Information Security: The Big Picture – Part VI

Information Security: The Big Picture - SANS GIAC
© 2000
Information Security:
The Big Picture – Part VI
Stephen Fried
Certificates
• Certificates match an identity with a
public key
• Similar to a driver’s license or passport
• Validated by a Certificate Authority
• Certificates have many uses
– Encryption
– Authentication
– Verification
Most of us have either a driver’s license or a passport. These are official government documents that
match an external representation of yourself (in this case, your picture) with an official recognition
of your identity, for example a government or state seal. By using one of these documents you are
reasonably able to prove your identity to someone. (OK, many of us had fake driver’s licenses when
we were kids, but let’s ignore those for now.)
There is an equivalent concept in the information security world. It’s called a “certificate.” A
certificate is a small piece of digital data that matches an external representation of yourself (in this
case your public key) with an official recognition of your identity. So, for example, you might have a
certificate that says “Public Key 12345 belongs to Alice Smith.” Like the Motor Vehicle Agency in
the real world, there is an agency that certifies certificates in the computer world. It’s called a
Certificate Authority, or CA. A CA is a group or agency that certifies and manages collections of
certificates for use in encryption and verification purposes. We’ll talk more about Certificate
Authorities in the next slide.
There are many uses for certificates, and more are being found every day. Essentially, every time
you need access to someone’s public key, you can look up that person in the CA’s registry to get
their key. And because the CA is supposed to validate the identity of the person before certifying
their key, you can be reasonably assured that the key is legitimate for that person. Likewise, when
you get a key and certificate from someone you can look them up in the CA to see if the key you got
is indeed the legitimate key for that person.
X.509
• ISO Authentication Framework
• Provides for authentication across networks
• Binds unique name for a user to public key
• Provides structure for public key certificates
• Contains identifying info
– version, algorithm, CA name, valid dates, etc.
If the world is moving toward the use of certificates, there must be some formal standard for
specifying the use and format of certificates. There is, and it’s called the ISO Authentication
Framework, more commonly known as the X.509 protocols. The X.509 standard provides the
framework for handling authentication across systems and networks.
X.509 also defines a structure that public key certificates must follow in order to be universally
accepted. There are three primary pieces of information contained in an X.509 certificate. The first is
called the Distinguished Name, or DN. The DN is a unique name assigned to each user. The second
is the user’s public key. Finally, the third important piece of information contained in an X.509
certificate is the digital signature of the Certificate Authority that has issued and certified the
certificate. Without these three vital pieces of information, the certificate is useless in an
authentication or non-repudiation sense.

These are not the only pieces of information contained in a certificate. A valid certificate also
contains the version number of the certificate. There have been several versions of the X.509 format.
The current version is version 3. There is also an identifier to indicate the encryption and signature
algorithm used to sign the certificate. Without knowing what algorithm was used to sign the
certificate there is no way of verifying the signature.
A certificate also contains validity dates: the date the certificate was issued and the
date it expires. Applications should always check to make sure a certificate they are using or accepting is
still valid.
Certificate Issues
• Multiple CAs
• CA Trust
Like everything else in the information security world, the use of certificates is not as clean and easy
as you might first think. This slide will describe some of the issues you may need to be concerned
with before you begin using certificates.
The first, and most important, fact is that there is no single Certificate Authority for everyone. Maybe
someday there will be, but for now we must deal with the fact that there will be multiple CAs for a
long time to come. There can also be many different forms of CAs. You may have a CA run by your
employer that certifies keys for your business dealings, you may have a second CA run by your bank
that certifies your keys for handling Internet purchases, and you may have a third CA run by your
brokerage for your stock trading account. Consider the situation as similar to the credit card industry
today. You probably have more than one credit card and you use each for different types of
purchases. However, the credit card industry is mature enough that you can pretty much be assured
that whatever card you use, it will most likely be accepted by any merchant. Of course, there are still
the odd cards that are used for specialty applications. For example, the card issued by your wholesale
grocery club probably won’t be accepted for the purchase of an airline ticket. By and large, most of
the major cards are accepted everywhere.

Unfortunately, the CA industry is not that mature. For now, each CA must issue and manage its own
certificates. So, for instance, you generally cannot assume that the key managed by your business
CA will be recognized by your bank’s CA and vice versa. The good news is that the situation is
changing slowly. We are beginning to see small alliances of CAs that will trust each other’s
certificates. For instance, two companies that do a lot of work together might instruct their respective
CAs to accept and trust certificates from either of the companies. In this way, a person from
Company A can send a certificate to a person in Company B. The person in Company B will look up
the certificate in Company B’s CA. Company B’s CA will recognize that the certificate was issued
by Company A and, since it trusts Company A’s authority to issue certificates, sends back a reply to
the Company B person that the certificate is legitimate.
Certificate Issues
• Certificate chaining
• Certificate revocation
• The Public Key Infrastructure
Certificate chaining is another issue that must be dealt with. To show an example of certificate chaining, imagine that
HiTech, Inc., a PC manufacturing company, wants to set up their own in-house CA. Unfortunately, none of the
software in use at HiTech will recognize HiTech as a CA. So, they contract with CertCo, a commercial Certificate
Authority, to set up the HiTech CA. In order to allow applications to recognize the HiTech CA automatically, they
chain their certificates to CertCo. So, when a HiTech user tries to verify a certificate issued by the HiTech CA, it will
not initially trust it. However, if it starts going up the CA chain it will see that the issuing CA for HiTech is CertCo.
Now there’s a name it can trust! I could probably go further, but I think you get the idea. Although this is a bit of a
contrived example, certificate and CA chaining can be a practical solution in situations where technical, geographic,
organizational, or legal restrictions prevent the use of a single CA for everybody.
As people begin to use certificates more and more, there will be a need to revoke certificates. People will move, change
names, job functions, have their certificates stolen, and so on, and the certificates associated with their former roles will
need to be revoked and replaced with new certificates. This process is called certificate revocation. In theory,
certificate revocation should be easy, but in actuality it’s very hard. A large part of this is that the Certificate Authority
“industry” (for lack of a better term) is still in its infancy.
Some of you may be old enough to remember back when credit cards were first coming into widespread use. When you
went to a merchant and handed them your card, they didn’t swipe it through a reader and wait for a reply from credit
card central to see if your card was valid or not. In those days, each merchant had a little booklet full of thousands of
invalid or revoked card numbers. They would look up your number in the book and if it was there it meant your card
was invalid. If your number wasn’t there it meant the card was OK and they would continue to process your charge. It
was a large, manual, painful system for both the merchant and the customer, but it worked because new technology
hadn’t yet been developed to automate the transaction. Well, Certificate Authority technology is in the same stage of
development as credit card books were in. There are many processes that are difficult, manual, and sometimes painful
to go through, but eventually, somebody will develop technology that will tie it all together. Let’s just hope that day
comes sooner, rather than later.
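The last three slides describe certificate fields, chaining and revocation in prose. The following Go program is an added example, not part of the SANS course material: it issues a chain using the slide’s own cast (a CertCo root, a HiTech CA chained under it, and a user certificate for Alice Smith), verifies the chain only when CertCo is a trusted root, rejects the user certificate once its validity dates have passed, and then has the HiTech CA publish a signed certificate revocation list (CRL), the electronic counterpart of the merchant’s booklet of bad card numbers. Everything uses Go’s standard `crypto/x509` package; the function names, serial numbers, validity periods and ECDSA P-256 keys are my choices for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CertPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair and has parent sign a certificate binding that public
// key to the Distinguished Name cn with a serial and validity dates; nil parent = self-signed.
func issue(serial int64, cn string, isCA bool, from time.Time, days int, parent *CertPair) (*CertPair, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(0, 0, days),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only a CA may sign certificates and revocation lists
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CertPair{Cert: cert, Key: key}, err
}

// BuildChain creates the CertCo root, the HiTech CA chained under it, and a user cert issued by HiTech.
func BuildChain(now time.Time) (root, hitech, user *CertPair, err error) {
	if root, err = issue(1, "CertCo Root CA", true, now, 3650, nil); err == nil {
		if hitech, err = issue(2, "HiTech Inc CA", true, now, 1825, root); err == nil {
			user, err = issue(3, "Alice Smith", false, now, 365, hitech)
		}
	}
	return
}

// VerifyUser walks user -> HiTech -> CertCo. It succeeds only when CertCo is in the trusted
// root pool, HiTech's CA cert is supplied as an intermediate, and every cert is valid at 'at'.
func VerifyUser(user, hitech *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	inter := x509.NewCertPool()
	inter.AddCert(hitech)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at})
	return err
}

// RevokeSerial has a CA publish a signed CRL listing one revoked serial number.
func RevokeSerial(ca *CertPair, now time.Time, serial *big.Int) ([]byte, error) {
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	return x509.CreateRevocationList(rand.Reader, rl, ca.Cert, ca.Key)
}

// IsRevoked first confirms the CRL was signed by the issuer (an unsigned or tampered
// list is unusable), then looks the serial number up in it.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	root, hitech, user, err := BuildChain(now)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root.Cert)
	fmt.Println("chains to CertCo:", VerifyUser(user.Cert, hitech.Cert, trusted, now) == nil)
	fmt.Println("still trusted two years on:", VerifyUser(user.Cert, hitech.Cert, trusted, now.AddDate(2, 0, 0)) == nil)
	crl, _ := RevokeSerial(hitech, now, user.Cert.SerialNumber)
	fmt.Println(IsRevoked(crl, hitech.Cert, user.Cert.SerialNumber))
}
```

The parsed user certificate carries exactly the fields slide 3 lists (`Version` is 3, `SignatureAlgorithm`, `Subject` and `Issuer` DNs, `NotBefore`/`NotAfter`), and `IsRevoked` deliberately refuses to consult a list whose signature does not check against the issuer, since a revocation list anyone could forge would let an attacker either hide a stolen certificate or knock a legitimate one out of service.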
Finally, a last word about encryption and certificates. All the things we have discussed in the last few slides – the
encryption, certificates, certificate authorities, trust, chaining, revocation, etc – are all part of a concept called the
Public Key Infrastructure, or PKI. PKI is a concept used to describe all the processes, policies, procedures and
technologies used to enable the use of certificates for identification, authorization, and encryption. The deployment of a
successful PKI is an essential step for anybody who wants to deploy a successful e-commerce service.
Encryption Export/Import
Issues
• Many governments regulate encryption
– Import
– Export
– Domestic Use
• Check with legal counsel before
importing or exporting your encryption
technology

If you plan to use encryption globally for your business you should be aware that many countries,
including the United States, restrict the use of encryption technology in some form or another. The
term “encryption technology” is somewhat vague and is interpreted differently by different
countries, but it usually means either hardware or software that can be used to encrypt information
for storage or transmission.
The restrictions usually fall into one of three categories.
First is import. Some countries restrict the importation of encryption technology. This means you
can’t bring encryption devices or software into the country without some sort of license or permit
from the government. Some countries do not allow any encryption at all to be imported.
The second area is export. Some countries restrict the export of encryption technology out of the
country. The US is among these, but recent changes in the export laws have relaxed the restrictions
somewhat.
The final area is called domestic use. Some countries restrict the use of encryption within their
borders, either by their citizens or by non-resident foreign nationals.
As stated before, the laws and regulations change from country to country, they often change without
notice, and understanding the various laws takes a lot of skill and education. If you are planning to
use or distribute any product or service that uses encryption you should always consult an attorney
that specializes in export laws before proceeding. Failing to do so can result in delayed distribution
for your product, fines for your company, or even jail in some extreme cases.
Privacy
• “The right to be left alone”
• Interpreted differently in different countries
• Is often mandated by law
• Is often expected on the Internet
• Personal privacy vs. corporate privacy
• Companies should have a “privacy policy” for customer information
• Individuals should expect one
Privacy means many things to many people. Supreme Court Justice Louis Brandeis once stated that “privacy is
the right to be left alone.” However, that is just one facet of privacy. Generally, privacy is the expectation that
personal information about yourself (for example your physical characteristics, your friends, your medical
information, or your political beliefs, etc.) is your property and that the decision as to whether anyone else has the
right to know that information should be yours and yours alone.
Privacy is also interpreted differently in different legal systems. In the United States, the right to privacy is not
explicitly granted in the Constitution, but court cases and legal precedents have given US citizens certain
specific rights to privacy. In other countries, privacy is an explicit right given to the people by their
governments. Unfortunately, however, there are still some countries where citizens have no right to privacy at
all.
There is also a difference in your privacy rights when you are acting as an employee of a company. Although
you may have privacy protection under your country’s laws, many companies specifically tell their employees
that within their roles as employees they have no privacy. The company may have the right to examine your
work, your e-mail, your phone conversations, or anything else you may do as an employee of the company. You
should check with your employer to see what your company’s policy is.
Whether or not a specific country or company affords its people privacy rights, privacy is something citizens of
the Internet have come to expect in many of the transactions that occur every day, particularly when dealing
with business or financial transactions. As you wander through the Internet, you leave little traces of yourself
and your travels at every site you visit. However, there are many services available which will allow you to
retain some of your privacy on the Internet. Anonymous remailers will alter your e-mail so that the recipient will
not know who it was sent by. And Web anonymizers will strip out all identifying information from your browser
transmissions so that web sites you visit cannot identify you.
Over the past few years, the concept of a “privacy policy” has come into existence. A privacy policy tells
customers or associates of a company how that company will use personal information about them. Privacy
policies vary from company to company, but most deal with collection of personal information, giving or selling
of that information to other companies, and giving the customer the option of correcting or removing their
information from the company’s databases. As the concept becomes more and more prevalent, customers will
begin expecting to see them on the web sites they visit, and begin to avoid web sites that do not have them.

Privacy is a sensitive and sometimes controversial issue, and one that will be around for a long time to come.
OECD Privacy Guidelines
• “Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data”
• Regulate collection and flow of personal
information between EU countries
• Provides that member countries must conform to
existing privacy laws
– Extends to those exchanging personal data with
member countries
• “Personal Data” means any information relating to
an identified or identifiable individual
In response to the growing concern over privacy on the web, and the apparent lack of care that many
organizations take to protect the privacy of their customers and employees, the Organization for Economic
Cooperation and Development (OECD) developed the “Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data,” more commonly known as the EU (for the European Union) Privacy
Directive. The Privacy Directive was one of the first organized international attempts to make protection of
personal information a matter of law and subject to legal, and more importantly, economic penalties for failure
to afford such protections. The guidelines were originally developed in 1980 and became fully effective in the
fall of 1998.
The overall principle of the Guidelines is that organizations must regulate the collection and flow of personal
information about people. This includes protecting the information within an organization and particularly when
transferring the information between EU countries and between EU Members and non-EU members. The
Guidelines state that EU member countries must abide by existing national and international privacy laws. This
also extends to non-member countries that need to exchange personal data with member countries.
The EU Guidelines center around the concept of “Personal Data.” This is also often referred to as Personally
Identifiable Information (PII). Personal Data is any information that relates to an identified person, or that can
easily lead to the identification of an unknown person. Thus, information such as “half the people in this group
have a rare disease” is not necessarily considered Personal Data, whereas “John, Mary, and Sue have a rare
disease” would be considered personally identifiable information. Another example would be to say that the
statement “the person living at 123 Main Street is a Communist” contains personal data, because even though a
specific person was not named, if there is only one person living at 123 Main Street you’ve pretty much got
them pegged.
The Privacy Directive states that member countries must take all reasonable and appropriate steps to ensure that
transborder flows of personal information are uninterrupted and secure. They must permit free flow to countries
who comply with the guidelines, but they may restrict certain types of data. In addition, member countries must
avoid developing laws that would create obstacles to transborder flows of personal data that are overly
excessive. They must provide the means by which individuals can enforce their privacy rights and ensure that
there is no unfair discrimination against the subjects of data collection.
OECD Privacy Directive Principles
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability
The Privacy Directive has eight distinct principles that EU members must abide by.
The Collection Limitation Principle states that there should be limits to the collection of personal data; any
such data should be obtained by lawful and fair means and, where appropriate, with the consent of the data
subject.

The Data Quality Principle states that personal data should be relevant to the purposes for which it is to be
used and should be accurate, complete, and kept up-to-date.
The Purpose Specification Principle states that the purposes for which personal data are collected should be
specified not later than at the time the data is collected. In addition, subsequent use should be limited to the
fulfillment of those purposes.
The Use Limitation Principle states that personal data should not be disclosed, made available or otherwise
used for purposes other than those specified without the consent of the data subject or by authority of law.
The Security Safeguard Principle states that personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
The Openness Principle states that there should be a general policy of openness about developments, practices
and policies with respect to personal data. Means should be readily available of establishing the existence and
nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data
controller.
The Individual Participation Principle states that an individual should have the right to find out if there is
personal data collected about them, to obtain this information at a reasonable charge, to appeal any denial of
access to such information, and to challenge data relating to them and, if successful, to have the data erased,
rectified, completed, or amended.
The Accountability Principle states that a data controller should be accountable for complying with measures
which are related to the other principles.
Privacy’s “Safe Harbor”
• US approach is different from the EU
approach
• Concerns with “adequacy” standard
• Organizations within the “Safe Harbor”
would be presumed “adequate”
• Organizations can come within Safe Harbor by self-certification
While the OECD guidelines work fine for members of the European Union, they do not necessarily
coincide with practices in other parts of the world, particularly in the US. The US approach to
privacy is markedly different from the EU’s. In the US, citizens have an expectation of privacy in
many circumstances and that expectation has been upheld by several landmark court cases.
However, the US does not have a national privacy law as many European countries do. Privacy laws
are mostly left up to the various states to implement, making national enforcement next to
impossible. The end result is that different organizations in the US treat privacy differently.
Unfortunately, the OECD guidelines specify that member states should not transfer personal data to
any country that does not provide an adequate level of privacy protection. Since there is no
standardization of privacy policies in the US, most US companies technically would not pass this
adequacy standard. It is for this reason that the US Department of Commerce began discussions with
the European Commission to create a “safe harbor” for US companies that choose to voluntarily
adhere to certain privacy principles.
According to the proposal, organizations within the safe harbor would have a presumption of
adequacy, and transfers from the European Community to them could continue. Organizations could
come within the safe harbor by self-certifying that they adhere to certain privacy principles.
According to the safe harbor proponents, the proposal has several advantages. First, it provides
adequate privacy protection for European citizens. It also reflects the US views on privacy and
allows for relevant US legislation and public interest requirements. Finally, it provides a predictable
and cost-effective framework for the private sector.
The Safe Harbor principles have been in discussion for over a year and talks have stalled several
times. If passed, it would open up a large opportunity for US companies that are now threatened with
an inability to share information with their European counterparts.
Privacy Organizations
• TRUSTe (www.truste.org)
• EPIC (www.epic.org)
• Privacy Alliance (www.privacyalliance.org)
• EFF (www.eff.org)
There are many organizations that are concerned with privacy issues, both in the on-line and off-line worlds. This
slide lists several of them, although there are others. Information about these organizations was taken primarily
from each organization’s web site.
TRUSTe is an independent, non-profit privacy organization whose mission is to build users' trust and
confidence on the Internet and, in doing so, accelerate growth of the Internet industry. A cornerstone of the
TRUSTe privacy program is the branded online seal, or "trustmark." TRUSTe awards the seal to web sites that
adhere to established privacy principles and agree to comply with their oversight and consumer resolution
process. A displayed trustmark signifies to online users that the web site will openly share, at a minimum, what
personal information is being gathered, how it will be used, with whom it will be shared, and whether the user
has an option to control its dissemination. Based on such disclosure, users can make informed decisions about
whether or not to release their personally identifiable information (e.g. credit card numbers) to the web site.
The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It
was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the
First Amendment, and constitutional values.
The Online Privacy Alliance is a cross-industry coalition of more than 80 global companies and associations
committed to promoting the privacy of individuals online. The Alliance is an ad hoc organization. Its sole
purpose is to work over the coming year to define privacy policy for the new electronic medium and to foster an
online environment that respects consumer privacy. Alliance supporters include some of the biggest names in
e-commerce, as well as smaller start-up ventures and companies not routinely associated with cyberspace. The
group's stated mission is to lead and support self-regulatory initiatives that create an environment of trust and
that foster the protection of individuals' privacy online and in electronic commerce.
The Electronic Frontier Foundation (EFF) is a non-profit, non-partisan organization working in the public
interest to protect fundamental civil liberties, including privacy and freedom of expression, in the arena of
computers and the Internet. EFF was founded in 1990, and is based in San Francisco, California, with offices in
Washington, DC, and New York City. The Electronic Frontier Foundation has been established to help civilize
the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone.

Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion
Identification and Access Control are two fundamental concepts in information security. In this
section we will examine both concepts, discuss their differences and relationships, and look at
various methods for handling both in a real-world environment.
Identity: Who Are You?
• Identification – describing who
you are
• Authentication – proving you are
who you say you are
• Authorization – determining
where you can go
A large part of information security is based on being able to identify yourself, proving that identity, and then using that identity to enable you to
access the systems, information, and resources you need.
Identification is the process of describing who you are. In real life you may have many different identities. Depending on the situation, a typical
person might have the following identities.
• Angela Marie Smith – the name on her passport
• Angie Smith – The name her friends call her
• A M Smith – The name on her business card
• 135-35-1275 – Her Social Security number (I just made this up, by the way)
• asmith – All one word, her user ID on her computer
And so on. All these identifiers can be used to describe the same person. How do you tell them apart? And how do you keep from confusing one
Angela Smith with another? The answer is in the concept of authentication.
Authentication is the process of taking an identifier and combining it with some piece of information that is unique to the identifier and that only
the one person associated with that identifier would know. The most common type of authentication is the password. When you log into a computer
you give it an identifier. For this example we will use the identifier asmith. The computer has a listing for asmith but it needs some way of verifying
you are really asmith before letting you in. So, it then asks you for a password. You give it one, and the computer checks that password against the
one it has stored for asmith. If they match, it knows that you are asmith and it knows this with a pretty high degree of certainty because you know
asmith’s password.
There are many other forms of authentication used in our every day lives. When you call the customer service number at a bank, you may be asked
to provide your mother’s maiden name or your Social Security number. Many secret clubs have a secret code word or handshake to prove the user
belongs in the club. No matter what form the authentication takes, they all serve to prove the identity of the person.
Once you know who someone is, and you have reasonably proven they are who they say they are, you need some way to tell you where they can go
in your system or service and what they can do there. The process of describing these restrictions is called authorization. For example, you may
want to keep your research people out of the accounting group’s files. You instruct the computer to place a little marker tag on the files of the
accounting group’s users indicating that the research department is not authorized to see those files. When someone in your research department logs
into the computer and is authenticated, their ID will be tagged as belonging to the research department. If they try to access the accounting files, the
computer will compare the two tags and see that the research ID is not authorized for accounting files, so the computer will not allow this user to see
them. This is a simplified example and authorization schemes can get quite complex.
Identification, authentication, and authorization are some of the most fundamental concepts in information security and much of what you will do
will be based around these principles. You will sometimes hear them mistakenly used interchangeably, but know that each is very different and each
has a distinct use and purpose.
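The login and file-tag walkthrough above maps directly onto a small program. The Go code below is an added example and not part of the course: `Enroll` keeps identifiers unique (so one Angela Smith is never confused with another) and stores only a salted hash of the password, `Authenticate` is the "does the password match the listing for asmith?" step, and `Authorize` is the comparison of the user’s department tag against the tag on a file. The account names, file names and the department-tag scheme are assumptions for the demonstration, and salted SHA-256 stands in for a purpose-built password hash such as bcrypt or scrypt, which a production system should use instead.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrBadLogin is returned for an unknown identifier and for a wrong password
// alike, so the login response does not reveal which identifiers exist.
var ErrBadLogin = errors.New("unknown identifier or wrong password")

// Account is the computer's "listing" for an identifier such as asmith: the
// identifier itself, a salted hash of the secret only that person should know,
// and the department tag that authorization decisions are made on.
type Account struct {
	ID         string
	Salt       []byte
	PassHash   []byte
	Department string
}

// Directory maps identifiers to accounts and files to the department tag
// that is allowed to read them.
type Directory struct {
	Accounts map[string]*Account
	FileTags map[string]string
}

// hashPassword is salted SHA-256, used here (assumption) as a stand-in for a
// purpose-built password hash such as bcrypt or scrypt.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll creates the listing for a new identifier. Identifiers must be unique,
// which is what keeps one Angela Smith from being confused with another, and
// only the salted hash is stored, never the password itself.
func (d *Directory) Enroll(id, password, dept string) error {
	if _, taken := d.Accounts[id]; taken {
		return fmt.Errorf("identifier %q already exists", id)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	d.Accounts[id] = &Account{ID: id, Salt: salt, PassHash: hashPassword(salt, password), Department: dept}
	return nil
}

// Authenticate is the login step: the identifier selects the listing and the
// password proves the caller is that person. The comparison is constant-time,
// and an unknown identifier still costs one hash so timing gives nothing away.
func (d *Directory) Authenticate(id, password string) (*Account, error) {
	acct, ok := d.Accounts[id]
	if !ok {
		hashPassword(make([]byte, 16), password)
		return nil, ErrBadLogin
	}
	if subtle.ConstantTimeCompare(acct.PassHash, hashPassword(acct.Salt, password)) != 1 {
		return nil, ErrBadLogin
	}
	return acct, nil
}

// Authorize is the slide's tag comparison: the authenticated account's
// department tag must match the tag on the file. A file with no tag is denied
// by default rather than opened to everyone.
func (d *Directory) Authorize(acct *Account, file string) bool {
	tag, tagged := d.FileTags[file]
	return tagged && tag == acct.Department
}

func main() {
	// Constructed sample data: two users and one file tagged for accounting.
	d := &Directory{Accounts: map[string]*Account{}, FileTags: map[string]string{"accounting/ledger.csv": "accounting"}}
	for _, u := range [][3]string{{"asmith", "correct horse battery", "research"}, {"bjones", "staple pumpkin tractor", "accounting"}} {
		if err := d.Enroll(u[0], u[1], u[2]); err != nil {
			panic(err)
		}
	}
	for _, try := range [][2]string{{"asmith", "correct horse battery"}, {"asmith", "guess"}, {"bjones", "staple pumpkin tractor"}} {
		acct, err := d.Authenticate(try[0], try[1])
		if err != nil {
			fmt.Println(try[0], "login failed:", err)
			continue
		}
		fmt.Println(acct.ID, "may read ledger:", d.Authorize(acct, "accounting/ledger.csv"))
	}
}
```

Two details are worth noticing: the same error is returned whether the identifier is unknown or the password is wrong, so a login prompt does not become a way to enumerate valid user IDs; and `Authorize` is only ever called with an `Account` that `Authenticate` returned, which keeps the three steps in the order the slide gives them.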
Password Problems
• Passwords are easy to guess
• People choose bad
passwords
• Dictionary attacks
• How to choose good
passwords
Passwords have been around as long as people have needed to prove who they are. Passwords work because
they are easy for people to understand. Unfortunately, because people want them to be easy to remember, they
usually pick passwords that are easy to guess. How many of you use passwords or PIN numbers that are based
on your name, your spouse’s name, your dog’s name, your birthday, anniversary date, etc? We use these because
we can remember them. However, all a potential attacker needs to do is find out some basic information about
you (which is not that difficult to do) and start trying to guess your password from there. In addition, many
people use simple, ordinary words as passwords. So all an attacker needs to do is use a process called a
dictionary attack. A dictionary attack takes a dictionary and systematically tries every word in that dictionary
trying to guess the password. Since people tend to use simple words, dictionary attacks are incredibly successful.
So how do you stop dictionary attacks? The best way is to use a password that is difficult to guess. Use the
maximum number of characters for your password that your system will allow. Use numbers or special
characters, such as ampersands, asterisks, parentheses, etc. Replace letters with numbers, for example use a ‘3’
instead of an ‘E’, use a dollar sign instead of an “S,” and so on. Anything you can do to make the process of
guessing your password more difficult is a good thing.
You should also change your password regularly. If you change your password often, you are more likely to
notice if someone else has changed it. Also, passwords that change regularly trip up attackers that are using your
password without your knowledge.
Never give out your password to anyone, not even your friends or co-workers. If you absolutely must give it to
someone, like a help desk or support technician, be sure to change it immediately (as soon as they are done
doing whatever it is that they need your password for).

A good rule of thumb for passwords is this: Passwords are like a toothbrush – Use it daily, change it regularly,
and don’t share it with a friend.
There are some other, more advanced alternatives to passwords, and they will be covered in the next slide.
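The password rules above are the kind of thing a system should enforce at the moment a password is set rather than leave to the user’s memory. The Go checker below is an added example, not from the course: it applies the slide’s length and character-class advice, rejects anything that is a dictionary word, and refuses passwords containing facts an attacker could look up about the person (the asmith details from the previous slide). It goes one step beyond the slide on letter-for-number swaps: because attackers’ word lists already contain “Dr4g0n” and “P@$$w0rd”, the checker undoes those swaps before consulting the dictionary, so a lone substituted word is still rejected. The word list is a constructed six-word stand-in (a real checker loads a large one), and the function name, rule thresholds and substitution table are my own.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// dictionary is a constructed stand-in for the word list a dictionary attack
// would run through; a real checker loads a large list such as a system dictionary.
var dictionary = map[string]bool{
	"password": true, "welcome": true, "dragon": true, "summer": true, "letmein": true, "monkey": true,
}

// unleet reverses the letter-for-number swaps the slide suggests (3 for E, $ for S,
// and so on), so a dictionary word written that way is still recognised as one.
var unleet = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")

// trimNonLetters drops the digits and symbols people tack onto the ends of a word.
func trimNonLetters(s string) string {
	return strings.TrimFunc(s, func(r rune) bool { return !unicode.IsLetter(r) })
}

// CheckPassword returns the reasons a candidate password is rejected; an empty
// result means it passed. personal holds facts an attacker could look up (names,
// birthdays, ID numbers) that must not appear in the password.
func CheckPassword(candidate string, minLen int, personal []string) []string {
	var problems []string
	if len([]rune(candidate)) < minLen {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLen))
	}
	classes := map[string]bool{}
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["special"] = true
		}
	}
	if len(classes) < 3 {
		problems = append(problems, "uses fewer than three of: upper, lower, digit, special")
	}
	lower := strings.ToLower(candidate)
	// Try the word as typed, with swaps undone, and with end padding stripped first.
	for _, form := range []string{trimNonLetters(lower), trimNonLetters(unleet.Replace(lower)), unleet.Replace(trimNonLetters(lower))} {
		if dictionary[form] {
			problems = append(problems, "is a dictionary word, even after letter/number swaps")
			break
		}
	}
	for _, p := range personal {
		p = strings.ToLower(p)
		if p != "" && (strings.Contains(lower, p) || strings.Contains(unleet.Replace(lower), p)) {
			problems = append(problems, "contains personal information: "+p)
		}
	}
	return problems
}

func main() {
	// Constructed candidates for the asmith account from the previous slide.
	personal := []string{"Angela", "Smith", "1275"}
	for _, c := range []string{"dragon", "Dr4g0n!", "Ang3la-1275", "Tr0ub4dor&3", "correct-Horse-battery-9"} {
		if problems := CheckPassword(c, 12, personal); len(problems) == 0 {
			fmt.Printf("%-24s accepted\n", c)
		} else {
			fmt.Printf("%-24s rejected: %s\n", c, strings.Join(problems, "; "))
		}
	}
}
```

A checker like this belongs on the server or directory side, where the policy is enforced for everyone, rather than in a client that can be bypassed; the personal-information list would then come from the account record itself (the user’s name and employee number) rather than being typed in.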