Testing
Published in: Education
Notes
  • These three will be talked about throughout the course. Referred to as the InfoSec Triad, C.I.A. Confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of a message's contents. Loss of confidentiality can occur in many ways: intentional release of private company information, or misapplication of network user rights. Integrity ensures that modifications are not made to data by unauthorized personnel or processes; that unauthorized modifications are not made to data by authorized personnel or processes; that the data are internally and externally consistent among all sub-entities; and that the internal information is consistent with the real-world, external situation. Availability ensures the reliable and timely access to data or computing resources by the appropriate personnel. Availability guarantees that the systems are up and running when they are needed. D.A.D. is the opposite of C.I.A.: Disclosure, Alteration, and Destruction.
  • Unclassified: public release of this information does not violate any confidence. Sensitive but unclassified: for example test answers, health care information. Confidential: the unauthorized disclosure of this information could cause some damage. Secret: unauthorized disclosure of this information could cause serious damage. Top Secret: unauthorized disclosure could cause exceptionally grave damage (presidential-level information).
  • An asset is a resource, process, product, or computing infrastructure that must be protected. A threat is the occurrence of any event that causes an undesirable impact on the enterprise. A vulnerability is the spot where there is a weakness or the absence of a safeguard. A safeguard is a control or countermeasure used to reduce the risk of a given threat. The exposure factor represents the percentage of loss a realized threat would have on a specific asset. Single Loss Expectancy is the dollar amount assigned to a single event: the asset value times the exposure factor. Annualized Rate of Occurrence (ARO) is the number that represents the estimated frequency with which a threat is expected to occur. Deriving this number can be tricky. A meteor hitting the site may only happen once in 100,000 years, so the ARO would be .00001. But users attempting to access unauthorized data could happen 6 times a year; if you had 100 operators, then the ARO would be 600. Annualized Loss Expectancy is a dollar value calculated from the single loss expectancy times the ARO.
  • Recovery Ability: how the safeguard behaves on reset after use: no asset destruction during activation or reset; no covert channel access to or through the control during reset; no security loss or increase in exposure after activation or reset; and it defaults to a state that does not enable any operator access or rights until the controls are fully operational.

    1. Cyber Security Principles for Managers, Module 1, MIS 645
    2. Course Outline
       • This course will look at the security needs across 10 domains that are important to an IT manager.
       • These domains include:
         ◦ Security Management Practices
         ◦ Access Control Systems and the methodology to secure them
         ◦ Telecommunications and Network Security
         ◦ Cryptography
         ◦ Security Architecture and Models
         ◦ Computer Operations Security
         ◦ Application and Systems Development Security
         ◦ Business Continuity Planning and Disaster Recovery Planning
         ◦ Law, Investigation and Ethics
         ◦ Physical Security
    3. Basic Security Principles
       • Information assurance supports the mission of the organization
       • Security requires auditability and accountability
       • Security requires access control
       • Security requires confidentiality
       • Security requires integrity
       • Security requires asset availability
       • Security is an integral part of sound management
       • Security should be cost effective
       • Security requires risk management
       • Security requires a comprehensive and integrated approach
       • Security requires life-cycle management
       • Security responsibilities and accountability should be made explicit
       • Security requires training and awareness
       • Security requires continual reassessment
       • Security must respect ethical and democratic rights
    4. Interrelationships of Elements (diagram; only its labels survive)
       • People, Technology, Operation
       • Training & Awareness, Security Admin., Personnel Security, Physical Security
       • Risk Management, Auditing and Monitoring, Incident & Response, Contingency & Recovery
    5. Security Management Practices
       • From the published goals for the Certified Information Systems Security Professional, a candidate should know:
         ◦ Basic information about security management concepts
         ◦ The difference between policies, standards, guidelines, and procedures
         ◦ Security awareness concepts
         ◦ Risk management practices
         ◦ Basic information on classification levels
    6. Management Concepts
       • Confidentiality, Integrity, Availability
       • Identification, Authentication, Accountability, Authorization, Privacy
       • Security Controls: reduce the impact of threats and the likelihood of their occurrence
    7. Management Concepts
       • Confidentiality: attempts to prevent the intentional or unintentional unauthorized disclosure of a message's contents.
       • Integrity: modifications are not made to data by unauthorized personnel or processes, and unauthorized modifications are not made to data by authorized personnel or processes.
       • Availability: the reliable and timely access to data or computing resources by the appropriate personnel.
    8. Management Concepts
       • Identification: how the user identifies themselves to the system
       • Authentication: how the user and system reconcile the user's identity
       • Accountability: audit trails and logs of user activity
       • Authorization: rights and permissions granted to a user
       • Privacy: level of confidentiality a user is given in a system
    9. Management Concepts
       • Security Controls: used to reduce the effects of threats and the damage they could do.
         ◦ Determine what the threats are
         ◦ Look at the likelihood that the threat could occur
         ◦ What would the impact be ($ amount)
    10. Information Classification
       • Objectives
       • Some concepts
       • Roles
    11. Objectives
       • Some information is more valuable than other information
         ◦ Strategic decision makers
         ◦ Trade secrets, formulas, new product information
       • In the government sector
         ◦ Prevent the unauthorized disclosure of information
       • Privacy laws
         ◦ Protect customer information, regulatory laws
         ◦ Protect employee information
    12. Concepts
       • Government Classification Terms:
         ◦ Unclassified
         ◦ Sensitive but unclassified
         ◦ Confidential
         ◦ Secret
         ◦ Top Secret
    13. Concepts
       • Private Sector Classification Terms:
         ◦ Public: information that is safe to disclose
         ◦ Sensitive: information that should be protected from loss of confidentiality and loss of integrity
         ◦ Private: information that is of a personal nature (about employees, salary, medical)
         ◦ Confidential: very sensitive, intended for internal use only (new product information)
    14. Classification Criteria
       • Value
         ◦ Whether the information has value to the organization or its competitors
       • Age
         ◦ As data ages it becomes less valuable and should be reclassified
       • Useful life
         ◦ When new information replaces old, or changes to the business change the usefulness of data
       • Personal association
         ◦ Information associated with specific individuals
    15. Distribution of Classified Information
       • Information may need to be shared externally
       • Court order
       • Government contract
       • Senior-level approval
    16. Classification Roles
       • Owner: executive or manager of an organization. Responsible for the information that needs to be protected. May be liable for negligence if data is not protected.
         ◦ Original determination of classification level
         ◦ Conduct periodic reviews
         ◦ Delegate responsibility for data safety
    17. Roles (continued)
       • Information custodian is responsible for protecting the information.
         ◦ Running regular backups and testing the validity of backups
         ◦ Performing data restoration when necessary
         ◦ Maintaining records in accordance with the established policy
    18. Roles (continued)
       • User is anyone that routinely uses the information as part of their job function.
         ◦ Must follow operating procedures as defined by security policy guidelines
         ◦ Must take "due care" to preserve data integrity and prevent "open view"
         ◦ Must use company computing resources only for company business
    19. Security Policy
       • What are your policies, standards, guidelines and procedures?
       • Why do you use policies, standards, guidelines and procedures?
       • What are some common policy types?
    20. Policies
       • Senior management statement of policy: a general high-level statement that contains:
         ◦ Acknowledgement of the importance of the computing resources to the business model
         ◦ Support for information security throughout the enterprise
         ◦ Commitment to authorize and manage the definition of standards, guidelines and procedures
    21. Policies
       • Regulatory policies are required to be implemented to support compliance, regulation or other legal needs of publicly held companies.
         ◦ Ensure that the organization is following the standard procedures or base practices of operation in its specific industry
         ◦ Give an organization the confidence that it is following the standard and accepted industry policies
    22. Policies
       • Advisory policies
         ◦ Not mandated, but strongly suggested
       • Informative policies
         ◦ Exist to support or inform employees or external vendors
    23. Standards, Guidelines and Procedures
       • Contain the actual details of the security policy: how it should be implemented and which measures should be used.
       • Standards refer to specific technologies in a uniform way.
       • Guidelines refer to the methodologies of securing systems but are not mandatory.
       • Procedures contain the detailed steps that are followed to perform a specific task.
    24. Roles and Responsibilities (table)
       Role                          Responsibility
       Senior Manager                Ultimate responsibility for security
       Information Security Officer  Functional responsibility for security
       Owner                         Determines the data classification
       Custodian                     Preserves the information's Confidentiality, Integrity, Availability
       User/Operator                 Performs tasks in accordance with the stated policies
       Auditor                       Examines security
    25. Risk Management
       • Identification of risk to an organization:
         ◦ The actual threat
         ◦ Consequences of a realized threat
         ◦ Probable frequency of occurrence of the threat
         ◦ Confidence that the threat will happen
       • The elimination of risk can never be accomplished. Maybe calling it Risk Mitigation is more appropriate.
    26. Terms in Risk Analysis
       • Asset
       • Threat
       • Vulnerability
       • Safeguard
       • Exposure Factor: % of asset loss caused by the threat
       • Single Loss Expectancy: Asset value x Exposure Factor
       • Annualized Rate of Occurrence: frequency of threat occurrence per year
       • Annualized Loss Expectancy: Single Loss Expectancy x Annualized Rate of Occurrence
    27. Risk Analysis
       • Quantitative Analysis: attempts to assign independently objective numeric values to the components of the risk assessment.
       • Qualitative Analysis: addresses the intangible values of a data loss.
       • Asset Valuation Process
       • Safeguard Selection
    28. Types of Threats
       • Data Classification
       • Information warfare
       • Personnel
       • Application/Operational
       • Criminal
       • Environmental
       • Computer Infrastructure
       • Delayed Processing
    29. Risk Analysis Results
       • Valuations of critical assets in hard costs
       • A detailed listing of significant threats
       • Threat likelihood and occurrence rate
       • Loss potential by threat
       • Recommended measures and safeguards
    30. Safeguard Selection Criteria
       • Cost/Benefit Analysis:
         ◦ Purchase, development and/or licensing costs of the safeguard
         ◦ Physical installation costs and cost of disruption during installation
         ◦ Operating costs, resource costs, maintenance/repair costs
       • (ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost) = value of safeguard to the organization
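The quantitative terms on slide 26, the cost/benefit formula on slide 30 and the ARO example from the speaker notes, carried through as an added Python example (not code from the original deck); the asset values, exposure factors, safeguard costs and reduction factors are constructed figures, and the two AROs follow the notes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One threat against one asset, in the deck's quantitative risk-analysis terms."""
    name: str
    asset_value: float      # dollar value of the asset at risk (constructed figure)
    exposure_factor: float  # fraction of the asset lost when the threat is realized
    aro: float              # Annualized Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor (slide 26)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (slide 26)."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    """A control that lowers a threat's ARO and/or its exposure factor at a yearly cost."""
    name: str
    annual_cost: float          # amortized purchase/licence + operating + maintenance per year
    aro_reduction: float = 0.0  # fraction by which the control lowers the ARO
    ef_reduction: float = 0.0   # fraction by which the control lowers the exposure factor

    def apply(self, t: Threat) -> Threat:
        return Threat(t.name, t.asset_value, t.exposure_factor * (1 - self.ef_reduction),
                      t.aro * (1 - self.aro_reduction))

def safeguard_value(t: Threat, s: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual safeguard cost), slide 30; negative means it costs more than it saves."""
    return t.ale() - s.apply(t).ale() - s.annual_cost

def aro_from_per_actor_rate(events_per_actor_per_year: float, actors: int) -> float:
    """The notes' ARO example: 6 attempts a year per operator across 100 operators gives 600."""
    return events_per_actor_per_year * actors

# Constructed figures; only the two AROs come from the speaker notes.
UNAUTHORIZED_ACCESS = Threat("unauthorized data access", 50_000.0, 0.02,
                             aro_from_per_actor_rate(6, 100))
METEOR_STRIKE = Threat("meteor strike", 2_000_000.0, 1.0, 0.00001)
ACCESS_REVIEW = Safeguard("access review + logging", annual_cost=40_000.0, aro_reduction=0.8)
BUNKER = Safeguard("hardened bunker", annual_cost=500_000.0, ef_reduction=0.9)

if __name__ == "__main__":
    for t, s in ((UNAUTHORIZED_ACCESS, ACCESS_REVIEW), (METEOR_STRIKE, BUNKER)):
        print(f"{t.name}: SLE ${t.sle():,.2f}, ALE ${t.ale():,.2f}, "
              f"value of '{s.name}' ${safeguard_value(t, s):,.2f}")
```

The run shows why the formula matters: the frequent, low-impact threat justifies a modest control, while the rare, catastrophic one does not justify a costly one.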
    31. Safeguard Selection Criteria
       • Level of Manual Operations
         ◦ Don't forget that even automated systems will need manual intervention in case of emergency
       • Auditability and Accountability
       • Recovery Ability
       • Vendor Relations
    32. Security Awareness
       • People are often the weakest link in the security process.
       • Training and education
         ◦ Awareness training
         ◦ Technical training
         ◦ Security training
