Information Security: The Big Picture - SANS GIAC
© 2000
Information Security: The Big Picture – Part I
Stephen Fried
Hello, and welcome to Information Security: The Big Picture. My name is Stephen Fried, and over the course of the next six hours I will be guiding you on a tour of the world of information security.
This course provides an introduction to the area of computer and network security. As more and more people and companies connect to the Internet, the incidence of hacker attacks, break-ins, and vandalism continues to increase. With this comes an increasing need for trained professionals who understand and can combat this growing threat. This course will teach you the basics you need to begin securing your systems against threats from both inside and outside your organization.
The course takes a high-level approach, touching on many different topics in an overview style. The information here is presented in plain English, not technical jargon, so students from all backgrounds can understand the material and begin to apply the concepts immediately. Technical concepts (e.g. communications technology, networking, protocols) are explained thoroughly in an easy-to-understand manner, allowing even non-technical students to understand these areas. We rely heavily on real-world examples and common-sense descriptions, enabling students to take their own “real world” experiences and apply them to the information security arena.
So, without further ado, let’s get started.
Preface
• Course is designed to give a broad introduction to information security
• Use of real-world analogies to explain security concepts
Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion
Our first topic is a General Security Introduction.
In this section we introduce you to some basic terms, concepts, and definitions you will need to begin
understanding information security.
What Is “Security”?
• “Freedom from risk or danger”*
• The application of safeguards to prevent loss
• A subjective measurement of preparedness for risk
• A feeling of safety
*The American Heritage Dictionary of the English Language
• Loss of company assets
• Loss of revenue/market share
• Loss of intellectual property
• Loss of privacy
• Damage to reputation
We will spend the rest of the course talking about the importance of security, risk and threats, and the steps you can take to improve
the security of your organization. However, I believe the best way to start out the course is a brief discussion about the
consequences of bad security. What would happen if you didn’t pay attention to security at all? Perhaps answering this question will
get you in a frame of mind to think seriously about your security efforts.
There are many consequences of bad security, and the list probably varies from organization to organization, but this slide shows
the five major consequences. The first is loss of company assets. This is the most obvious, as it deals with real, definable losses:
damage to computers, loss of data, service disruptions on your network, etc. When most people think of security consequences they
think of these types of issues. However, there are other consequences that can be just as damaging, but do not immediately come to
mind.
One of these is loss of revenue or market share. When an attacker comes in and defaces your web site, there will be time and
expenses associated with repairing the damage. Those are the direct losses. However, the organization may also lose money because
customers can’t get to the web site to order the company’s products or services. The longer the site takes to rebuild, the more
potential revenue will be lost. Another indirect loss is market share. Depending on the type of business, a short-term loss is usually
recoverable from a customer service perspective. Customers on the web today are used to short-term outages – annoyed, but used to
it. However, if the outage lasts past a certain comfort level, customers will begin looking elsewhere for competing products. If the
outage is long enough, a serious loss of market share may be the result.
An organization that does not pay proper attention to security is risking its intellectual property. This represents the
knowledge, experience, and research that the organization has developed, and can sometimes be so valuable to the organization that
no dollar figure can even be placed on it. These are the types of assets that are most worthy of protection, since their loss might
mean irreparable harm to the organization’s product development or financial outlook.
A serious breach in security might mean the loss of privacy for your business or your customers. Privacy, particularly privacy of
customer information, has become quite a hot topic over the past several years. We’ll discuss privacy issues in depth later in the
course, but consumers and employees are coming to expect that their personal and financial information will be secured against
unauthorized disclosure or theft. If an organization does not protect this information heavily and allows it to get in the hands of
attackers, the loss to personal privacy may be irreparable.
need to pay less attention to one area or another. A web server that holds catalog or brochure
information for a company may require high availability, but lower confidentiality, since the
information is public anyway. Systems that handle bank wire transfers are usually concerned more
with integrity than confidentiality or availability.
However, in any review of overall security you will need to take all three of these issues into
account.
How Secure is Secure Enough? (1)
• Three fundamental questions
– What are you protecting?
– What is it worth to you?
– What is it worth to someone else?
Information security practitioners often wrestle with the problem of determining how much security is
considered “enough” for a particular application. Unfortunately, there is no single correct answer to this
question. The best place to start is by answering what I call the three fundamental questions about
information security:
First, what are you trying to protect? You need to define clearly what it is that you have that is worth the time,
effort, and energy to keep safe from harm. Is it a web site? A business plan? A patented formula? An
accounting system? You need to define as specifically as possible the object that needs protection; without
knowing this, you can go no further. Many security efforts go awry because they fail to answer this
one basic question.
Second, you need to determine what the object is worth to you. What is the intrinsic value this thing has that
makes it worth protecting? It may be a monetary value. For instance, the amount of revenue an e-commerce
site brings into your company. Or it may be more of a symbolic or subjective value. For instance, the amount
your company’s reputation will suffer if its network gets hacked. In any case, you need to have a good idea
of the value of the object, since that will lead you to determine how much effort you will put into protecting
why you are getting hit. Without knowing the motivation, how do you determine how much security to apply?
One of the best strategies is to raise the effort bar, so to speak. You need to apply enough security so that the level of effort required is
greater than you think most attackers will be able to apply. You do this by applying the Defense in Depth strategy we will discuss
shortly. Each layer of defense will hopefully serve to deter the attacker from going further in his attack so that eventually he will give
up without getting to the “prize.” In this way, only the most determined, well-funded, and experienced criminals will be able to get
through all your defenses. You may never be able to completely secure your systems against all attacks, as that might be too
expensive or resource intensive. But you can raise the effort level high enough for your own comfort.
You can also make an effort to make yourself less “attractive” to a potential attacker. I know people in my neighborhood that put up
“Beware of Dog” signs even if they don’t have a dog, or put burglar alarm company stickers in their windows even though they don’t
have an alarm, or light up their house like a Christmas tree at night, all in an effort to deter burglars from trying to break into their
house. You can apply the same concept with your systems and networks. Let people (both inside and outside your company) know
you use a strong firewall system, or that you monitor and check all transactions that go through your web site, or that you actively
prosecute attackers. These are the system equivalents of dog signs and flood lights. This may be enough to deter some would-be
attackers from even attempting to break into your systems. Be careful, though. If you brag too much about your defenses you may
actually encourage someone who wants to prove they are better than you.
Finally, you want to make your security efforts commensurate with the useful lifetime of your information. For example, if you are
trying to protect the revenue projections for your next quarter, you only really need to protect them until they are made public.
Devising a system that will protect the secret for the next 50 years will not only be expensive, it may be overkill.
Who Are The Threats?
• Hackers?
• Vandals?
• Espionage?
• Insiders
When looking at the possible sources that threaten your organization’s systems, you have to look at several
types. The first group is the “hacker.” I use hacker in quotes because the real definition of hacker has changed
so much over the years. By hacker I mean a person that uses computers and networks to inflict damage (either
• Only allow authorized activities
• No undocumented features
• Trust vs. Security
Central to all discussions about information security is the concept of trust. In the real world, trust is an
intangible concept that can be difficult to define but is readily understood. You trust someone based on your
experiences with them, their reputation, your preferences, your ability to reach agreements with them, etc.
These are all intangible properties, and there is no real way to measure trust.
Computer and network security also uses the concept of trust and in many of the same ways. However, unlike
real life, trust in the security sense has a precise definition and a set of measurable criteria. In order to have trust
in a system, it must operate in ways that can be predicted, according to specifications, allowing only authorized
activities, and can contain no undocumented information paths or features. Let’s look at each one of those
criteria individually.
The system will operate in ways that can be predicted. If you give input into a computer, given the same
runtime environment, it should give you the exact same output every time. There should be no variation in the
way the system operates. For example, if you install a building card access system, you need to know that every
time a person holds their card up to the reader, the system will give an accurate response. If there is any
variability in the system, if it sometimes allows unauthorized people in or prevents entry to authorized people,
the system is of no use.
The system must run according to specifications. This means that the system must have a formal
specification of its operation and cannot deviate from that specification. Like operating in predictable ways,
operating according to specifications eliminates any random elements in the system’s operation.
The system should only allow authorized activities. This means that every action taken by and within the
system must be authorized by the system, and any users must be authorized both for access to the system itself
as well as any activities they may perform while on the system.
There must be no undocumented features in the system. One of the more common causes of security
problems is the discovery of undocumented or hidden features. Once these features are discovered, they can be
used to manipulate the system in unpredictable ways, thus violating the trust of the system.
We should also make a distinction here between “trust” and “security”. As we have seen, trust refers to the
dependability of a system to perform as expected within certain parameters. Security, on the other hand, is the
sum total of issues relating to the confidentiality, integrity, and availability of systems and information. Trust is