Information Security: The Big Picture - SANS GIAC
© 2000
Information Security: The Big Picture – Part VI
Stephen Fried
Certificates
• Certificates match an identity with a public key
• Similar to a driver’s license or passport
• Validated by a Certificate Authority
• Certificates have many uses
– Encryption
– Authentication
– Verification
Most of us have either a driver’s license or a passport. These are official government documents that
match an external representation of yourself (in this case, your picture) with an official recognition
of your identity, for example a government or state seal. By using one of these documents you are
reasonably able to prove your identity to someone. (OK, many of us had fake driver’s licenses when
we were kids, but let’s ignore those for now.)
There is an equivalent concept in the information security world. It’s called a “certificate.” A
certificate is a small piece of code that matches an external representation of yourself (in this case
your public key) with an official recognition of your identity. So, for example, you might have a
certificate that says “Public Key 12345 belongs to Alice Smith.” Like the Motor Vehicle Agency in
the real world, there is an agency that certifies certificates in the computer world. It’s called a
Certificate Authority, or CA. A CA is a group or agency that certifies and manages collections of
These are not the only pieces of information contained in a certificate. A valid certificate also
contains the version number of the certificate. There have been several versions of the X.509 format.
The current version is version 3. There is also an identifier to indicate the encryption and signature
algorithm used to sign the certificate. Without knowing what algorithm was used to sign the
certificate there is no way of verifying the signature.
A certificate also contains validation dates. These are the date the certificate was issued and the
date it expires. Applications should always check to make sure the certificate they are using or accepting is
still valid.
Certificate Issues
• Multiple CAs
• CA Trust
Like everything else in the information security world, the use of certificates is not as clean and easy
as you might first think. This slide will describe some of the issues you may need to be concerned
with before you begin using certificates.
The first, and most important fact is that there is no single Certificate Authority for everyone. Maybe
someday there will be, but for now we must deal with the fact that there will be multiple CAs for a
long time to come. There can also be many different forms of CAs. You may have a CA run by your
employer that certifies keys for your business dealings, you may have a second CA run by your bank
that certifies your keys for handling Internet purchases, and you may have a third CA run by your
brokerage for your stock trading account. Consider the situation as similar to the credit card industry
today. You probably have more than one credit card and you use each for different types of
purchases. However, the credit card industry is mature enough that you can pretty much be assured
that whatever card you use, it will most likely be accepted by any merchant. Of course, there are still
the odd cards that are used for specialty applications. For example, the card issued by your wholesale
grocery club probably won’t be accepted for the purchase of an airline ticket. By and large, most of
the major cards are accepted everywhere.
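As an added example (not part of the SANS course material), the following Go program uses the standard crypto/x509 package to show the certificate fields and the checks described in the two slides above: it issues a self-signed CA certificate and a leaf certificate for "Alice Smith" signed by that CA, then verifies the leaf against the application's own list of trusted CAs, so that an expired certificate, or one issued by a CA the application does not trust, is rejected. The CA and subject names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate binding subject to a fresh public key, with the
// given validity window. parent == nil means self-signed (a root CA).
func makeCert(subject string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore, NotAfter: notAfter, // the validation dates
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
// verifyAt checks leaf against the trusted roots as of time t: x509.Verify
// rejects an unknown issuer, a bad signature, or a certificate outside its dates.
func verifyAt(leaf *x509.Certificate, roots *x509.CertPool, t time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err
}
func main() {
	now := time.Now()
	ca, caKey, _ := makeCert("Example Corp CA", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	leaf, _, _ := makeCert("Alice Smith", false, now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	roots := x509.NewCertPool() // the application's own list of trusted CAs
	roots.AddCert(ca)
	fmt.Println(leaf.Version, leaf.SignatureAlgorithm, leaf.NotAfter)                  // version, signing algorithm, expiry
	fmt.Println(verifyAt(leaf, roots, now), verifyAt(leaf, roots, now.Add(2*time.Hour))) // <nil>, then an expiry error
}
```

A second CA not added to the pool behaves exactly like an unknown Motor Vehicle Agency: certificates it issues fail verification even though they are internally valid.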
certificate revocation should be easy, but in actuality it’s very hard. A large part of this is that the Certificate Authority
“industry” (for lack of a better term) is still in its infancy.
Some of you may be old enough to remember back when credit cards were first coming into widespread use. When you
went to a merchant and handed them your card, they didn’t swipe it through a reader and wait for a reply from credit
card central to see if your card was valid or not. In those days, each merchant had a little booklet full of thousands of
invalid or revoked card numbers. They would look up your number in the book and if it was there it meant your card
was invalid. If your number wasn’t there it meant the card was OK and they would continue to process your charge. It
was a large, manual, painful system for both the merchant and the customer, but it worked because new technology
hadn’t yet been developed to automate the transaction. Well, Certificate Authority technology is in the same stage of
development as credit card books were in. There are many processes that are difficult, manual, and sometimes painful
to go through, but eventually, somebody will develop technology that will tie it all together. Let’s just hope that day
comes sooner, rather than later.
Finally, a last word about encryption and certificates. All the things we have discussed in the last few slides – the
encryption, certificates, certificate authorities, trust, chaining, revocation, etc – are all part of a concept called the
Public Key Infrastructure, or PKI. PKI is a concept used to describe all the processes, policies, procedures and
technologies used to enable the use of certificates for identification, authorization, and encryption. The deployment of a
successful PKI is an essential step for anybody who wants to deploy a successful e-commerce service.
Encryption Export/Import Issues
• Many governments regulate encryption
– Import
– Export
– Domestic Use
• Check with legal counsel before importing or exporting your encryption technology
for customer information
• Individuals should expect one
Privacy means many things to many people. Supreme Court Justice Louis Brandeis once stated that “privacy is
the right to be left alone.” However, that is just one facet of privacy. Generally, privacy is the expectation that
personal information about yourself (for example your physical characteristics, your friends, your medical
information, or your political beliefs, etc.) are your property and the decision as to whether anyone else has the
right to know that information should be yours and yours alone.
Privacy is also interpreted differently in different legal systems. In the United States, the right to privacy is not
explicitly granted in the Constitution, but court cases and legal precedents have given US citizens certain
specific rights to privacy. In other countries, privacy is an explicit right given to the people by their
governments. Unfortunately, however, there are still some countries where citizens have no right to privacy at
all.
There is also a difference in your privacy rights when you are acting as an employee of a company. Although
you may have privacy protection under your country’s laws, many companies specifically tell their employees
that within their roles as employees they have no privacy. The company may have the right to examine your
work, your e-mail, your phone conversations, or anything else you may do as an employee of the company. You
should check with your employer to see what your company’s policy is.
Whether or not a specific country or company affords its people privacy rights, privacy is something citizens of
the Internet have come to expect in many of the transactions that occur every day, particularly when dealing
with business or financial transactions. As you wander through the Internet, you leave little traces of yourself
and your travels at every site you visit. However, there are many services available which will allow you to
retain some of your privacy on the Internet. Anonymous remailers will alter your e-mail so that the recipient will
not know who it was sent by. And Web anonymizers will strip out all identifying information from your browser
transmissions so that web sites you visit cannot identify you.
Over the past few years, the concept of a “privacy policy” has come into existence. A privacy policy tells
customers or associates of a company how that company will use personal information about them. Privacy
policies vary from company to company, but most deal with collection of personal information, giving or selling
of that information to other companies, and giving the customer the option of correcting or removing their
information from the company’s databases. As the concept becomes more and more prevalent, customers will
begin expecting to see them on the web sites they visit, and begin to avoid web sites that do not have them.
Identifiable Information (PII). Personal Data is any information that relates to an identified person, or that can
easily lead to the identification of an unknown person. Thus, information such as “half the people in this group
have a rare disease” is not necessarily considered Personal Data, whereas “John, Mary, and Sue have a rare
disease” would be considered personally identifiable information. Another example would be to say that the
statement “the person living at 123 Main Street is a Communist” contains personal data, because even though a
specific person was not named, if there is only one person living at 123 Main Street you’ve pretty much got
them pegged.
The Privacy Directive states that member countries must take all reasonable and appropriate steps to ensure that
transborder flows of personal information are uninterrupted and secure. They must permit free flow to countries
who comply with the guidelines, but they may restrict certain types of data. In addition, member countries must
avoid developing laws that would create obstacles to transborder flows of personal data that are overly
excessive. They must provide the means by which individuals can enforce their privacy rights and ensure that
there is no unfair discrimination against the subjects of data collection.
OECD Privacy Directive Principles
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability
The Privacy Directives have 8 distinct principles that EU members must abide by.
The Collection Limitation Principle states that there should be limits to the collection of personal data; any
such data should be obtained by lawful and fair means and, where appropriate, with the consent of the data
subject.
Harbor by self-certification
While the OECD guidelines work fine for members of the European Union, they do not necessarily
coincide with practices in other parts of the world, particularly in the US. The US approach to
privacy is markedly different from the EU. In the US, citizens have an expectation of privacy in
many circumstances and that expectation has been upheld by several landmark court cases.
However, the US does not have a national privacy law as do many European countries. Privacy laws
are mostly left up to the various states to implement, making national enforcement next to
impossible. The end result is that different organizations in the US treat privacy differently.
Unfortunately, the OECD guidelines specify that member states should not transfer personal data to
any country that does not provide an adequate level of privacy protection. Since there is no
standardization of privacy policies in the US, most US companies technically would not pass this
adequacy standard. It is for this reason that the US Department of Commerce began discussions with
the European Commission to create a “safe harbor” for US companies that choose to voluntarily
adhere to certain privacy principles.
According to the proposal, organizations within the safe harbor would have a presumption of
adequacy, and transfers from the European Community to them could continue. Organizations could
come within the safe harbor by self-certifying that they adhere to certain privacy principles.
According to the safe harbor proponents, the proposal has several advantages. First, it provides
adequate privacy protection for European citizens. It also reflects the US views on privacy and
allows for relevant US legislation and public interest requirements. Finally, it provides a predictable
and cost-effective framework for the private sector.
The Safe Harbor principles have been in discussion for over a year and talks have stalled several
times. If passed, it would open up a large opportunity for US companies that are now threatened with
an inability to share information with their European counterparts.
Privacy Organizations
• TRUSTe (www.truste.org)
Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion
Identification and Access Control are two fundamental concepts in information security. In this
section we will examine both concepts, discuss their differences and relationships, and look at
various methods for handling both in a real-world environment.
Identity: Who Are You?
• Identification – describing who you are
• Authentication – proving you are who you say you are
• Authorization – determining where you can go
A large part of information security is based on being able to identify yourself, proving that identity, and then using that identity to enable you to
Password Problems
• Passwords are easy to guess
• People choose bad passwords
• Dictionary attacks
• How to choose good passwords
Passwords have been around as long as people have needed to prove who they are. Passwords work because
they are easy for people to understand. Unfortunately, because people want them to be easy to remember, they
usually pick passwords that are easy to guess. How many of you use passwords or PIN numbers that are based
on your name, your spouse’s name, your dog’s name, your birthday, anniversary date, etc? We use these because
we can remember them. However, all a potential attacker needs to do is find out some basic information about
you (which is not that difficult to do) and start trying to guess your password from there. In addition, many
people use simple, ordinary words as passwords. So all an attacker needs to do is use a process called a
dictionary attack. A dictionary attack takes a dictionary and systematically tries every word in that dictionary
trying to guess the password. Since people tend to use simple words, dictionary attacks are incredibly successful.
So how do you stop dictionary attacks? The best way is to use a password that is difficult to guess. Use the
maximum number of characters for your password that your system will allow. Use numbers or special
characters, such as ampersands, asterisks, parentheses, etc. Replace letters with numbers, for example use a ‘3’
instead of an ‘E’, use a dollar sign instead of an ‘S’, and so on. Anything you can do to make the process of
guessing your password more difficult is a good thing.
You should also change your password regularly. If you change your password often, you are more likely to
notice if someone else has changed it. Also, passwords that change regularly trip up attackers that are using your
password without your knowledge.
Never give out your password to anyone, not even your friends or co-workers. If you absolutely must give it to
someone, like a help desk or support technician, be sure to change it immediately (as soon as they are done
doing whatever it is that they need your password for).
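As an added example (not from the course notes), this Go password checker applies the advice above from the defender’s side: it rejects a candidate password that is too short, that lacks digits or special characters, or that matches a wordlist once the letter-for-symbol swaps a dictionary attack routinely undoes (‘3’ for ‘E’, ‘$’ for ‘S’) are reversed, and it flags passwords built from personal details such as a name, a pet or a birth year. The tiny wordlist and the personal details are constructed sample data; a real deployment would load a full dictionary file.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample wordlist; a real check would load a full dictionary file.
var dictionary = map[string]bool{"password": true, "secret": true, "welcome": true, "summer": true}

// A dictionary attack undoes the usual letter-for-symbol swaps before comparing,
// so a checker must treat "$3cr3t" as "secret" when judging a candidate.
var unswap = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "$", "s", "@", "a", "!", "i")

// normalize returns the form a wordlist would be compared against: lowercased,
// trailing digits dropped ("Summer99" -> "summer"), then the swaps undone.
func normalize(pw string) string {
	return unswap.Replace(strings.TrimRight(strings.ToLower(pw), "0123456789"))
}

// CheckPassword applies the advice in the notes: use the full length allowed, mix in
// digits and special characters, avoid dictionary words (even disguised ones) and
// anything drawn from personal details. It returns the reasons for rejection; an
// empty result means the password passed.
func CheckPassword(pw string, personal []string, minLen int) []string {
	var reasons []string
	if len([]rune(pw)) < minLen {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", minLen))
	}
	if !strings.ContainsAny(pw, "0123456789") || !strings.ContainsAny(pw, "!@#$%^&*()-_+=?") {
		reasons = append(reasons, "needs digits and special characters such as & * ( ) $")
	}
	low, norm := strings.ToLower(pw), normalize(pw)
	if dictionary[norm] {
		reasons = append(reasons, "dictionary word, possibly disguised: "+norm)
	}
	for _, p := range personal { // name, spouse, pet, birthday, anniversary ...
		if p = strings.ToLower(p); len(p) >= 3 && (strings.Contains(low, p) || strings.Contains(norm, p)) {
			reasons = append(reasons, "built from a personal detail: "+p)
		}
	}
	return reasons
}

func main() {
	for _, pw := range []string{"Pa$$w0rd1", "R0ver!1975", "correct-Horse7-battery!"} {
		fmt.Println(pw, CheckPassword(pw, []string{"Alice", "Rover", "1975"}, 12))
	}
}
```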