Information Security: The Big Picture - SANS GIAC © 2000

Information Security: The Big Picture – Part I
Stephen Fried

Hello, and welcome to Information Security: The Big Picture. My name is Stephen Fried, and over the course of the next six hours I will be guiding you on a tour of the world of information security. This course provides an introduction into the area of computer and network security. As more and more people and companies connect to the Internet, the incidence of hacker attacks, break-ins, and vandalism continues to increase. With this comes an increasing need for trained professionals to understand and combat this growing threat. This course will teach you the basics you need to begin securing your systems against threats from both inside and outside your organization.

The course takes a high-level approach, touching on many different topics in an overview style. The information here is presented in plain English, not technical jargon, so students from all backgrounds can understand the material and begin to apply the concepts immediately. Technical concepts (e.g. communications technology, networking, protocols) are explained thoroughly in an easy-to-understand manner, allowing even non-technical students to understand these areas. We rely heavily on real-world examples and common-sense descriptions, enabling students to take their own “real world” experiences and apply them to the information security arena. So, without further ado, let’s get started.
Preface
• Course is designed to give a broad introduction to information security
• Use of real-world analogies to explain security concepts
• Will not go into too much technical depth
• Some technical descriptions may be oversimplified
• Use of sample data – not “real”

As stated before, this course is designed to give the student an introduction to the broad spectrum of topics that are covered under the umbrella of Information Security. To completely and thoroughly discuss all the possible topics that could be housed under that term would really take several weeks of in-depth study. Unfortunately, we only have six hours, so we are going to take a more practical approach. We will touch on a variety of areas, giving explanations of each and diving into a few in more detail, but we will refrain from diving too deep into any one topic.

As much as possible, I will try to use real-world examples to illustrate different terms and concepts. I have found, over the years, that many issues in information security are really the same ones that arise in our everyday lives. By applying those experiences to this new area, I hope to better explain the terms, concepts, and topics we will be discussing.

This course does not go into a great deal of technical detail. It is designed for people who do not necessarily have a technical background but need to know more about security. We won’t be discussing much about bit patterns or dissecting the mathematical algorithms used in cryptography, and we’ll stay pretty clear of discussion or dissection of hardware and software. That is not to say that the course does not have technical content; it’s just that I’ve tried to limit it as much as possible. Which brings me to my next point. Some of the topics we cover are, in actuality, highly technical, and to completely understand them does take a certain amount of technical explanation.
So, in order to allow non-geek regular folks to understand and enjoy the topics, I have had to simplify some of the more esoteric technical details.

Fear Gets Lost In The Big Picture
By: Joe Tye

Paul’s image slammed on the brakes and cursed at the old man who had cut him off. It was their third close call since leaving the school. “You know,” Rafe chirped, “if this is the way you always drive, you’re a lot luckier than I gave you credit for.” “Very funny. I may be afraid of losing my school, and I may be afraid of rich people, but at least when I get behind the wheel of a car, I’m a man above fear.” “There are times, my friend, when a little fear is a good thing,” Rafe replied with a laugh. “In fact a little fear can be quite a positive thing if it helps you see the big picture. Come on, let’s go for a walk.” “Right now? We can’t go for a walk! We’re headed for the bank.” “Oh, no problem.” Rafe pulled the watch out of his pocket and pushed a button; instantly everything froze in place. Rafe stepped out, motioning Paul to follow him through the door.

AS LONG AS YOU’RE STILL BREATHING, YOU HAVEN’T LOST EVERYTHING

They walked down a narrow alley. Paul was fascinated that even though time had stopped, he could still smell the garbage. Halfway down the alley Rafe stopped and looked at a man sleeping under a makeshift blanket of newspapers. An empty booze bottle protruded from a brown bag near his head. “Is this what you mean by losing everything?” Rafe asked. “Close enough!” “Okay, take a look.” An image appeared on the brick wall in front of them, as though a rear-screen projection television had been installed there. Two men were standing on a stage; one was giving the other a large plaque and speaking. “Jack O’Mara was down, but he never let himself get counted out. He pulled himself out of the gutter, and somehow God gave him the courage to quit drinking. And now not a day goes by that Jack isn’t out there in
the streets helping others who are down, showing them how to get back up. Let’s give a big hand.” As the picture faded out, Paul saw tears tracking the deep wrinkles of Jack’s ruddy cheeks. He looked down at the younger man on the ground, who appeared so much older than he would in the future. Rafe stooped to place another layer of newspaper over Jack’s shoulders. “I guess as long as you’re still breathing, you haven’t lost everything.” They walked on through the alley and across the street. An old man and a young boy were sitting together at the bus stop. “Come on,” Rafe motioned, “let’s go listen in for a minute.” The little boy was talking: “Everybody says you used to be rich. Were you really?” The old man laughed indulgently. “If you mean did I have a lot of money, yes, I used to be rich. I had a big car, and a man to drive it, and in the morning people would say ‘good-day’ real polite because they were all so scared of me.” The man looked at the little boy and winked. “Oh, I was pretty tough in those days. Used to yell and scream a lot, and treated some people pretty bad. But I made a lot of money.” “Wow!” The little boy’s eyes were big and greedy. “What happened?” The old man frowned and shook his head. “Well, it just sort of all fell apart. There were lots of reasons, but mostly I just got tired. The business went downhill faster than I could catch it.” The little boy narrowed his gaze. “You must really be sad now, huh?” The old man laughed. “This morning I’m sitting here with a delightful young man. Then I’ll go read at the library for a while, and feed the squirrels in the park. When I get back home, the wonderful woman who put up with me for so many years will have soup on the stove, and she’ll jump when I pinch her bottom like she didn’t know it was coming, even though I’ve done it every day for forty-six years.” The little boy blushed and looked away, and the old man tousled his hair. “No, I reckon I’m not sad.” Rafe froze the scene again and they walked back toward the car.
Paul was getting used to Rafe’s hand on his shoulder. Rafe gave him a gentle shove and said, “I guess you don’t really mean you could lose everything, you?” “I know,” Paul muttered, “keep your perspective. There are still children starving in India even though I cleaned my plate all those years. But it’s easy enough for you to pick out those happy endings. What about all the endings that aren’t so happy?”

Information Security: The Big Picture – Part II
Stephen Fried

International Standards & Policies
• Trusted Computer System Evaluation Criteria (TCSEC – Orange Book) (1985)
• Trusted Network Interpretation (TNI) (1987)
• ITSEC

In most industries there is a common set of rules and procedures that govern that industry. The rules may be imposed by the industry itself or they may be imposed by governmental and legal requirements. Examples of such standards in the US would be the Uniform Commercial Code that governs commercial transactions across the United States, or various national and local building codes that govern how structures are to be built. Many attempts have been made to standardize the practices and policies across the security industry as well. Unfortunately, because the information security field has been constantly evolving over the last several decades, there has been no unified consensus on what constitutes good security practice, how those practices should be defined, and how security should be measured. However, over the years several attempts have stood out as having considerable merit and weight, and thus have risen to the level of standards. In some areas, such as government computer security, these standards are mandatory. A side effect of these has been that private industry has picked up on them as well.
One of the first standard attempts was the Trusted Computer System Evaluation Criteria, or TCSEC. It is also known as the Orange Book, because of the bright orange cover in its original printing. The TCSEC was developed by the US government in the 1980s to provide a standard for manufacturers as to what security features to build into new government systems. It was also used as evaluation criteria for the government to determine the degree of trust that can be placed in a computer system. The TCSEC divided security into four levels, labeled A through D. Some of the levels had several different sub-levels, so the highest rating a system could achieve was A1, while the lowest was level D. Despite several problems with certifying and implementing the requirements in systems that were actually usable, the TCSEC served its intended purpose for many years.

One shortcoming of the TCSEC was that it was valid only for stand-alone computers. If a computer was connected to a network it was no longer eligible for TCSEC evaluation. Thus, in 1987 the US Government developed the Trusted Network Interpretation to the TCSEC, or TNI. The purpose of the TNI was to provide interpretations of the TCSEC for trusted computer and communication network systems.

One aspect of the TCSEC that gained wide criticism was that it addressed primarily confidentiality issues and largely ignored integrity and availability issues. In addition, the TCSEC was a US government effort. Many countries, particularly in Europe, felt it did not address international issues. As a result, several European countries developed the International Technology Security Evaluation Criteria, or ITSEC. The ITSEC combined the Orange Book criteria with several of its European counterparts. In addition, it covered the integrity and availability issues that the TCSEC lacked.
International Standards & Policies
• Common Criteria
• BS7799

The Common Criteria represents the outcome of international efforts to align

Information Security: The Big Picture – Part III
Stephen Fried

IP – The Internet Protocol
• Deals with transmission of packets between end points
• The fundamental protocol of the Internet

The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified.

Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order they were sent in. The Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order. IP is a connectionless protocol, which means that there is no established connection between the end points that are communicating.
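As an added illustration (not part of the course material, and not real networking code), the following toy Python simulation models the division of labour described here and in the TCP section that follows: a connectionless network that delivers each segment independently, reordering and dropping some, and a receiver that restores the original order from sequence numbers and returns cumulative acknowledgements so the sender knows what to retransmit. The names Segment, Receiver, unreliable_network and transfer are invented for this example, and acknowledgements are assumed to travel back without loss.

```python
"""Toy model of the IP/TCP split: IP-like delivery is independent per
segment and may reorder or drop; TCP-like logic restores order with
sequence numbers, cumulative ACKs and retransmission.  Added example,
not real protocol code; all names here are invented for illustration."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of the first payload byte within the message
    payload: bytes


def segment(message: bytes, size: int) -> list[Segment]:
    """Split a message into fixed-size segments stamped with their offset."""
    return [Segment(off, message[off:off + size])
            for off in range(0, len(message), size)]


def unreliable_network(segments, rng, loss):
    """Connectionless delivery: each segment is an independent unit, so the
    network may drop any of them and deliver the rest in any order."""
    delivered = [s for s in segments if rng.random() >= loss]
    rng.shuffle(delivered)
    return delivered


class Receiver:
    """Reassembles the stream.  `expected` is the next in-order offset; data
    beyond it is buffered until the gap in front of it is filled."""
    def __init__(self):
        self.expected = 0
        self.buffer = {}
        self.data = bytearray()

    def accept(self, seg: Segment) -> int:
        if seg.seq >= self.expected:          # ignore duplicates of delivered data
            self.buffer.setdefault(seg.seq, seg.payload)
        # Hand over every segment that is now contiguous with what we have.
        while self.expected in self.buffer:
            payload = self.buffer.pop(self.expected)
            self.data += payload
            self.expected += len(payload)
        return self.expected   # cumulative ACK: "everything before this arrived"


def transfer(message: bytes, size: int = 4, loss: float = 0.2,
             seed: int = 1, max_rounds: int = 50):
    """Sender loop.  Returns (received bytes, rounds used, segments resent)."""
    rng = random.Random(seed)
    receiver = Receiver()
    outstanding = segment(message, size)      # not yet acknowledged
    rounds = retransmits = 0
    while outstanding and rounds < max_rounds:
        rounds += 1
        ack = receiver.expected
        for seg in unreliable_network(outstanding, rng, loss):
            ack = receiver.accept(seg)
        # Without selective ACKs the sender resends everything the cumulative
        # ACK does not cover, even segments the receiver already buffered.
        outstanding = [s for s in outstanding if s.seq >= ack]
        retransmits += len(outstanding)
    return bytes(receiver.data), rounds, retransmits


if __name__ == "__main__":
    MSG = b"the quick brown fox jumps over the lazy dog"   # constructed sample
    data, rounds, resent = transfer(MSG)
    print(data == MSG, rounds, resent)
```

Setting `loss=0.0` shows the no-loss case completing in a single round with zero retransmissions even though the network still shuffles the segments.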
Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets.

TCP – The Transmission Control Protocol
• Connection-oriented communications
• Ensures reliable packet delivery
• Overhead can be “expensive”

The Transmission Control Protocol, or TCP, is called a connection-oriented protocol. That is because it is primarily concerned with establishing connections between two computers and making sure that all communications on that connection are orderly and complete. TCP works in combination with the Internet Protocol, a combination usually referred to as TCP/IP. The IP layer provides the packet delivery service and the TCP layer provides the packaging and sequencing of the packets. TCP works by giving each packet a sequence number. When a packet is sent to a destination, the sending computer waits for an acknowledgement from the destination that the packet was received. The receiver will send the acknowledgement if it receives the packet and it was not damaged during the transmission. If the sender does not receive the

From the Latin revisere, meaning to visit or look at again, revision is the most general re-examination of your essay. But it can also seem like the most overwhelming; it’s harder to step back and look at your entire essay with fresh eyes and ears than it is to correct spelling and punctuation errors.
But this is a critical step in which you make sure you have achieved your goal, and see if any sections of the essay need improving. Revision takes place on a couple of levels: the “big picture” or essay level, and the paragraph level. It makes sense to look at your writing on these levels first, before jumping into editing or proofreading. Think of it this way: Why take the time to correct grammatical errors and reword sentences if you might delete those sentences later in the revision process?

Re-visioning

You can look at your essay with “fresh eyes” in two ways—literally, by giving your work to a trusted reader for feedback, and figuratively, by examining your own work as if you’ve never seen it before.

LESSON 14: Revising: The Big Picture

LESSON SUMMARY
This is the first of two lessons dealing with the revision process. It shows you how to revise for three important “big picture” issues: fulfilling the assignment, stating a clear thesis, and providing strong support.

If you think professional writers work alone, think again. They know how important it is to get feedback before they send their work to the publisher—it’s not uncommon for them to share their work with a number of trusted readers first. That strategy is important for your essays, too. Readers can help you pinpoint the strengths and weaknesses of your writing. They can tell you what works well, and what doesn’t; what comes across clearly to them, and what confuses them. When you share your writing with people you trust to give you honest feedback, ask them:
■ What do you like about my essay?
■ Is there anything that seems confusing or unclear?
■ What do you think my purpose was in writing this essay?
■ Is there anything you need to know more about, or that needs more explanation?
■ What do you think I could do to improve this essay?

These questions can also work when you direct them to yourself. But before you reread for revising, take a break.
The best revisions take place a day or two after you’ve completed your draft. That time lets you approach your work with the “fresh eyes” we mentioned earlier in this lesson. Try reading your essay aloud. Read as if you are presenting it to an audience, and listen to your words. This technique can help you find places where your wording sounds awkward, or where your sentences are confusing or too long. You can also hear where your writing simply doesn’t convey what you intended it to. Mark those areas that sound as if they should be revised, making notes of ideas for how to improve them. Remember to keep in mind the following:
■ Does my essay fulfill the assignment?
■ Is my thesis statement clear? Is it easily identifiable?
■ Are my ideas well supported with examples, evidence, and details?

Reworking

Once you’ve got feedback and have taken your own notes on what could be improved, it’s time to make changes. Those changes could be additions, deletions, or rewordings. The second type of change is probably the hardest. Especially if you don’t consider yourself a strong writer, you may feel unwilling to give up a paragraph, or even a sentence. But revising is about keeping what works, and fixing or eliminating what doesn’t. If it doesn’t work, it detracts from the rest of your essay and needs to go.

Fulfilling the Assignment

On the largest scale, if your draft doesn’t fulfill the requirements of the assignment, you need to figure out where you went wrong. You probably don’t need to rewrite the whole thing, but

Lost in the Stars: Movies Become Big Business in 1920s America
Written by Frank Beardsley
10 May 2006

(MUSIC)

VOICE ONE: THE MAKING OF A NATION, a program in Special English by the Voice of America.

(MUSIC)

I'm Kay Gallant. Today, Harry Monroe and I tell more about the technological and social changes that took place in the United States in the early nineteen twenties.

VOICE TWO: Some of the most important changes came as a result of the automobile and the radio.
Automobiles began to be mass-produced. They were low enough in cost so many Americans could buy them. Gasoline was low in cost, too. Together, these developments put America on the move as never before. Automobiles made it easy for Americans to travel. Trucks made it easy for goods to be transported. Many people and businesses moved out of crowded, noisy cities. They moved to open areas outside cities: suburbs.

VOICE ONE: As automobiles helped Americans spread out, the radio helped bring them closer together. Large networks could broadcast the same radio program to many stations at the same time. Soon, Americans everywhere were listening to the same programs. They laughed at the same jokes, sang the same songs, heard the same news. Another invention that produced big changes in American life was the motion picture.

VOICE TWO: American inventor Thomas Edison began making short motion pictures at the turn of the century. In nineteen-oh-three, a movie called "The Great Train Robbery" was the first to tell a complete story. In nineteen fifteen, D. W. Griffith made a long, serious movie called "Birth of a Nation." By the early nineteen twenties, many American towns had a movie theater. Most Americans went to see the movies at least once a week. The movie industry became a big business. People might not know the names of government officials. But they knew the names of every leading actor and actress.

[Images: A 1913 Ford Model T; General Electric radio; A motion picture class at Columbia University in 1927]

VOICE ONE: Movies were fun. They provided a change from the day-to-day troubles of life. They also were an important social force. Young Americans tried to copy what they saw in the movies. And they dreamed about far-away places and a different kind of life. A young farm boy could imagine himself as romantic hero Douglas Fairbanks or comedian Charlie Chaplin. A young city girl could imagine herself as the beautiful and brave Mary Pickford.
Rich families and poor families saw the same movies. Their children shared the same wish to be like the movie stars. In this way, the son of a banker and the son of a factory worker had much in common. The same was true for people from different parts of the country.

VOICE TWO: In the early nineteen twenties, Americans also began reading the same publications. The publishing industry used some of the same kinds of mass-production methods as the automobile industry. It began producing magazines in larger amounts. It began selling the same magazines all over the country. One of the most widely-read magazines was the Saturday Evening Post. In nineteen-oh-two, it sold about three hundred thousand copies each week. Twenty years later, it sold more than two million copies each week. Americans everywhere shared the same information and advice in such nationwide magazines. The information was not always correct. The advice was not always good. But the effect was similar to that caused by the automobile and radio. Parts of American society were becoming more alike. They were trying to move toward the same kind of life economically and socially.

VOICE ONE: Other industries used the techniques of assembly-line production to make their goods, too. They discovered that producing large numbers of goods reduced the cost of each one. One company that expanded in this way was the Atlantic and Pacific Tea Company. It was called A&P for short. The A&P was one of the first large American ...