Material best practices in network security using ethical hacking
 

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • The first three steps were covered more in Chapter 2. Chapter 8 picks up that discussion and focuses on selecting the right security mechanisms for the different components of a modular network design.
  • Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, installing patches and security fixes, continuing to test and train, and updating the security plan and policy.
  • An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
  • This page was added on 9/01/10 to address the fact that early printings of the book had the wrong graphic for Figure 8-2.
  • Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company's Web pages, thus damaging the company's image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.
  • The items on the left cost money – so do the items on the right (e.g., loss in income)
  • A number of areas affect risk management. Internal factors are factors that are company-specific. External factors also affect risk. Management's risk tolerance is an example of an internal factor. Some people just like to take risks, while others don't. Industry also affects risk. If you are in the banking industry, you are a target of crackers and of legislation to protect consumers. Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 2.5
  • Definitions:
    Risk Management is the entire process.
    Risk Assessment is the Risk Identification, Analysis & Evaluation process.
    Risk Analysis is the detailed analysis of the costs of risk.
    Treat risk is to implement controls to minimize the occurrence of risk, or to accept the risk.
    Transfer risk is to purchase insurance or hire another company to manage the risk for you.
    Residual risk is the remaining risk after you have implemented actions to reduce or eliminate risk. Cism09 2.8.1
    Here are the steps of risk management:
    Definition of scope: establish performance expectations of risk management (what is it supposed to accomplish?); account for both internal and external factors.
    Risk assessment: methodically identify, analyze and evaluate risks (emphasis on methodically).
    Risk treatment: select and implement measures, which could be avoidance, reduction, transfer, or acceptance.
    Risk communication: share risk information between decision makers and other stakeholders.
    Monitor and review: measure the efficiency and effectiveness of risk management; ensure plans are up to date; ensure compliance.
    Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission.
  • This explains or defines Risk Appetite, an important concept.
  • Risk Management is a continuing process consisting of these 4 steps. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.3
  • This slide actually shows Risk Assessment together with Treat Risk. The next slides go into more detail on this process.
  • Step 1 is Determine Value of Assets. In testing for CISA or CISM, there is often a question: what is the first step to assessing risk?
  • Replacement cost: how much to replace or rebuild?
    Loss of integrity: unauthorized changes are made to data or systems; this could result in faulty decision-making or be a stepping stone for further attacks.
    Loss of availability: a system crashes, or a hard drive is corrupted and data can't be retrieved; loss of productivity, decreased sales.
    Loss of confidentiality: customer information or trade secrets are compromised; decline in consumer confidence or market competitiveness, also possible legal ramifications (HIPAA).
    Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 2.12.4
  • The expected yearly loss serves to prioritize threats and determine what defenses are needed. The values above indicate ranges of losses expected in a given year assuming no controls are in place. Pay attention to the row and column headers.
  • The Breach Notification Law requires us to tell all customers if their private information was breached. On average, this costs $130 (or more) per customer in lawyers' fees, mailings, etc.
    Direct Loss = Cost of Replacement
    Consequential Loss = Loss of income, reputation, fines, legal proceedings, etc.
    This slide is labeled 'Workbook' to indicate that you will encounter this within the Workbook. Only two rows are shown, but it may help as a reference as you work with the Workbook.
  • When considering loss due to threats, you can use this list and others on following pages as potential threats. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. Cism09 2.10.5
  • These threat types are useful to consider in naming threats to a business, as part of Step 2 of Risk Analysis.
    First column: Who (also known as Threat Agents)
    Second column: Motivation
    Third column: Result
  • Vulnerability = hole in security system, enabling threat to occur Threat refers to any entity or event that could cause damage to an enterprise. A vulnerability is a weak spot that would allow that damage to happen. A risk is a combination of the two; a threat without a relevant vulnerability (or vice versa) does not constitute a risk. Threat: burglar. Vulnerability: unlocked door. Risk: your TV will be stolen. There may be little an organization can do to affect threats directly, but by finding and minimizing vulnerabilities they can affect the impact of the threats.
  • What is the probability this threat will occur? What is the extent of the vulnerability? Vulnerabilities are not either/or; some may be more easily exploited than others, and controls may fully or partially mitigate them. Although there are good estimates out there, there is no accurate forecast, with past experience perhaps being the best – if you have experienced a problem before.
  • Trying to come up with a probability is easier if you have past history. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. Exhibit 2.11
  • These are described in the next slides.
  • Qualitative Risk Analysis can use this graph and add/move threats as appropriate. The red area is high risk, with high cost/severity and high probability. The yellow areas are either high cost or high probability, but not both. The green area is low cost and low probability. You will do this for the case study. You can move threats (e.g., fire, terrorist) around as appropriate.
  • Alternatively, we can categorize the impact into five categories, and the likelihood into five categories, for Semi-Quantitative Analysis. Semi-quantitative analysis involves assigning values to assets; they may not reflect real-world values but should be approximately proportional. That is, you may not know exactly what something is going to cost, but you can try to decide whether it's more or less costly than something else. If real-world values could be used, then a quantitative analysis would be more appropriate.
  • Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12
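The semi-quantitative matrix described on the last three slides, worked through as an added example (this code is not from the slides or the CISM manual): each threat gets a likelihood and an impact rating from 1 to 5, the two ratings place it in a red, yellow or green region, and the threats are then ordered for treatment. The threat list and the rule that a rating of 4 or 5 counts as "high" are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# The five ordinal levels used for both likelihood and impact.
LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
HIGH = 4  # assumption: ratings of 4 or 5 count as "high" on the matrix


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1..5
    impact: int      # 1..5 (cost / severity)

    def score(self) -> int:
        """Semi-quantitative score: likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def validate(t: Threat) -> None:
    if t.likelihood not in LEVELS or t.impact not in LEVELS:
        raise ValueError(f"{t.name}: likelihood and impact must be 1..5")


def band(t: Threat) -> str:
    """Map a threat onto the coloured regions of the slide's graph.
    red: high likelihood AND high impact; yellow: exactly one of the two is high;
    green: neither is high."""
    validate(t)
    high_likelihood = t.likelihood >= HIGH
    high_impact = t.impact >= HIGH
    if high_likelihood and high_impact:
        return "red"
    if high_likelihood or high_impact:
        return "yellow"
    return "green"


def prioritize(threats: list[Threat]) -> list[str]:
    """Order threats for treatment: red first, then yellow, then green;
    within a colour, by descending likelihood x impact, then by name."""
    order = {"red": 0, "yellow": 1, "green": 2}
    ranked = sorted(threats, key=lambda t: (order[band(t)], -t.score(), t.name))
    return [t.name for t in ranked]


def render_matrix(threats: list[Threat]) -> str:
    """Text rendering of the 5x5 grid: rows are impact 5..1, columns are
    likelihood 1..5, and each cell names the threats that land there."""
    cells: dict[tuple[int, int], list[str]] = {}
    for t in threats:
        cells.setdefault((t.likelihood, t.impact), []).append(t.name)
    lines = ["impact \\ likelihood | " + " | ".join(f"{l:^14}" for l in LEVELS)]
    for impact in sorted(LEVELS, reverse=True):
        row = [f"{LEVELS[impact]:>19}"]
        for likelihood in LEVELS:
            names = ",".join(cells.get((likelihood, impact), [])) or "-"
            row.append(f"{names:^14}")
        lines.append(" | ".join(row))
    return "\n".join(lines)


# Constructed sample threats for a small medical office (not from the slides).
SAMPLE_THREATS = [
    Threat("laptop theft", likelihood=4, impact=4),
    Threat("fire", likelihood=2, impact=5),
    Threat("terrorist", likelihood=1, impact=5),
    Threat("power sag", likelihood=4, impact=1),
    Threat("trip hazard", likelihood=3, impact=2),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_THREATS))
    for t in SAMPLE_THREATS:
        print(f"{t.name:>14}: {band(t):6} (score {t.score()})")
    print("treatment order:", prioritize(SAMPLE_THREATS))
```

Moving a threat on the slide's graph corresponds to changing its two ratings here; the colour and the treatment order follow from that, so the same script can be re-run as the case-study estimates change.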
  • The important thing to get out of this slide is that ALE = SLE x ARO. It is also important to understand each of the concepts: SLE, ARO, ALE. Exposure Factor: the maximum possible reduction in value from a threat (inherently or due to mitigating controls). For example, if the value of a building would be reduced from $400,000 to $100,000 by a fire, the exposure factor for the risk of fire to the building is 75%.
  • Estimate of Time is the frequency of this threat occurring, or the ARO.
    ALE = SLE x ARO
    SLE is Single Loss Expectancy = cost of one single loss
  • This is a generalized table for consideration of asset risk, using SLE as the column head. The rows show the average frequency of loss, or ARO. Thus, if an asset costs $1,000 and is lost once per year, the loss is $1K per year (this becomes the ALE). But if the loss is every 5 years, then 1K x .2 = $200. If the loss is every 10 years, then 1K x .1 = $100.
  • Our case study will ask you to complete such a table. The Laptop loss costs that much due to Breach notification law ($9K)
  • This defines the different ways of treating risk: risk avoidance, risk mitigation, risk transference. See the examples. After a risk management plan is complete, whatever risk has not been covered by avoidance, mitigation or transference is called residual risk. If the residual risk is unacceptably high (this will be decided by management at the appropriate level: process owners or senior staff), then you need to go back to the plan and improve your controls until the residual risk is at a level the organization can live with, i.e. accept. That is, the residual risk is not bigger than the organization's risk appetite (discussed way back on slide 6, and this note could have gone up there instead). Acceptance should come before the cost of the controls exceeds the probable cost of an incident.
  • This is a NIST (National Institute for Science and Technology) table, showing inputs, processes, and outputs. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.6
  • Compensating Control: The ideal or expected control is not feasible. Therefore, a different control which approaches the effectiveness of the expected control is used instead. For example, separation of duties may not be possible, but perhaps an overview report is possible. Source:  CISM® Review Manual 2009 , © 2008, ISACA. All rights reserved. Used by permission. CISM Exhibit 2.14
  • This shows how the risk is reduced by risk treatment, resulting in the final Residual Risk. Examples:
    Deterrent: threat of job loss, criminal prosecution
    Mitigating: firewall
    Detective: hash totals, access logs, IDS
    Preventive: not using SSNs, encryption, physical security procedures
    Corrective: contingency and recovery plans
  • Here, the border router is a countermeasure or targeted control to address the specific hacker threat of port mapping.
  • Here we compare the cost of our average losses versus the cost of controls (shown above as purchase price). In all cases, the cost of controls is less than the cost of encountering the risk – so we should go with the control. You will run into this table as part of the case study.
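The quantitative side of the slides (Exposure Factor, SLE = asset value x EF, ALE = SLE x ARO, the "loss every N years" table, and the comparison of control cost against average loss) carried through as one added example; the code is not from the slides, the Workbook or the CISM manual. The assets, exposure factors, occurrence rates and control prices are constructed for illustration, except the $400,000-to-$100,000 fire example and the $1,000 asset table, which are the slides' own figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair with the inputs the slides define."""
    asset: str
    asset_value: float      # replacement cost, dollars
    exposure_factor: float  # fraction of value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one loss = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure and what it does to EF and ARO once in place."""
    name: str
    annual_cost: float  # purchase price spread over its life plus upkeep
    new_ef: float       # exposure factor with the control
    new_aro: float      # ARO with the control


def exposure_factor(value_before: float, value_after: float) -> float:
    """EF from the slide's definition: the maximum reduction in value
    from a threat, as a fraction of the original value."""
    return (value_before - value_after) / value_before


def residual_ale(risk: Risk, ctl: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.asset_value * ctl.new_ef * ctl.new_aro


def net_benefit(risk: Risk, ctl: Control) -> float:
    """ALE reduction minus the control's annual cost; positive means the
    control costs less than the loss it prevents."""
    return risk.ale() - residual_ale(risk, ctl) - ctl.annual_cost


def recommend(risk: Risk, ctl: Control) -> str:
    return "implement" if net_benefit(risk, ctl) > 0 else "accept risk"


def ale_table(asset_value: float, loss_every_n_years: list[int]) -> dict[int, float]:
    """The generalized table from the slide: a loss once every N years is
    an ARO of 1/N, so ALE = value x (1/N) for a total-loss (EF = 1) event."""
    return {n: asset_value * (1.0 / n) for n in loss_every_n_years}


# Slide example: a fire reduces a $400,000 building to $100,000 (EF 75%).
BUILDING = Risk("office building", 400_000, exposure_factor(400_000, 100_000), aro=0.25)

# Constructed example: a stolen laptop holding patient data. The $9K single
# loss follows the Breach Notification slide; losing two per year is assumed.
LAPTOP = Risk("laptop with patient data", 9_000, exposure_factor=1.0, aro=2.0)

# Constructed controls for the laptop risk (prices and effects are assumptions).
LAPTOP_CONTROLS = [
    Control("full-disk encryption", annual_cost=1_200, new_ef=0.2, new_aro=2.0),
    Control("armed courier for every laptop", annual_cost=25_000, new_ef=1.0, new_aro=0.5),
]


def evaluate(risk: Risk, controls: list[Control]) -> list[tuple[str, float, str]]:
    """Cost-of-controls comparison: (control, net benefit, decision) per control."""
    return [(c.name, net_benefit(risk, c), recommend(risk, c)) for c in controls]


if __name__ == "__main__":
    print(f"EF for the fire example: {BUILDING.exposure_factor:.0%}")
    print(f"{BUILDING.asset}: SLE ${BUILDING.sle():,.0f}, ALE ${BUILDING.ale():,.0f}")
    print("loss-every-N-years table for a $1,000 asset:", ale_table(1_000, [1, 5, 10]))
    print(f"{LAPTOP.asset}: SLE ${LAPTOP.sle():,.0f}, ALE ${LAPTOP.ale():,.0f}")
    for name, benefit, decision in evaluate(LAPTOP, LAPTOP_CONTROLS):
        print(f"  {name:32} net benefit ${benefit:>9,.0f} -> {decision}")
```

The second control is deliberately priced above the loss it prevents, so the comparison comes out "accept risk" for it; this is the case the acceptance sentence on the risk-treatment slide describes, where spending more on a control than the probable cost of an incident is not justified.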
  • A report like this one is used to keep management informed of ongoing issues. Senior managers don't want to know about all the technical details. The red/yellow/green shows the overall status of an issue; other fields show a brief description and approximate cost. In the above chart, a flaw in physical security was fixed by training the personnel involved. That issue has been resolved and won't appear on the next report. Some cost overruns are being investigated; that issue is underway. Finally, a laptop has been stolen and a new procedure for HIPAA incidents is needed. Those are new issues for which remediation has not begun or is about to. This kind of reporting tool would not be used for serious incidents. It's a part of the ongoing risk management process.
  • Training should also be part of an ongoing management process. Periodic training events to remind staff of their security responsibilities help to create a security-conscious environment and a security-friendly culture in an organization. Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 2.17
  • Baseline can have two definitions: a measure of status now as compared to a desired future state, or the minimum amount of protection needed for a particular system. This slide refers to the former.
  • The best way to convince business management that risk and security is important, is to consider the impact of threats to the bottom line (or income of the organization).
  • The slide shows higher ranking positions on top, lower ranking on the bottom.
  • These terms have to do with liability; an organization must fully investigate its vulnerabilities and take reasonable steps to control them, or at least to minimize the potential damage, in order to protect itself.
  • 1= Risk Management 2= Risk Analysis 3= Proactive Monitoring 4= Risk Assessment
  • 3 – The cost of losing an asset once.
  • 4. High level business management is responsible for deciding and accepting risk.
  • B is the best answer.
  • 4 – Residual risk: After eliminating, mitigating, and transferring risk, residual risk remains.
  • 3. Reduce risk to an acceptable level
  • 3
  • Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence
  • Many of our assets are listed in our Income Statement and the Balance Sheet.
  • Consider the Medical database, in terms of its requirements for Confidentiality, Integrity and Availability. If the DB were not available, it would impact Daily Operation and Medical Malpractice. Also, if the DB is not confidential, the office could be liable under HIPAA and Notification Law. Find the daily cost of not being in business, due to the medical DB not being available. Put this $ under Consequential Financial Loss, Daily Operation. Then in Medical DB, put DO in the Consequential Financial Loss column.
  • As we can see (and from what I hear actually occurs) people are fined large amounts and can go to jail for not being careful with health information – or at least get fired.
  • Consider which threats are likely to have a financial impact on the firm, if they occurred. There are more threat ideas in the Workbook.
  • Do these threats look like they are in the correct quadrant? Are there inherent threats that should be added?
  • References are from: All in One Book (Shon Harris, 2005)
    Bollards: Short posts that are commonly used to prevent vehicular access and to protect a building or people walking on a sidewalk from vehicles. They can also be used to direct foot traffic. (346)
    Security Zones (CPTED model): Division of an environment's space into zones with different security levels depending upon who needs to be in the zone and the associated risk. (347) Zones are labeled as controlled, restricted, public, or sensitive. (347) Each zone should have a specific protection level that is required of it, which will help dictate the types of controls that should be put into place. (347)
    The following controls are commonly used for access control within different organizations: (347)
    Limit the number of entry points.
    Force all guests to go to a front desk and sign in before entering the environment.
    Reduce the number of entry points even further after hours or during the weekend, when not as many employees are around.
    Have a security guard validate a picture ID before allowing entrance.
    Require guests to sign in and be escorted.
    Encourage employees to question strangers.
    Access barriers can be naturally created (cliffs, rivers, hills), existing manmade elements (railroad tracks, highways) or artificial forms designed specifically to impede movement (fences, closing streets). (347)
  • References are from: All in One Book (Shon Harris, 2005)
    Can prevent literal piggybacking as well.
    Piggybacking: When an individual gains unauthorized access by using someone else's legitimate credentials or access rights. The best preventative measures against this are to have security guards at access points and to educate employees about good security practices. (387)
  • Note that “fail safe” and “fail secure” terminology can be applied to other types of access control defaults, not merely terms for doors.
  • References are from: All in One Book (Shon Harris, 2005) pg. 358
    Standard: No extra protection. Cheapest and lowest level of protection.
    Tempered: Glass is heated and then cooled suddenly to increase its integrity and strength. 5-7x stronger than regular glass.
    Acrylic: A type of plastic instead of glass. Polycarbonate acrylics are stronger than regular acrylics. Produces toxic fumes if burned; may be prohibited by fire codes. Very expensive.
    Wired: A mesh of wire is embedded between two sheets of glass. This wire helps to prevent the glass from shattering.
    Laminated: A plastic layer between two outer glass layers. The plastic layer helps to increase the strength against breakage. The greater the depth, the more difficult to break.
    Solar window film: Provides extra security by being tinted and extra strength through the film's material.
    Security film: Transparent film is applied to the glass to increase its strength.
  • References are from: All in One Book (Shon Harris, 2005) pg. 358
    Power protection (365): There are three main methods of protecting against power problems: (365)
    UPS
    Online UPS systems: Use AC line voltage to charge a bank of batteries. When in use, the UPS has an inverter that changes the DC output from the batteries into the required AC form and regulates the voltage as it powers computer devices. (365) They have the normal primary power passing through them day in and day out. They constantly provide power from their own inverters, even when the electric power is in proper use. This UPS device is able to quickly detect when a power failure takes place and can provide the necessary electricity and pick up the load after a power failure much more quickly than a standby UPS. (366)
    Standby UPS: Devices stay inactive until the power fails. The system has sensors that detect a power failure, and the load is then switched to the battery pack. (366)
    UPS factors that should be reviewed are the size of the electrical load the UPS can support, the speed with which it can assume the load when the primary source fails, and the amount of time it can support the load. (403)
    Power Line Conditioners
    Backup Sources: Are necessary when there is a power failure and the outage will last longer than a UPS can last. Backup supplies can be a redundant line from another electrical substation, or from a motor generator, and can be used to supply main power or charge the batteries in a UPS system. (366)
  • References are from: All in One Book (Shon Harris, 2005) pg. 358
    Ground: The pathway to the earth to enable excess voltage to dissipate. (367)
    Noise: Electromagnetic or frequency interference that disrupts the power flow and can cause fluctuations. (367)
    Transient Noise: Short duration of power line disruption. (367)
    Inrush Current: The initial surge of current required when there is an increase in power demand. (367)
    Clean power: Electrical current that does not fluctuate. (367)
    Types of interference (line noise): (366)
    EMI: Electromagnetic interference (367). Created by the difference between three wires (hot, neutral and ground) and the magnetic field that they create. Lightning and electric motors can induce EMI. (366)
    RFI: Radio frequency interference (367). Can be caused by anything that creates radio waves. Fluorescent lighting is one of the main causes of RFI within buildings today. (366)
  • References are from: All in One Book (Shon Harris, 2005) pg. 358
    Power Excess
    Spike: Momentary high voltage
    Surge: Prolonged high voltage
    Power Loss
    Fault: Momentary power loss
    Blackout: Sustained power loss
    Power Degradation
    Sag/dip: Momentary low voltage condition, from one cycle to a few seconds.
    Brownout: Prolonged power supply that is below normal voltage.
    Inrush Current: The initial surge of current required to start a load.
  • References are from: All in One Book (Shon Harris, 2005) Hygrometer : Used to monitor humidity. (372) High humidity can cause corrosion and low humidity can cause static electricity
  • References are from: All in One Book (Shon Harris, 2005)
    Closed Loop: Means that the air within the building is reused after it has been properly filtered, instead of bringing outside air in. (373) Should be used to maintain air quality. (373)
    Positive pressurization: Means that when an employee opens a door, the air goes out and outside air does not come in. (373) Positive pressurization and ventilation should be implemented to control contamination. (373)
  • References are from: All in One Book (Shon Harris, 2005) **Need to know the fire resistant ratings that are used in the study guides. E.g., 5/8 inch thick drywall sheet installed on each side of a wood stud provides a one hour rating. If the thickness of the drywall were doubled, it would be a two hour rating. Fire resistance represents the ability of a laboratory constructed assembly to contain fire for a specific period of time.
  • References are from: All in One Book (Shon Harris, 2005)
    Smoke activated detectors (375): Good as early warning devices (375). Can be used to sound a warning alarm before the suppression system activates. (375)
    Photoelectric Device (aka optical detector): Detects variation in light intensity. The detector produces a beam of light across a protected area, and if the beam is obstructed, the alarm sounds. (375)
    Heat Activated (376): Can be configured to sound an alarm either when a predefined temperature (fixed temperature) is reached or when the temperature increases over a period of time (rate of rise). (376) Rate of rise temperature sensors usually provide a quicker warning than fixed temperature sensors because they are more sensitive (but they can also sound more false alarms). (376)
  • References are from: All in One Book (Shon Harris, 2005)
    Water: Works by reducing temperature. (378)
    Halon and halon substitutes: Work by interfering with the chemical combustion of elements within a fire. (378) Halon depletes the ozone and, when used on extremely hot fires, degrades into toxic chemicals. (378) Was prohibited by the Montreal Protocol in 1987 and has not been manufactured since 1992. FM-200 is a halon substitute. (404)
    Foams: Mainly water based and contain a foaming agent that allows them to float on top of a burning substance to exclude oxygen. (377)
    Dry powders: Used mainly for class B and C fires. Sodium or potassium bicarbonate, calcium carbonate: interrupts the chemical combustion of a fire. (377) Monoammonium phosphate: Excludes oxygen from the fuel. (377)
    CO2: Works by removing oxygen. (378) Colorless, odorless. (404) Good for putting fires out, but bad for life forms because it removes oxygen from the air. A suppression system using this agent should have a delay mechanism. (377) Best used in unattended areas or facilities. (377)
    Soda Acid (378): Works by removing fuel. (378)
    Class A extinguishers are for ordinary combustible materials such as paper, wood, cardboard, and most plastics. The numerical rating on these types of extinguishers indicates the amount of water it holds and the amount of fire it can extinguish.
    Class B fires involve flammable or combustible liquids such as gasoline, kerosene, grease and oil. The numerical rating for class B extinguishers indicates the approximate number of square feet of fire it can extinguish.
    Class C fires involve electrical equipment, such as appliances, wiring, circuit breakers and outlets. Never use water to extinguish class C fires; the risk of electrical shock is far too great! Class C extinguishers do not have a numerical rating. The C classification means the extinguishing agent is non-conductive.
    Class D fire extinguishers are commonly found in a chemical laboratory. They are for fires that involve combustible metals, such as magnesium, titanium, potassium and sodium. These types of extinguishers also have no numerical rating, nor are they given a multi-purpose rating; they are designed for class D fires only.
  • References are from: All in One Book (Shon Harris, 2005)
    Wet Pipe Systems (aka Closed Head System): Always contain water in the pipes and are usually discharged by temperature control level sensors. One disadvantage is that the water in the pipes may freeze in colder climates. Also, a nozzle or pipe break could cause severe water damage. (379)
    Dry Pipe Systems: Water is not actually held in the pipes; it is contained in a holding tank until released. The pipes contain pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Best used in colder climates because the pipes will not freeze. (379) An actual fire must be detected, usually by a heat or smoke sensor being activated. (379)
    Preaction Systems: Similar to dry pipe systems in that the water is not held in the pipes but is released when the pressurized air within the pipes is reduced. In this system water is not released right away, but will be released when a thermal-fusible link on the sprinkler head melts. (380) This gives people more time to respond to small fires or false alarms that can be handled by other means. (380)
    Deluge System: Has its sprinkler heads wide open to allow for a larger volume of water to be released in a shorter period. (380) Not usually used in data processing environments. (380)
  • References are from: All in One Book (Shon Harris, 2005)
    Access control mechanisms: Locks and keys, electronic card access, personnel awareness.
    Physical barriers: Fences, gates, walls, doors, windows, protected vents, vehicle barriers.
    Intrusion Detection: Perimeter sensors, interior sensors, annunciation mechanisms.
    Assessment: Guards, CCTV cameras.
    Response: Guards, local law enforcement.
    Deterrents: Signs, lighting, environmental design.
  • References are from: All in One Book (Shon Harris, 2005)
    Fence posts should be buried deep in the ground and secured with concrete to ensure that they cannot be dug up or pulled out with vehicles. (390)
    3-4 ft high: Only deters casual trespassers.
    6-7 ft high: Considered too high to climb easily.
    8 ft high with strands of barbed or razor wire at the top: Serious property protection; may deter the more determined intruder.
    Fencing gauge & mesh: (390) The lower the gauge number, the thicker the wire diameter: 11 gauge = .120 inch diameter; 9 gauge = .148 inch diameter; 6 gauge = .192 inch diameter.
    Mesh sizing: Typically 2 inch, 1 inch, 3/8 inch. It is more difficult to climb fences with smaller mesh sizes.
    Strength levels of the most common gauge and mesh sizes used in the fencing industry:
    Extremely high security: 3/8 in. mesh, 11 gauge
    Very high security: 1 inch mesh, 9 gauge
    High security: 1 inch mesh, 11 gauge
    Greater security: 2 inch mesh, 6 gauge
    Normal industrial security: 2 inch mesh, 9 gauge
    Barbed wire tilted in (e.g. prison): makes it harder for people to get out. (390)
    Barbed wire tilted out (e.g. military base): makes it harder for people to get in. (390)
  • References are from: All in One Book (Shon Harris, 2005)
    Each gate classification has a long list of implementation and maintenance guidelines to ensure the necessary level of protection. Guidelines are developed by Underwriters Laboratory (UL), which is a nonprofit organization that tests, inspects and classifies electronic devices, fire protection equipment, and specific construction materials. (391) For the physical security realm, we look to UL for best practices and industry standards. (391)
    Bollards: Small concrete pillars placed next to the sides of buildings that have the most immediate threat of someone driving a vehicle through an exterior wall. (391)
  • References are from: All in One Book (Shon Harris, 2005)
    Two main types of mechanical locks: (382)
    Warded Lock: Basic padlock. These are the cheapest locks, and because of their lack of sophistication, are the easiest to pick. (382) See diagram page 383.
    Tumbler Lock: Has more pieces and parts than a warded lock. Three types: (383)
    Pin Tumbler: Most commonly used tumbler lock. (383)
    Wafer Tumbler (aka disc tumbler locks): Does not provide much protection because it can be easily circumvented. (383) Often used as car or desk locks. (383)
    Lever Tumbler
    Combination Locks: Require the correct combination of numbers to unlock them. (384)
    Cipher Locks (aka Programmable Locks): Keyless and use a keypad to control access into an area or facility. Compared to traditional locks, provide a much higher level of security and control of who can access a facility. (384)
    Smart Locks: More sophisticated cipher locks that allow for specific codes to be assigned to unique individuals. Allows entry and exit activities to be logged by person. (385)
    Functionalities available on many cipher combination locks that improve access controls and security: (384-85)
    Door Delay: If a door is held open for a given time, an alarm will trigger to alert personnel of suspicious activity. (384)
    Key Override: A specific combination can be programmed to be used in emergency situations to override normal procedures or for supervisory overrides. (384)
    Master Keying: Enables supervisory personnel to change access codes and other features of the cipher lock. (385)
    Hostage Alarm: If an individual is under duress and/or held hostage, a combination he enters can communicate this situation to the guard station or police station. (385)
    Device Locks (385)
    Cable Locks: Consist of a vinyl coated steel cable that can secure a computer or peripheral to a desk or other stationary component. (385)
    Switch Controls: Cover on/off power switches. (386)
    Slot Locks: Secure the system to a stationary component by the use of a steel cable that is connected to a bracket that is mounted in a spare expansion slot. (386)
    Port Controls: Block access to disk drives or unused serial or parallel ports. (386)
    Peripheral Switch Controls: Secure a keyboard by inserting an on/off switch between the system unit and the keyboard input slot. (386)
    Cable Traps: Prevent the removal of input/output devices by passing their cables through a lockable unit. (386)
  • References are from: All in One Book (Shon Harris, 2005) Continuous lighting: An array of lights that provides an even amount of illumination across an area. (393) Controlled lighting: An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes. (393) Standby Lighting: Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated. (393) Redundant or backup lighting should be available in case of power failures or emergencies. Response Area Illumination: Takes place when an IDS detects suspicious activities and turns on the lights within the specified area. (393)
  • Annunciator system: An indicator that listens for noise and activates electrical devices. Will alert a security guard if movement is detected on a screen. (397)
  • Depth of field varies depending upon the size of the lens opening, the distance of the object being focused upon, and the focal length of the lens. (396) Increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items use a: Wide angle lens (short focal length) with a Small lens opening
  • IDS Characteristics:
    – Expensive and requires human intervention to respond to alarms
    – Redundant power supply and emergency backup power are necessary
    – Can be linked to a centralized security system
    – Should have a fail-safe configuration, which should default to activated
    – Should detect and be resistant to tampering
    IDSs can be used to detect changes in the following: (398)
    – Beams of light
    – Sounds and vibrations
    – Motion
    – Different types of fields (microwave, ultrasonic, and electrostatic)
    – Electrical circuit
  • The International Information Systems Security Certification Consortium, or (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). The information systems security test domains are: Cryptography; Law, Investigations & Ethics; Access Control Systems & Methodology; Security Management Practices; Security Architecture & Models; Physical Security; Business Continuity & Disaster Recovery Planning; Operations Security (Computers); Application & Systems Development; Telecommunications & Network Security.
    Domain 1 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
    Domain 2 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
    Domain 3 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
    Domain 4 addresses security management policies, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
    Domain 5 addresses security architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs.
    Domain 6 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
    Domain 7 addresses business continuity planning and risk management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
    Domain 8 addresses (computer) operations security. Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
    Domain 9 addresses application and system development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
    Domain 10 addresses Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Material best practices in network security using ethical hacking: Presentation Transcript

  • BEST PRACTICES IN NETWORK SECURITY USING ETHICAL HACKING
  • Network Security Design The 12 Step Program 1. Identify network assets 2. Analyze security risks 3. Analyze security requirements and tradeoffs 4. Develop a security plan 5. Define a security policy 6. Develop procedures for applying security policies
  • The 12 Step Program (continued) 7. Develop a technical implementation strategy 8. Achieve buy-in from users, managers, and technical staff 9. Train users, managers, and technical staff 10. Implement the technical strategy and security procedures 11. Test the security and update it if any problems are found 12. Maintain security
  • Network Assets • Hardware • Software • Applications • Data • Intellectual property • Trade secrets • Company’s reputation
  • Security Risks • Hacked network devices – Data can be intercepted, analyzed, altered, or deleted – User passwords can be compromised – Device configurations can be changed • Reconnaissance attacks • Denial-of-service attacks
  • Security Tradeoffs • Tradeoffs must be made between security goals and other goals: – Affordability – Usability – Performance – Availability – Manageability
  • A Security Plan • High-level document that proposes what an organization is going to do to meet security requirements • Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
  • A Security Policy • Per RFC 2196, “The Site Security Handbook,” a security policy is a – “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” • The policy should address – Access, accountability, authentication, privacy, and computer technology purchasing guidelines
  • Security Mechanisms • Physical security • Authentication • Authorization • Accounting (Auditing) • Data encryption • Packet filters • Firewalls • Intrusion Detection Systems (IDS) • Intrusion Prevention Systems (IPS)
  • Encryption for Confidentiality and Integrity Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality Figure 8-2. Public/Private Key System for Sending a Digital Signature
  • Modularizing Security Design • Security defense in depth – Network security should be multilayered with many different techniques used to protect the network • Belt-and-suspenders approach – Don’t get caught with your pants down
  • Modularizing Security Design • Secure all components of a modular design: – Internet connections – Public servers and e-commerce servers – Remote access networks and VPNs – Network services and network management – Server farms – User services – Wireless networks
  • Cisco SAFE • Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
  • Securing Internet Connections • Physical security • Firewalls and packet filters • Audit logs, authentication, authorization • Well-defined exit and entry points • Routing protocols that support authentication
  • Securing Public Servers • Place servers in a DMZ that is protected via firewalls • Run a firewall on the server itself • Enable DoS protection – Limit the number of connections per timeframe • Use reliable operating systems with the latest security patches • Maintain modularity – Front-end Web server doesn’t also run other services
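The "limit the number of connections per timeframe" bullet above is the one item on this slide that is a mechanism rather than a placement decision. The following is an added example, not code from the slides: a sliding-window limiter keyed by source address, the kind of check a front-end server or reverse proxy applies before accepting a new connection. The limits (3 connections per 10 seconds) and the connection log it runs over are constructed values.

```python
"""Per-source connection limiter: at most N new connections per sliding window.

Added example (not from the slides). Demonstrates the "limit the number of
connections per timeframe" DoS protection with a sliding-window counter keyed
by source IP. Limits and the sample attempt log are constructed values.
"""
from collections import defaultdict, deque


class ConnectionLimiter:
    """Allow at most `max_conns` accepted connections per `window_seconds` per source."""

    def __init__(self, max_conns: int, window_seconds: float):
        self.max_conns = max_conns
        self.window = window_seconds
        # source -> timestamps of connections accepted inside the current window
        self._history = defaultdict(deque)

    def allow(self, source: str, now: float) -> bool:
        """Return True if a new connection from `source` at time `now` is within the limit."""
        q = self._history[source]
        # Expire timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_conns:
            return False  # over the limit: refuse; the caller should log the refusal
        q.append(now)
        return True


# Constructed sample: (timestamp in seconds, source IP) of incoming connection attempts.
# 203.0.113.5 bursts six attempts in half a second; 198.51.100.9 is a normal client.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.5"), (0.1, "203.0.113.5"), (0.2, "203.0.113.5"),
    (0.3, "203.0.113.5"), (0.4, "198.51.100.9"), (0.5, "203.0.113.5"),
    (11.0, "203.0.113.5"), (11.1, "198.51.100.9"),
]


def apply_limits(attempts, max_conns=3, window_seconds=10.0):
    """Run the limiter over the attempts; return (accepted, refused) lists of (t, ip)."""
    limiter = ConnectionLimiter(max_conns, window_seconds)
    accepted, refused = [], []
    for t, ip in attempts:
        (accepted if limiter.allow(ip, t) else refused).append((t, ip))
    return accepted, refused


if __name__ == "__main__":
    acc, ref = apply_limits(SAMPLE_ATTEMPTS)
    print("accepted:", acc)
    print("refused: ", ref)
```

Because the window slides rather than resets, the bursting source is refused on its 4th and 6th attempts but admitted again at t=11.0 once its earlier timestamps have expired; the unrelated client is never affected, which is the property a per-source limit should have.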
  • Security Topologies Enterprise Network DMZ Web, File, DNS, Mail Servers Internet
  • Security Topologies Internet Enterprise Network DMZ Web, File, DNS, Mail Servers Firewall
  • Securing Remote-Access and Virtual Private Networks • Physical security • Firewalls • Authentication, authorization, and auditing • Encryption • One-time passwords • Security protocols – CHAP – RADIUS – IPSec
  • Securing Network Services • Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions • Require login IDs and passwords for accessing devices – Require extra authorization for risky configuration commands • Use SSH rather than Telnet • Change the welcome banner to be less welcoming
  • Securing Server Farms • Deploy network and host IDSs to monitor server subnets and individual servers • Configure filters that limit connectivity from the server in case the server is compromised • Fix known security bugs in server operating systems • Require authentication and authorization for server access and management • Limit root password to a few people • Avoid guest accounts
  • Securing User Services • Specify which applications are allowed to run on networked PCs in the security policy • Require personal firewalls and antivirus software on networked PCs – Implement written procedures that specify how the software is installed and kept current • Encourage users to log out when leaving their desks • Consider using 802.1X port-based security on switches
  • Securing Wireless Networks • Place wireless LANs (WLANs) in their own subnet or VLAN – Simplifies addressing and makes it easier to configure packet filters • Require all wireless (and wired) laptops to run personal firewall and antivirus software • Disable beacons that broadcast the SSID, and require MAC address authentication – Except in cases where the WLAN is used by visitors
  • WLAN Security Options • Wired Equivalent Privacy (WEP) • IEEE 802.11i • Wi-Fi Protected Access (WPA) • IEEE 802.1X Extensible Authentication Protocol (EAP) – Lightweight EAP or LEAP (Cisco) – Protected EAP (PEAP) • Virtual Private Networks (VPNs) • Any other acronyms we can think of? :-)
  • Wired Equivalent Privacy (WEP) • Defined by IEEE 802.11 • Users must possess the appropriate WEP key that is also configured on the access point – 64 or 128-bit key (or passphrase) • WEP encrypts the data using the RC4 stream cipher method • Infamous for being crackable
  • WEP Alternatives • Vendor enhancements to WEP • Temporal Key Integrity Protocol (TKIP) – Every frame has a new and unique WEP key • Advanced Encryption Standard (AES) • IEEE 802.11i • Wi-Fi Protected Access (WPA) from the Wi- Fi Alliance
  • Extensible Authentication Protocol (EAP) • With 802.1X and EAP, devices take on one of three roles: – The supplicant resides on the wireless LAN client – The authenticator resides on the access point – An authentication server resides on a RADIUS server
  • EAP (Continued) • An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password • The credentials are passed by the authenticator to the server and a session key is developed • Periodically the client must reauthenticate to maintain network connectivity • Reauthentication generates a new, dynamic WEP key
  • Cisco’s Lightweight EAP (LEAP) • Standard EAP plus mutual authentication – The user and the access point must authenticate • Used on Cisco and other vendors’ products
  • Other EAPs • EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft – Requires certificates for clients and servers. • Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security – Uses a certificate for the client to authenticate the RADIUS server – The server uses a username and password to authenticate the client • EAP-MD5 has no key management features or dynamic key generation – Uses challenge text like basic WEP authentication – Authentication is handled by RADIUS server
  • VPN Software on Wireless Clients • Safest way to do wireless networking for corporations • Wireless client requires VPN software • Connects to VPN concentrator at HQ • Creates a tunnel for sending all traffic • VPN security provides: – User authentication – Strong encryption of data – Data integrity
  • ENTER THE JED1 “THE DEMO”
  • Risk Management
  • How Much to Invest in Security?
    How much is too much?
    – Firewall
    – Intrusion Detection/Prevention
    – Guard
    – Biometrics
    – Virtual Private Network
    – Encrypted Data & Transmission
    – Card Readers
    – Policies & Procedures
    – Audit & Control Testing
    – Antivirus / Spyware
    – Wireless Security
    How much is too little?
    – Hacker attack
    – Internal Fraud
    – Loss of Confidentiality
    – Stolen data
    – Loss of Reputation
    – Loss of Business
    – Penalties
    – Legal liability
    – Theft & Misappropriation
    Security is a Balancing Act between Security Costs & Losses
  • Risk Management
    Risk Mgmt Strategies are determined by both internal & external factors
    – Internal Factors: Culture, Corporate History, Management’s Risk Tolerance, Organizational Maturity, Structure
    – External Factors: Regulation, Industry
    Risk Tolerance or Appetite: The level of risk that management is comfortable with
  • Risk Management Process
    Establish Scope & Boundaries (What to investigate? What to consider?)
    – Risk Assessment: Identification (What assets & risks exist?) -> Analysis (What does this risk cost?) -> Evaluation (What priorities shall we set?)
    – Risk Treatment (What controls can we use?): Avoid, Reduce, Transfer, Retain/Accept
    – Residual Risk
    Risk Communication & Monitoring runs alongside every stage
  • Risk Appetite • Do you operate your computer with or without antivirus software? • Do you have antispyware? • Do you open emails with forwarded attachments from friends or follow questionable web links? • Have you ever given your bank account information to a foreign emailer to make $$$? What is your risk appetite? If liberal, is it due to risk acceptance or ignorance? Companies too have risk appetites, decided after evaluating risk
  • Continuous Risk Mgmt Process
    Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> (back to Identify), all bounded by the Risk Appetite
    – Risks change with time as business & environment changes
    – Controls degrade over time and are subject to failure
    – Countermeasures may open new risks
  • Security Evaluation: Risk Assessment
    Five Steps include:
    1. Assign Values to Assets – Where are the Crown Jewels?
    2. Determine Loss due to Threats & Vulnerabilities – Confidentiality, Integrity, Availability
    3. Estimate Likelihood of Exploitation – Weekly, monthly, 1 year, 10 years?
    4. Compute Expected Loss – Loss = Downtime + Recovery + Liability + Replacement – Risk Exposure = ProbabilityOfVulnerability * $Loss
    5. Treat Risk – Survey & Select New Controls – Reduce, Transfer, Avoid or Accept Risk – Risk Leverage = ((Risk exposure before reduction) – (Risk exposure after reduction)) / (Cost of risk reduction)
  • Step 1: Determine Value of Assets Identify & Determine Value of Assets (Crown Jewels): • Assets include: – IT-Related: Information/data, hardware, software, services, documents, personnel – Other: Buildings, inventory, cash, reputation, sales opportunities • What is the value of this asset to the company? • How much of our income can we attribute to this asset? • How much would it cost to recover this? • How much liability would we be subject to if the asset were compromised? • Helpful websites: www.attrition.org
  • Determine Cost of Assets
    For each product under Sales (Product A, Product B, Product C), record:
    – Risk: Replacement Cost =
    – Cost of loss of integrity =
    – Cost of loss of availability =
    – Cost of loss of confidentiality =
    Costs: Tangible ($); Intangible (High/Med/Low)
  • Matrix of Loss
    Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
    Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
    Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
    Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
    Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K
  • Step 1: Determine Value of Assets
    Asset Name | $ Value Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
    Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law
    Equipment | $10,000 | $2k per day in income | Availability | (e.g., due to fire or theft)
    Work book
  • Step 2: Determine Loss Due to Threats Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure Intentional: Fire, water, theft, vandalism Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service
  • Threat Agent Types
    Agent | Motivation | Action
    Hackers/Crackers | Challenge, rebellion | Unauthorized access
    Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
    Terrorists | Destruction/revenge/extortion | DOS, info warfare
    Industry Spies | Competitive advantage | Info theft, econ. exploitation
    Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
  • Step 2: Determine Threats Due to Vulnerabilities System Vulnerabilities Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment Misinterpretation: Poorly-defined procedures, employee error, Insufficient staff, Inadequate mgmt, Inadequate compliance enforcement Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy
  • Step 3: Estimate Likelihood of Exploitation Best sources: • Past experience • National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media • Specialists and expert advice • Economic, engineering, or other models • Market research & analysis • Experiments & prototypes If no good numbers emerge, estimates can be used, if management is notified of guesswork
  • Likelihood of Exploitation: Sources of Losses Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu Evaluation of 31 organizations
  • Step 4: Compute Expected Loss Risk Analysis Strategies Qualitative: Prioritizes risks so that highest risks can be addressed first • Based on judgment, intuition, and experience • May factor in reputation, goodwill, nontangibles Quantitative: Measures approximate cost of impact in financial terms Semiquantitative: Combination of Qualitative & Quantitative techniques
  • Step 4: Compute Loss Using Qualitative Analysis Qualitative Analysis is used: • As a preliminary look at risk • With non-tangibles, such as reputation, image -> market share, share value • When there is insufficient information to perform a more quantified analysis
  • Vulnerability Assessment Quadrant Map
    [Figure: four quadrants (1-4) plotted on Threat (Probability) vs. Vulnerability (Severity); items placed on the map: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder]
    Work book
  • Step 4: Compute Loss Using Semi-Quantitative Analysis Impact 1. Insignificant: No meaningful impact 2. Minor: Impacts a small part of the business, < $1M 3. Major: Impacts company brand, >$1M 4. Material: Requires external reporting, >$200M 5. Catastrophic: Failure or downsizing of company Likelihood 1. Rare 2. Unlikely: Not seen within the last 5 years 3. Moderate: Occurred in last 5 years, but not in last year 4. Likely: Occurred in last year 5. Frequent: Occurs on a regular basis Risk = Impact * Likelihood
  • SemiQuantitative Impact Matrix
    [Figure: 5x5 matrix. Columns = Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5). Rows = Impact: Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1). Cells are banded SEVERE / HIGH / MEDIUM / LOW, rising toward the high-impact, high-likelihood corner.]
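The Risk = Impact * Likelihood scoring on the two slides above is easy to apply by hand once, but a register of a few dozen risks is better kept in code so the ranking is reproducible. This is an added example, not code from the slides: it uses the slide's two 1-5 scales verbatim, while the cut-off scores that turn a 1-25 product into the LOW/MEDIUM/HIGH/SEVERE bands are an assumption, because the slide's matrix does not state them. The risk register it ranks is constructed.

```python
"""Semi-quantitative risk scoring: Risk = Impact x Likelihood on 1..5 ordinal scales.

Added example (not from the slides). IMPACT and LIKELIHOOD are the slide's
scales; BANDS are assumed cut-offs, since the slide's matrix gives only the band
names. The register of risks is constructed for illustration.
"""
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}

# Assumed band thresholds on the 1..25 product, checked highest first.
BANDS = [(20, "SEVERE"), (12, "HIGH"), (6, "MEDIUM"), (1, "LOW")]


def score(impact: str, likelihood: str) -> int:
    """Risk score = Impact x Likelihood (1..25)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def band(score_value: int) -> str:
    """Map a 1..25 score onto the assumed SEVERE/HIGH/MEDIUM/LOW bands."""
    for threshold, name in BANDS:
        if score_value >= threshold:
            return name
    raise ValueError("score must be between 1 and 25")


def rank_risks(register):
    """register: iterable of (name, impact, likelihood).

    Returns [(name, score, band)] sorted highest score first, so the
    top of the list is what gets treated first (the qualitative goal)."""
    rated = [(name, score(i, l), band(score(i, l))) for name, i, l in register]
    return sorted(rated, key=lambda r: r[1], reverse=True)


def matrix():
    """The full 5x5 band table: rows = impact (Catastrophic first), cols = likelihood (Rare first)."""
    impacts = sorted(IMPACT, key=IMPACT.get, reverse=True)
    likelihoods = sorted(LIKELIHOOD, key=LIKELIHOOD.get)
    return {imp: {lik: band(score(imp, lik)) for lik in likelihoods} for imp in impacts}


# Constructed register (scenario names echo the slides; ratings are illustrative).
SAMPLE_REGISTER = [
    ("Ransomware halts operations", "Catastrophic", "Likely"),
    ("Disgruntled employee leaks data", "Major", "Likely"),
    ("Hacker steals customer data", "Major", "Moderate"),
    ("Backup tapes found in garbage", "Material", "Unlikely"),
    ("Malware on a workstation", "Minor", "Frequent"),
    ("Fire in the building", "Catastrophic", "Rare"),
]

if __name__ == "__main__":
    for name, s, b in rank_risks(SAMPLE_REGISTER):
        print(f"{s:2d} {b:7s} {name}")
```

One consequence worth noticing: an ordinal product treats "Catastrophic but Rare" (5) the same as "Insignificant but Frequent" (5), so a team that uses this scoring usually pairs it with a rule that anything Catastrophic is reviewed regardless of band. That is the kind of judgment the Qualitative slide refers to.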
  • Step 4: Compute Loss Using Quantitative Analysis Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once – Eg. Stolen laptop= • Replacement cost + • Cost of installation of special software and data • Assumes no liability – SLE = Asset Value (AV) x Exposure Factor (EF) • With Stolen Laptop EF > 1.0 Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year – If a fire occurs once every 25 years, ARO=1/25 Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat – ALE = SLE x ARO
  • Risk Assessment Using Quantitative Analysis
    Quantitative:
    – Cost of HIPAA accident with insufficient protections: SLE = $50K + (1 year in jail:) $100K = $150K, plus loss of reputation…
    – Estimate of Time = 10 years or less = 0.1
    – Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K
  • Annualized Loss Expectancy
    Asset Value -> | $1K | $10K | $100K | $1M
    1 Yr | 1K | 10K | 100K | 1000K
    5 Yrs | 200 | 2K | 20K | 200K
    10 Yrs | 100 | 1K | 10K | 100K
    20 Yrs | 50 | 1K | 5K | 50K
    Asset Costs $10K, Risk of Loss 20% per Year: Over 5 years, average loss = $10K. Spend up to $2K each year to prevent loss.
  • Quantitative Risk
    Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
    Building | Fire | $1M | .05 (20 years) | $50K
    Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K
    Work book
  • Step 5: Treat Risk Risk Acceptance: Handle attack when necessary • E.g.: Comet hits • Ignore risk if risk exposure is negligible Risk Avoidance: Stop doing risky behavior • E.g.: Do not use Social Security Numbers Risk Mitigation: Implement control to minimize vulnerability • E.g. Purchase & configure a firewall Risk Transference: Pay someone to assume risk for you • E.g., Buy malpractice insurance (doctor) • While financial impact can be transferred, legal responsibility cannot Risk Planning: Implement a set of controls
  • NIST Risk Assessment Methodology
    Input: Company history; Intelligence agency data: NIPC, OIG; Audit & test results; Business Impact Analysis; Data Criticality & Sensitivity analysis
    Activity -> Output:
    – System Characterization -> System boundary, System functions, System/data criticality, System/data sensitivity
    – Identify Threats, Identify Vulnerabilities -> List of threats & vulnerabilities
    – Analyze Controls -> List of current & planned controls
    – Determine Likelihood -> Likelihood Rating
    – Analyze Impact -> Impact Rating
    – Determine Risk -> Documented Risks
    – Recommend Controls -> Recommended Controls
    – Document Results -> Risk Assessment Report
  • Control Types
    [Figure: relationship diagram linking Threat, Attack, Vulnerability and Impact with the control types Deterrent, Preventive, Detective, Corrective and Compensating. Edge labels: Reduces likelihood of, Decreases, Results in, Reduces, Protects, Creates, Triggers, Discovers.]
  • [Figure: controls placed along the chain THREAT -> VULNERABILITY -> IMPACT, plotted against Risk Probability. Control types shown: Deterrent control, Mitigating control, Detective control, Preventive control, Corrective control; what remains after them is Residual risk.]
  • Controls & Countermeasures • Cost of control should never exceed the expected loss assuming no control • Countermeasure = Targeted Control – Aimed at a specific threat or vulnerability – Problem: Firewall cannot process packets fast enough due to IP packet attacks – Solution: Add border router to eliminate invalid accesses
  • Analysis of Risk vs. Controls Workbook
    Risk | ALE or Score | Control | Cost of Control
    Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
    Disk Failure | $3K per day | RAID | $750
    Hacker | $9K Breach Notif. Law | Firewall | $1K
    Cost of Some Controls is shown in Case Study Appendix
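The quantitative slides define SLE = AV x EF, ALE = SLE x ARO and Risk Leverage = (exposure before - exposure after) / cost of reduction, and the controls slide says a control should never cost more than the loss it is expected to remove. The block below is an added example, not code from the slides, that puts those formulas together into the decision the workbook table above is asking for. The building and laptop inputs follow the slides' table (a $1K laptop whose theft triggers $9K of breach-notification cost, ARO 0.2; a $1M building with fire ARO 0.05); the control costs and the post-control exposure factors are constructed, and the ALE values shown are what the formulas produce from those inputs rather than the figures printed on the slide.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, risk leverage of a control.

Added example (not from the slides). Formulas are the slides' own. Asset inputs
follow the slides' quantitative-risk table; control costs and post-control
exposure factors are constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV, dollars
    exposure_factor: float  # EF: fraction of AV lost per incident; >1.0 when liability exceeds AV
    aro: float              # Annualized Rate of Occurrence: 1 / years between incidents

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def risk_leverage(ale_before: float, ale_after: float, control_cost: float) -> float:
    """(Risk exposure before reduction - after reduction) / cost of risk reduction, per year."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after) / control_cost


def evaluate_control(risk: Risk, control: str, annual_cost: float,
                     ef_after: float = None, aro_after: float = None) -> dict:
    """Compare ALE with and without a control that lowers EF and/or ARO.

    `worthwhile` applies the slide's rule: the control's cost must not exceed
    the expected loss it removes (leverage >= 1), and it must never cost more
    than the uncontrolled ALE."""
    after = replace(risk,
                    exposure_factor=risk.exposure_factor if ef_after is None else ef_after,
                    aro=risk.aro if aro_after is None else aro_after)
    leverage = risk_leverage(risk.ale, after.ale, annual_cost)
    return {
        "asset": risk.asset, "threat": risk.threat, "control": control,
        "ale_before": risk.ale, "ale_after": after.ale, "control_cost": annual_cost,
        "leverage": leverage,
        "worthwhile": leverage >= 1.0 and annual_cost <= risk.ale,
    }


# Inputs following the slides' table: the laptop's EF of 10.0 encodes the
# $1K replacement plus $9K breach-notification cost as a multiple of its $1K value.
LAPTOP = Risk("Laptop", "Stolen", asset_value=1_000.0, exposure_factor=10.0, aro=0.2)
BUILDING = Risk("Building", "Fire", asset_value=1_000_000.0, exposure_factor=1.0, aro=0.05)

# Constructed control assumptions: full-disk encryption ($60/yr) removes the
# notification liability, so EF falls back to replacement cost only (1.0);
# fire suppression ($5,000/yr, assumed) cuts the loss per fire to 20% of AV.
DECISIONS = [
    evaluate_control(LAPTOP, "Encryption", annual_cost=60.0, ef_after=1.0),
    evaluate_control(BUILDING, "Fire suppression", annual_cost=5_000.0, ef_after=0.2),
]

if __name__ == "__main__":
    for d in DECISIONS:
        print(f"{d['asset']}/{d['threat']}: ALE ${d['ale_before']:,.0f} -> ${d['ale_after']:,.0f} "
              f"with {d['control']} at ${d['control_cost']:,.0f}/yr, "
              f"leverage {d['leverage']:.1f}, worthwhile={d['worthwhile']}")
```

Modelling the breach-notification cost as an exposure factor above 1.0 is exactly the "With Stolen Laptop EF > 1.0" remark on the SLE slide; it is also why a $60 control can show a leverage of 30, since most of the laptop's expected loss is liability, not hardware.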
  • Extra Step: Step 6: Risk Monitoring
    Report to Mgmt status of security:
    – Metrics showing current performance
    – Outstanding issues
    – Newly arising issues
    – How handled – when resolution is expected
    Issue | Status | Cost
    Stolen Laptop | In investigation | $2k, legal issues
    HIPAA Incident Response | Procedure being defined – incident response | $200K
    Cost overruns | Internal audit investigation | $400K
    HIPAA: Physical security | Training occurred | $200K
    Security Dashboard, Heat chart or Stoplight Chart
  • Training • Importance of following policies & procedures • Clean desk policy • Incident or emergency response • Authentication & access control • Privacy and confidentiality • Recognizing and reporting security incidents • Recognizing and dealing with social engineering
  • Security Control Baselines & Metrics Baseline: A measurement of performance • Metrics are regularly and consistently measured, quantifiable, inexpensively collected • Leads to subsequent performance evaluation • E.g. How many viruses is help desk reporting? (Company data - Not real)
  • Risk Management • Risk Management is aligned with business strategy & direction • Risk mgmt must be a joint effort between all key business units & IS • Business-Driven (not Technology-Driven) Steering Committee: • Sets risk management priorities • Define Risk management objectives to achieve business strategy
  • Risk Management Roles
    – Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
    – Chief Info Officer: IT planning, budget, performance incl. risk
    – Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
    – Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users
    – Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
    – System / Info Owners: Responsible to ensure controls in place to address CIA. Sign off on changes
    – IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
  • Due Diligence
    – Due Diligence = Did careful risk assessment (RA)
    – Due Care = Implemented recommended controls from RA
    – Liability minimized if reasonable precautions taken
    Reasonable precautions: Senior Mgmt Support; Risk Assessment; Backup & Recovery; Policies & Procedures; Adequate Security Controls; Compliance Monitoring & Metrics; Business Continuity & Disaster Recovery
  • Question Risk Assessment includes: 1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring 2. Answers the question: What risks are we prone to, and what is the financial costs of these risks? 3. Assesses controls after implementation 4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
  • Question Single Loss Expectancy refers to: 1. The probability that an attack will occur in one year 2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade) 3. The cost of losing an asset once 4. The average cost of loss of this asset per year
  • Question The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is: 1. The Chief Information Officer 2. The Chief Risk Officer 3. The Chief Information Security Officer 4. Enterprise governance and senior business management
  • Question Which of these risks is best measured using a qualitative process? 1. Temporary power outage in an office building 2. Loss of consumer confidence due to a malfunctioning website 3. Theft of an employee’s laptop while traveling 4. Disruption of supply deliveries due to flooding
  • Question The risk that is assumed after implementing controls is known as: 1. Accepted Risk 2. Annualized Loss Expectancy 3. Quantitative risk 4. Residual risk
  • Question The primary purpose of risk management is to: 1. Eliminate all risk 2. Find the most cost-effective controls 3. Reduce risk to an acceptable level 4. Determine budget for residual risk
  • Question Due Diligence ensures that 1. An organization has exercised the best possible security practices according to best practices 2. An organization has exercised acceptably reasonable security practices addressing all major security areas 3. An organization has implemented risk management and established the necessary controls 4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets
  • Question ALE is: 1. The average cost of loss of this asset, for a single incident 2. An estimate using quantitative risk management of the frequency of asset loss due to a threat 3. An estimate using qualitative risk management of the priority of the vulnerability 4. ALE = SLE x ARO
  • Vocabulary to study • Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk • Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance • Threat, threat agent, vulnerability, • Qualitative risk analysis, quantitative risk analysis • SLE, ARO, ALE • Due diligence, due care
  • HEALTH FIRST CASE STUDY: Analyzing Risk
    – Jamie Ramon, MD – Doctor
    – Chris Ramon, RD – Dietician
    – Terry – Medical Admin
    – Pat – Software Consultant
  • Step 1: Define Assets
  • Step 1: Define Assets – Consider Consequential Financial Loss
    Asset Name | $ Value Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
    Medical DB | | | C? I? A? |
    Consequential losses to consider: Daily Operation (DO), Medical Malpractice (M), HIPAA Liability (H), Notification Law Liability (NL)
  • Step 1: Define Assets – Consider Consequential Financial Loss
    Asset Name | $ Value Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
    Medical DB | | DO + M + H + NL | C I A |
    Daily Operation (DO) $ ; Medical Malpractice (M) $ ; HIPAA Liability (H) $ ; Notification Law Liability (NL) $
  • HIPAA Criminal Penalties
    $ Penalty | Imprisonment | Offense
    Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
    Up to $100K | Up to 5 years | …committed under false pretenses
    Up to $500K | Up to 10 years | …with intent to sell, achieve personal gain, or cause malicious harm
    Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
  • Step 2: Estimate Potential Loss for Threats Step 3: Estimate Likelihood of Exploitation • Normal threats: Threats common to all organizations • Inherent threats: Threats particular to your specific industry • Known vulnerabilities: Previous audit reports indicate deficiencies.
  • Step 2: Estimate Potential Loss for Threats Step 3: Estimate Likelihood of Exploitation
  • Step 4: Compute Expected Loss; Step 5: Treat Risk
    Step 4: Compute E(Loss): ALE = SLE * ARO
    Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
    Step 5: Treat Risk
    – Risk Acceptance: Handle attack when necessary
    – Risk Avoidance: Stop doing risky behavior
    – Risk Mitigation: Implement control to minimize vulnerability
    – Risk Transference: Pay someone to assume risk for you
    – Risk Planning: Implement a set of controls
  • Physical (Environmental) Security
  • Physical Security • From (ISC)2 Candidate Information Bulletin: – The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.
  • Introduction • Threats to physical security include: – Interruption of services – Theft – Physical damage – Unauthorized disclosure – Loss of system integrity 88
  • Introduction • Threats fall into many categories: – Natural environmental threats (e.g., floods, fire) – Supply system threats (e.g., power outages, communication interruptions) – Manmade threats (e.g., explosions, disgruntled employees, fraud) – Politically motivated threats (e.g., strikes, riots, civil disobedience) 89
  • Introduction • Primary consideration in physical security is that nothing should impede “life safety goals.” – Ex.: Don’t lock the only fire exit door from the outside. • “Safety:” Deals with the protection of life and assets against fire, natural disasters, and devastating accidents. • “Security:” Addresses vandalism, theft, and attacks by individuals. 90
  • Physical Security Planning • Physical security, like general information security, should be based on a layered defense model. • Layers are implemented at the perimeter and moving toward an asset. • Layers include: Deterrence, Delaying, Detection, Assessment, Response 91
  • Physical Security Planning • A physical security program must address: – Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.). – Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.). – Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.). – Incident assessment through response to incidents and determination of damage levels. – Response procedures (fire suppression mechanisms, emergency response processes, etc.). 92
  • Physical Security Planning • Crime Prevention Through Environmental Design (CPTED) – Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. – Concepts developed in 1960’s. – Think: Social Engineering 93
  • Physical Security Planning • CPTED has three main strategies: – Natural Access Control – Natural Surveillance – Territorial Reinforcement 94
  • Physical Security Planning • Natural Access Control – The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping – Be familiar with: bollards, use of security zones, access barriers, use of natural access controls 95
  • Physical Security Planning • Natural Surveillance – Is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility. – The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation. 96
  • Physical Security Planning • Territorial Reinforcement – Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership. – Accomplished through the use of walls, lighting, landscaping, etc. 97
  • Physical Security Planning • CPTED is not the same as “target hardening” • Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment). 98
  • Physical Security Planning • Issues with selecting a facility site: – Visibility (terrain, neighbors, population of area, building markings) – Surrounding area and external factors (crime rate, riots, terrorism, first responder locations) – Accessibility (road access, traffic, proximity to transportation services) – Natural Disasters (floods, tornados, earthquakes) 99
  • Physical Security Planning • Other facility considerations: – Physical construction materials and structure composition • Be familiar with: load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties). 100
  • Physical Security Planning • “Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight sensing floor as an additional control to prevent literal piggybacking. 101
  • Physical Security Planning • Automatic door lock configuration: • “Fail safe:” If a power disruption occurs, the door defaults to being unlocked. • “Fail secure:” If a power disruption occurs, the door defaults to being locked. 102
  • Physical Security Planning • Windows can also be used to promote physical security. • Know the different types of glass: – Standard – Tempered – Acrylic – Wired – Laminated – Solar Window Film – Security Film 103
  • Physical Security Planning • Consider use of internal partitions carefully: – True floor to true ceiling to counter security issues – Should never be used in areas that house sensitive systems and devices 104
  • Internal Support Systems • Power issues: – A continuous supply of electricity assures the availability of company resources. – Data centers should be on a different power supply from the rest of the building – Redundant power supplies: two or more feeds coming from two or more electrical substations 105
  • Internal Support Systems • Power protection: – UPS Systems • Online UPS systems • Standby UPS System – Power line conditioners – Backup Sources 106
  • Internal Support Systems • Other power terms to know: – Ground – Noise – Transient Noise – Inrush Current – Clean Power – EMI – RFI 107
  • Internal Support Systems • Types of Voltage Fluctuations – Power Excess • Spike • Surge – Power Loss • Fault • Blackout – Power Degradation • Sag/dip • Brownout • Inrush Current 108
  • Internal Support Systems • Environmental Issues – Positive Drains – Static Electricity – Temperature 109
  • Internal Support Systems • Environmental Issues: Positive Drains – Contents flow out instead of in – Important for water, steam, gas lines 110
  • Internal Support Systems • Environmental Issues: Static Electricity – To prevent: • Use antistatic flooring in data processing areas • Ensure proper humidity • Proper grounding • No carpeting in data centers • Antistatic bands 111
  • Internal Support Systems • Environmental Issues: Temperature – Computing components can be affected by temperature: • Magnetic Storage devices: 100 Deg. F. • Computer systems and peripherals: 175 Deg. F. • Paper products: 350 Deg. F. 112
  • Internal Support Systems • Ventilation – Airborne materials and particle concentration must be monitored for inappropriate levels. – “Closed Loop” – “Positive Pressurization” 113
  • Internal Support Systems • Fire prevention, detection, suppression • “Fire Prevention:” Includes training employees on how to react, supplying the right equipment, enabling fire suppression supply, proper storage of combustible elements • “Fire Detection:” Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc. • “Fire Suppression:” Is the use of a suppression agent to put out a fire. 114
  • Internal Support Systems • American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how fire resistant ratings tests should be carried out and how to properly interpret results. 115
  • Internal Support Systems • Fire needs oxygen and fuel to continue to grow. • Ignition sources can include the failure of an electrical device, improper storage of materials, malfunctioning heating devices, arson, etc. • Special note on “plenum areas:” The space above drop down ceilings, wall cavities, and under raised floors. Plenum areas should have fire detectors and should only use plenum area rated cabling. 116
  • Internal Support Systems • Types of Fire: – A: Common Combustibles • Elements: Wood products, paper, laminates • Suppression: Water, foam – B: Liquid • Elements: Petroleum products and coolants • Suppression: Gas, CO2, foam, dry powders – C: Electrical • Elements: Electrical equipment and wires • Suppression: Gas, CO2, dry powders – D: Combustible Metals • Elements: magnesium, sodium, potassium • Suppression: Dry powder – K: Commercial Kitchens • Elements: Cooking oil fires • Suppression: Wet chemicals such as potassium acetate. 117
  • Internal Support Systems • Types of Fire Detectors – Smoke Activated – Heat Activated – Know the types and properties of each general category. 118
  • Internal Support Systems • Different types of suppression agents: – Water – Halon and halon substitutes – Foams – Dry Powders – CO2 – Soda Acid – Know suppression agent properties and the types of fires that each suppression agent combats – Know the types of fire extinguishers (A,B,C, D) that combat different types of fires 119
  • Internal Support Systems • Types of Sprinklers – Wet Pipe Systems (aka Closed Head System) – Dry Pipe Systems – Preaction Systems – Deluge Systems 120
  • Perimeter Security • The first line of defense is perimeter control at the site location, to prevent unauthorized access to the facility. • Perimeter security has two modes: – Normal facility operation – Facility closed operation 121
  • Perimeter Security • Proximity protection components put in place to provide the following services: – Control of pedestrian and vehicle traffic – Various levels of protection for different security zones – Buffers and delaying mechanisms to protect against forced entry – Limit and control entry points 122
  • Perimeter Security • Protection services can be provided by: – Access Control Mechanisms – Physical Barriers – Intrusion Detection – Assessment – Response – Deterrents 123
  • Perimeter Security • Fences are “first line of de’fence’” mechanisms. (Small Joke!) • Varying heights, gauge, and mesh provides security features (know them). • Barbed wire direction makes a difference. 124
  • Perimeter Security • Perimeter Intrusion Detection and Assessment System (PIDAS): – A type of fencing that has sensors on the wire mesh and base of the fence. – A passive cable vibration sensor sets off an alarm if an intrusion is detected. 125
  • Perimeter Security • Gates have 4 distinct types: – Class I: Residential usage – Class II: Commercial usage, where general public access is expected (e.g., public parking lot, gated community, self storage facility) – Class III: Industrial usage, where limited access is expected (e.g., warehouse property entrance not intended to serve public) – Class IV: Restricted access (e.g., a prison entrance that is monitored either in person or via CCTV) 126
  • Perimeter Security • Locks are inexpensive access control mechanisms that are widely accepted and used. • Locks are considered delaying devices. • Know your locks! 127
  • Perimeter Security • Types of Locks – Mechanical Locks • Warded & Tumbler – Combination Locks – Cipher Locks (aka programmable locks) • Smart locks – Device Locks • Cable locks, switch controls, slot locks, port controls, peripheral switch controls, cable traps 128
  • Perimeter Security • Lock Strengths: – Grade 1 (commercial and industrial use) – Grade 2 (heavy duty residential/light duty commercial) – Grade 3 (residential and consumer expendable) • Cylinder Categories – Low Security (no pick or drill resistance) – Medium Security (some pick resistance) – High Security (pick resistance through many different mechanisms—used only in Grade 1 & 2 locks) 129
  • Perimeter Security • Lighting – Know lighting terms and types of lighting to use in different situations (inside v. outside, security posts, access doors, zones of illumination) – It is important to have the correct lighting when using various types of surveillance equipment. – Lighting controls and switches should be in protected, locked, and centralized areas. 130
  • Perimeter Security • “Continuous lighting:” An array of lights that provide an even amount of illumination across an area. • “Controlled lighting:” An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes. • “Standby Lighting:” Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated. • “Redundant” or “backup lighting:” Should be available in case of power failures or emergencies. • “Response Area Illumination:” Takes place when an IDS detects suspicious activities and turns on the lights within the specified area. 131
  • Perimeter Security • Surveillance Devices – These devices usually work in conjunction with guards or other monitoring mechanisms to extend their capacity. – Know the factors in choosing CCTV, focal length, lens types (fixed v. zoom), iris, depth of field, illumination requirements 132
  • Perimeter Security • “Focal length:” The focal length of a lens defines its effectiveness in viewing objects from a horizontal and vertical view. • The sizes of images that will be shown on a monitor along with the area that can be covered by one camera are defined by focal length. – Short focal length = wider angle views – Long focal length = narrower views 133
  • Perimeter Security • “Depth of field:” Refers to the portion of the environment that is in focus • “Shallow depth of focus:” Provides a softer backdrop and leads viewers to the foreground object • “Greater depth of focus:” Not much distinction between objects in the foreground and background. 134
  • Perimeter Security • Intrusion Detection systems are used to detect unauthorized entries and to alert a responsible entity to respond. • Know the different types of IDS systems (electro-mechanical v. volumetric) and changes that can be detected by an IDS system. 135
  • Perimeter Security • Patrol Force and Guards – Use in areas where critical reasoning skills are required • Auditing Physical Access – Need to log and review: • Date & time of access attempt • Entry point • User ID • Unsuccessful access attempts 136
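The slide lists what a physical access audit must log and review: date and time, entry point, user ID and unsuccessful attempts. The following is an added example, not from the deck, showing that review over a constructed badge-reader log. The CSV line format, the business-hours window, the three-denial threshold and the set of critical entry points are all assumptions made for the example.

```python
"""Physical access log review (added example, not from the deck).

Parses constructed sample badge-reader lines and flags the conditions an
auditor would look for: repeated unsuccessful attempts, and successful
after-hours entry to critical areas. Format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: "timestamp,entry_point,user_id,result"
SAMPLE_LOG = """\
2024-03-04T08:55:10,main-lobby,u1001,GRANTED
2024-03-04T09:02:33,server-room,u1001,DENIED
2024-03-04T09:02:41,server-room,u1001,DENIED
2024-03-04T09:02:50,server-room,u1001,DENIED
2024-03-04T09:03:02,server-room,u1001,DENIED
2024-03-04T12:15:00,server-room,u2002,GRANTED
2024-03-04T23:40:12,loading-dock,u3003,GRANTED
2024-03-05T02:10:45,server-room,u2002,GRANTED
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal facility hours
FAILURE_THRESHOLD = 3                        # assumed: 3+ denials is a finding
CRITICAL_ENTRY_POINTS = {"server-room"}      # assumed critical areas


def parse_log(text):
    """Turn the CSV-style lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, entry_point, user_id, result = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "entry_point": entry_point,
            "user_id": user_id,
            "granted": result == "GRANTED",
        })
    return events


def repeated_failures(events, threshold=FAILURE_THRESHOLD):
    """(user, entry point) pairs with `threshold` or more denied attempts."""
    counts = defaultdict(int)
    for e in events:
        if not e["granted"]:
            counts[(e["user_id"], e["entry_point"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def after_hours_entries(events, hours=BUSINESS_HOURS, critical=CRITICAL_ENTRY_POINTS):
    """Successful entries to critical areas outside business hours."""
    start, end = hours
    return [
        (e["time"].isoformat(), e["entry_point"], e["user_id"])
        for e in events
        if e["granted"] and e["entry_point"] in critical
        and not (start <= e["time"].time() < end)
    ]


def audit(text):
    """Run both checks over a raw log and return the findings."""
    events = parse_log(text)
    return {
        "repeated_failures": repeated_failures(events),
        "after_hours": after_hours_entries(events),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample log the review surfaces u1001's four consecutive denials at the server room (a badge being tried on a door it is not authorised for) and u2002's 02:10 server-room entry; the loading-dock entry at 23:40 is not reported because that door is not in the critical set.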
  • Physical Security • Final Concept to Guide in Assessing Physical Security Issues on Exam: – Deterrence – Delay – Detection – Assessment – Response 137
  • Social Engineering: A Test of Your Common Sense
  • Social Engineering • Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week. • Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you you had better be on your toes because rumors of layoffs are floating around.
  • Social Engineering • You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself.
  • And so • The Game Is In Play: People Are The Easiest Target You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone. Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
  • Let's Take A Step Back In Time • The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of the Security Consulting employees. • You see, a firm has been hired to perform a Network Security Assessment on your company. • In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
  • Bingo - Gotcha • The spreadsheet you opened was not the only thing executing on your computer. • The moment you opened that file you caused a script to execute which installed a few files on your computer. • Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer. • Tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there.
  • This is what we call a 180 degree attack. • Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet. • You took care of that for us. • Many organizations give their employees unfettered access (or impose limited control) to the Internet. • Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. • All we had to do was get someone inside to do it for us.
  • Welcome to Social Engineering • What would you have done if you found a CD with this type of information on it? • Yes, it is people who are the weakest link in any security system and Social Engineering Exploits that ---
  • Phisher Site Basics • Thief sends e-mail to customer claiming to be a legitimate company which has lost the customer’s personal information • Customer reads e-mail and goes to fake website • Customer enters credit card or other personal information on website • Thief steals personal information
  • Phisher Site E-mail Example (part 1) From: EarthLink <billing@earthlink.net> To: <thecustomer@earthlink.net> Date: 7/6/2003 11:50:02 AM Subject: Billing Department Dear EarthLink User, We regret to inform you, but due to a recent system flush, the billing/personal information for your account is temporally unavailable, and we need to verify your identity. <cont.>
  • Phisher Site E-mail Example (part 2) In order to continue using your EarthLink account and keeping it active, you must provide us with your full information within 24 hours of receiving this message. To re-enter your account information and keep your account active visit: www.billingdepartment-el.net Sincerely, Sean Wright EarthLink Billing Department
  • Phisher Site Example
  • The Real EarthLink Web Site
  • How to Spot Phisher Sites • Tip-offs: – Claims of “lost” information – Unfamiliar URL – Asks for credit card or other personal info – No log in or not secure – Most companies will not do this • Tricks: – E-mail looks legit (at first) – Prompts you to act quickly to keep service – Website, html or fax form looks legit
  • Tips for Avoiding Phisher Sites • Be suspicious of email asking for credit card or other personal info • URL should be familiar • Should require log-in • Should be a SECURE SITE • Call the company when in doubt • Always report spam/fraud to your ISP
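The tip-offs and avoidance tips on the two slides above can be turned into a simple message checker. This is an added example, not from the deck: the list of "familiar" domains, the keyword patterns, the suspicion threshold of two tip-offs, and the treatment of any URL other than https as "not a secure site" are assumptions. The phishing sample reuses the wording of the EarthLink e-mail example from the slides; the legitimate sample message is constructed.

```python
"""Phishing tip-off checker (added example, not from the deck).

Scores a message body against the tip-offs the slides list: claim of
lost information, unfamiliar URL, request for card or personal details,
not a secure (https) site, and pressure to act quickly. Keyword lists,
the known-domain set and the threshold are assumptions for the example.
"""
import re
from urllib.parse import urlparse

KNOWN_DOMAINS = {"earthlink.net"}   # assumed: domains the user recognises

LOST_INFO = re.compile(
    r"\b(lost|system flush|unavailable|verify your (identity|account))\b", re.I)
PERSONAL_INFO = re.compile(
    r"\b(credit card|card number|password|ssn|social security|full information)\b", re.I)
URGENCY = re.compile(
    r"\b(within \d+ hours|immediately|keep your account active|suspended)\b", re.I)
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)


def extract_urls(body):
    """Pull out anything that looks like a link, trimming trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(body)]


def registered_domain(url):
    """Host name with a leading 'www.' removed (simple assumed heuristic)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def tipoffs(body, known=KNOWN_DOMAINS):
    """Return the names of the tip-offs this message body triggers."""
    found = []
    urls = extract_urls(body)
    if LOST_INFO.search(body):
        found.append("claims lost information")
    if any(registered_domain(u) not in known for u in urls):
        found.append("unfamiliar URL")
    if PERSONAL_INFO.search(body):
        found.append("asks for personal info")
    if any(not u.lower().startswith("https://") for u in urls):
        found.append("not a secure (https) site")
    if URGENCY.search(body):
        found.append("pressure to act quickly")
    return found


def is_suspicious(body, threshold=2):
    """Assumed rule: two or more tip-offs means treat it as phishing."""
    return len(tipoffs(body)) >= threshold


# Sample 1: wording of the phisher e-mail shown on the slides.
PHISHING_BODY = (
    "Dear EarthLink User, We regret to inform you, but due to a recent system "
    "flush, the billing/personal information for your account is temporally "
    "unavailable, and we need to verify your identity. In order to continue "
    "using your EarthLink account and keeping it active, you must provide us "
    "with your full information within 24 hours of receiving this message. "
    "To re-enter your account information and keep your account active visit: "
    "www.billingdepartment-el.net"
)

# Sample 2: a constructed legitimate notice with a familiar https link.
LEGIT_BODY = ("Your March statement is ready. Sign in at "
              "https://www.earthlink.net/myaccount to view it.")

if __name__ == "__main__":
    print("phish:", tipoffs(PHISHING_BODY))
    print("legit:", tipoffs(LEGIT_BODY))
```

The slide's e-mail trips all five tip-offs (the "system flush" story, the unfamiliar billingdepartment-el.net domain, the request for "full information", a plain-http link, and the 24-hour deadline), while the constructed statement notice trips none. The "call the company when in doubt" tip has no code equivalent and remains the right fallback whenever the score is borderline.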
  • Federal Trade Commission Identity Theft Data Clearinghouse Complaints (1) (chart): – CY-1999 total: 1,380 – CY-2000 total: 31,117 – CY-2001 total: 86,197 – CY-2002 total: 161,886 – CY-2003 (2) projected total: 210,000 – Projected cumulative complaint count 1999-2003: 490,000. (1) Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General. (2) Projections for calendar year 2003 are based on complaints received from January through June 2003. Federal Trade Commission
  • Federal Trade Commission Consumer Sentinel Complaints (1) (chart): – CY-2000: Identity Theft Complaints 31,117 + Fraud Complaints 107,890 = 139,007 – CY-2001: Identity Theft Complaints 86,197 + Fraud Complaints 133,891 = 220,088 – CY-2002: Identity Theft Complaints 161,886 + Fraud Complaints 218,284 = 380,170. (1) Percentages are based on the total number of Consumer Sentinel complaints by calendar year. Federal Trade Commission
  • 1-877-IDTHEFT 1-877-FTC-HELP www.consumer.gov/idtheft www.consumer.gov/sentinel Federal Trade Commission
  • And Another • The easiest way to break into any computer system is to use a valid username and password and the easiest way to get that information is to ask someone for it.
  • The Beginning • Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hackers (or phone phreaks, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.
  • In Reality • Social engineering is probably as old as speech, and goes back to the first lie. • It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and / or insistent. • No amount of technology can protect you against a social engineering attack.
  • So How Do You Protect Yourself from Yourself? • Recognizing an Attack – You can prepare your organization by teaching people how to recognize a possible social engineering attack. Do we have a Cyber Security & Ethics 101 Class? • Prevent a successful attack – You can prepare a defense against this form of social engineering by including instructions in your security policy for handling it.
  • So How Do You Protect Yourself from Yourself? • Create a response plan – Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information. • Implement and Monitor the response plan and continue to reinforce with Training
  • Target And Attack • The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. • Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. • The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.
  • And Another • One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. • How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises.
  • And so on… • For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
  • And so on… • The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. • They dug through the corporate trash, finding all kinds of useful documents. • They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. • The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
  • Common Techniques • Social Engineering by Phone • Dumpster Diving • On-line Social Engineering • Persuasion • Reverse Social Engineering • And many more….
  • Defining The Term "Social Engineering" • In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information. • Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible. • Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task. • The prey is not just you but your children and elders as well
  • A Challenge to the CSU • This is the 21st Century, The Time of CyberSpace • Why is there no formal GE requirement for CyberSecurity and Ethics, which could be taught not only at the CSU level but at the CC level as well? • Why don’t we extend this education to K-12 and Senior Centers as well?
  • Mt. SAC and Cal Poly Efforts • NSF Grant Project – Establishment of a Regional Information Systems Security Center (RISSC see http://rissc.mtsac.edu/RISSC_NEW/default.asp ) • Cal Poly’s Participation in the Title V Grant and development of Network Security curriculum • Cal Poly Pomona’s Establishment of a Center for Information Assurance (see http://www.bus.csupomona.edu/cfia.asp )
  • Please join US for • Information Assurance Symposium Building Information Assurance Capacity and Improving Infrastructure at Minority Serving Institutions December 8 - 10, 2005 Cal Poly Pomona 8:30 a.m. - 5:00 p.m.
  • Contribute to: • Information Sharing • Curriculum Development • Awareness, Knowledge and Development of initiatives to help others around us be better at practicing good security techniques • Our thanks to Educause, ISACA, ISSA, IIA and HTCIA for their support
  • Building a Successful Security Infrastructure
  • Ten Security Domains (diagram): Application/System Security – Operations Security – Telecommunication & Network Security – Physical Security – Cryptography – Security Architecture – Security Management – Access Control – Law, Investigations, and Ethics – Business Continuation & Disaster Recovery Planning
  • Group Discussion • Cryptography • Law, Investigations & Ethics • Access Control Systems & Methodology • Security Management Practices • Security Architecture & Models • Physical Security • Business Continuity & Disaster Recovery Planning • Operations Security (Computers) • Application & Systems Development • Telecommunications & Network Security
  • Security Infrastructure • Cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
  • Security Infrastructure • Law, Investigation, and Ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
  • Security Infrastructure • Access Control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
  • Security Infrastructure • Security Management Policies, Standards, and Organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
  • Security Challenges? (diagram elements: People/Organization, Technologies, Processes, Policies, Secured Infrastructure)
  • Security Infrastructure • Security Architecture. Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security. It also covers implementing system security so that mechanisms are used to maintain the security of system programs.
  • Security Architecture (diagram) • Cryptography: Public Key (RSA), X.509 Certificates, Digital Signatures, Digital Envelopes, Hashing/Message Digest, Symmetric Encryption, Certificate Authorities • Security Infrastructure: DNS, DMZ, Firewalls, Directory Services, IDS, Virus Checkers, VPN, PKI, NAT, RADIUS, Remote Access, Web Servers, DHCP, Wireless • Application: Single Sign On, Kerberos/DCE, Mixed/Integrated Security, Smart Cards, Cryptographic APIs, PDAs (PocketPC, Palm Pilots) • Domain Trust Management: Directional Trust, Transitive Trust, Kerberos, NTLM • Security Services Protocols: IPSEC, SSL/TLS, Kerberos, L2TP, PPTP, PPP, etc. • Security Goals: Authentication, Auditing, Availability, Authorization, Privacy, Integrity, Non-Repudiation • Security Attacks: Viruses, Trojan Horses, Bombs/Worms, Spoofing/Smurf, Sniffing and Tapping, DOS, etc.
  • Security Infrastructure • Physical Security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
  • Security Infrastructure • Business Continuity Planning and Risk Management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
  • Security Infrastructure • Operations Security (Computer). Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
  • Security Infrastructure • Application and System Development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
  • Security Infrastructure • Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.
  • Multiple Combined Security Strategies External Border Network Perimeter Security Internal Network (LAN/WAN) Perimeter Security Server Security Desktop Security User/Social Engineering Security
  • Ten (10) Security Strategies
    • Least Privilege: any object (e.g., user, administrator, program, system) should have only the security privileges required to perform its assigned tasks.
    • Defense in Depth: multiple layers of security defense should be implemented, and they should back each other up.
    • Choke Point: forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.
    • Weakest Link: attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.
    • Fail-Safe Stance: in the event your system fails, it should fail in a position that denies access to resources. Most systems adhere to either a deny stance or a permit stance.
    • Universal Participation: to achieve maximum effectiveness, security systems should require the participation of all personnel.
    • Diversity of Defense: security effectiveness also depends on implementing similar products from different vendors. (This includes circuit diversity.)
    • Simplicity: simple things are easier to manage.
    • Security through Obsolescence: by implementing old technology, no one will have the knowledge to compromise the system.
    • Security through Obscurity: hiding things as a form of protection.
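The Least Privilege and Fail-Safe Stance rows above are easiest to see in a small authorization check. The block below is an added example, not code from the slides; the subjects, resources, rules and the observed-action log are all constructed for illustration. It evaluates a request under a deny stance (only explicitly granted requests pass, and an unreachable policy store resolves to deny) and, for contrast, under a permit stance, and it lists grants that were never exercised as candidates for removal under least privilege.

```python
"""Added example: a default-deny (fail-safe) authorization check with a
least-privilege review. All names and rules here are constructed for the
example; they are not from the slides or from any real product."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One (subject, action, resource) triple, used for both allow and deny rules."""
    subject: str
    action: str
    resource: str


@dataclass
class Policy:
    stance: str = "deny"              # "deny" (fail-safe) or "permit"
    allow: Set[Rule] = field(default_factory=set)
    deny: Set[Rule] = field(default_factory=set)
    available: bool = True            # simulates whether the policy store can be reached


def is_allowed(policy: Policy, subject: str, action: str, resource: str) -> bool:
    """Decide a request. Under the deny stance anything the policy cannot
    positively grant, including a failure to reach the policy store, is denied.
    Under the permit stance only explicit deny rules block a request."""
    if policy.stance not in ("deny", "permit"):
        raise ValueError(f"unknown stance: {policy.stance}")
    request = Rule(subject, action, resource)
    if not policy.available:
        # Fail-safe stance: an evaluation failure must not open access.
        return policy.stance == "permit"
    if request in policy.deny:
        return False
    if policy.stance == "deny":
        return request in policy.allow  # only explicitly granted requests pass
    return True                         # permit stance: allowed unless denied


def unused_grants(policy: Policy, observed: Iterable[Tuple[str, str, str]]) -> List[Rule]:
    """Least-privilege review: allow rules never seen in the observed-action
    log are candidates for removal."""
    used = {Rule(*entry) for entry in observed}
    return sorted(policy.allow - used,
                  key=lambda r: (r.subject, r.action, r.resource))


def build_sample_policy(stance: str = "deny") -> Policy:
    """Constructed sample policy (hypothetical subjects and resources)."""
    policy = Policy(stance=stance)
    policy.allow.update({
        Rule("alice", "read", "/reports"),
        Rule("alice", "write", "/reports"),
        Rule("bob", "read", "/reports"),
    })
    policy.deny.add(Rule("bob", "write", "/payroll"))
    return policy


# Constructed log of actions actually performed during a review period.
OBSERVED_ACTIONS = [
    ("alice", "read", "/reports"),
    ("bob", "read", "/reports"),
]

if __name__ == "__main__":
    deny_policy = build_sample_policy("deny")
    permit_policy = build_sample_policy("permit")
    print("deny stance, ungranted request:",
          is_allowed(deny_policy, "alice", "delete", "/reports"))
    print("permit stance, ungranted request:",
          is_allowed(permit_policy, "alice", "delete", "/reports"))
    deny_policy.available = False
    print("deny stance, policy store down:",
          is_allowed(deny_policy, "alice", "read", "/reports"))
    print("grants never exercised:",
          unused_grants(build_sample_policy(), OBSERVED_ACTIONS))
```

The same request that the deny stance rejects for lack of a matching grant is accepted by the permit stance, and when the policy store is unavailable the two stances diverge in exactly the way the Fail-Safe Stance row describes: the deny stance closes, the permit stance stays open. The unused-grant list is the routine least-privilege check, comparing what was granted against what was actually used.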
  • Security Requirements (4APIN)
    • Authentication
    • Availability
    • Auditing
    • Authorization
    • Privacy/Confidentiality
    • Integrity
    • Non-repudiation
  • Stages of Information and Classification (D-PAST)
    • Disseminate
    • Process
    • Accumulate (Collect)
    • Store
    • Transmit
  • N-Factor Authentication Methods (SHANK)
    • Someplace where you are located (SITE)
    • Something that you HAVE
    • Something that you ARE
    • Something that you NEED
    • Something that you KNOW
  • Security Assurance Domains (TLC's Security Stoplight Chart: each domain is rated Red, Yellow or Green)
    1. Cryptography
    2. Law, Investigations & Ethics
    3. Access Control Systems & Methodology
    4. Security Management Practices
    5. Security Architecture & Models
    6. Physical Security
    7. Business Continuity & Disaster Recovery Planning
    8. Operations Security (Computers)
    9. Application & Systems Development
    10. Telecommunications & Network Security
  • Security Controls: Types of Control
    • Preventive
    • Detective
    • Corrective
    • Deterrent
    • Recovery
    • Compensating
  • Questions/Answers Security Infrastructure