1. BEST PRACTICES IN
NETWORK SECURITY
USING ETHICAL HACKING

2. Network Security Design
The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and
tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security
policies

3. The 12 Step Program (continued)
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical
staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security
procedures
11. Test the security and update it if any problems are
found
12. Maintain security

4. Network Assets
• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Company’s reputation

5. Security Risks
• Hacked network devices
– Data can be intercepted, analyzed, altered, or
deleted
– User passwords can be compromised
– Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks

6. Security Tradeoffs
• Tradeoffs must be made between security
goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability

7. A Security Plan
• High-level document that
proposes what an
organization is going to do to
meet security requirements
• Specifies time, people, and
other resources that will be
required to develop a security
policy and achieve
implementation of the policy

8. A Security Policy
• Per RFC 2196, “The Site Security Handbook,”
a security policy is a
– “Formal statement of the rules by which people
who are given access to an organization’s
technology and information assets must abide.”
• The policy should address
– Access, accountability, authentication, privacy,
and computer technology purchasing guidelines

9. Security Mechanisms
• Physical security
• Authentication
• Authorization
• Accounting (Auditing)
• Data encryption
• Packet filters
• Firewalls
• Intrusion Detection Systems (IDS)
• Intrusion Prevention Systems (IPS)

10. Encryption for Confidentiality and
Integrity
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature

11. Modularizing Security Design
• Security defense in depth
– Network security should be multilayered with
many different techniques used to protect the
network
• Belt-and-suspenders approach
– Don’t get caught with your pants down

12. Modularizing Security Design
• Secure all components of a modular
design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks

13. Cisco SAFE
• Cisco SAFE Security Reference Model addresses
security in every module of a modular network
architecture.

14. Securing Internet Connections
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication

15. Securing Public Servers
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS protection
– Limit the number of connections per timeframe
• Use reliable operating systems with the latest security
patches
• Maintain modularity
– Front-end Web server doesn’t also run other services

16. Security Topologies
Enterprise
Network
DMZ
Web, File, DNS, Mail Servers
Internet

17. Security Topologies
Internet
Enterprise Network
DMZ
Web, File, DNS, Mail Servers
Firewall

18. Securing Remote-Access and Virtual
Private Networks
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
– CHAP
– RADIUS
– IPSec

19. Securing Network Services
• Treat each network device (routers,
switches, and so on) as a high-value host
and harden it against possible intrusions
• Require login IDs and passwords for
accessing devices
– Require extra authorization for risky
configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less
welcoming

20. Securing Server Farms
• Deploy network and host IDSs to monitor server
subnets and individual servers
• Configure filters that limit connectivity from the
server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server
access and management
• Limit root password to a few people
• Avoid guest accounts

21. Securing User Services
• Specify which applications are allowed to
run on networked PCs in the security policy
• Require personal firewalls and antivirus
software on networked PCs
– Implement written procedures that specify
how the software is installed and kept current
• Encourage users to log out when leaving
their desks
• Consider using 802.1X port-based security
on switches

22. Securing Wireless Networks
• Place wireless LANs (WLANs) in their own
subnet or VLAN
– Simplifies addressing and makes it easier to
configure packet filters
• Require all wireless (and wired) laptops to run
personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and
require MAC address authentication
– Except in cases where the WLAN is used by
visitors

23. WLAN Security Options
• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication
Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? :-)

24. Wired Equivalent Privacy (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP
key that is also configured on the access
point
– 64 or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4
stream cipher method
• Infamous for being crackable

25. WEP Alternatives
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-
Fi Alliance

26. Extensible Authentication
Protocol (EAP)
• With 802.1X and EAP, devices take on one of
three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS
server

27. EAP (Continued)
• An EAP supplicant on the client obtains
credentials from the user, which could be a
user ID and password
• The credentials are passed by the
authenticator to the server and a session key
is developed
• Periodically the client must reauthenticate to
maintain network connectivity
• Reauthentication generates a new, dynamic
WEP key

28. Cisco’s Lightweight EAP (LEAP)
• Standard EAP plus mutual authentication
– The user and the access point must authenticate
• Used on Cisco and other vendors’ products

29. Other EAPs
• EAP-Transport Layer Security (EAP-TLS) was developed by
Microsoft
– Requires certificates for clients and servers.
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA
Security
– Uses a certificate for the client to authenticate the RADIUS server
– The server uses a username and password to authenticate the client
• EAP-MD5 has no key management features or dynamic key
generation
– Uses challenge text like basic WEP authentication
– Authentication is handled by RADIUS server

30. VPN Software on Wireless Clients
• Safest way to do wireless networking for
corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity

31. • ENTER THE JED1 “ THE DEMO”

32. 32
Risk
Management

33. How Much to Invest in Security?
How much is too much?
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security
How much is too little?
 Hacker attack
 Internal Fraud
 Loss of Confidentiality
 Stolen data
 Loss of Reputation
 Loss of Business
 Penalties
 Legal liability
 Theft & Misappropriation
Security is a Balancing Act between Security Costs & Losses

34. Risk Management
Internal Factors External Factors
Regulation
Industry
Culture
Corporate History
Management’s
Risk Tolerance
Organizational
Maturity
Structure
Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with

35. Risk Management Process
Establish
Scope &
Boundaries
Identification
Analysis
Evaluation
Avoid Reduce Transfer Retain
Accept Residual Risk
RiskCommunication
&Monitoring
RiskAssessmentRisk
Treatment
What assets & risks exist?
What does this risk cost?
What priorities shall we set?
What controls can we use?
What to investigate?
What to consider?

36. Risk Appetite
• Do you operate your computer with or without antivirus
software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from
friends or follow questionable web links?
• Have you ever given your bank account information to a
foreign emailer to make $$$?
What is your risk appetite?
If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk

37. Continuous Risk Mgmt Process
Identify &
Assess Risks
Develop Risk
Mgmt Plan
Implement Risk
Mgmt Plan
Proactive
Monitoring
Risk
Appetite
Risks change with time as
business & environment changes
Controls degrade over time
and are subject to failure
Countermeasures may open
new risks

38. Security Evaluation:
Risk Assessment
Five Steps include:
1. Assign Values to Assets:
– Where are the Crown Jewels?
1. Determine Loss due to Threats & Vulnerabilities
– Confidentiality, Integrity, Availability
1. Estimate Likelihood of Exploitation
– Weekly, monthly, 1 year, 10 years?
1. Compute Expected Loss
– Loss = Downtime + Recovery + Liability + Replacement
– Risk Exposure = ProbabilityOfVulnerability * $Loss
1. Treat Risk
– Survey & Select New Controls
– Reduce, Transfer, Avoid or Accept Risk
– Risk Leverage = (Risk exposure before reduction) – (risk exposure after
reduction) / (cost of risk reduction)

39. Step 1:
Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
• Assets include:
– IT-Related: Information/data, hardware, software, services,
documents, personnel
– Other: Buildings, inventory, cash, reputation, sales opportunities
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were
compromised?
• Helpful websites: www.attrition.org

40. Determine Cost of Assets
Sales
Product A
Product B
Product C
Risk: Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Risk: Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Risk: Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Tangible $ Intangible: High/Med/Low
Costs

41. Matrix of Loss Scenario
Size
of
Loss
Repu-
tation
Law-
suit
Loss
Fines/
Reg.
Loss
Mar-
ket
Loss
Exp.
Yearly
Loss
Hacker steals customer
data; publicly blackmails
company
1-10K
Recor
ds
$1M-
$20M
$1M-
$10M
$1M-
$35M
$1M-
$5M
$10M
Employee steals strategic
plan; sells data to competitor
3-year Min. Min. Min. $20M $2M
Backup tapes and Cust.
data found in garbage;
makes front-page news
10M
Recor
ds
$20M $20M $10M $5M $200K
Contractor steals employee
data; sells data to hackers
10K
Recor
ds
$5M $10M Min. Min. $200K

42. Step 1:
Determine Value of Assets
Asset Name
$ Value
Direct Loss:
Replacement
$ Value
Consequential Financial
Loss
Confidentiality, Integrity, and
Availability Notes
Laptop $1,000 Mailings=
$130 x #Cust
Reputation
= $9,000
Conf., Avail.
Breach Notification
Law
Equipment $10,000 $2k per day in
income
Availability
(e.g., due to fire or
theft)
Work
book

43. Step 2: Determine Loss
Due to Threats
Natural: Flood, fire, cyclones,
rain/hail/snow, plagues and
earthquakes
Unintentional: Fire, water, building
damage/collapse, loss of utility
services, and equipment failure
Intentional: Fire, water, theft,
vandalism
Intentional, non-physical: Fraud,
espionage, hacking, identity
theft, malicious code, social
engineering, phishing, denial of
service

44. Threat Agent Types
Hackers/
Crackers
Challenge, rebellion Unauthorized
access
Criminals Financial gain,
Disclosure/ destruction of
info.
Fraud, computer
crimes
Terrorists Destruction/ revenge/
extortion
DOS, info warfare
Industry
Spies
Competitive advantage Info theft, econ.
exploitation
Insiders Opportunity, personal
issues
Fraud/ theft,
malware, abuse

45. Step 2: Determine Threats
Due to Vulnerabilities
System
Vulnerabilities
Behavioral:
Disgruntled employee,
uncontrolled processes,
poor network design,
improperly configured
equipment
Misinterpretation:
Poorly-defined
procedures,
employee error,
Insufficient staff,
Inadequate mgmt,
Inadequate compliance
enforcement
Coding
Problems:
Security ignorance,
poorly-defined
requirements,
defective software,
unprotected
communication
Physical
Vulnerabilities:
Fire, flood,
negligence, theft,
kicked terminals,
no redundancy

46. Step 3:
Estimate Likelihood of Exploitation
Best sources:
• Past experience
• National & international standards &
guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes
If no good numbers emerge, estimates can be
used, if management is notified of guesswork

47. Likelihood of Exploitation:
Sources of Losses
Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu
Evaluation of 31 organizations

48. Step 4: Compute Expected Loss Risk
Analysis Strategies
Qualitative: Prioritizes risks so that highest
risks can be addressed first
• Based on judgment, intuition, and experience
• May factor in reputation, goodwill,
nontangibles
Quantitative: Measures approximate cost of
impact in financial terms
Semiquantitative: Combination of Qualitative
& Quantitative techniques

49. Step 4: Compute Loss Using
Qualitative Analysis
Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image
-> market share, share value
• When there is insufficient information to
perform a more quantified analysis

50. Vulnerability Assessment
Quadrant Map
Threat
(Probability)
Vulnerability
(Severity)
1
2
34
Hacker/Criminal
Malware
Disgruntled Employee
Fire
Terrorist
Flood
Spy
Snow emergency
Intruder
Work
book

51. Step 4: Compute Loss Using
Semi-Quantitative Analysis
Impact
1. Insignificant: No
meaningful impact
2. Minor: Impacts a small
part of the business, <
$1M
3. Major: Impacts company
brand, >$1M
4. Material: Requires
external reporting,
>$200M
5. Catastrophic: Failure or
downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within
the last 5 years
3. Moderate: Occurred in
last 5 years, but not in
last year
4. Likely: Occurred in last
year
5. Frequent: Occurs on a
regular basis
Risk = Impact * Likelihood

52. SemiQuantitative Impact Matrix
Rare(1) Unlikely(2) Moderate(3) Likely (4) Frequent(5)
Catastrophic
(5)
Material
(4)
Major
(3)
Minor
(2)
Insignificant
(1)
SEVERE
HIG
H
M
EDIUM
LO
W
Likelihood
Impact

53. Step 4: Compute Loss Using Quantitative
Analysis
Single Loss Expectancy (SLE): The cost to the organization if
one threat occurs once
– Eg. Stolen laptop=
• Replacement cost +
• Cost of installation of special software and data
• Assumes no liability
– SLE = Asset Value (AV) x Exposure Factor (EF)
• With Stolen Laptop EF > 1.0
Annualized Rate of Occurrence (ARO): Probability or
frequency of the threat occurring in one year
– If a fire occurs once every 25 years, ARO=1/25
Annual Loss Expectancy (ALE): The annual expected
financial loss to an asset, resulting from a specific threat
– ALE = SLE x ARO

54. Risk Assessment Using Quantitative
Analysis
Quantitative:
• Cost of HIPAA accident with insufficient
protections
– SLE = $50K + (1 year in jail:) $100K = $150K
– Plus loss of reputation…
• Estimate of Time = 10 years or less = 0.1
• Annualized Loss Expectancy (ALE)=
– $150 x .1 =$15K

55. Annualized Loss Expectancy
Asset
Value->
$1K $10K $100K $1M
1 Yr 1K 10K 100K 1000K
5 Yrs 200 2K 20K 200K
10 Yrs 100 1K 10K 100K
20 Yrs 50 1K 5K 50K
Asset Costs $10K Risk of Loss 20% per Year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss

56. Quantitative
Risk
Asset Threat Single Loss
Expectancy
(SLE)
Annualized
Rate of
Occurrence
(ARO)
Annual Loss
Expectancy
(ALE)
Buildin
g
Fire $1M .05
(20 years)
$50K
Lapto
p
Stolen $1K + $9K
(breach notif)
0.2
(5 years)
$1K
Work
book

57. Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
• E.g.: Comet hits
• Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
• E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability
• E.g. Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
• E.g., Buy malpractice insurance (doctor)
• While financial impact can be transferred, legal responsibility
cannot
Risk Planning: Implement a set of controls

58. System Characterization
Identify Threats
Identify Vulnerabilities
Analyze Controls
Determine Likelihood
Analyze Impact
Determine Risk
Recommend Controls
Document Results Risk Assessment
Report
Recommended Controls
Documented Risks
Impact Rating
Likelihood Rating
List of current &
planned controls
List of threats
& vulnerabilities
System boundary
System functions
System/data criticality
System/data sensitivity
Activity Output
Company history
Intelligence agency
data: NIPC, OIG
Audit &
test results
Business Impact
Analysis
Data Criticality &
Sensitivity analysis
Input
NIST Risk
Assessment
Methodology

59. Control Types
Threat
Compensating
Control
Impact
Vulnerability
Corrective
Control
Deterrent
Control
Detective
Control
Preventive
Control
Attack
Reduces
likelihood of
Decreases
Results
in
Reduces
Protects
Creates
Reduces
likelihood of
Triggers
Discovers

60. Deterrent
control
Mitigating
control
Detective
control
Preventive
control
Corrective
controlV
U
L
N
E
R
A
B
IL
I
T
Y
I
M
P
A
C
T
Residual
risk
R
is
k
P
ro
b
a
bi
lit
y
THREAT

61. Controls & Countermeasures
• Cost of control should never exceed the
expected loss assuming no control
• Countermeasure = Targeted Control
– Aimed at a specific threat or vulnerability
– Problem: Firewall cannot process packets fast
enough due to IP packet attacks
– Solution: Add border router to eliminate invalid
accesses

62. Analysis of Risk vs. Controls
Workbook
Risk ALE or Score Control Cost of
Control
Stolen Laptop $1K
($9K Breach Notif. Law)
Encryption $60
Disk Failure $3K per day RAID $750
Hacker $9K Breach Notif. Law Firewall $1K
Cost of Some Controls is shown in Case Study Appendix

63. Extra Step:
Step 6: Risk Monitoring
Report to Mgmt status of security
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected
Stolen Laptop In investigation $2k, legal issues
HIPAA Incident
Response
Procedure being defined –
incident response
$200K
Cost overruns Internal audit investigation $400K
HIPAA: Physical
security
Training occurred $200K
Security Dashboard, Heat chart or Stoplight Chart

64. Training
• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering

65. Security Control Baselines & Metrics
Baseline: A measurement of
performance
• Metrics are regularly and
consistently measured,
quantifiable, inexpensively
collected
• Leads to subsequent
performance evaluation
• E.g. How many viruses is
help desk reporting?
(Company data - Not real)

66. Risk Management
• Risk Management is aligned with business
strategy & direction
• Risk mgmt must be a joint effort between all
key business units & IS
• Business-Driven (not Technology-Driven)
Steering Committee:
• Sets risk management priorities
• Define Risk management objectives to
achieve business strategy

67. Risk Management Roles
Governance & Sr Mgmt:
Allocate resources, assess
& use risk assessment results
Chief Info Officer
IT planning, budget,
performance incl. risk
Info. Security Mgr
Develops, collaborates, and
manages IS risk mgmt process
Security Trainers
Develop appropriate
training materials, including
risk assessment, to
educate end users.
Business Managers
(Process Owners)
Make difficult decisions
relating to priority to
achieve business goals
System / Info Owners
Responsible to ensure
controls in place to
address CIA.
Sign off on changes
IT Security Practitioners
Implement security requirem.
into IT systems: network,
system, DB, app, admin.

68. Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Senior Mgmt Support
Risk Assessment
Backup & Recovery
Policies & Procedures
Adequate Security Controls
Compliance
Monitoring
& Metrics Business Continuity &
Disaster Recovery

69. Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we prone
to, and what is the financial costs of these
risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of
controls

70. Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in
one year
2. The duration of time where a loss is
expected to occur (e.g., one month, one
year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per
year

71. Question
The role(s) responsible for deciding whether
risks should be accepted, transferred, or
mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business
management

72. Question
Which of these risks is best measured using a
qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a
malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding

73. Question
The risk that is assumed after implementing
controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

74. Question
The primary purpose of risk management is
to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

75. Question
Due Diligence ensures that
1. An organization has exercised the best possible security
practices according to best practices
2. An organization has exercised acceptably reasonable
security practices addressing all major security areas
3. An organization has implemented risk management and
established the necessary controls
4. An organization has allocated a Chief Information Security
Officer who is responsible for securing the organization’s
information assets

76. Question
ALE is:
1. The average cost of loss of this asset, for a
single incident
2. An estimate using quantitative risk
management of the frequency of asset loss
due to a threat
3. An estimate using qualitative risk
management of the priority of the
vulnerability
4. ALE = SLE x ARO

77. Vocabulary to study
• Risk mgmt, risk appetite, risk analysis, risk
assessment, risk treatment, residual risk
• Risk avoidance, risk reduction/risk mitigation,
risk transference, risk retention/risk acceptance
• Threat, threat agent, vulnerability,
• Qualitative risk analysis, quantitative risk analysis
• SLE, ARO, ALE
• Due diligence, due care

78. HEALTH FIRST CASE STUDY
Analyzing Risk
Jamie Ramon MD
Doctor
Chris Ramon RD
Dietician
Terry
Medical Admin
Pat
Software Consultant

79. Step 1: Define Assets

80. Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name $ Value
Direct Loss:
Replacement
$ Value
Consequential
Financial Loss
Confidentiality, Integrity,
and Availability Notes
Medical DB C? I? A?
Daily Operation (DO)
Medical Malpractice (M)
HIPAA Liability (H)
Notification Law Liability (NL)

81. Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name $ Value
Direct Loss:
Replacement
$ Value
Consequential
Financial Loss
Confidentiality, Integrity,
and Availability Notes
Medical DB DO+M_H+NL C I A
Daily Operation (DO) $
Medical Malpractice (M) $
HIPAA Liability (H) $
Notification Law Liability (NL) $

82. HIPAA Criminal Penalties
$ Penalty Imprison-
ment
Offense
Up to $50K Up to one
year
Wrongful disclosure of
individually identifiable health
information
Up to
$100K
Up to 5
years
…committed under false
pretenses
Up to
$500K
Up to 10
years
… with intent to sell, achieve
personal gain, or cause
malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

83. Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
• Normal threats: Threats common to all
organizations
• Inherent threats: Threats particular to your
specific industry
• Known vulnerabilities: Previous audit reports
indicate deficiencies.

84. Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

85. Step 4: Compute Expected Loss
Step 5: Treat Risk
Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset Threat Single
Loss
Expecta
ncy
(SLE)
Annualiz
ed Rate
of
Occurre
nce
(ARO)
Annual
Loss
Expecta
ncy
(ALE)
Step 5: Treat Risk
 Risk Acceptance: Handle
attack when necessary
 Risk Avoidance: Stop doing
risky behavior
 Risk Mitigation: Implement
control to minimize vulnerability
 Risk Transference: Pay
someone to assume risk for you
 Risk Planning: Implement a set
of controls

86. 86
Physical (Environmental) Security

87. Physical Security
• From (ISC)2 Candidate Information Bulletin:
– The Physical (Environmental) Security domain
addresses the threats, vulnerabilities, and
countermeasures that can be utilized to physically
protect an enterprise’s resources and sensitive
information. These resources include people, the
facility in which they work, and the data,
equipment, support systems, media, and supplies
they utilize.
87

88. Introduction
• Threats to physical security include:
– Interruption of services
– Theft
– Physical damage
– Unauthorized disclosure
– Loss of system integrity
88

89. Introduction
• Threats fall into many categories:
– Natural environmental threats (e.g., floods, fire)
– Supply system threats (e.g., power outages,
communication interruptions)
– Manmade threats (e.g., explosions, disgruntled
employees, fraud)
– Politically motivated threats (e.g., strikes, riots,
civil disobedience)
89

90. Introduction
• Primary consideration in physical security is
that nothing should impede “life safety
goals.”
– Ex.: Don’t lock the only fire exit door from the
outside.
• “Safety:” Deals with the protection of life and
assets against fire, natural disasters, and
devastating accidents.
• “Security:” Addresses vandalism, theft, and
attacks by individuals.
90

91. Physical Security Planning
• Physical security, like general information
security, should be based on a layered
defense model.
• Layers are implemented at the perimeter and
moving toward an asset.
• Layers include: Deterrence, Delaying,
Detection, Assessment, Response
91

92. Physical Security Planning
• A physical security program must address:
– Crime and disruption protection through deterrence
(fences, security guards, warning signs, etc.).
– Reduction of damages through the use of delaying
mechanisms (e.g., locks, security personnel, etc.).
– Crime or disruption detection (e.g., smoke detectors,
motion detectors, CCTV, etc.).
– Incident assessment through response to incidents and
determination of damage levels.
– Response procedures (fire suppression mechanisms,
emergency response processes, etc.).
92

93. Physical Security Planning
• Crime Prevention Through Environmental
Design (CPTED)
– Is a discipline that outlines how the proper design
of a physical environment can reduce crime by
directly affecting human behavior.
– Concepts developed in 1960’s.
– Think: Social Engineering
93

94. Physical Security Planning
• CPTED has three main strategies:
– Natural Access Control
– Natural Surveillance
– Territorial Reinforcement
94

95. Physical Security Planning
• Natural Access Control
– The guidance of people entering and leaving a
space by the placement of doors, fences, lighting,
and landscaping
– Be familiar with: bollards, use of security zones,
access barriers, use of natural access controls
95

96. Physical Security Planning
• Natural Surveillance
– Is the use and placement of physical
environmental features, personnel walkways, and
activity areas in ways that maximize visibility.
– The goal is to make criminals feel uncomfortable
and make all other people feel safe and
comfortable, through the use of observation.
96

97. Physical Security Planning
• Territorial Reinforcement
– Creates physical designs that highlight the
company’s area of influence to give legitimate
owners a sense of ownership.
– Accomplished through the use of walls, lighting,
landscaping, etc.
97

98. Physical Security Planning
• CPTED is not the same as “target hardening”
• Target hardening focuses on denying access
through physical and artificial barriers (can
lead to restrictions on use, enjoyment, and
aesthetics of the environment).
98

99. Physical Security Planning
• Issues with selecting a facility site:
– Visibility (terrain, neighbors, population of area,
building markings)
– Surrounding area and external factors (crime
rate, riots, terrorism, first responder locations)
– Accessibility (road access, traffic, proximity to
transportation services)
– Natural Disasters (floods, tornados, earthquakes)
99

100. Physical Security Planning
• Other facility considerations:
– Physical construction materials and structure
composition
• Be familiar with: load, light frame construction
material, heavy timber construction material,
incombustible material, dire resistant material (know
the fire ratings and construction properties).
100

101. Physical Security Planning
• “Mantrap:” A small room with two doors.
The first door is locked; a person is identified
and authenticated. Once the person is
authenticated and access is authorized, the
first door opens and allows the person into
the mantrap. The person has to be
authenticated again in order to open the
second door and access a critical area. The
mantrap area could have a weight sensing
floor as an additional control to prevent literal
piggybacking.
101

102. Physical Security Planning
• Automatic door lock configuration:
• “Fail safe:” If a power disruption occurs, the
door defaults to being unlocked.
• “Fail secure:” If a power disruption occurs,
the door defaults to being locked.
102

103. Physical Security Planning
• Windows can also be used to promote
physical security.
• Know the different types of glass:
– Standard
– Tempered
– Acrylic
– Wired
– Laminated
– Solar Window Film
– Security Film
103

104. Physical Security Planning
• Consider use of internal partitions carefully:
– True floor to true ceiling to counter security
issues
– Should never be used in areas that house
sensitive systems and devices
104

105. Internal Support Systems
• Power issues:
– A continuous supply of electricity assures the
availability of company resources.
– Data centers should be on a different power
supply from the rest of the building
– Redundant power supplies: two or more feeds
coming from two or more electrical substations
105

106. Internal Support Systems
• Power protection:
– UPS Systems
• Online UPS systems
• Standby UPS System
– Power line conditioners
– Backup Sources
106

107. Internal Support Systems
• Other power terms to know:
– Ground
– Noise
– Transient Noise
– Inrush Current
– Clean Power
– EMI
– RFI
107

108. Internal Support Systems
• Types of Voltage Fluctuations
– Power Excess
• Spike
• Surge
– Power Loss
• Fault
• Blackout
– Power Degradation
• Sag/dip
• Brownout
• Inrush Current
108

109. Internal Support Systems
• Environmental Issues
– Positive Drains
– Static Electricity
– Temperature
109

110. Internal Support Systems
• Environmental Issues: Positive Drains
– Contents flow out instead of in
– Important for water, steam, gas lines
110

111. Internal Support Systems
• Environmental Issues: Static Electricity
– To prevent:
• Use antistatic flooring in data processing areas
• Ensure proper humidity
• Proper grounding
• No carpeting in data centers
• Antistatic bands
111

112. Internal Support Systems
• Environmental Issues: Temperature
– Computing components can be affected by
temperature:
• Magnetic Storage devices: 100 Deg. F.
• Computer systems and peripherals: 175 Deg. F.
• Paper products: 350 Deg. F.
112

113. Internal Support Systems
• Ventilation
– Airborne materials and particle concentration
must be monitored for inappropriate levels.
– “Closed Loop”
– “Positive Pressurization”
113

114. Internal Support Systems
• Fire prevention, detection, suppression
• “Fire Prevention:” Includes training employees
on how to react, supplying the right equipment,
enabling fire suppression supply, proper storage
of combustible elements
• “Fire Detection:” Includes alarms, manual
detection pull boxes, automatic detection
response systems with sensors, etc.
• “Fire Suppression:” Is the use of a suppression
agent to put out a fire.
114

115. Internal Support Systems
• American Society for Testing and Materials
(ASTM) is the organization that creates the
standards that dictate how fire resistant
ratings tests should be carried out and how to
properly interpret results.
115

116. Internal Support Systems
• Fire needs oxygen and fuel to continue to
grow.
• Ignition sources can include the failure of an
electrical device, improper storage of
materials, malfunctioning heating devices,
arson, etc.
• Special note on “plenum areas:” The space
above drop down ceilings, wall cavities, and
under raised floors. Plenum areas should have
fire detectors and should only use plenum area
rated cabling.
116

117. Internal Support Systems
• Types of Fire:
– A: Common Combustibles
• Elements: Wood products, paper, laminates
• Suppression: Water, foam
– B: Liquid
• Elements: Petroleum products and coolants
• Suppression: Gas, CO2, foam, dry powders
– C: Electrical
• Elements: Electrical equipment and wires
• Suppression: Gas, CO2, dry powders
– D: Combustible Metals
• Elements: magnesium, sodium, potassium
• Suppression: Dry powder
– K: Commercial Kitchens
• Elements: Cooking oil fires
• Suppression: Wet chemicals such as potassium acetate.
117

118. Internal Support Systems
• Types of Fire Detectors
– Smoke Activated
– Heat Activated
– Know the types and properties of each general
category.
118

119. Internal Support Systems
• Different types of suppression agents:
– Water
– Halon and halon substitutes
– Foams
– Dry Powders
– CO2
– Soda Acid
– Know suppression agent properties and the types of fires
that each suppression agent combats
– Know the types of fire extinguishers (A,B,C, D) that
combat different types of fires
119

120. Internal Support Systems
• Types of Sprinklers
– Wet Pipe Systems (aka Closed Head System)
– Dry Pipe Systems
– Preaction Systems
– Deluge Systems
120

121. Perimeter Security
• The first line of defense is perimeter control
at the site location, to prevent unauthorized
access to the facility.
• Perimeter security has two modes:
– Normal facility operation
– Facility closed operation
121

122. Perimeter Security
• Proximity protection components put in place
to provide the following services:
– Control of pedestrian and vehicle traffic
– Various levels of protection for different security
zones
– Buffers and delaying mechanisms to protect
against forced entry
– Limit and control entry points
122

123. Perimeter Security
• Protection services can be provided by:
– Access Control Mechanisms
– Physical Barriers
– Intrusion Detection
– Assessment
– Response
– Deterrents
123

124. Perimeter Security
• Fences are “first line of de’fence’”
mechanisms. (Small Joke!)
• Varying heights, gauge, and mesh provides
security features (know them).
• Barbed wire direction makes a difference.
124

125. Perimeter Security
• Perimeter Intrusion Detection and
Assessment System (PIDAS):
– A type of fencing that has sensors on the wire
mesh and base of the fence.
– A passive cable vibration sensor sets off an
alarm if an intrusion is detected.
125

126. Perimeter Security
• Gates have 4 distinct types:
– Class I: Residential usage
– Class II: Commercial usage, where general public
access is expected (e.g., public parking lot, gated
community, self storage facility)
– Class III: Industrial usage, where limited access is
expected (e.g., warehouse property entrance not
intended to serve public)
– Class IV: Restricted access (e.g., a prison entrance that
is monitored either in person or via CCTV)
126

127. Perimeter Security
• Locks are inexpensive access control
mechanisms that are widely accepted and
used.
• Locks are considered delaying devices.
• Know your locks!
127

128. Perimeter Security
• Types of Locks
– Mechanical Locks
• Warded & Tumbler
– Combination Locks
– Cipher Locks (aka programmable locks)
• Smart locks
– Device Locks
• Cable locks, switch controls, slot locks, port
controls, peripheral switch controls, cable traps
128

129. Perimeter Security
• Lock Strengths:
– Grade 1 (commercial and industrial use)
– Grade 2 (heavy duty residential/light duty commercial)
– Grade 3 (residential and consumer expendable)
• Cylinder Categories
– Low Security (no pick or drill resistance)
– Medium Security (some pick resistance)
– High Security (pick resistance through many different
mechanisms—used only in Grade 1 & 2 locks)
129

130. Perimeter Security
• Lighting
– Know lighting terms and types of lighting to use in
different situations (inside v. outside, security
posts, access doors, zones of illumination)
– It is important to have the correct lighting when
using various types of surveillance equipment.
– Lighting controls and switches should be in
protected, locked, and centralized areas.
130

131. Perimeter Security
• “Continuous lighting:” An array of lights that provide an even amount of
illumination across an area.
• “Controlled lighting:” An organization should erect lights and use
illumination in such a way that does not blind its neighbors or any passing
cars, trains, or planes.
• “Standby Lighting:” Lighting that can be configured to turn on and off at
different times so that potential intruders think that different areas of the
facility are populated.
• “Redundant” or “backup lighting:” Should be available in case of power
failures or emergencies.
• “Response Area Illumination:” Takes place when an IDS detects
suspicious activities and turns on the lights within the specified area.
131

132. Perimeter Security
• Surveillance Devices
– These devices usually work in conjunction with
guards or other monitoring mechanisms to
extend their capacity.
– Know the factors in choosing CCTV, focal length,
lens types (fixed v. zoom), iris, depth of field,
illumination requirements
132

133. Perimeter Security
• “Focal length:” The focal length of a lens
defines its effectiveness in viewing objects
from a horizontal and vertical view.
• The sizes of images that will be shown on a
monitor along with the area that can be
covered by one camera are defined by focal
length.
– Short focal length = wider angle views
– Long focal length = narrower views
133

134. Perimeter Security
• “Depth of field:” Refers to the portion of the
environment that is in focus
• “Shallow depth of focus:” Provides a softer
backdrop and leads viewers to the foreground
object
• “Greater depth of focus:” Not much
distinction between objects in the foreground
and background.
134

135. Perimeter Security
• Intrusion Detection systems are used to
detect unauthorized entries and to alert a
responsible entity to respond.
• Know the different types of IDS systems
(electro-mechanical v. volumetric) and
changes that can be detected by an IDS
system.
135

136. Perimeter Security
• Patrol Force and Guards
– Use in areas where critical reasoning skills are
required
• Auditing Physical Access
– Need to log and review:
• Date & time of access attempt
• Entry point
• User ID
• Unsuccessful access attempts
136

137. Physical Security
• Final Concept to Guide in Assessing Physical
Security Issues on Exam:
– Deterrence
– Delay
– Detection
– Assessment
– Response
137

138. Social Engineering: A Test of
Your Common Sense

139. Social Engineering
• Monday morning, 6am; the electric rooster is
telling you it's time to start a new work week. A
shower, some coffee, and you're in the car and
off. On the way to work you're thinking of all
you need to accomplished this week.
• Then, on top of that there's the recent merger
between your company and a competitor. One of
your associates told you, you better be on your
toes because rumors of layoff's are floating
around.

140. Social Engineering
• You arrive at the office and stop by the restroom
to make sure you look your best. You straighten
your tie, and turn to head to your cube when you
notice, sitting on the back of the sink, is a CD-
ROM. Someone must have left this behind by
accident. You pick it up and notice there is a label
on it. The label reads "2005 Financials &
Layoff's". You get a sinking feeling in your
stomach and hurry to your desk. It looks like
your associate has good reasons for concern, and
you're about to find out for your self.

141. And so
• The Game Is In Play: People Are The Easiest Target
You make it to your desk and insert the CD-ROM. You find
several files on the CD, including a spreadsheet which you
quickly open. The spreadsheet contains a list of employee
names, start dates, salaries, and a note field that says
"Release" or "Retain". You quickly search for your name but
cannot find it. In fact, many of the names don't seem
familiar. Why would they, this is pretty large company, you
don't know everyone.
Since your name is not on the list you feel a bit of relief. It's
time to turn this over to your boss. Your boss thanks you and
you head back to your desk.

142. Let's Take A Step Back In Time
•
The CD you found in the restroom, it was not left there by
accident. It was strategically placed there by me, or one of
Security Consulting employees.
• You see, a firm has been hired to perform a Network Security
Assessment on your company.
• In reality, they have been contracted to hack into your
company from the Internet and have been authorized to
utilize social engineering techniques.

143. Bingo - Gotcha
• The spreadsheet you opened was not the only thing
executing on your computer.
• The moment you open that file you caused a script to
execute which installed a few files on your computer.
• Those files were designed to call home and make a
connection to one of our servers on the Internet. Once the
connection was made the software on the Security firms
servers responded by pushing (or downloading) several
software tools to your computer.
• Tools designed to give the team complete control of your
computer. Now they have a platform, inside your company's
network, where they can continue to hack the network. And,
they can do it from inside without even being there.

144. This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to
defeat the security measures of your company's firewall from
the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered access
(or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for
attacking the network from within with the explicit purpose
of gaining control of a computer on the private network.
• All we had to do is get someone inside to do it for us.

145. Welcome to Social Engineering
• What would you have done if you found a CD
with this type of information on it?
• Yes it is people who are the weakest link in
any security system and Social Engineering
Exploits that ---

147. Phisher Site Basics
•Thief sends e-mail to customer claiming to
be a legitimate company which has lost the
customer’s personal information
•Customer reads e-mail and goes to fake
website
•Customer enters credit card or other
personal information on website
•Thief steals personal information

148. Phisher Site E-mail Example (part 1)
From: EarthLink <billing@earthlink.net>
To: <thecustomer@earthlink.net>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department
Dear EarthLink User,
We regret to inform you, but due to a recent system
flush, the billing/personal information for your
account is temporally unavailable, and we need to
verify your identity.
<cont.>

149. Phisher Site E-mail Example (part 2)
In order to continue using your EarthLink account
and keeping it active, you must provide us with
your full information within 24 hours of receiving
this message.
To re-enter your account information and keep your
account active visit:
www.billingdepartment-el.net
Sincerely,
Sean Wright
EarthLink Billing Department

150. Phisher Site Example

151. The Real EarthLink Web Site

152. How to Spot Phisher Sites
TIP-OFFSTRICKS
• Claims of “lost”
information
• Unfamiliar URL
• Asks for credit card or
other personal info
• No log in or not secure
• Most companies will
not do this
• E-mail looks legit (at
first)
• Prompts you to act
quickly to keep
service
• Website, html or fax
form looks legit

153. Tips for Avoiding Phisher Sites
• Be suspicious of email asking for credit
card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP

154. 1
Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
2
Projections for calendar year 2003 are based on
complaints received from January through June 2003.
CY-
1999
CY-2000 CY-2001 CY-2002 CY-20032
Total:
1,380
Total: 31,117
Total: 86,197
Total: 161,886
Projected Total: 210,000
Projected Cumulative Complaint
Count 1999-2003: 490,000
Projection
(inthousands)
Federal Trade Commission
Identity Theft Data Clearinghouse Complaints1
Federal Trade Commission

155. Federal Trade Commission
Consumer Sentinel Complaints1
- Identity Theft Complaints
139,007
220,088
380,170
1
Percentages are based on the total number of Consumer Sentinel complaints by calendar year.
(inthousands)
- Fraud Complaints
107,890
133,891
31,117
86,197
218,284
161,886
Federal Trade Commission

156. 1-877-IDTHEFT
1-877-FTC-HELP
www.consumer.gov/idtheft
www.consumer.gov/sentinel
Federal Trade Commission

159. And Another
• The easiest way to break into any computer
system is to use a valid username and
password and the easiest way to get that
information is to ask someone for it.

160. The Beginning
• Like many hacking techniques, social
engineering got its start in attacks against the
telephone company. The hacker (or phone
phreaks, as they used to be called) would dial-
up an operator and by using the right jargon,
convince him or her to make a connection or
share some information that should not have
been shared.

161. In Reality
• social engineering is probably as old as
speech, and goes back to the first lie.
• It is still successful today because people are
generally helpful, especially to someone who
is nice, knowledgeable, and / or insistent.
• No amount of technology can protect you
against a social engineering attack.

162. So How Do You Protect Yourself from
Yourself?
• Recognizing an Attack
– You can prepare your organization by teaching
people how to recognize a possible social
engineering attack. Do we have a Cyber Security
& Ethics 101 Class?
• Prevent a successful attack
– You can prepare a defense against this form of
social engineering by including instructions in
your security policy for handling it.

163. So How Do You Protect Yourself from
Yourself?
• Create a response plan
– Your response plan should include instructions on
how to deal with inquiries relating to passwords
or other classified information.
• Implement and Monitor the response plan
and continue to reinforce with Training

164. Target And Attack
• The basic goals of social engineering are the same as hacking
in general: to gain unauthorized access to systems or
information in order to commit fraud, network intrusion,
industrial espionage, identity theft, or simply to disrupt the
system or network.
• Typical targets include telephone companies and answering
services, big-name corporations and financial institutions,
military and government agencies, and hospitals.
• The Internet boom had its share of industrial engineering
attacks in start-ups as well, but attacks generally focus on
larger entities.

165. And Another
• One morning a few years back, a group of
strangers walked into a large shipping firm and
walked out with access to the firm’s entire
corporate network.
• How did they do it? By obtaining small amounts
of access, bit by bit, from a number of different
employees in that firm. First, they did research
about the company for two days before even
attempting to set foot on the premises.

166. And so on…
• For example, they learned key employees’
names by calling HR. Next, they pretended to
lose their key to the front door, and a man let
them in. Then they "lost" their identity badges
when entering the third floor secured area,
smiled, and a friendly employee opened the
door for them.

167. And so on…
• The strangers knew the CFO was out of town, so they were
able to enter his office and obtain financial data off his
unlocked computer.
• They dug through the corporate trash, finding all kinds of
useful documents.
• They asked a janitor for a garbage pail in which to place their
contents and carried all of this data out of the building in
their hands.
• The strangers had studied the CFO's voice, so they were able
to phone, pretending to be the CFO, in a rush, desperately in
need of his network password. From there, they used regular
technical hacking tools to gain super-user access into the
system.

168. Common Techniques
• Social Engineering by Phone
• Dumpster Diving
• On-line Social Engineering
• Persuasion
• Reverse Social Engineering
• And many more….

169. Defining The Term "Social Engineering"
• In the world of computers and technology, social engineering
is a technique used to obtain or attempt to obtain secure
information by tricking an individual into revealing the
information.
• Social engineering is normally quite successful because most
targets (or victims) want to trust people and provide as much
help as possible.
• Victims of social engineering typically have no idea they have
been conned out of useful information or have been tricked
into performing a particular task.
• The prey is not just you but your children and elders as well

170. A Challenge to the CSU
• This is the 21st
Century The Time of
CyberSpace
• Why is their No Formal GE Requirement for
CyberSecurity and Ethics which can not only
be taught at the CSU level but the CC level as
well?
• Why don’t we extend this education to K-12
and Senior Centers as well?

171. Mt. SAC and Cal Poly Efforts
• NSF Grant Project – Establishment of a Regional
Information Systems Security Center (RISSC see
http://rissc.mtsac.edu/RISSC_NEW/default.asp )
• Cal Poly’s Participation in the Title V Grant and
development of Network Security curriculum
• Cal Poly Pomona’s Establishment of a Center for
Information Assurance (see
http://www.bus.csupomona.edu/cfia.asp )

172. Please join US for
•
Information Assurance Symposium
Building Information Assurance Capacity and
Improving Infrastructure at Minority Serving
Institutions
December 8 - 10, 2005
Cal Poly Pomona
8:30 a.m. - 5:00 p.m.

173. Contribute to:
• Information Sharing
• Curriculum Development
• Awareness, Knowledge and Development of
initiatives to help others around us be better
at practicing good security techniques
• Our thanks to Educause, ISACA, ISSA, IIA and
HTCIA for their support

174. Building a Successful
Security Infrastructure

175. Security
Domains
Application/System
Security
Operations
Security
Telecommunication &
Network Security
Physical Security
Cryptography
Security
Architecture
Security
Management
Access Control
Law, Investigations,
and Ethics
Business Continuation
& Disaster Recovery Planning
Ten Security Domains

176. Group Discussion
• CryptographyCryptography
• Law, Investigations & EthicsLaw, Investigations & Ethics
• Access Control Systems & MethodologyAccess Control Systems & Methodology
• Security Management PracticesSecurity Management Practices
• Security Architecture & ModelsSecurity Architecture & Models
• Physical SecurityPhysical Security
• Business Continuity & Disaster Recovery PlanningBusiness Continuity & Disaster Recovery Planning
• Operations Security (Computers)Operations Security (Computers)
• Application & Systems DevelopmentApplication & Systems Development
• Telecommunications & Network SecurityTelecommunications & Network Security

177. Security Infrastructure
• Cryptography. - is the use of secret codes to achieve
desired levels of confidentiality and integrity. Two
categories focus on: (1) cryptographic applications and
uses and (2) crypto technology and implementations.
Included are basic technologies, encryption systems, and
key management methods.

178. Security Infrastructure
• Law, Investigation, and Ethics. Law involves the legal and
regulatory issues faced in an information security
environment. Investigation consists of guidelines and
principles necessary to successfully investigate security
incidents and preserve the integrity of evidence. Ethics
consists of knowledge of the difference between right and
wrong and the inclination to do the right thing.

179. Security Infrastructure
• Access Control. Access control consists of all of the various
mechanisms (physical, logical, and administrative) used to
ensure that only authorized persons or processes are
allowed to use or access a system. Three categories of
access control focus on: (1) access control principles and
objectives, (2) access control issues, and (3) access
control administration.

180. Security Infrastructure
• Security Management Policies, Standards, and
Organization. Policies are used to describe management
intent, standards provide a consistent level of security in an
organization, and an organization architecture enables the
accomplishment of security objectives. Four categories
include: (1) information classification, (2) security
awareness, (3) organization architecture, and (4) policy
development.

181. People/Organization
Technologies
Processes
Policies
Secured
Infrastructure
Security Challenges?

182. Security Infrastructure
• Security Architecture. Security architecture involves the
aspects of computer organization and configuration that
are employed to achieve computer security. In addition
implementing system security to ensure mechanisms are
used to maintain the security of system programs.

183. Cryptography
Public Key (RSA)
X.509 Certificates
Digital Signatures
Digital Envelopes
Hashing/Message Digest
Symmetric Encryption
Certificate Authorities
Security Infrastructure
DNS
DMZ, Firewalls
Directory Services
IDS
Virus Checkers
VPN
PKI
NAT
RADIUS, Remote Access
Web Servers
DHCP
Wireless
Application
Single Sign On
Kerberos/DCE
Mixed/Integrated Security
Smart Cards
Cryptographic APIs
PDAs (PocketPC, Palm Pilots)
Domain Trust Management
Directional Trust
Transitive Trust
Kerberos
NTLM
Security
Services
Protocols
IPSEC
SSL/TLS
Kerberos
L2TP
PPTP
PPP
Etc.
Security Goals
Authentication
Auditing
Availability
Authorization
Privacy
Integrity
Non-Repudiation
Security Attacks
Viruses
Trojan Horses
Bombs/Worms
Spoofing/Smurf
Sniffing and Tapping
DOS
Etc.
Security Architecture

184. Security Infrastructure
• Physical Security. Physical security involves the provision
of a safe environment for information processing activities
with a focus on preventing unauthorized physical access to
computing equipment. Three categories include: (1) threats
and facility requirements, (2) personnel physical access
control, and (3) microcomputer physical security.

185. Security Infrastructure
• Business Continuity Planning and Risk Management. Risk
management encompasses all activities involved in the
control of risk (risk assessment, risk reduction, protective
measures, risk acceptance, and risk assignment). Business
continuity planning involves the planning of specific,
coordinated actions to avoid or mitigate the effects of
disruptions to normal business information processing
functions.

186. Security Infrastructure
• Operations Security (Computer). Computer operations
security involves the controls over hardware, media and the
operators with access privileges to these. Several aspects
are included — notably, operator controls, hardware
controls, media controls trusted system operations, trusted
facility management, trusted recovery, and environmental
contamination control.

187. Security Infrastructure
• Application and System Development. Application and
system security involves the controls placed within the
application and system programs to support the security
policy of the organization. Topics discussed include threats,
applications development, availability issues, security
design, and application/data access control.

188. Security Infrastructure
• Telecommunications & Network Security. Communications
security involves ensuring the integrity and confidentiality of
information transmitted via telecommunications media as
well as ensuring the availability of the telecommunications
media itself. Three categories of communications security
are: (1) telecommunications security objectives, threats,
and countermeasures; (2) network security; and (3)
Internet security.

189. Multiple Combined Security Strategies
External Border Network Perimeter Security
Internal Network (LAN/WAN) Perimeter Security
Server Security
Desktop Security
User/Social Engineering Security

190. Security StrategiesSecurity Strategies DescriptionDescription
Least PrivilegeLeast Privilege This principle means the any object (e.g., user, administrator, program, system) should haveThis principle means the any object (e.g., user, administrator, program, system) should have
only the necessary security privilege required to perform its assigned tasks.only the necessary security privilege required to perform its assigned tasks.
Defense in DepthDefense in Depth This principle recommends that multiple layers of security defense be implemented. TheyThis principle recommends that multiple layers of security defense be implemented. They
should back each other up.should back each other up.
Choke PointChoke Point Forces everyone to use a narrow channel, which you can monitor and control. A firewall isForces everyone to use a narrow channel, which you can monitor and control. A firewall is
good example.good example.
Weakest LinkWeakest Link This principle suggests that attackers seek out weakest link in your security. As a result, youThis principle suggests that attackers seek out weakest link in your security. As a result, you
need to be aware of these weak links and take steps to eliminate them.need to be aware of these weak links and take steps to eliminate them.
Fail-Safe StanceFail-Safe Stance In the event your system fails, it should fail in a position that denies access to resources. MostIn the event your system fails, it should fail in a position that denies access to resources. Most
systems will adhere to a deny stance or permit stance.systems will adhere to a deny stance or permit stance.
Universal ParticipationUniversal Participation To achieve maximum effectiveness, security systems should require participation of allTo achieve maximum effectiveness, security systems should require participation of all
personnel.personnel.
Diversity of DefenseDiversity of Defense This principle suggests that security effectiveness is also dependent on the implementation ofThis principle suggests that security effectiveness is also dependent on the implementation of
similar products from different vendors. (This includes Circuit Diversity)similar products from different vendors. (This includes Circuit Diversity)
SimplicitySimplicity This principle suggests that by implementing simple things it is easier to manage.This principle suggests that by implementing simple things it is easier to manage.
Security through ObsolesceSecurity through Obsolesce This principle suggests that by implementing old technology no one will have the knowledge toThis principle suggests that by implementing old technology no one will have the knowledge to
compromise the system.compromise the system.
Security through ObscuritySecurity through Obscurity This principle recommends the hiding of things as a form of protection.This principle recommends the hiding of things as a form of protection.
Ten (10) Security Strategies

191. Security Requirements
• AAuthentication
• AAvailability
• AAuditing
• AAuthorization
• PPrivacy/Confidentiality
• IIntegrity
• NNon-repudiation
4APIN

192. Stages of Information and Classification
DDisseminate
PProcess
AAccumulate (Collect)
SStore
TTransmit
D-PAST

193. N-Factor Authentication Methods
Someplace where you are located (SSITE).
Something that you HHAVE.
Something that you AARE.
Something that you NNEED.
Something that you KKNOW
SHANK

194. Security Assurance DomainsSecurity Assurance Domains RedRed YellowYellow GreenGreen
1. Cryptography1. Cryptography
2. Law, Investigations & Ethics2. Law, Investigations & Ethics
3. Access Control Systems & Methodology3. Access Control Systems & Methodology
4. Security Management Practices4. Security Management Practices
5. Security Architecture & Models5. Security Architecture & Models
6. Physical Security6. Physical Security
7. Business Continuity & Disaster Recovery Planning7. Business Continuity & Disaster Recovery Planning
8. Operations Security (Computers)8. Operations Security (Computers)
9. Application & Systems Development9. Application & Systems Development
10. Telecommunications & Network Security10. Telecommunications & Network Security
TLC’s Security Stoplight Chart

195. Security Controls
Types of Control
• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Compensating

196. Questions/Answers
Security Infrastructure