Got Security? Information Assurance Considerations for Your Research, Course Projects, and Everyday Life James Cannady, Ph.D. Assistant Professor

Page 1: Got Security? Information Assurance Considerations for Your Research, Course Projects, and Everyday Life

James Cannady, Ph.D.
Assistant Professor

Page 2: Information Security

• Those measures, procedures, or controls which provide an acceptable degree of safety of information resources from accidental or unauthorized intentional disclosure, modification, or destruction.
• Based on the assumption that others either want your data or want to prevent you from having it.
• Insecurity is the result of flaws, improper configurations, errors and bad design.
• Patches and security add-ons merely address the symptoms, not the cause.

Page 3: Information Security Problem

• A large, rapidly growing international issue
• Key to growth of digital environments
• Critical infrastructure at risk
• True magnitude of the problem unknown

Page 4: Why bother with Information Security?

• Some of our information needs to be protected against unauthorized disclosure for legal and competitive reasons
• All of the information we store and refer to must be protected against accidental or deliberate modification
• Information must be available in a timely fashion
• We must also establish and maintain the authenticity (correct attribution) of documents we create, send and receive
• If poor security practices allow damage to our systems, we may be subject to criminal or civil legal proceedings
• Good security can be seen as part of the market development strategy

Page 5: The Changing Security Environment

• The landscape for information security is changing:
– From closed systems and networks to Internet connectivity
– From manual to automated processes
– Increased emphasis of information security as core/critical requirement

Page 6: Evidence

• 90%: businesses detected computer security breaches within the last twelve months
• 70%: reported a variety of serious computer security breaches (e.g., theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks)
• 74%: acknowledged financial losses due to computer breaches
• 19%: reported ten or more incidents

Source: Computer Security Institute 2000 Computer Crime and Security Survey

Page 7: The Four Big Issues

• Authentication: Validation of transmissions, messages, and users
• Confidentiality: Assurance that information is not disclosed to unauthorized entities or processes
• Integrity: Assurance that information is not modified by unauthorized entities or processes
• Reliability & Availability: Assurance that information systems will function when required

Specific Security Issues & Solutions

Page 8: Authentication

Validation of transmissions, messages, and users

• IP Spoofing:
– Filtering routers
• Fake Web Sites:
– Web Site Certification
– DNS certification
• Unauthorized Users:
– IP authentication
– Identification devices
– Intrusion Detection Systems

Page 9: Confidentiality

Assurance that information is not disclosed to unauthorized entities or processes

• Sniffing:
– Encryption
– Intrusion Detection
• Unauthorized File Access:
– Firewalls
– Intrusion Detection Systems

Page 10: Integrity

Assurance that data or processes have not been altered or corrupted by chance or by malice

• Corrupted Web Sites:
– Web Site Certification
– Intrusion Detection
• Corrupted Data Bases:
– Encryption
– Intrusion Detection

Page 11: Reliability & Availability

Assurance that information systems will function when required

• Denial of Service Attacks (e.g. SYN flooding):
– Bandwidth
– Attack Detection
– Redundancy

Page 12: The Threat Environment

• Information technology is more vulnerable than ever:
– Open
– Distributed
– Complex
– Highly Dynamic
• Attacks are becoming more sophisticated
• Tools to exploit system vulnerabilities are readily available and require minimal expertise

Page 13: Typical Threats

• Eavesdropping and “sniffing”
• System Penetration
• Authorization Violation
• Spoofing/Masquerading
• Tampering
• Repudiation
• Trojan Horse
• Denial of Service

Page 14: Common Security Mechanisms

• Obscurity
• Firewalls
• Intrusion Detection
• Vulnerability/Security Assessment Tools
• Virus Detection
• Host Security
• Authentication Systems
• Cryptography

Page 15: InfoSec Hard Problems

• 1999 INFOSEC Research Council
• Defines nine particularly difficult security problems impacting all aspects of IT.

Page 16: InfoSec Hard Problems

1. Intrusion Detection
– The timely and accurate detection of network attacks
– Extremely important
– No shortage of COTS
– Limited effectiveness and reliability

Page 17: InfoSec Hard Problems

2. Intrusion Response
– What do you do after an attack is detected?
– What do you do when you’re wrong?

Page 18: InfoSec Hard Problems

3. Malicious Code Detection
– Trojan horses, “dead” code, etc.
– Example: Windows 98

Page 19: InfoSec Hard Problems

4. Controlled Sharing of Sensitive Information
– Sharing information from a variety of sources to different recipients.
– Classified information in an Open Environment

Page 20: InfoSec Hard Problems

5. Application Security
– How do the applications enforce their own requirements?
– How does it affect the rest of the network?

Page 21: InfoSec Hard Problems

6. Denial of Service
– Simple and effective
– “Unfortunately there is currently no method available of identifying and responding to a denial of service attack in an efficient and autonomous manner” (National Research Council, 1998).

Page 22: InfoSec Hard Problems

7. Communications Security
– Protecting information in transit from unauthorized disclosure, and providing support for anonymity in networked environments.

Page 23: InfoSec Hard Problems

8. Security Management Infrastructure
– Providing tools and techniques for managing the security services in very large networks that are subject to hostile attack.

Page 24: InfoSec Hard Problems

9. Information Security for Mobile Warfare
– Developing information security techniques and systems that are responsive to the special needs of mobile tactical environments.
– Wireless security

Page 25: Advantages of InfoSec Research

• Important problem
– Touches all aspects of IT
• Little research has been done
– Large variety of potential dissertation topics
– Can be incorporated into other IT topics
• Opportunities for publications
– Growing number of publications
– Can add InfoSec to a more traditional topic to increase opportunities
• Huge job market for those with experience
– Job openings for network security professionals have increased 200 percent in the past six months

Page 26: In Review

• Security is a complex and growing area of information technology
• There are numerous opportunities for InfoSec research
• Demonstrated security experience can be a key discriminator in any IT career

Page 27: Ongoing Research at NSU

• Benedict Eu – Dynamic Computer Defense in Depth
• Dennis Bauer – Intrusion detection using evolution strategies
• Jim Dollens – Intrusion detection using computer system DNA
• Al Fundaburk – Developing an information security curriculum

Page 28: Questions?

Dr. James Cannady
[email protected]

(954) 262-2085

http://scis.nova.edu/~cannady