the specification of ways in which their potentials are to be applied in order to achieve safeguards desired in the particular context.


7. Conclusions

Information security is important, challenging, and multi-faceted. It involves organisational safeguards as well as technical safeguards. It cannot be approached using naive military ideas about 'absolute security'. Instead a 'risk-managed' approach has to be adopted, and costs and inconvenience traded-off against security. And it requires vigilance, because security schemes suffer from entropy, i.e. they run down very quickly unless they are maintained.


Appendix 1: Glossary of Security Terms

Security
A condition in which an Entity does not suffer Harm from Threatening Events
Threat
A circumstance that could result in Harm to the Entity, e.g. earthquake, electricity failure, vandalism, malware, software bug. A Threat may be natural, accidental or intentional
Threatening Event
An actual occurrence of a Threat
Harm
Anything that has deleterious consequences for the Entity, and includes injury to persons, damage to property, loss of value of an asset, and loss of reputation and confidence
Safeguard
A measure that:
- prevents a Threatening Event causing Harm to the Entity;
- mitigates the Harm caused by a Threatening Event; or
- enables detection and/or investigation of a Threatening Event
Vulnerability
The susceptibility of an Entity to a Threat, in the form of a weakness that may permit a Threatening Event to give rise to Harm. Safeguards are intended to reduce Vulnerablities. However, they may also increase them, and they may create new Vulnerabilities
Risk
A measure of the likelihood of Harm arising from a Threat
Threat Analysis or Threat Assessment
A process to identify and examine the nature and implications of Threats to an Entity
Risk Analysis or Risk Assessment
A process to determine the extent to which expenditure on Safeguards is warranted in order to protect against the identified Threats
Security Strategy or Risk Strategy
A statement of the approaches adopted to Threats, including the Safeguards implemented, and the reasoning underlying the choices made
Security Plan
A plan to implement Safeguards, to monitor Threats, Vulnerabilities and Safeguards, to respond to Threatening Events, and to progressively adapt Risk Strategy to reflect new information

Appendix 2: Checklist of Stakeholders and Proxies

Stakeholders
Proxies
employees
unions, and regulators
management and executives
volunteers
investors
investor associations, and regulators
funding providers
insurers
insurance associations
customers
industry associations
suppliers
industry associations
the public as consumers
consumer representative associations, consumer advocates, regulators
the public as residents
environmental associations, environmental advocates, local and regional governments, and regulators
the public as citizens
public interest associations and advocates (e.g. privacy, civil liberties), elected representatives, and regulators
the physically disadvantaged
associations, advocates
the economically disadvantaged
welfare associations, welfare advocates
the aged
associations, advocates
politicians
researchers
historians
students
educators

Appendix 3: Categories of Computer Misuse

From Neumann (1995, p.102):

External

Hardware Misuse

Masquerading

Pest Programs

Bypasses

Active Misuse

Passive Misuse

Inactive Misuse

Indirect Misuse


Appendix 4: Conventional Categories of Security Safeguard

Security measures can be usefully categorised into the following categories:

Physical security for sites, equipment, data, software and documentation includes:

Logical security for computer processes includes:

Logical security for data, software and documentation includes:

Network security includes:

Organisational measures relevant to application development staff include:

Organisational measures relevant to technical operations staff include:

Organisational measures relevant to all staff, including users, include:

Legal measures include:



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 23 January 2001 - Last Amended: 2 February 2001 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/IntroSecy.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy