2. Network Security Design
The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
3. The 12 Step Program (continued)
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
5. Security Risks
• Hacked network devices
– Data can be intercepted, analyzed, altered, or deleted
– User passwords can be compromised
– Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks
6. Security Tradeoffs
• Tradeoffs must be made between security goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability
7. A Security Plan
• High-level document that proposes what an organization is going to do to meet security requirements
• Specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
8. A Security Policy
• Per RFC 2196, “The Site Security Handbook,” a security policy is a
– “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• The policy should address
– Access, accountability, authentication, privacy, and computer technology purchasing guidelines
10. Encryption for Confidentiality and Integrity
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature
11. Modularizing Security Design
• Security defense in depth
– Network security should be multilayered, with many different techniques used to protect the network
• Belt-and-suspenders approach
– Don’t get caught with your pants down
12. Modularizing Security Design
• Secure all components of a modular design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks
13. Cisco SAFE
• The Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
14. Securing Internet Connections
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication
15. Securing Public Servers
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS protection
– Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity
– The front-end Web server doesn’t also run other services
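The "limit the number of connections per timeframe" item above, worked as an added example (not code from the slides): a per-client sliding-window connection limiter that refuses a source once it exceeds a fixed number of accepted connections in the window, plus a replay helper that shows the effect of the limit over a log. The limit, window, client addresses and timestamps are constructed for the example.

```python
from collections import deque


class ConnectionLimiter:
    """Allow at most max_connections per client within any span of
    window_seconds. Timestamps are passed in explicitly so the behaviour
    can be replayed deterministically from a captured log."""

    def __init__(self, max_connections, window_seconds):
        if max_connections < 1 or window_seconds <= 0:
            raise ValueError("limit and window must be positive")
        self.max_connections = max_connections
        self.window = window_seconds
        self._history = {}  # client id -> deque of accepted-connection timestamps

    def _recent(self, client, now):
        # Drop timestamps that have aged out of the window (oldest first).
        q = self._history.setdefault(client, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, client, now):
        """Return True and record the connection if the client is under the
        limit; return False (refuse) otherwise. Refused attempts are not
        recorded, so a flooding client cannot extend its own lock-out."""
        q = self._recent(client, now)
        if len(q) >= self.max_connections:
            return False
        q.append(now)
        return True


def replay(limiter, events):
    """Feed (timestamp, client) events in time order and return
    {client: (accepted, refused)} so the effect of the limit can be reviewed."""
    stats = {}
    for ts, client in sorted(events):
        accepted, refused = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            accepted += 1
        else:
            refused += 1
        stats[client] = (accepted, refused)
    return stats


# Constructed sample (documentation address ranges): one source opens a
# connection every second for 10 s, a second source opens two in the same period.
SAMPLE_EVENTS = [(float(t), "198.51.100.7") for t in range(10)] + [
    (0.5, "203.0.113.9"),
    (7.0, "203.0.113.9"),
]

if __name__ == "__main__":
    limiter = ConnectionLimiter(max_connections=5, window_seconds=10)
    for client, (ok, refused) in replay(limiter, SAMPLE_EVENTS).items():
        print(f"{client:<14} accepted={ok} refused={refused}")
```

With a limit of 5 connections per 10 seconds, the flooding source gets its first five connections and is refused for the rest of the window, while the normal source is unaffected; because refusals are not recorded, the flooding source is admitted again as soon as its earliest accepted connection ages out.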
19. Securing Network Services
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
– Require extra authorization for risky configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming
20. Securing Server Farms
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit root password to a few people
• Avoid guest accounts
21. Securing User Services
• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
– Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using 802.1X port-based security on switches
22. Securing Wireless Networks
• Place wireless LANs (WLANs) in their own subnet or VLAN
– Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
– Except in cases where the WLAN is used by visitors
23. WLAN Security Options
• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? :-)
24. Wired Equivalent Privacy (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that is also configured on the access point
– 64- or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4 stream cipher
• Infamous for being crackable
25. WEP Alternatives
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
26. Extensible Authentication Protocol (EAP)
• With 802.1X and EAP, devices take on one of three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS server
27. EAP (Continued)
• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
• The credentials are passed by the authenticator to the server and a session key is developed
• Periodically the client must reauthenticate to maintain network connectivity
• Reauthentication generates a new, dynamic WEP key
28. Cisco’s Lightweight EAP (LEAP)
• Standard EAP plus mutual authentication
– The user and the access point must authenticate
• Used on Cisco and other vendors’ products
29. Other EAPs
• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
– Requires certificates for clients and servers
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
– Uses a certificate for the client to authenticate the RADIUS server
– The server uses a username and password to authenticate the client
• EAP-MD5 has no key management features or dynamic key generation
– Uses challenge text like basic WEP authentication
– Authentication is handled by the RADIUS server
30. VPN Software on Wireless Clients
• Safest way to do wireless networking for corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity
33. How Much to Invest in Security?
How much is too much?
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security
How much is too little?
• Hacker attack
• Internal Fraud
• Loss of Confidentiality
• Stolen data
• Loss of Reputation
• Loss of Business
• Penalties
• Legal liability
• Theft & Misappropriation
Security is a balancing act between security costs & losses
34. Risk Management
Internal Factors: Culture; Corporate History; Management’s Risk Tolerance; Organizational Maturity; Structure
External Factors: Regulation; Industry
Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with
35. Risk Management Process
Risk Assessment:
• Establish Scope & Boundaries – What to consider? What to investigate?
• Identification – What assets & risks exist?
• Analysis – What does this risk cost?
• Evaluation – What priorities shall we set?
Risk Treatment:
• Avoid, Reduce, Transfer or Retain – What controls can we use?
• Accept Residual Risk
Risk Communication & Monitoring runs alongside both phases
36. Risk Appetite
• Do you operate your computer with or without antivirus software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from friends or follow questionable web links?
• Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite?
If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk
37. Continuous Risk Mgmt Process
Cycle, with Risk Appetite at the center:
Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks
• Risks change with time as business & environment changes
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks
38. Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets:
– Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
– Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation
– Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
– Loss = Downtime + Recovery + Liability + Replacement
– Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
– Survey & Select New Controls
– Reduce, Transfer, Avoid or Accept Risk
– Risk Leverage = [(Risk exposure before reduction) – (Risk exposure after reduction)] / (Cost of risk reduction)
39. Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
• Assets include:
– IT-Related: Information/data, hardware, software, services, documents, personnel
– Other: Buildings, inventory, cash, reputation, sales opportunities
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were compromised?
• Helpful websites: www.attrition.org
40. Determine Cost of Assets
Worksheet: for each asset (here Sales, broken down into Product A, Product B and Product C), record:
Risk: Replacement Cost =
Cost of loss of integrity =
Cost of loss of availability =
Cost of loss of confidentiality =
Costs are recorded as Tangible ($) or Intangible (High/Med/Low)
41. Matrix of Loss Scenario
Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K
42. Step 1: Determine Value of Assets
Asset Name | Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law
Equipment | $10,000 | $2K per day in income | Availability | (e.g., due to fire or theft)
(Workbook)
43. Step 2: Determine Loss Due to Threats
Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
Intentional: Fire, water, theft, vandalism
Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service
44. Threat Agent Types
Threat Agent | Motivation | Typical Action
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DoS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
46. Step 3: Estimate Likelihood of Exploitation
Best sources:
• Past experience
• National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes
If no good numbers emerge, estimates can be used, provided management is notified of the guesswork
48. Step 4: Compute Expected Loss – Risk Analysis Strategies
Qualitative: Prioritizes risks so that the highest risks can be addressed first
• Based on judgment, intuition, and experience
• May factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of impact in financial terms
Semiquantitative: Combination of qualitative & quantitative techniques
49. Step 4: Compute Loss Using Qualitative Analysis
Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share, share value
• When there is insufficient information to perform a more quantified analysis
51. Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact * Likelihood
52. SemiQuantitative Impact Matrix
Rows are Impact, columns are Likelihood, each cell is Impact * Likelihood; cells are rated LOW, MEDIUM, HIGH or SEVERE (the slide shows the rating bands without numeric cut-offs)
Impact \ Likelihood | Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Frequent (5)
Catastrophic (5) | 5 | 10 | 15 | 20 | 25
Material (4) | 4 | 8 | 12 | 16 | 20
Major (3) | 3 | 6 | 9 | 12 | 15
Minor (2) | 2 | 4 | 6 | 8 | 10
Insignificant (1) | 1 | 2 | 3 | 4 | 5
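The semi-quantitative scoring from the two slides above, worked as an added example (not code from the slides): the 1-5 impact and likelihood scales, Risk = Impact * Likelihood, a mapping of scores onto the LOW/MEDIUM/HIGH/SEVERE bands, and a ranking of scenarios so the highest risks are addressed first. The band thresholds and the scenario list are assumptions constructed for the example; the slides give the axis labels but not the cell boundaries.

```python
# Impact and likelihood scales exactly as on the slides (1-5 each)
IMPACT = {
    1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic",
}
LIKELIHOOD = {
    1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent",
}


def risk_score(impact, likelihood):
    """Risk = Impact * Likelihood; both inputs must be on the 1-5 scales."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must each be an integer from 1 to 5")
    return impact * likelihood


def risk_band(score):
    """Map a 1-25 score to the slide's rating labels.
    The cut-offs (15, 8, 4) are an assumption for this example."""
    if score >= 15:
        return "SEVERE"
    if score >= 8:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


def impact_matrix():
    """The full 5x5 grid: {impact: {likelihood: band}}, impact 5 down to 1."""
    return {
        i: {l: risk_band(risk_score(i, l)) for l in LIKELIHOOD}
        for i in sorted(IMPACT, reverse=True)
    }


def rank_scenarios(scenarios):
    """Score (name, impact, likelihood) tuples and return (name, score, band)
    rows sorted highest risk first; ties keep their input order."""
    scored = []
    for name, impact, likelihood in scenarios:
        score = risk_score(impact, likelihood)
        scored.append((name, score, risk_band(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed scenarios: (name, impact, likelihood)
SAMPLE_SCENARIOS = [
    ("Laptop with customer data stolen", 3, 4),
    ("Data center fire", 5, 1),
    ("Phishing e-mail reaches staff", 2, 5),
    ("Backup tapes found in garbage", 4, 2),
]

if __name__ == "__main__":
    for name, score, band in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{score:>2} {band:<7} {name}")
```

Ranking by the product keeps the two axes separate in the input, which is the point of the semi-quantitative method: a rare catastrophic event and a frequent minor one can land in the same band, and the matrix makes that visible before any dollar figures are argued over.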
53. Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
– E.g., stolen laptop =
• Replacement cost +
• Cost of installation of special software and data
• Assumes no liability
– SLE = Asset Value (AV) x Exposure Factor (EF)
• With a stolen laptop, EF > 1.0
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
– If a fire occurs once every 25 years, ARO = 1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
– ALE = SLE x ARO
54. Risk Assessment Using Quantitative Analysis
Quantitative:
• Cost of HIPAA accident with insufficient protections
– SLE = $50K + (1 year in jail) $100K = $150K
– Plus loss of reputation…
• Estimate of time = 10 years or less, so ARO = 0.1
• Annualized Loss Expectancy (ALE) =
– $150K x 0.1 = $15K
55. Annualized Loss Expectancy
Loss interval \ Asset Value | $1K | $10K | $100K | $1M
1 Yr | 1K | 10K | 100K | 1000K
5 Yrs | 200 | 2K | 20K | 200K
10 Yrs | 100 | 1K | 10K | 100K
20 Yrs | 50 | 1K | 5K | 50K
Asset costs $10K, risk of loss 20% per year:
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss
56. Quantitative Risk
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K
(Workbook)
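The SLE / ARO / ALE arithmetic from the quantitative slides above, worked as an added example (not code from the slides): SLE = AV x EF, ARO from a recurrence interval, ALE = SLE x ARO, applied to the building-fire and HIPAA-incident figures the slides give and to the asset-value-by-interval grid, each cell computed from the formula. An exposure factor of 1.0 (total loss) for the building fire is an assumption; the slides state only the $1M figure.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value (AV) x Exposure Factor (EF).
    EF may exceed 1.0 when consequential loss (e.g. breach notification)
    exceeds the replacement cost, as the slides note for a stolen laptop."""
    if asset_value < 0 or exposure_factor < 0:
        raise ValueError("asset value and exposure factor must be non-negative")
    return asset_value * exposure_factor


def annualized_rate(years_between_events):
    """ARO from a recurrence interval: once every 25 years -> 1/25 = 0.04."""
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected loss per year from one threat."""
    return sle * aro


def ale_table(asset_values, horizons):
    """The slide's grid: {years: {asset_value: ALE}} for a loss of the whole
    asset (EF = 1.0) once per horizon."""
    return {
        years: {
            av: annual_loss_expectancy(single_loss_expectancy(av, 1.0),
                                       annualized_rate(years))
            for av in asset_values
        }
        for years in horizons
    }


def building_fire_example():
    """Slide figures: $1M building, fire once in 20 years (EF = 1.0 assumed)."""
    sle = single_loss_expectancy(1_000_000, 1.0)
    return annual_loss_expectancy(sle, annualized_rate(20))


def hipaa_incident_example():
    """Slide figures: $50K fine + $100K (one year in jail) = $150K SLE,
    estimated once in 10 years."""
    sle = 50_000 + 100_000
    return annual_loss_expectancy(sle, annualized_rate(10))


if __name__ == "__main__":
    print(f"Building fire ALE:  ${building_fire_example():,.0f}")
    print(f"HIPAA incident ALE: ${hipaa_incident_example():,.0f}")
    grid = ale_table([1_000, 10_000, 100_000, 1_000_000], [1, 5, 10, 20])
    for years, row in grid.items():
        cells = "  ".join(f"${v:>10,.0f}" for v in row.values())
        print(f"{years:>2} yrs: {cells}")
```

The ALE is the figure the later "controls" slides compare against: it is the most that is worth spending per year on a control for that one threat, which is why the grid is indexed by asset value and recurrence interval rather than by any property of the control.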
57. Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
• E.g.: Comet hits
• Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
• E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability
• E.g.: Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
• E.g.: Buy malpractice insurance (doctor)
• While financial impact can be transferred, legal responsibility cannot
Risk Planning: Implement a set of controls
58. NIST Risk Assessment Methodology
Inputs: Company history; Intelligence agency data: NIPC, OIG; Audit & test results; Business Impact Analysis; Data Criticality & Sensitivity analysis
Activity | Output
System Characterization | System boundary; System functions; System/data criticality; System/data sensitivity
Identify Threats | List of threats & vulnerabilities
Identify Vulnerabilities | List of threats & vulnerabilities
Analyze Controls | List of current & planned controls
Determine Likelihood | Likelihood Rating
Analyze Impact | Impact Rating
Determine Risk | Documented Risks
Recommend Controls | Recommended Controls
Document Results | Risk Assessment Report
61. Controls & Countermeasures
• Cost of control should never exceed the expected loss assuming no control
• Countermeasure = Targeted Control
– Aimed at a specific threat or vulnerability
– Problem: Firewall cannot process packets fast enough due to IP packet attacks
– Solution: Add border router to eliminate invalid accesses
62. Analysis of Risk vs. Controls Workbook
Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K
Cost of some controls is shown in the Case Study Appendix
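The control decision from the "Controls & Countermeasures" slide and this workbook, worked as an added example (not code from the slides): the rule that a control's cost must not exceed the expected loss with no control, and the Risk Leverage formula from the "Five Steps" slide, (exposure before − exposure after) / cost of reduction, used to rank candidate controls. The ALE-before and control-cost figures are the workbook's; the residual ALEs after each control, the two-days-per-year outage behind the disk-failure ALE, and the printer-cage row are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    risk: str
    ale_before: float   # annual loss expectancy with no control (workbook figure)
    control: str
    cost: float         # annual cost of the control (workbook figure)
    ale_after: float    # residual ALE once the control is in place (assumed)


def risk_leverage(ale_before, ale_after, cost):
    """Risk Leverage = (risk exposure before reduction - after) / cost of reduction.
    Values above 1.0 mean each dollar spent removes more than a dollar of expected loss."""
    if cost <= 0:
        raise ValueError("cost of control must be positive")
    if ale_after > ale_before:
        raise ValueError("a control must not raise the exposure it is meant to reduce")
    return (ale_before - ale_after) / cost


def is_justified(option):
    """Slide rule: cost of control should never exceed the expected loss assuming no control."""
    return option.cost <= option.ale_before


def evaluate(options):
    """Return (risk, control, leverage, justified) rows, best leverage first."""
    rows = [
        (o.risk, o.control,
         risk_leverage(o.ale_before, o.ale_after, o.cost),
         is_justified(o))
        for o in options
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Workbook figures for ALE-before, control and cost; residual ALEs are assumptions.
WORKBOOK = [
    ControlOption("Stolen laptop", 1_000, "Encryption", 60, 100),
    ControlOption("Hacker", 9_000, "Firewall", 1_000, 2_000),
    # Disk failure is $3K per day on the slide; two days of outage per year is assumed
    ControlOption("Disk failure", 6_000, "RAID", 750, 600),
    # Constructed row that fails the rule: the control costs more than the loss it prevents
    ControlOption("Office printer theft", 300, "Printer cage", 500, 0),
]

if __name__ == "__main__":
    for risk, control, leverage, ok in evaluate(WORKBOOK):
        verdict = "OK" if ok else "NOT justified"
        print(f"{risk:<22} {control:<13} leverage={leverage:5.1f}  {verdict}")
```

Leverage ranks controls by expected loss removed per dollar, while the cost-versus-ALE rule is an absolute ceiling: a control can have positive leverage and still fail the rule (the printer-cage row), which is the case the slides warn about when they say the cost of a control should never exceed the loss it addresses.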
63. Extra Step: Step 6: Risk Monitoring
Report to Mgmt status of security
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected
Issue | Status | Cost
Stolen Laptop | In investigation | $2K, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K
Security Dashboard, Heat chart or Stoplight Chart
64. Training
• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering
65. Security Control Baselines & Metrics
Baseline: A measurement of performance
• Metrics are regularly and consistently measured, quantifiable, inexpensively collected
• Leads to subsequent performance evaluation
• E.g., how many viruses is the help desk reporting?
(Company data - Not real)
66. Risk Management
• Risk Management is aligned with business strategy & direction
• Risk mgmt must be a joint effort between all key business units & IS
• Business-Driven (not Technology-Driven)
Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy
67. Risk Management Roles
Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
Chief Info Officer: IT planning, budget, performance incl. risk
Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users
Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
System / Info Owners: Responsible to ensure controls in place to address CIA; sign off on changes
IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin
68. Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken:
• Senior Mgmt Support
• Risk Assessment
• Backup & Recovery
• Policies & Procedures
• Adequate Security Controls
• Compliance
• Monitoring & Metrics
• Business Continuity & Disaster Recovery
69. Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what is the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
70. Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year
71. Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
72. Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding
73. Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
74. Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
75. Question
Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets
76. Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
77. Vocabulary to study
• Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
• Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
• Threat, threat agent, vulnerability
• Qualitative risk analysis, quantitative risk analysis
• SLE, ARO, ALE
• Due diligence, due care
78. HEALTH FIRST CASE STUDY
Analyzing Risk
Jamie Ramon MD – Doctor
Chris Ramon RD – Dietician
Terry – Medical Admin
Pat – Software Consultant
80. Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | ? | ? | C? I? A? | Daily Operation (DO); Medical Malpractice (M); HIPAA Liability (H); Notification Law Liability (NL)
81. Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | $ | DO+M+H+NL | C I A | Daily Operation (DO) $; Medical Malpractice (M) $; HIPAA Liability (H) $; Notification Law Liability (NL) $
82. HIPAA Criminal Penalties
$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | …committed under false pretenses
Up to $500K | Up to 10 years | …with intent to sell, achieve personal gain, or cause malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
83. Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
• Normal threats: Threats common to all organizations
• Inherent threats: Threats particular to your specific industry
• Known vulnerabilities: Previous audit reports indicate deficiencies
84. Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
85. Step 4: Compute Expected Loss / Step 5: Treat Risk
Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
(table to be filled in for the case study)
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
Risk Avoidance: Stop doing risky behavior
Risk Mitigation: Implement control to minimize vulnerability
Risk Transference: Pay someone to assume risk for you
Risk Planning: Implement a set of controls
87. Physical Security
• From (ISC)2 Candidate Information Bulletin:
– The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.
88. Introduction
• Threats to physical security include:
– Interruption of services
– Theft
– Physical damage
– Unauthorized disclosure
– Loss of system integrity
89. Introduction
• Threats fall into many categories:
– Natural environmental threats (e.g., floods, fire)
– Supply system threats (e.g., power outages, communication interruptions)
– Manmade threats (e.g., explosions, disgruntled employees, fraud)
– Politically motivated threats (e.g., strikes, riots, civil disobedience)
90. Introduction
• The primary consideration in physical security is that nothing should impede “life safety goals.”
– Ex.: Don’t lock the only fire exit door from the outside.
• “Safety:” Deals with the protection of life and assets against fire, natural disasters, and devastating accidents.
• “Security:” Addresses vandalism, theft, and attacks by individuals.
91. Physical Security Planning
• Physical security, like general information security, should be based on a layered defense model.
• Layers are implemented at the perimeter and moving toward an asset.
• Layers include: Deterrence, Delaying, Detection, Assessment, Response
92. Physical Security Planning
• A physical security program must address:
– Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.).
– Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.).
– Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.).
– Incident assessment through response to incidents and determination of damage levels.
– Response procedures (fire suppression mechanisms, emergency response processes, etc.).
93. Physical Security Planning
• Crime Prevention Through Environmental Design (CPTED)
– Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
– Concepts developed in the 1960s.
– Think: Social Engineering
94. Physical Security Planning
• CPTED has three main strategies:
– Natural Access Control
– Natural Surveillance
– Territorial Reinforcement
95. Physical Security Planning
• Natural Access Control
– The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping
– Be familiar with: bollards, use of security zones, access barriers, use of natural access controls
96. Physical Security Planning
• Natural Surveillance
– Is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility.
– The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.
97. Physical Security Planning
• Territorial Reinforcement
– Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership.
– Accomplished through the use of walls, lighting, landscaping, etc.
98. Physical Security Planning
• CPTED is not the same as “target hardening”
• Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment).
99. Physical Security Planning
• Issues with selecting a facility site:
– Visibility (terrain, neighbors, population of area, building markings)
– Surrounding area and external factors (crime rate, riots, terrorism, first responder locations)
– Accessibility (road access, traffic, proximity to transportation services)
– Natural Disasters (floods, tornados, earthquakes)
100. Physical Security Planning
• Other facility considerations:
– Physical construction materials and structure composition
• Be familiar with: load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties).
101. Physical Security Planning
• “Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight-sensing floor as an additional control to prevent literal piggybacking.
102. Physical Security Planning
• Automatic door lock configuration:
– “Fail safe:” If a power disruption occurs, the door defaults to being unlocked.
– “Fail secure:” If a power disruption occurs, the door defaults to being locked.
103. Physical Security Planning
• Windows can also be used to promote physical security.
• Know the different types of glass:
– Standard
– Tempered
– Acrylic
– Wired
– Laminated
– Solar Window Film
– Security Film
104. Physical Security Planning
• Consider use of internal partitions carefully:
– True floor to true ceiling to counter security issues
– Should never be used in areas that house sensitive systems and devices
105. Internal Support Systems
• Power issues:
– A continuous supply of electricity assures the availability of company resources.
– Data centers should be on a different power supply from the rest of the building
– Redundant power supplies: two or more feeds coming from two or more electrical substations
106. Internal Support Systems
• Power protection:
– UPS Systems
• Online UPS systems
• Standby UPS System
– Power line conditioners
– Backup Sources
107. Internal Support Systems
• Other power terms to know:
– Ground
– Noise
– Transient Noise
– Inrush Current
– Clean Power
– EMI
– RFI
108. Internal Support Systems
• Types of Voltage Fluctuations
– Power Excess
• Spike
• Surge
– Power Loss
• Fault
• Blackout
– Power Degradation
• Sag/dip
• Brownout
• Inrush Current
109. Internal Support Systems
• Environmental Issues
– Positive Drains
– Static Electricity
– Temperature
110. Internal Support Systems
• Environmental Issues: Positive Drains
– Contents flow out instead of in
– Important for water, steam, gas lines
111. Internal Support Systems
• Environmental Issues: Static Electricity
– To prevent:
• Use antistatic flooring in data processing areas
• Ensure proper humidity
• Proper grounding
• No carpeting in data centers
• Antistatic bands
112. Internal Support Systems
• Environmental Issues: Temperature
– Computing components can be affected by temperature:
• Magnetic storage devices: 100 Deg. F.
• Computer systems and peripherals: 175 Deg. F.
• Paper products: 350 Deg. F.
113. Internal Support Systems
• Ventilation
– Airborne materials and particle concentration must be monitored for inappropriate levels.
– “Closed Loop”
– “Positive Pressurization”
114. Internal Support Systems
• Fire prevention, detection, suppression
• “Fire Prevention:” Includes training employees on how to react, supplying the right equipment, enabling fire suppression supply, proper storage of combustible elements
• “Fire Detection:” Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc.
• “Fire Suppression:” Is the use of a suppression agent to put out a fire.
115. Internal Support Systems
• The American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how fire resistance rating tests should be carried out and how to properly interpret results.
116. Internal Support Systems
• Fire needs oxygen and fuel to continue to
grow.
• Ignition sources can include the failure of an
electrical device, improper storage of
materials, malfunctioning heating devices,
arson, etc.
• Special note on “plenum areas:” The space
above drop down ceilings, wall cavities, and
under raised floors. Plenum areas should have
fire detectors and should only use plenum area
rated cabling.
118. Internal Support Systems
• Types of Fire Detectors
– Smoke Activated
– Heat Activated
– Know the types and properties of each general
category.
119. Internal Support Systems
• Different types of suppression agents:
– Water
– Halon and halon substitutes
– Foams
– Dry Powders
– CO2
– Soda Acid
– Know suppression agent properties and the types of fires
that each suppression agent combats
– Know the types of fire extinguishers (A,B,C, D) that
combat different types of fires
120. Internal Support Systems
• Types of Sprinklers
– Wet Pipe Systems (aka Closed Head System)
– Dry Pipe Systems
– Preaction Systems
– Deluge Systems
121. Perimeter Security
• The first line of defense is perimeter control
at the site location, to prevent unauthorized
access to the facility.
• Perimeter security has two modes:
– Normal facility operation
– Facility closed operation
122. Perimeter Security
• Proximity protection components put in place
to provide the following services:
– Control of pedestrian and vehicle traffic
– Various levels of protection for different security
zones
– Buffers and delaying mechanisms to protect
against forced entry
– Limit and control entry points
123. Perimeter Security
• Protection services can be provided by:
– Access Control Mechanisms
– Physical Barriers
– Intrusion Detection
– Assessment
– Response
– Deterrents
124. Perimeter Security
• Fences are “first line of de’fence’”
mechanisms. (Small Joke!)
• Varying heights, gauge, and mesh provides
security features (know them).
• Barbed wire direction makes a difference.
125. Perimeter Security
• Perimeter Intrusion Detection and
Assessment System (PIDAS):
– A type of fencing that has sensors on the wire
mesh and base of the fence.
– A passive cable vibration sensor sets off an
alarm if an intrusion is detected.
126. Perimeter Security
• Gates have 4 distinct types:
– Class I: Residential usage
– Class II: Commercial usage, where general public
access is expected (e.g., public parking lot, gated
community, self storage facility)
– Class III: Industrial usage, where limited access is
expected (e.g., warehouse property entrance not
intended to serve public)
– Class IV: Restricted access (e.g., a prison entrance that
is monitored either in person or via CCTV)
127. Perimeter Security
• Locks are inexpensive access control
mechanisms that are widely accepted and
used.
• Locks are considered delaying devices.
• Know your locks!
129. Perimeter Security
• Lock Strengths:
– Grade 1 (commercial and industrial use)
– Grade 2 (heavy duty residential/light duty commercial)
– Grade 3 (residential and consumer expendable)
• Cylinder Categories
– Low Security (no pick or drill resistance)
– Medium Security (some pick resistance)
– High Security (pick resistance through many different
mechanisms—used only in Grade 1 & 2 locks)
130. Perimeter Security
• Lighting
– Know lighting terms and types of lighting to use in
different situations (inside v. outside, security
posts, access doors, zones of illumination)
– It is important to have the correct lighting when
using various types of surveillance equipment.
– Lighting controls and switches should be in
protected, locked, and centralized areas.
131. Perimeter Security
• “Continuous lighting:” An array of lights that provide an even amount of
illumination across an area.
• “Controlled lighting:” An organization should erect lights and use
illumination in such a way that does not blind its neighbors or any passing
cars, trains, or planes.
• “Standby Lighting:” Lighting that can be configured to turn on and off at
different times so that potential intruders think that different areas of the
facility are populated.
• “Redundant” or “backup lighting:” Should be available in case of power
failures or emergencies.
• “Response Area Illumination:” Takes place when an IDS detects
suspicious activities and turns on the lights within the specified area.
132. Perimeter Security
• Surveillance Devices
– These devices usually work in conjunction with
guards or other monitoring mechanisms to
extend their capacity.
– Know the factors in choosing CCTV, focal length,
lens types (fixed v. zoom), iris, depth of field,
illumination requirements
133. Perimeter Security
• “Focal length:” The focal length of a lens
defines its effectiveness in viewing objects
from a horizontal and vertical view.
• The sizes of images that will be shown on a
monitor along with the area that can be
covered by one camera are defined by focal
length.
– Short focal length = wider angle views
– Long focal length = narrower views
134. Perimeter Security
• “Depth of field:” Refers to the portion of the
environment that is in focus
• “Shallow depth of focus:” Provides a softer
backdrop and leads viewers to the foreground
object
• “Greater depth of focus:” Not much
distinction between objects in the foreground
and background.
135. Perimeter Security
• Intrusion Detection systems are used to
detect unauthorized entries and to alert a
responsible entity to respond.
• Know the different types of IDS systems
(electro-mechanical v. volumetric) and
changes that can be detected by an IDS
system.
136. Perimeter Security
• Patrol Force and Guards
– Use in areas where critical reasoning skills are
required
• Auditing Physical Access
– Need to log and review:
• Date & time of access attempt
• Entry point
• User ID
• Unsuccessful access attempts
137. Physical Security
• Final Concept to Guide in Assessing Physical
Security Issues on Exam:
– Deterrence
– Delay
– Detection
– Assessment
– Response
139. Social Engineering
• Monday morning, 6am; the electric rooster is
telling you it's time to start a new work week. A
shower, some coffee, and you're in the car and
off. On the way to work you're thinking of all
you need to accomplish this week.
• Then, on top of that, there's the recent merger
between your company and a competitor. One of
your associates told you that you had better be on your
toes because rumors of layoffs are floating
around.
140. Social Engineering
• You arrive at the office and stop by the restroom
to make sure you look your best. You straighten
your tie and turn to head to your cube when you
notice, sitting on the back of the sink, a CD-ROM.
Someone must have left this behind by
accident. You pick it up and notice there is a label
on it. The label reads "2005 Financials &
Layoff's". You get a sinking feeling in your
stomach and hurry to your desk. It looks like
your associate has good reason for concern, and
you're about to find out for yourself.
141. And so
• The Game Is In Play: People Are The Easiest Target
You make it to your desk and insert the CD-ROM. You find
several files on the CD, including a spreadsheet which you
quickly open. The spreadsheet contains a list of employee
names, start dates, salaries, and a note field that says
"Release" or "Retain". You quickly search for your name but
cannot find it. In fact, many of the names don't seem
familiar. Why would they? This is a pretty large company; you
don't know everyone.
Since your name is not on the list you feel a bit of relief. It's
time to turn this over to your boss. Your boss thanks you and
you head back to your desk.
142. Let's Take A Step Back In Time
• The CD you found in the restroom was not left there by
accident. It was strategically placed there by me, or one of
the Security Consulting employees.
• You see, a firm has been hired to perform a Network Security
Assessment on your company.
• In reality, they have been contracted to hack into your
company from the Internet and have been authorized to
utilize social engineering techniques.
143. Bingo - Gotcha
• The spreadsheet you opened was not the only thing
executing on your computer.
• The moment you open that file you caused a script to
execute which installed a few files on your computer.
• Those files were designed to call home and make a
connection to one of our servers on the Internet. Once the
connection was made, the software on the security firm's
servers responded by pushing (or downloading) several
software tools to your computer.
• Tools designed to give the team complete control of your
computer. Now they have a platform, inside your company's
network, where they can continue to hack the network. And,
they can do it from inside without even being there.
144. This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to
defeat the security measures of your company's firewall from
the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered access
(or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for
attacking the network from within with the explicit purpose
of gaining control of a computer on the private network.
• All we had to do is get someone inside to do it for us.
145. Welcome to Social Engineering
• What would you have done if you found a CD
with this type of information on it?
• Yes, it is people who are the weakest link in
any security system and Social Engineering
Exploits that ---
147. Phisher Site Basics
•Thief sends e-mail to customer claiming to
be a legitimate company which has lost the
customer’s personal information
•Customer reads e-mail and goes to fake
website
•Customer enters credit card or other
personal information on website
•Thief steals personal information
148. Phisher Site E-mail Example (part 1)
From: EarthLink <billing@earthlink.net>
To: <thecustomer@earthlink.net>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department
Dear EarthLink User,
We regret to inform you, but due to a recent system
flush, the billing/personal information for your
account is temporally unavailable, and we need to
verify your identity.
<cont.>
149. Phisher Site E-mail Example (part 2)
In order to continue using your EarthLink account
and keeping it active, you must provide us with
your full information within 24 hours of receiving
this message.
To re-enter your account information and keep your
account active visit:
www.billingdepartment-el.net
Sincerely,
Sean Wright
EarthLink Billing Department
152. How to Spot Phisher Sites
TIP-OFFS
• Claims of “lost” information
• Unfamiliar URL
• Asks for credit card or other personal info
• No log in or not secure
• Most companies will not do this
TRICKS
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, html or fax form looks legit
153. Tips for Avoiding Phisher Sites
• Be suspicious of email asking for credit
card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP
154. Federal Trade Commission: Identity Theft Data Clearinghouse Complaints¹
Complaint counts by calendar year (reconstructed from the chart):
CY-1999: Total 1,380
CY-2000: Total 31,117
CY-2001: Total 86,197
CY-2002: Total 161,886
CY-2003²: Projected Total 210,000
Projected Cumulative Complaint Count 1999-2003: 490,000
¹ Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
² Projections for calendar year 2003 are based on complaints received from January through June 2003.
155. Federal Trade Commission: Consumer Sentinel Complaints¹
Year      Identity Theft Complaints   Fraud Complaints   Total
CY-2000   31,117                      107,890            139,007
CY-2001   86,197                      133,891            220,088
CY-2002   161,886                     218,284            380,170
¹ Percentages are based on the total number of Consumer Sentinel complaints by calendar year.
159. And Another
• The easiest way to break into any computer
system is to use a valid username and
password and the easiest way to get that
information is to ask someone for it.
160. The Beginning
• Like many hacking techniques, social
engineering got its start in attacks against the
telephone company. Hackers (or phone
phreaks, as they used to be called) would dial
up an operator and, by using the right jargon,
convince him or her to make a connection or
share some information that should not have
been shared.
161. In Reality
• Social engineering is probably as old as
speech, and goes back to the first lie.
• It is still successful today because people are
generally helpful, especially to someone who
is nice, knowledgeable, and / or insistent.
• No amount of technology can protect you
against a social engineering attack.
162. So How Do You Protect Yourself from
Yourself?
• Recognizing an Attack
– You can prepare your organization by teaching
people how to recognize a possible social
engineering attack. Do we have a Cyber Security
& Ethics 101 Class?
• Prevent a successful attack
– You can prepare a defense against this form of
social engineering by including instructions in
your security policy for handling it.
163. So How Do You Protect Yourself from
Yourself?
• Create a response plan
– Your response plan should include instructions on
how to deal with inquiries relating to passwords
or other classified information.
• Implement and Monitor the response plan
and continue to reinforce with Training
164. Target And Attack
• The basic goals of social engineering are the same as hacking
in general: to gain unauthorized access to systems or
information in order to commit fraud, network intrusion,
industrial espionage, identity theft, or simply to disrupt the
system or network.
• Typical targets include telephone companies and answering
services, big-name corporations and financial institutions,
military and government agencies, and hospitals.
• The Internet boom had its share of industrial engineering
attacks in start-ups as well, but attacks generally focus on
larger entities.
165. And Another
• One morning a few years back, a group of
strangers walked into a large shipping firm and
walked out with access to the firm’s entire
corporate network.
• How did they do it? By obtaining small amounts
of access, bit by bit, from a number of different
employees in that firm. First, they did research
about the company for two days before even
attempting to set foot on the premises.
166. And so on…
• For example, they learned key employees’
names by calling HR. Next, they pretended to
lose their key to the front door, and a man let
them in. Then they "lost" their identity badges
when entering the third floor secured area,
smiled, and a friendly employee opened the
door for them.
167. And so on…
• The strangers knew the CFO was out of town, so they were
able to enter his office and obtain financial data off his
unlocked computer.
• They dug through the corporate trash, finding all kinds of
useful documents.
• They asked a janitor for a garbage pail in which to place their
contents and carried all of this data out of the building in
their hands.
• The strangers had studied the CFO's voice, so they were able
to phone, pretending to be the CFO, in a rush, desperately in
need of his network password. From there, they used regular
technical hacking tools to gain super-user access into the
system.
168. Common Techniques
• Social Engineering by Phone
• Dumpster Diving
• On-line Social Engineering
• Persuasion
• Reverse Social Engineering
• And many more….
169. Defining The Term "Social Engineering"
• In the world of computers and technology, social engineering
is a technique used to obtain or attempt to obtain secure
information by tricking an individual into revealing the
information.
• Social engineering is normally quite successful because most
targets (or victims) want to trust people and provide as much
help as possible.
• Victims of social engineering typically have no idea they have
been conned out of useful information or have been tricked
into performing a particular task.
• The prey is not just you but your children and elders as well.
170. A Challenge to the CSU
• This is the 21st Century, the time of CyberSpace.
• Why is there no formal GE requirement for
CyberSecurity and Ethics, which can be taught not only
at the CSU level but at the CC level as well?
• Why don’t we extend this education to K-12
and Senior Centers as well?
171. Mt. SAC and Cal Poly Efforts
• NSF Grant Project – Establishment of a Regional
Information Systems Security Center (RISSC see
http://rissc.mtsac.edu/RISSC_NEW/default.asp )
• Cal Poly’s Participation in the Title V Grant and
development of Network Security curriculum
• Cal Poly Pomona’s Establishment of a Center for
Information Assurance (see
http://www.bus.csupomona.edu/cfia.asp )
172. Please join US for
• Information Assurance Symposium:
Building Information Assurance Capacity and
Improving Infrastructure at Minority Serving
Institutions
• December 8 - 10, 2005, Cal Poly Pomona,
8:30 a.m. - 5:00 p.m.
173. Contribute to:
• Information Sharing
• Curriculum Development
• Awareness, Knowledge and Development of
initiatives to help others around us be better
at practicing good security techniques
• Our thanks to Educause, ISACA, ISSA, IIA and
HTCIA for their support
176. Group Discussion
• Cryptography
• Law, Investigations & Ethics
• Access Control Systems & Methodology
• Security Management Practices
• Security Architecture & Models
• Physical Security
• Business Continuity & Disaster Recovery Planning
• Operations Security (Computers)
• Application & Systems Development
• Telecommunications & Network Security
177. Security Infrastructure
• Cryptography. Cryptography is the use of secret codes to achieve
desired levels of confidentiality and integrity. Two
categories focus on: (1) cryptographic applications and
uses and (2) crypto technology and implementations.
Included are basic technologies, encryption systems, and
key management methods.
178. Security Infrastructure
• Law, Investigation, and Ethics. Law involves the legal and
regulatory issues faced in an information security
environment. Investigation consists of guidelines and
principles necessary to successfully investigate security
incidents and preserve the integrity of evidence. Ethics
consists of knowledge of the difference between right and
wrong and the inclination to do the right thing.
179. Security Infrastructure
• Access Control. Access control consists of all of the various
mechanisms (physical, logical, and administrative) used to
ensure that only authorized persons or processes are
allowed to use or access a system. Three categories of
access control focus on: (1) access control principles and
objectives, (2) access control issues, and (3) access
control administration.
180. Security Infrastructure
• Security Management Policies, Standards, and
Organization. Policies are used to describe management
intent, standards provide a consistent level of security in an
organization, and an organization architecture enables the
accomplishment of security objectives. Four categories
include: (1) information classification, (2) security
awareness, (3) organization architecture, and (4) policy
development.
182. Security Infrastructure
• Security Architecture. Security architecture involves the
aspects of computer organization and configuration that
are employed to achieve computer security. It also covers
implementing system security to ensure that mechanisms are
used to maintain the security of system programs.
183. Security Architecture
• Cryptography
– Public Key (RSA)
– X.509 Certificates
– Digital Signatures
– Digital Envelopes
– Hashing/Message Digest
– Symmetric Encryption
– Certificate Authorities
• Security Infrastructure
– DNS
– DMZ, Firewalls
– Directory Services
– IDS
– Virus Checkers
– VPN
– PKI
– NAT
– RADIUS, Remote Access
– Web Servers
– DHCP
– Wireless
• Application
– Single Sign On
– Kerberos/DCE
– Mixed/Integrated Security
– Smart Cards
– Cryptographic APIs
– PDAs (PocketPC, Palm Pilots)
• Domain Trust Management
– Directional Trust
– Transitive Trust
– Kerberos
– NTLM
• Security Services Protocols
– IPSEC
– SSL/TLS
– Kerberos
– L2TP
– PPTP
– PPP
– Etc.
• Security Goals
– Authentication
– Auditing
– Availability
– Authorization
– Privacy
– Integrity
– Non-Repudiation
• Security Attacks
– Viruses
– Trojan Horses
– Bombs/Worms
– Spoofing/Smurf
– Sniffing and Tapping
– DOS
– Etc.
184. Security Infrastructure
• Physical Security. Physical security involves the provision
of a safe environment for information processing activities
with a focus on preventing unauthorized physical access to
computing equipment. Three categories include: (1) threats
and facility requirements, (2) personnel physical access
control, and (3) microcomputer physical security.
185. Security Infrastructure
• Business Continuity Planning and Risk Management. Risk
management encompasses all activities involved in the
control of risk (risk assessment, risk reduction, protective
measures, risk acceptance, and risk assignment). Business
continuity planning involves the planning of specific,
coordinated actions to avoid or mitigate the effects of
disruptions to normal business information processing
functions.
186. Security Infrastructure
• Operations Security (Computer). Computer operations
security involves the controls over hardware, media, and the
operators with access privileges to these. Several aspects
are included — notably, operator controls, hardware
controls, media controls, trusted system operations, trusted
facility management, trusted recovery, and environmental
contamination control.
187. Security Infrastructure
• Application and System Development. Application and
system security involves the controls placed within the
application and system programs to support the security
policy of the organization. Topics discussed include threats,
applications development, availability issues, security
design, and application/data access control.
188. Security Infrastructure
• Telecommunications & Network Security. Communications
security involves ensuring the integrity and confidentiality of
information transmitted via telecommunications media as
well as ensuring the availability of the telecommunications
media itself. Three categories of communications security
are: (1) telecommunications security objectives, threats,
and countermeasures; (2) network security; and (3)
Internet security.
190. Ten (10) Security Strategies
• Least Privilege: This principle means that any object (e.g., user, administrator, program, system) should have only the security privileges required to perform its assigned tasks.
• Defense in Depth: This principle recommends that multiple layers of security defense be implemented. They should back each other up.
• Choke Point: Forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.
• Weakest Link: This principle suggests that attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.
• Fail-Safe Stance: In the event your system fails, it should fail in a position that denies access to resources. Most systems will adhere to a deny stance or permit stance.
• Universal Participation: To achieve maximum effectiveness, security systems should require participation of all personnel.
• Diversity of Defense: This principle suggests that security effectiveness is also dependent on the implementation of similar products from different vendors. (This includes circuit diversity.)
• Simplicity: This principle suggests that by implementing simple things it is easier to manage.
• Security through Obsolescence: This principle suggests that by implementing old technology no one will have the knowledge to compromise the system.
• Security through Obscurity: This principle recommends the hiding of things as a form of protection.
192. Stages of Information and Classification
• D – Disseminate
• P – Process
• A – Accumulate (Collect)
• S – Store
• T – Transmit
• Mnemonic: D-PAST
193. N-Factor Authentication Methods
• Someplace where you are located (SITE)
• Something that you HAVE
• Something that you ARE
• Something that you NEED
• Something that you KNOW
• Mnemonic: SHANK
The first three steps were covered more in Chapter 2. Chapter 8 picks up that discussion and focuses on selecting the right security mechanisms for the different components of a modular network design.
Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, installing patches and security fixes, continuing to test and train, and updating the security plan and policy.
An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
This page was added on 9/01/10 to address the fact that early printings of the book had the wrong graphic for Figure 8-2.
Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company's Web pages, thus damaging the company's image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.
The items on the left cost money – so do the items on the right (e.g., loss in income)
The expected yearly loss serves to prioritize threats and determine what defenses are needed. The values above indicate ranges of losses expected in a given year assuming no controls are in place. Pay attention to the row and column headers.
The Breach Notification Law requires us to tell all customers if their private information was breached. On average, this costs $130 (or more) per customer in lawyers fees, mailings, etc. Direct Loss = Cost of Replacement Consequential Loss = Loss of income, reputation, fines, legal proceedings, etc. This slide is labeled ‘Workbook’ to indicate that you will encounter this within the Workbook. Only two rows are shown, but it may help as a reference as you work with the Workbook.
These threat types are useful to consider in naming threats to a business, as part of Step 2 of Risk Analysis. First column: Who (also known as Threat Agents). Second column: Motivation. Third column: Result.
Vulnerability = hole in security system, enabling threat to occur Threat refers to any entity or event that could cause damage to an enterprise. A vulnerability is a weak spot that would allow that damage to happen. A risk is a combination of the two; a threat without a relevant vulnerability (or vice versa) does not constitute a risk. Threat: burglar. Vulnerability: unlocked door. Risk: your TV will be stolen. There may be little an organization can do to affect threats directly, but by finding and minimizing vulnerabilities they can affect the impact of the threats.
What is the probability this threat will occur? What is the extent of the vulnerability? Vulnerabilities are not either/or; some may be more easily exploited than others, and controls may fully or partially mitigate them. Although there are good estimates out there, there is no accurate forecast, with past experience perhaps being the best – if you have experienced a problem before.
Qualitative Risk Analysis can use this graph and add/move threats as appropriate. The red area is high risk, with high cost/severity and high probability. The yellow areas are either high cost or high probability, but not both. The green area is low cost and low probability. You will do this for the case study. You can move threats (e.g, fire, terrorist) around as appropriate.
Alternatively, we can categorize the impact into five categories, and the likelihood into five categories, for Semi-Quantitative Analysis. Semi-q involves assigning values to assets; they may not reflect real-world values but should be approximately proportional. That is, you may not know exactly what something is going to cost, but you can try to decide whether it's more or less costly than something else. If real-world values could be used, then a quantitative analysis would be more appropriate.
The important thing to get out of this slide is that ALE = SLE x ARO. It is also important to understand each of the concepts: SLE, ARO, ALE. Exposure Factor: the maximum possible reduction in value from a threat (inherently or due to mitigating controls). For example, if the value of a building would be reduced from $400,000 to $100,000 by a fire, the exposure factor for the risk of fire to the building is 75%.
Estimate of Time is the frequency of this threat occurring or the ARO. ALE = SLE x ARO SLE is Single Loss Expectancy = cost of one single loss
This is a generalized table for consideration of asset risk, using SLE as the column head. The rows show the average frequency of loss, or ARO. Thus, if an asset costs $1,000 and is lost once per year, the loss is $1K per year (this becomes the ALE). But if the loss is every 5 years, then 1K x .2 = $200. If the loss is every 10 years, then 1K x .1 = $100.
Our case study will ask you to complete such a table. The Laptop loss costs that much due to Breach notification law ($9K)
This defines the different ways of treating risk: risk avoidance, risk mitigation, risk transference. See the examples. After a risk management plan is complete, whatever risk has not been covered by avoidance, mitigation or transference is called residual risk. If the residual risk is unacceptably high (this will be decided by management at the appropriate level – process owners or senior staff), then you need to go back to the plan and improve your controls until the residual risk is at a level the organization can live with, i.e. accept. That is, the residual risk is not bigger than the organization's risk appetite (discussed way back on slide 6, and this note could have gone up there instead). Acceptance should come before the cost of the controls exceeds the probable cost of an incident.
This shows how the risk is reduced by risk treatment, resulting in the final Residual Risk. Examples of Deterrent: threat of job loss, criminal prosecution Mitigating: firewall Detective: hash totals, access logs, IDS Preventive: not using SSNs, encryption, physical security procedures Corrective: contingency and recovery plans
Here, the border router is a countermeasure or targeted control to address the specific hacker threat of port mapping.
Here we compare the cost of our average losses versus the cost of controls (shown above as purchase price). In all cases, the cost of controls is less than the cost of encountering the risk – so we should go with the control. You will run into this table as part of the case study.
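A worked ALE calculation, added here as an illustration (it is not the course workbook or the case study's table), for the ALE = SLE x ARO formula on the earlier slides and the control-cost comparison on this one. The building fire figures ($400,000 reduced to $100,000, i.e. EF 75%) and the $9K laptop loss come from the slides; the AROs, the risk-reduction fractions and the control costs are constructed sample values.

```python
"""Worked ALE / control-cost example (added illustration, not the case study's figures).

ALE = SLE x ARO, where SLE = asset value x exposure factor and ARO is the
annual rate of occurrence (a loss once every 5 years is an ARO of 0.2).
All AROs and control costs below are constructed for the illustration; the
building fire numbers and the $9K laptop loss are taken from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annual rate of occurrence; 0.2 means once in 5 years


def sle(r: Risk) -> float:
    """Single Loss Expectancy: dollar loss from one incident."""
    return round(r.asset_value * r.exposure_factor, 2)


def ale(r: Risk) -> float:
    """Annualized Loss Expectancy: expected loss per year, rounded to cents."""
    return round(sle(r) * r.aro, 2)


def ale_table(sle_values, years_between_losses):
    """Rebuild the slide's generalized table: SLE as the column head, loss
    frequency (years between losses) as the rows. ARO = 1 / years."""
    return {
        years: {s: round(s / years, 2) for s in sle_values}
        for years in years_between_losses
    }


def residual_ale(r: Risk, risk_reduction: float) -> float:
    """ALE left after a control that removes a fraction of the risk.
    risk_reduction is 0..1 (1.0 = the control eliminates the loss entirely)."""
    return round(ale(r) * (1.0 - risk_reduction), 2)


def control_is_worthwhile(r: Risk, annual_control_cost: float,
                          risk_reduction: float = 1.0) -> bool:
    """The slide's decision rule: adopt a control while its cost is less than
    the loss it avoids. Once the control costs more than the probable loss,
    accepting the residual risk is the cheaper option."""
    avoided_loss = ale(r) - residual_ale(r, risk_reduction)
    return annual_control_cost < avoided_loss


# Constructed sample register: fire EF and the $9K laptop SLE are from the
# slides; the AROs (fire once in 4 years, laptop once a year) are assumptions.
BUILDING_FIRE = Risk("building fire", asset_value=400_000,
                     exposure_factor=0.75, aro=0.25)
LAPTOP_THEFT = Risk("laptop theft (breach notification)", asset_value=9_000,
                    exposure_factor=1.0, aro=1.0)


if __name__ == "__main__":
    for years, row in ale_table([1_000, 10_000], [1, 5, 10]).items():
        print(f"loss every {years:>2} yr: {row}")
    # Constructed control costs: sprinklers $20,000/yr, laptop encryption $500/yr.
    for risk, cost in ((BUILDING_FIRE, 20_000), (LAPTOP_THEFT, 500)):
        verdict = "adopt control" if control_is_worthwhile(risk, cost) else "accept risk"
        print(f"{risk.name}: SLE ${sle(risk):,.0f}, ALE ${ale(risk):,.0f}, "
              f"control ${cost:,}/yr -> {verdict}")
```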
A report like this one is used to keep management informed of ongoing issues. Senior managers don’t want to know about all the technical details. The red/yellow/green shows the overall status of an issue; other fields show a brief description and approximate cost. In the above chart, a flaw in physical security was fixed by training the personnel involved. That issue has been resolved and won’t appear on the next report. Some cost overruns are being investigated – that issue is underway. Finally, a laptop has been stolen and a new procedure for HIPAA incidents is needed. Those are new issues for which remediation has not begun or is about to. This kind of reporting tool would not be used for serious incidents. It’s a part of the ongoing risk management process.
Baseline can have two definitions: a measure of status now as compared to a desired future state, or the minimum amount of protection needed for a particular system. This slide refers to the former.
The best way to convince business management that risk and security are important is to consider the impact of threats to the bottom line (or income of the organization).
The slide shows higher ranking positions on top, lower ranking on the bottom.
These terms have to do with liability; an organization must fully investigate its vulnerabilities and take reasonable steps to control them, or at least to minimize the potential damage, in order to protect itself.
4. High level business management is responsible for deciding and accepting risk.
B is the best answer.
4 – Residual risk: After eliminating, mitigating, and transferring risk, residual risk remains.
3. Reduce risk to an acceptable level
3
Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence
Many of our assets are listed in our Income Statement and the Balance Sheet.
Consider the Medical database, in terms of its requirements for Confidentiality, Integrity and Availability. If the DB were not available, it would impact Daily Operation and Medical Malpractice. Also, if the DB is not confidential, the office could be liable under HIPAA and Notification Law. Find the daily cost of not being in business, due to the medical DB not being available. Put this $ under Consequential Financial Loss, Daily Operation. Then in Medical DB, put DO in the Consequential Financial Loss column.
As we can see (and from what I hear actually occurs) people are fined large amounts and can go to jail for not being careful with health information – or at least get fired.
Consider which threats are likely to have a financial impact on the firm, if they occurred. There are more threat ideas in the Workbook.
Do these threats look like they are in the correct quadrant? Are there inherent threats that should be added?
References are from: All in One Book (Shon Harris, 2005)
Bollards: Short posts that are commonly used to prevent vehicular access and to protect a building or people walking on a sidewalk from vehicles. They can also be used to direct foot traffic. (346)
Security Zones (CPTED model): Division of an environment’s space into zones with different security levels depending upon who needs to be in the zone and the associated risk. (347) Zones are labeled as controlled, restricted, public, or sensitive. (347) Each zone should have a specific protection level that is required of it, which will help dictate the types of controls that should be put into place. (347)
The following controls are commonly used for access control within different organizations: (347)
– Limit the number of entry points
– Force all guests to go to a front desk and sign in before entering the environment
– Reduce the number of entry points even further after hours or during the weekend when not as many employees are around
– Have a security guard validate a picture ID before allowing entrance
– Require guests to sign in and be escorted
– Encourage employees to question strangers
Access barriers can be naturally created (cliffs, rivers, hills), existing manmade elements (railroad tracks, highways) or artificial forms designed specifically to impede movement (fences, closing streets). (347)
References are from: All in One Book (Shon Harris, 2005) Can prevent literal piggybacking as well. Piggybacking: When an individual gains unauthorized access by using someone else’s legitimate credentials or access rights. The best preventative measures against this are to have security guards at access points and to educate employees about good security practices. (387)
Note that “fail safe” and “fail secure” terminology can be applied to other types of access control defaults, not merely terms for doors.
References are from: All in One Book (Shon Harris, 2005) pg. 358
Standard: No extra protection. Cheapest and lowest level of protection.
Tempered: Glass is heated and then cooled suddenly to increase its integrity and strength. 5-7x stronger than regular glass.
Acrylic: A type of plastic used instead of glass. Polycarbonate acrylics are stronger than regular acrylics. Produces toxic fumes if burned and may be prohibited by fire codes. Very expensive.
Wired: A mesh of wire is embedded between two sheets of glass. This wire helps to prevent the glass from shattering.
Laminated: Plastic layer between two outer glass layers. The plastic layer helps to increase the strength against breakage. The greater the depth, the more difficult to break.
Solar window film: Provides extra security by being tinted and extra strength through the film’s material.
Security film: Transparent film is applied to the glass to increase its strength.
References are from: All in One Book (Shon Harris, 2005) pg. 358
Power protection (365). There are three main methods of protecting against power problems: (365) UPS, power line conditioners, and backup sources.
UPS
– Online UPS systems: Use AC line voltage to charge a bank of batteries. When in use, the UPS has an inverter that changes the DC output from the batteries into the required AC form and regulates the voltage as it powers computer devices. (365) They have the normal primary power passing through them day in and day out, and constantly provide power from their own inverters, even when the electric power is in proper use. This UPS device is able to quickly detect when a power failure takes place and can provide the necessary electricity and pick up the load after a power failure much more quickly than a standby UPS. (366)
– Standby UPS: Devices stay inactive until the power fails. The system has sensors that detect a power failure, and the load is then switched to the battery pack. (366)
– UPS factors that should be reviewed are the size of the electrical load the UPS can support, the speed with which it can assume the load when the primary source fails, and the amount of time it can support the load. (403)
Power Line Conditioners
Backup Sources: Necessary when there is a power failure and the outage will last longer than a UPS can last. Backup supplies can be a redundant line from another electrical substation, or from a motor generator, and can be used to supply main power or charge the batteries in a UPS system. (366)
References are from: All in One Book (Shon Harris, 2005) pg. 358
Ground: The pathway to the earth to enable excess voltage to dissipate. (367)
Noise: Electromagnetic or frequency interference that disrupts the power flow and can cause fluctuations. (367)
Transient Noise: Short duration of power line disruption. (367)
Inrush Current: The initial surge of current required when there is an increase in power demand. (367)
Clean power: Electrical current that does not fluctuate. (367)
Types of interference (line noise): (366)
– EMI: Electromagnetic interference (367). Created by the difference between three wires (hot, neutral and ground) and the magnetic field that they create. Lightning and electric motors can induce EMI. (366)
– RFI: Radio frequency interference (367). Can be caused by anything that creates radio waves. Fluorescent lighting is one of the main causes of RFI within buildings today. (366)
References are from: All in One Book (Shon Harris, 2005) pg. 358
Power Excess
– Spike: Momentary high voltage
– Surge: Prolonged high voltage
Power Loss
– Fault: Momentary power loss
– Blackout: Sustained power loss
Power Degradation
– Sag/dip: Momentary low voltage condition, from one cycle to a few seconds.
– Brownout: Prolonged power supply that is below normal voltage.
Inrush Current: The initial surge of current required to start a load.
References are from: All in One Book (Shon Harris, 2005) Hygrometer : Used to monitor humidity. (372) High humidity can cause corrosion and low humidity can cause static electricity
References are from: All in One Book (Shon Harris, 2005) Closed Loop: means that the air within the building is reused after it has been properly filtered, instead of bringing outside air in. (373) Should be used to maintain air quality. (373) Positive pressurization: Means that when an employee opens a door, the air goes out and outside area does not come in. (373) Positive pressurization and ventilation should be implemented to control contamination. (373)
References are from: All in One Book (Shon Harris, 2005) **Need to know the fire resistant ratings that are used in the study guides. E.g., 5/8 inch thick drywall sheet installed on each side of a wood stud provides a one hour rating. If the thickness of the drywall were doubled, it would be a two hour rating. Fire resistance represents the ability of a laboratory constructed assembly to contain fire for a specific period of time.
References are from: All in One Book (Shon Harris, 2005)
Smoke activated detectors (375): Good for early warning devices (375). Can be used to sound a warning alarm before the suppression system activates. (375)
Photoelectric Device (aka optical detector): Detects variation in light intensity. The detector produces a beam of light across a protected area, and if the beam is obstructed, the alarm sounds. (375)
Heat Activated (376): Can be configured to sound an alarm either when a predefined temperature (fixed temperature) is reached or when the temperature increases over a period of time (rate of rise). (376) Rate of rise temperature sensors usually provide a quicker warning than fixed temperature sensors because they are more sensitive (but they can also sound more false alarms). (376)
References are from: All in One Book (Shon Harris, 2005)
Water: Works by reducing temperature. (378)
Halon and halon substitutes: Work by interfering with the chemical combustion of elements within a fire. (378) Halon depletes the ozone and when used on extremely hot fires degrades into toxic chemicals. (378) It was prohibited by the Montreal Protocol in 1987 and has not been manufactured since 1992. FM-200 is a halon substitute. (404)
Foams: Mainly water based and contain a foaming agent that allows them to float on top of a burning substance to exclude oxygen. (377)
Dry powders: Used mainly for class B and C fires. Sodium or potassium bicarbonate, calcium carbonate: interrupts the chemical combustion of a fire. (377) Monoammonium phosphate: excludes oxygen from the fuel. (377)
CO2: Works by removing oxygen. (378) Colorless, odorless. (404) Good for putting fires out, but bad for life forms because it removes oxygen from the air. A suppression system using this agent should have a delay mechanism. (377) Best used in unattended areas or facilities. (377)
Soda Acid: Works by removing fuel. (378)
Class A extinguishers are for ordinary combustible materials such as paper, wood, cardboard, and most plastics. The numerical rating on these types of extinguishers indicates the amount of water it holds and the amount of fire it can extinguish.
Class B fires involve flammable or combustible liquids such as gasoline, kerosene, grease and oil. The numerical rating for class B extinguishers indicates the approximate number of square feet of fire it can extinguish.
Class C fires involve electrical equipment, such as appliances, wiring, circuit breakers and outlets. Never use water to extinguish class C fires - the risk of electrical shock is far too great! Class C extinguishers do not have a numerical rating. The C classification means the extinguishing agent is non-conductive.
Class D fire extinguishers are commonly found in a chemical laboratory. They are for fires that involve combustible metals, such as magnesium, titanium, potassium and sodium. These types of extinguishers also have no numerical rating, nor are they given a multi-purpose rating - they are designed for class D fires only.
References are from: All in One Book (Shon Harris, 2005)
Wet Pipe Systems (aka Closed Head Systems): Always contain water in the pipes and are usually discharged by temperature control level sensors. One disadvantage is that the water in the pipes may freeze in colder climates. Also, a nozzle or pipe break could cause severe water damage. (379)
Dry Pipe Systems: Water is not actually held in the pipes; it is contained in a holding tank until released. The pipes contain pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Best used in colder climates because the pipes will not freeze. (379) An actual fire must be detected, usually by a heat or smoke sensor being activated. (379)
Preaction Systems: Similar to dry pipe systems in that the water is not held in the pipes but is released when the pressurized air within the pipes is reduced. In this system water is not released right away, but will be released when a thermal-fusible link on the sprinkler head melts. (380) This gives people more time to respond to small fires or false alarms that can be handled by other means. (380)
Deluge System: Has its sprinkler heads wide open to allow for a larger volume of water to be released in a shorter period. (380) Not usually used in data processing environments. (380)
References are from: All in One Book (Shon Harris, 2005)
Access control mechanisms: Locks and keys, electronic card access, personnel awareness.
Physical barriers: Fences, gates, walls, doors, windows, protected vents, vehicle barriers.
Intrusion Detection: Perimeter sensors, interior sensors, annunciation mechanisms.
Assessment: Guards, CCTV cameras.
Response: Guards, local law enforcement.
Deterrents: Signs, lighting, environmental design.
References are from: All in One Book (Shon Harris, 2005)
Fence posts should be buried deep in the ground and secured with concrete to ensure that they cannot be dug up or pulled out with vehicles. (390)
– 3-4 ft high: Only deter casual trespassers
– 6-7 ft high: Considered too high to climb easily
– 8 ft high with strands of barbed or razor wire at the top: Serious property protection, may deter the more determined intruder.
Fencing gauge & mesh: (390) The lower the gauge number, the thicker the wire diameter: 11 gauge = .120 inch diameter; 9 gauge = .148 inch diameter; 6 gauge = .192 inch diameter. Mesh sizes are typically 2 inch, 1 inch, and 3/8 inch. It is more difficult to climb fences with smaller mesh sizes.
Strength levels of the most common gauge and mesh sizes used in the fencing industry:
– Extremely high security: 3/8 in. mesh, 11 gauge
– Very high security: 1 inch mesh, 9 gauge
– High security: 1 inch mesh, 11 gauge
– Greater security: 2 inch mesh, 6 gauge
– Normal industrial security: 2 inch mesh, 9 gauge
Barbed wire tilted in (e.g. prison): makes it harder for people to get out. (390) Barbed wire tilted out (e.g. military base): makes it harder for people to get in. (390)
References are from: All in One Book (Shon Harris, 2005) Each gate classification has a long list of implementation and maintenance guidelines to ensure the necessary level of protection. Guidelines are developed by Underwriters Laboratories (UL), a nonprofit organization that tests, inspects and classifies electronic devices, fire protection equipment, and specific construction materials. (391) For the physical security realm, we look to UL for best practices and industry standards. (391) Bollards: small concrete pillars placed next to the sides of buildings that have the most immediate threat of someone driving a vehicle through an exterior wall. (391)
References are from: All in One Book (Shon Harris, 2005)
Two main types of mechanical locks: (382)
– Warded Lock: Basic padlock. These are the cheapest locks, and because of their lack of sophistication, are the easiest to pick. (382) See diagram page 383.
– Tumbler Lock: Has more pieces and parts than a warded lock. Three types: (383) Pin Tumbler, the most commonly used tumbler lock (383); Wafer Tumbler (aka disc tumbler lock), which does not provide much protection because it can be easily circumvented (383) and is often used as a car or desk lock (383); and Lever Tumbler.
Combination Locks: Require the correct combination of numbers to unlock them. (384)
Cipher Locks (aka Programmable Locks): Keyless and use a keypad to control access into an area or facility. Compared to traditional locks, they provide a much higher level of security and control of who can access a facility. (384)
Smart Locks: More sophisticated cipher locks that allow for specific codes to be assigned to unique individuals. Allows entry and exit activities to be logged by person. (385)
Functionalities available on many cipher combination locks that improve access controls and security: (384-85)
– Door Delay: If a door is held open for a given time, an alarm will trigger to alert personnel of suspicious activity. (384)
– Key Override: A specific combination can be programmed to be used in emergency situations to override normal procedures or for supervisory overrides. (384)
– Master Keying: Enables supervisory personnel to change access codes and other features of the cipher lock. (385)
– Hostage Alarm: If an individual is under duress and/or held hostage, a combination he enters can communicate this situation to the guard station or police station. (385)
Device Locks (385)
– Cable Locks: Consist of a vinyl coated steel cable that can secure a computer or peripheral to a desk or other stationary component. (385)
– Switch Controls: Cover on/off power switches. (386)
– Slot Locks: Secure the system to a stationary component by the use of a steel cable that is connected to a bracket mounted in a spare expansion slot. (386)
– Port Controls: Block access to disk drives or unused serial or parallel ports. (386)
– Peripheral Switch Controls: Secure a keyboard by inserting an on/off switch between the system unit and the keyboard input slot. (386)
– Cable traps: Prevent the removal of input/output devices by passing their cables through a lockable unit. (386)
References are from: All in One Book (Shon Harris, 2005)
Continuous lighting: An array of lights that provides an even amount of illumination across an area. (393)
Controlled lighting: An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes. (393)
Standby Lighting: Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated. (393)
Redundant or backup lighting should be available in case of power failures or emergencies.
Response Area Illumination: Takes place when an IDS detects suspicious activities and turns on the lights within the specified area. (393)
Annunciator system: An indicator that listens for noise and activates electrical devices. Will alert a security guard if movement is detected on a screen. (397)
Depth of field varies depending upon the size of the lens opening, the distance of the object being focused upon, and the focal length of the lens. (396) It increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, use a wide angle lens (short focal length) with a small lens opening.
IDS Characteristics:
– Expensive and requires human intervention to respond to alarms
– Redundant power supply and emergency backup power are necessary
– Can be linked to a centralized security system
– Should have a fail safe configuration, which should default to activated
– Should detect and be resistant to tampering
IDSs can be used to detect changes in the following: (398)
– Beams of light
– Sounds and vibrations
– Motion
– Different types of fields (microwave, ultrasonic, and electrostatic)
– Electrical circuit
The International Information Systems Security Certification Consortium, or (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). The information systems security test domains are:
1. Cryptography
2. Law, Investigations & Ethics
3. Access Control Systems & Methodology
4. Security Management Practices
5. Security Architecture & Models
6. Physical Security
7. Business Continuity & Disaster Recovery Planning
8. Operations Security (Computers)
9. Application & Systems Development
10. Telecommunications & Network Security
Domain 1 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
Domain 2 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
Domain 3 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
Domain 4 addresses security management policies, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
Domain 5 addresses security architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs.
Domain 6 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
Domain 7 addresses business continuity planning and risk management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
Domain 8 addresses (computer) operations security. Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included — notably, operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
Domain 9 addresses application and system development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
Domain 10 addresses Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.