Information Technology and Security
Confidentiality, Integrity, and Availability
• Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a
security infrastructure.
• Commonly referenced by the term CIA Triad.
• The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain
intelligence agency), but that is not important; what is critical is understanding each concept.
• These three principles are considered the most important within the realm of security.
• How important each specific principle is to a specific organization depends on the organization’s
security goals and requirements and on the extent to which the organization’s security might be threatened.
• An object is the passive element in a security relationship, such as files, computers, network connections,
and applications.
• A subject is the active element in a security relationship, such as users, programs, and computers.
Confidentiality
• Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects,
or resources. In other words, it prevents the unauthorized disclosure of information.
• The goal of confidentiality protection is to prevent or minimize unauthorized access to data.
• Confidentiality protection provides a means for authorized users to access and interact with resources, but
it actively prevents unauthorized users from doing so.
• For confidentiality to be maintained on a network, data must be protected from unauthorized access, use,
or disclosure while in storage, in process, and in transit.
• Attacks - capturing network traffic and stealing password files, as well as social engineering, port scanning,
shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.
• Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication
procedures, data classification, and extensive personnel training.
Integrity
• Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to
prevent unauthorized write access to data.
• It ensures that data remains correct, unaltered, and preserved.
• Properly implemented integrity protection provides a means for authorized changes while protecting
against intentional and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes
made by authorized users (such as errors or oversights).
• There are two kinds of integrity: data integrity and system integrity. Data integrity seeks to protect information
from unauthorized modification, while system integrity seeks to protect a system from unauthorized modification.
• Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious
modification, intentional replacement, and system back doors.
• Countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems,
object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive
personnel training.
Availability
• Availability ensures that information is available when needed.
• Authorized subjects are granted timely and uninterrupted access to objects.
• Availability also implies that the supporting infrastructure—including network services, communications,
and access control mechanisms—is functional and allows authorized users to gain authorized access.
• Attacks - DoS attacks, object destruction, and communication interruptions.
• Countermeasures - designing intermediary delivery systems properly, using access controls effectively,
monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks,
implementing redundancy for critical systems, and maintaining and testing backup systems.
Disclosure, alteration, and destruction
• Disclosure is the unauthorized release of information.
• Alteration is the unauthorized modification of data.
• Destruction is making systems or data unavailable.
CIA Priority
• Every organization has unique security requirements, and knowing which tenet or asset is more important
than another guides the creation of a security stance and ultimately the deployment of a security solution.
• Example - in many cases military and government organizations tend to prioritize confidentiality above
integrity and availability, whereas private companies tend to prioritize availability above confidentiality and
integrity.
• Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the
second or third prioritized items are ignored or improperly addressed.
Other Security Concepts
• Identification: Claiming to be an identity when attempting to access a secured area or system
• Authentication: Proving that you are that identity, e.g., with a password.
• Authorization: describes the actions you can perform on a system once you have been identified and
authenticated. Actions may include reading, writing, or executing files or programs.
• Auditing: Recording a log of the events and activities related to the system and subjects
• Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically
done by logging and analysing audit data.
• Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It
combines authentication and integrity.
Enterprise Architecture
• Enterprise Architecture (EA) defines the structure and operations of the organization.
• The objective of EA is to determine how an organization can achieve its current as well as
future objectives.
• Following are the prime objectives of an enterprise architecture:
• To understand the current state of IT
• To understand vision for a future state of IT
• To design strategy to move from current state to future state
• Enterprise view of the IT helps the risk practitioner to identify the linkage between IT and
organizational objectives.
• Commonly used EA
• The Open Group Architecture Framework (TOGAF)
• Zachman Framework
• Department of Defense Architecture Framework (DoDAF) - used for military enterprises
• Federal Enterprise Architecture Framework (FEAF) - used for civilian agencies
Security Architecture
• Security architecture provides an overview of systems and the relationships between them, and hence is
very useful in complex security deployments.
• The primary purpose of developing a security architecture is to align the security strategy
between the functional areas of the organization and external parties.
• Organizations should purchase IT equipment from trusted vendors to avoid the risk of
infected devices.
• Also, new devices should be tested thoroughly before implementation. This helps to address
the risk of hardware infected with back doors and security vulnerabilities during the
manufacturing or delivery process.
• Vendor-provided default accounts and passwords should be disabled or changed.
• Strong authentication is required for privileged accounts such as administrator accounts.
• Operating system software should be hardened by disabling all unused services.
• Patches should be tested before deployment (patch management policy).
• In exceptional cases, pre-testing of patches may not be feasible due to a business emergency;
in such cases the organization should have a rollback plan to remove the patches from the
system in case the patch deployment has an adverse impact.
• Adoption of secure coding practices is necessary to address flaws or bugs in the coding
of the application (application security).
• Organizations should study the common vulnerabilities published by the Open Web
Application Security Project (www.owasp.org) and should address these vulnerabilities.
• Applications can be made more secure by adopting the following practices:
• Sensitive data should be masked
• Restricted access for the users (segregation of duty and need to know)
• Input controls such as range checks, reasonableness checks etc.
• Reconciliation and balancing for proper processing of transaction
• Use of digital certificates for authentication
• Encryption of stored as well as in transit data
• Secure coding practices
• Use of middleware to isolate direct access and manage data input/output
• Network isolation and secure communications channels
• The absence of validation checks for data input fields is a major vulnerability. It provides an
opportunity for attackers to exploit the system by way of a SQL injection attack.
• Error messages should not be displayed in such a way that they might provide information to
an attacker that can be used to modify the attack.
• Use multiple factors of authentication for critical systems, such as biometric access combined with a
password.
• User accounts should be automatically locked out after a number of failed login attempts.
• When an application is developed by a third party, it is always recommended to conduct a
security code review of the entire application to detect any malware, including back doors.
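As an added example (not code from the deck), the input controls and the SQL injection point above in Python: a range check and a reasonableness check on input fields, the vulnerable string-concatenated query beside its parameterized form, and a lookup that applies both. The table, column names and sample rows are constructed.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an application database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 3000)])
    conn.commit()
    return conn


def is_valid_owner(owner):
    """Reasonableness check on an input field: an owner name is short and alphanumeric only."""
    return isinstance(owner, str) and 1 <= len(owner) <= 32 and owner.isalnum()


def is_valid_amount(amount):
    """Range check on an input field: a whole-number transfer between 1 and a business ceiling.
    bool is excluded explicitly because it is a subclass of int in Python."""
    return isinstance(amount, int) and not isinstance(amount, bool) and 1 <= amount <= 10_000


def lookup_unsafe(conn, owner):
    """The vulnerable form: user input is concatenated into the SQL text, so a value containing
    a quote and an OR clause changes the meaning of the WHERE condition instead of being a name."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Bound parameter: the driver passes the input as data, never as SQL syntax."""
    return conn.execute("SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


def lookup_safe(conn, owner):
    """Defence in depth: validate the input field first, then use the bound parameter."""
    if not is_valid_owner(owner):
        raise ValueError("invalid owner name")
    return lookup_parameterized(conn, owner)
```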
Maturity Models
• Maturity models are useful for determining the maturity level of the risk management process.
• Maturity models identify the gaps between the current state of a process and the desired state, to help the organization
determine the necessary remediation steps for improvement.
• A maturity model is the best technique for enabling a peer review of an organization's risk management process.
• A mature organization is much more likely to prevent incidents, detect incidents sooner and recover rapidly from
incidents.
• The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development
process. It is a widely used model among commercial organizations.
• 0 – Incomplete: Process is not implemented or does not achieve its intended purpose.
• 1 – Performed: The process is now able to achieve its intended purpose.
• 2 – Managed: Process is able to achieve its intended purpose. Also, the process is appropriately planned, monitored
and controlled.
• 3 – Established: Process is able to achieve its intended purpose and is appropriately planned, monitored and
controlled. Also, there is a well-defined, documented and established process to manage the process.
• 4 – Predictable: Process is predictable and operates within defined parameters and limits to achieve its intended
purpose.
• 5 – Optimized: Process is continuously improved to meet current as well as projected goals.
Organizational Processes
Change Control/Management
• The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a
previous secured state.
• Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that
can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically
manage change.
Data Classification
• Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity, or confidentiality.
• Declassification is required once an asset no longer warrants or needs the protection of its currently
assigned classification or sensitivity level.
• Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
• Commercial Business: Confidential, Private, Sensitive, Public
Network - TCP / IP & OSI Layers
• TCP stands for Transmission Control Protocol and IP stands for Internet Protocol.
• TCP/IP specifies the standard rules for the exchange of data over the internet and specifies how data
is broken into packets, addressed, transmitted, routed and received at the destination.
• TCP/IP is based on the Open Systems Interconnection (OSI) model. The OSI model has seven layers,
whereas TCP/IP has five layers.
OSI Layers
• The OSI model explains the layered steps for the network. In an OSI model, each layer is
defined according to a specific function to perform.
• All seven layers work in a collaborative manner to transmit the data from one layer to another.
• Physical layer: Associated with the cables and other hardware for the physical connection of the
device to the network.
• Data Link layer: Converts the electrical signal into a data packet and forwards it to the
network layer.
• Network layer: Inserts the IP address into the packet header and routes the packet to its
destination.
• Transport layer: Provides an end-to-end data transport service and establishes a logical
connection between the two devices.
• Session layer: Establishes a connection between two applications, maintains the
connection and terminates the connection.
• Presentation layer: Translates the data into the format required by the application.
• Application layer: Provides an interface to, and communicates directly with, the end user.
• Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the protocols
operating at the transport layer.
• TCP is considered a reliable and connection-oriented protocol. TCP ensures that data
packets are delivered to the destination.
• UDP is considered a connectionless protocol. UDP provides an unreliable service: data packets
may arrive out of order, be corrupted, or be dropped, and the destination does not
acknowledge every packet it receives.
TCP/UDP
TCP/IP Model
Network Cabling
• Fiber optic cables are considered to be more secure than copper wire.
• Fiber optic is the preferred choice for managing long-distance networks and handling high volumes of data.
• Fiber optic is not impacted or affected by electromagnetic interference (EMI). Fiber optic cables have very
marginal transmission loss.
• Fiber optic is regarded as the most secure cable for the purposes of data transmission.
• Twisted pair (copper circuit): shielded twisted pair (STP) and unshielded twisted pair (UTP).
• STP is less prone to EMI and cross-talk and so is more reliable than UTP.
• UTP is more sensitive to the effects of EMI and cross-talk.
• The parallel installation of UTPs should be avoided for long distances since one cable can interfere with the
signals of adjacent cables - cross talk.
• Attenuation: loss or weakening of signal transmission.
• EMI: Interference or disturbance that impacts the quality of electrical signals. Major causes of EMI are
electrical storms or noisy electrical equipment (for example, motors, fluorescent lighting, and radio
transmitters).
Network Devices
Repeaters:
• Repeaters are used to address the risk of attenuation (weakening of the signal).
• A repeater receives the signal from one network and it amplifies and regenerates the weak signal.
Hubs and switches
• Hubs and switches are used to connect different devices for the exchange of data.
• A hub operates at layer 1 (physical layer), whereas a switch operates at layer 2 (data link layer) of the OSI
model. A switch is regarded as a more advanced/intelligent version of the hub.
Bridges
• Bridges have the same functionality as switches. They both operate at layer 2 (data link layer) of the OSI
model.
Routers
• A router is regarded as a more advanced/intelligent version of the switch. It operates at layer 3 (network layer)
of the OSI model.
• Devices operating at higher layers are more intelligent and capable than devices operating at
lower layers. A CRISC aspirant should be aware of the layer at which each of the above devices operates.
• Firewall, DMZ and Proxy
• A firewall is a network security system designed to prevent unauthorized access to networks. It
monitors and controls incoming and outgoing network traffic as per defined rules.
• A firewall can be implemented either in software or hardware form.
• A packet filtering router tracks the IP address and port number of both the destination and source
and takes action (either to allow or deny the connection) as per defined rules. A packet filtering
router operates at the network layer of the OSI framework.
• A stateful inspection firewall monitors and tracks the destination of each packet that is being sent
from the internal network. A stateful inspection firewall operates at the network layer of the OSI model.
• A circuit-level firewall works on the concept of a bastion host and proxy server. It provides the
same proxy for all services. It operates at the session layer of the OSI model.
• An application-level firewall is regarded as the most secure type of firewall. It operates at the
application layer of the OSI model.
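An added example, not from the deck, contrasting the packet filtering router and the stateful inspection firewall described above in Python: the stateless rule set has to open inbound source port 443 to let HTTPS replies in and so also admits an unsolicited packet, while the stateful firewall admits only replies to connections it saw leave the internal network. Addresses, ports and the rule set are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the internal network, "in" = arriving from outside


# Constructed stateless rule set for a packet filtering router: first match wins, default deny.
# To let HTTPS replies back in, a stateless filter must open inbound traffic from source port 443
# to every internal host; it cannot tell a genuine reply from an unsolicited packet using that port.
STATELESS_RULES = [
    {"direction": "out", "dst_port": 443, "action": "allow"},
    {"direction": "in", "src_port": 443, "action": "allow"},
]


def packet_filter(pkt, rules=STATELESS_RULES):
    """Packet filtering: each packet is judged only on its own header fields."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k != "action"}
        if all(getattr(pkt, k) == v for k, v in fields.items()):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers connections opened from the internal network and admits
    inbound packets only when they belong to one of those connections."""

    def __init__(self, allowed_outbound_ports=(443,)):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.flows = set()  # (internal_ip, internal_port, external_ip, external_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_outbound_ports:
                return "deny"
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: the reply to a tracked flow has the internal side as its destination.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reply_key in self.flows else "deny"


def compare(packets):
    """Run one packet sequence through both filters; returns (stateless, stateful) decisions."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.decide(p)) for p in packets]


# Constructed trace: an internal host opens HTTPS, the server replies, then an unrelated external
# host sends an unsolicited packet that merely uses source port 443.
TRACE = [
    Packet("10.0.0.7", 55000, "203.0.113.5", 443, "out"),
    Packet("203.0.113.5", 443, "10.0.0.7", 55000, "in"),
    Packet("198.51.100.9", 443, "10.0.0.7", 60000, "in"),
]
```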
Bastion Host, Proxy and DMZ
• A proxy stands in between the internal and external networks.
• No direct communication will be allowed between the internal and external networks.
• All communication will pass through the proxy server.
• A demilitarized zone (DMZ) is the area that is accessible to the external network.
• The objective of setting up a DMZ is to prevent external traffic from having direct access to the critical
systems of the organization.
• All systems placed in the DMZ should be hardened, with all functionality that is not required
disabled (bastion host).
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• An intrusion detection system monitors a network (network-based IDS) or a single system
(host-based IDS) with the objective of recognizing and detecting intrusion activity.
• Components of an IDS
• Sensors: The function of the sensors is to collect the data.
• Analyzers: The function of the analyzer is to analyze the data and determine whether there is intrusion activity.
• Administration Console: The administration console helps the administrator to control and monitor
IDS rules and functions.
• User Interface: The user interface allows the user to view the results and carry out the required tasks.
Limitations:
• An IDS operates on the basis of policy definitions.
• Weak policy definitions weaken the function of the IDS.
• An IDS cannot control application-level vulnerabilities.
• An IDS cannot control a back door into an application.
• An IDS cannot analyse data that is tunnelled through an encrypted connection.
Types of IDS
• Signature based: The IDS looks for specific predefined patterns to detect an intrusion.
• Also known as rule-based IDS.
• Does not detect new attack methods for which signatures have not yet been developed.
• Statistical based IDS: attempts to identify abnormal behaviour by applying statistical
algorithms.
• A statistical IDS generates the most false positives compared with other types of IDS.
• Neural Network: works on the same principle as a statistical based IDS, but with the
advanced functionality of self-learning.
• If the criteria are not properly tuned, an IDS may generate false alarms or may fail to identify an actual
abnormality. The most effective way to determine whether an IDS is properly tuned is to simulate
various attack scenarios and review the performance of the IDS.
• If the IDS is installed between the firewall and the external network, it will be able to identify all intrusion
attempts, irrespective of whether the intrusion packets bypassed the firewall or not.
• If the IDS is installed between the firewall and the internal network, it will be able to detect only those
attempts that bypassed the firewall rules.
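An added example (not the deck's material) running a signature-based and a statistical detector over constructed access log lines in Python, to show the IDS limitations stated above: the signature detector misses a scanner whose requests match no known pattern, and the statistical detector's threshold factor k either flags a legitimate monitoring host (false alarm) or misses the scanner entirely, depending on tuning. The log format, addresses and signatures are constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access log lines in the form "<client_ip> <method> <path> <status>" (sample data).
LOG_LINES = (
    ["10.1.1.5 GET /index.html 200", "10.1.1.5 GET /about.html 200",
     "10.1.1.6 GET /login 200", "10.1.1.6 POST /login 302",
     "10.1.1.7 GET /reports/q1.pdf 200",
     "10.1.1.8 GET /contact 200", "10.1.1.8 GET /news 200",
     # one client sending a path-traversal and a UNION-based probe, both covered by signatures
     "198.51.100.23 GET /download?file=../../etc/passwd 404",
     "198.51.100.23 GET /search?q=1%20union%20select%20null 500"]
    # a scanner walking the API with parameters no signature knows about: a burst of 12 requests
    + ["203.0.113.9 GET /api/items?id=%d 200" % i for i in range(12)]
    # a legitimate monitoring host polling /health: a burst of 10 requests
    + ["10.1.1.9 GET /health 200"] * 10
)

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Signature (rule-based) detection: predefined patterns, named so the analyst knows what fired.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_union_probe": re.compile(r"union(%20|\s)+select", re.IGNORECASE),
}


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: " + line)
    return m.groupdict()


def signature_alerts(lines):
    """Return (ip, signature_name) for every line whose path matches a known pattern."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


def statistical_alerts(lines, k=1.0):
    """Flag clients whose request count exceeds mean + k * stdev over all clients in the window.
    k is the tuning knob: a low k produces false alarms, a high k misses real anomalies."""
    counts = Counter(parse(line)["ip"] for line in lines)
    values = list(counts.values())
    threshold = mean(values) + k * pstdev(values)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

With k=1.0 both the scanner and the monitoring host are flagged; with k=2.0 neither is, which is the tuning trade-off the slide describes.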
• Intrusion prevention systems have the ability not only to detect intrusion attempts but also to
prevent the impact of the intrusion attack.
• Honey Pots and Honey Nets
• A honey pot is a decoy system set up to attract hackers and intruders.
• The purpose of setting up a honey pot is to capture the details of intruders in order to proactively
strengthen the security controls.
• A honey net is a combination of linked honey pots. Honey nets are used for large network setups.
• The domain name system (DNS) provides a simple cross-reference between a domain name and the
related IP address.
• In a pharming attack, malware changes domain name system (DNS) server settings and redirects
users to malicious sites.
Wireless Access Point
• A wireless network is a computer network that uses wireless data connections between
communication endpoints (nodes). Cell phone networks and wireless local area networks are
examples of wireless networks.
• An SSID is the name of a wireless network broadcast by a router.
• Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) are the two main types of
encryption. WPA2 is the strongest encryption standard for wireless connections.
• Common attack methods
• Rogue Access Point: A rogue access point is a wireless access point that has been installed on a
secure network without authorization, by a malicious attacker.
• War driving/Walking/Chalking: technique used by a hacker to search for wireless networks from a
moving car or vehicle by using a laptop or other wireless device with hacking tools or software.
• A virtual private network (VPN) is used to extend a private network through use of the internet in
a secured manner. It provides a platform for remote users to get connected to the organization's
private network.
• A VPN uses IPSec tunnel mode or IPSec transport mode. IPSec tunnel mode is used to encrypt
the entire packet, including the header. The IPSec transport mode is used to encrypt only the
data portion of the packet.
Cloud computing
• Cloud computing is the practice of using remote servers hosted on the internet to store, manage, and process
data, rather than a local server or a personal computer.
• Cloud computing simply means the use of computing resources as a service through networks, typically the
internet.
Cloud computing deployment models:
• Private cloud:
• A private cloud is used for the exclusive benefit of the organization. A private cloud is considered the most
secure type of deployment as it can be controlled and centralized by the organization.
• Public cloud
• The public cloud is open to all on the basis of pay per use. The public cloud is considered highly scalable as
services can be reduced or increased as per the requirements of the organization.
• Requirements: Legal and regulatory compliance (such as data localization), Backup, Right to audit and
Security requirements.
• The community cloud: Cloud services are used by specific communities of consumers who have shared
concerns.
• The hybrid cloud: combination of the private and the public cloud.
• Types of cloud services
• Infrastructure as a Service (IaaS): IaaS provides computing resources such as processing power, memory,
storage, and networks for users.
• Software as a Service (SaaS): SaaS provides end users with the ability to access an application over the Internet.
• Platform as a Service (PaaS): PaaS provides users with a platform to develop and deploy an application on the
development platform provided by the service provider.
• Risks and security controls for a cloud arrangement:
• Ensure compliance with relevant laws, regulations, and standards.
• Ensure compliance with privacy laws that restrict the movement of personal data to an offshore location.
• Ensure the availability of information systems and data on a continuous basis.
• Evaluate the business continuity and disaster recovery plan of the cloud service provider.
• Ensure the integrity and confidentiality of information and sensitive data while stored and in transit.
• Ensure that the SLA includes clauses with respect to data ownership, data custody, and security
administration related to cloud deployment models.
• Ensure the inclusion of a right-to-audit clause in the SLA.
Project Management
• A project is defined as a sequence of activities that must be completed to achieve a required outcome.
• Project management is the formal process of organizing, administering and implementing the project.
• The objective of structured project management is to deliver value by creating specific deliverables in an
effective and efficient manner.
• A project is a specific, single task that delivers a tangible output, while a program is a collection of related
projects.
Success factors:
• Risk practitioners should be involved in all the above phases of the SDLC, and security requirements should be
integrated into all SDLC phases.
• Security requirements should be validated and tested to ensure that they address the risk associated with
confidentiality, integrity and availability. Project members should be made aware of the risk implications for
the project.
• A project should have a clear definition of the required outcome. Clearly defined scope and objectives will prevent
scope creep.
• Resources required to implement the project should be identified during the planning stage to ensure the cost
efficiency of the project. Appropriate monitoring and control procedures should be established to determine the
performance of the project at different milestones.
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resourcesaileywriter
 
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...Sayali Powar
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePedroFerreira53928
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaasiemaillard
 
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfINU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfbu07226
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345beazzy04
 
How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17Celine George
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
 
Application of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matricesApplication of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matricesRased Khan
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxakshayaramakrishnan21
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfQucHHunhnh
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptSourabh Kumar
 
size separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceuticssize separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceuticspragatimahajan3
 

Recently uploaded (20)

B.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdfB.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdf
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
 
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
Mattingly "AI & Prompt Design: Limitations and Solutions with LLMs"
 
Open Educational Resources Primer PowerPoint
Open Educational Resources Primer PowerPointOpen Educational Resources Primer PowerPoint
Open Educational Resources Primer PowerPoint
 
Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resources
 
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General QuizPragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
UNIT – IV_PCI Complaints: Complaints and evaluation of complaints, Handling o...
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfINU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Application of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matricesApplication of Matrices in real life. Presentation on application of matrices
Application of Matrices in real life. Presentation on application of matrices
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
 
size separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceuticssize separation d pharm 1st year pharmaceutics
size separation d pharm 1st year pharmaceutics
 

crisc_wk_5.pptx

Integrity
• Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.
• It ensures that data remains correct, unaltered, and preserved.
• Properly implemented integrity protection provides a means for authorized changes while protecting against intentional, malicious unauthorized activity (such as viruses and intrusions) as well as errors made by authorized users (such as mistakes or oversights).
• Two kinds: data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect the system itself (its configuration, binaries and services) from unauthorized modification.
• Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.
• Countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
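Hash total verification, one of the countermeasures listed above, is shown below as an added example (Python standard library only; it is not code from the slides). It contrasts an unkeyed hash total, which catches accidental corruption but can be recomputed by whoever altered the data, with a keyed one (HMAC), which catches malicious alteration as well. The batch records and the integrity key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample batch of (account, amount in cents); not real data.
# Assumes account IDs contain neither '|' nor a newline.
BATCH = [("ACC-1001", 12500), ("ACC-1002", -3000), ("ACC-1003", 99000)]

# Assumed integrity key for the demo; a real deployment would load it
# from a key store rather than keep it in source.
INTEGRITY_KEY = b"example-key-for-the-demo-only"


def serialize(batch):
    """Canonical encoding: the same batch must always produce the same bytes."""
    return "\n".join(f"{account}|{amount}" for account, amount in batch).encode()


def checksum(batch):
    """Unkeyed hash total (SHA-256). Detects accidental corruption only:
    anyone who can alter the batch can recompute this value to match."""
    return hashlib.sha256(serialize(batch)).hexdigest()


def integrity_tag(batch, key=INTEGRITY_KEY):
    """Keyed hash total (HMAC-SHA256). Without the key an attacker cannot
    produce a matching tag, so malicious alteration is detected too."""
    return hmac.new(key, serialize(batch), hashlib.sha256).hexdigest()


def verify(batch, tag, key=INTEGRITY_KEY):
    """Constant-time comparison, so the check does not leak how many bytes matched."""
    return hmac.compare_digest(integrity_tag(batch, key), tag)


def tamper(batch):
    """Attacker's side: change one amount and recompute the unkeyed checksum."""
    altered = list(batch)
    account, amount = altered[1]
    altered[1] = (account, amount + 100_000)
    return altered, checksum(altered)


if __name__ == "__main__":
    tag = integrity_tag(BATCH)
    altered, forged_checksum = tamper(BATCH)
    print("original batch verifies:", verify(BATCH, tag))
    print("attacker matched the unkeyed checksum:", forged_checksum == checksum(altered))
    print("altered batch verifies against keyed tag:", verify(altered, tag))
```

An authorized change is handled by re-tagging the new batch with the key; the tag only proves that whoever produced it held the key, so it gives integrity but not nonrepudiation (for that a digital signature is needed).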
Availability
• Availability ensures that information is available when needed.
• Authorized subjects are granted timely and uninterrupted access to objects.
• Availability also implies that the supporting infrastructure, including network services, communications, and access control mechanisms, is functional and allows authorized users to gain authorized access.
• Attacks - DoS attacks, object destruction, and communication interruptions.
• Countermeasures - designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems.
Disclosure, alteration, and destruction
• Disclosure is the unauthorized release of information (the failure of confidentiality).
• Alteration is the unauthorized modification of data (the failure of integrity).
• Destruction is making systems or data unavailable (the failure of availability).
CIA Priority
• Every organization has unique security requirements. Knowing which tenet or asset is more important than another guides the creation of a security stance and ultimately the deployment of a security solution.
• Example - military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity.
• Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed.
Other Security Concepts
• Identification: Claiming an identity when attempting to access a secured area or system (e.g. entering a username).
• Authentication: Proving that you are that identity (e.g. with a password, token or biometric).
• Authorization: The actions you are permitted to perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs.
• Auditing: Recording a log of the events and activities related to the system and its subjects.
• Accounting (aka accountability): Holding users accountable for their actions. This is typically done by logging and analysing audit data, and it depends on each subject being uniquely identified and authenticated.
• Nonrepudiation: A user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity (for example, a digital signature made with a key that only that user holds).
Enterprise Architecture
• Enterprise Architecture (EA) defines the structure and operations of the organization.
• The objective of EA is to determine how an organization can achieve its current as well as future objectives.
• The prime objectives of an enterprise architecture are:
  To understand the current state of IT
  To understand the vision for a future state of IT
  To design a strategy to move from the current state to the future state
• An enterprise view of IT helps the risk practitioner identify the linkage between IT and organizational objectives.
• Commonly used EA frameworks:
  The Open Group Architecture Framework (TOGAF)
  Zachman Framework
  Department of Defense Architecture Framework (DoDAF) - used for military enterprises
  Federal Enterprise Architecture Framework (FEAF) - used for US civilian agencies
Security Architecture
• Security architecture provides an overview of the systems and the relationships between them, and hence is very useful in complex security deployments.
• The primary purpose of developing a security architecture is to align the security strategy between the functional areas of the organization and external parties.
• Organizations should purchase IT equipment from trusted vendors to reduce the risk of infected devices.
• New devices should also be tested thoroughly before implementation. This addresses the risk of hardware infected with back doors or security vulnerabilities during the manufacturing or delivery process.
• Vendor-provided default accounts and passwords should be disabled or changed.
• Strong authentication is required for privileged accounts such as administrator accounts.
• Operating software should be hardened by disabling all unused services.
Security Architecture
• Patches should be tested before deployment - Patch management policy.
• In exceptional cases, pre-testing of patches may not be feasible because of a business emergency; in such cases the organization should have a rollback plan to remove the patches from the system if the deployment has an adverse impact.
• Adoption of secure coding practices is necessary to address flaws or bugs in the code of an application - Application security.
• Organizations should study the common vulnerabilities published by the Open Web Application Security Project (www.owasp.org) and should address these vulnerabilities.
Security Architecture
• Applications can be made more secure by adopting the following practices:
  Sensitive data should be masked
  Restricted access for users (segregation of duties and need to know)
  Input controls such as range checks, reasonableness checks, etc.
  Reconciliation and balancing for proper processing of transactions
  Use of digital certificates for authentication
  Encryption of data at rest as well as in transit
  Secure coding practices
  Use of middleware to isolate direct access and manage data input/output
  Network isolation and secure communication channels
Security Architecture
• Absence of validation checks on data input fields is a major vulnerability. It gives attackers an opportunity to exploit the system by way of SQL injection attacks.
• Error messages should not be displayed in such a way that they provide information an attacker can use to refine the attack (e.g. database error text, or whether it was the username or the password that was wrong).
• Use multiple factors of authentication for critical systems, such as biometric access plus a password.
• User accounts should be automatically locked out after a number of failed login attempts.
• When an application is developed by a third party, it is recommended to conduct a security code review of the entire application to detect malicious code, including back doors.
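The input-validation, SQL injection, error-message and lockout points from the two slides above come together in a login path. The following is an added example written for this page (Python standard library only, not code from the slides): a deliberately vulnerable lookup beside the hardened one, a single generic error message, and account lockout that expires. The users table, the account "alice", the PBKDF2 parameters, the username policy and the lockout thresholds are all assumptions of the example.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILED_ATTEMPTS = 5        # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60      # assumption: lockout expires after 15 minutes
PBKDF2_ROUNDS = 100_000        # assumption: work factor for password hashing
GENERIC_ERROR = "Invalid username or password"   # same text for every failure
DUMMY_SALT = b"\x00" * 16      # used so unknown users cost the same time as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the user-supplied string becomes part of the SQL text.
    Input such as  ' OR 1=1 --  turns the WHERE clause into "always true" and
    hands back a row (salt and hash included) for a user who was never named."""
    sql = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    """Hardened: a range/format check on the input, then a parameterized query
    so the driver sends the value separately from the SQL text."""
    if not (1 <= len(username) <= 64) or not username.isalnum():   # assumed username policy
        return None
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


class LoginService:
    """Tracks consecutive failures per account and locks the account out."""

    def __init__(self, conn):
        self.conn = conn
        self.failures = {}   # username -> (consecutive failures, time of last failure)

    def _locked(self, username, now):
        count, last = self.failures.get(username, (0, 0.0))
        if count < MAX_FAILED_ATTEMPTS:
            return False
        if now - last >= LOCKOUT_SECONDS:     # lockout window has expired
            del self.failures[username]
            return False
        return True

    def login(self, username, password, now=None):
        """Returns (success, message). The message never says which part failed
        or whether the account is locked, so it gives an attacker nothing to refine."""
        now = time.time() if now is None else now
        if self._locked(username, now):
            return False, GENERIC_ERROR
        row = find_user_safe(self.conn, username)
        # Hash even when the user does not exist, so that a missing account is not
        # rejected faster than a wrong password (timing would reveal valid usernames).
        salt = row[1] if row else DUMMY_SALT
        candidate = hash_password(password, salt)
        ok = row is not None and hmac.compare_digest(candidate, row[2])
        if ok:
            self.failures.pop(username, None)  # success resets the counter
            return True, "ok"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)
        return False, GENERIC_ERROR
```

While an account is locked, even the correct password is refused and the caller sees the same generic message. One caveat a practitioner should weigh: a lockout keyed only on username lets an attacker lock legitimate users out deliberately, so production systems usually combine it with per-source rate limiting or progressive delays.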
Maturity Models
• Maturity models are used to determine the maturity level of the risk management process.
• Maturity models identify the gaps between the current state of a process and the desired state, helping the organization determine the remediation steps needed for improvement.
• A maturity model is the best technique for enabling a peer review of an organization's risk management process.
• A mature organization is much more likely to prevent incidents, detect incidents sooner and recover rapidly from incidents.
• The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process. It is widely used by commercial organizations.
• The capability levels below are those of the ISO/IEC 15504 based process assessment model used with COBIT (the original CMM uses five levels, Initial through Optimizing):
  0 – Incomplete: The process is not implemented or does not achieve its intended purpose.
  1 – Performed: The process achieves its intended purpose.
  2 – Managed: The process achieves its intended purpose and is also planned, monitored and controlled.
  3 – Established: In addition to level 2, a well-defined, documented standard process is in place and is used to manage the process.
  4 – Predictable: The process operates predictably within defined parameters and limits to achieve its intended purpose.
  5 – Optimized: The process is continuously improved to meet current as well as projected goals.
Organizational Processes
Change Control/Management
• The goal of change management is to ensure that no change leads to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state.
• Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to manage change systematically.
Data Classification
• Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
• Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level.
• Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
• Commercial Business: Confidential, Private, Sensitive, Public
Network - TCP/IP & OSI Layers
• TCP stands for Transmission Control Protocol and IP stands for Internet Protocol.
• TCP/IP specifies the standard rules for the exchange of data over the internet: how data is broken into packets, addressed, transmitted, routed and received at the destination.
• TCP/IP is commonly described against the Open Systems Interconnection (OSI) reference model. The OSI model has seven layers, whereas the TCP/IP model has four (some texts split the lowest layer in two, giving five).
OSI Layers
• The OSI model explains the layered steps of network communication. In the OSI model, each layer is defined by the specific function it performs.
• All seven layers work together to transmit data, each layer handing its data to the layer directly above or below it.
OSI Layers
• Physical: Associated with the cables and other hardware for the physical connection of the device to the network; transmits raw bits as electrical, optical or radio signals.
• Data Link Layer: Groups the bits received from the physical layer into frames, addresses them with hardware (MAC) addresses and checks them for transmission errors before handing the payload to the network layer.
• Network Layer: Inserts the IP addresses into the packet header and routes the packet to its destination.
• Transport Layer: Provides an end-to-end data transport service and establishes a logical connection between the two devices.
• Session Layer: Establishes a connection between two applications, maintains the connection and terminates it.
• Presentation Layer: Translates the data into the format required by the application (character encoding, compression and encryption are commonly placed here).
• Application Layer: Provides an interface to, and communicates directly with, the end user's applications.
TCP/UDP
• Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the protocols operating at the transport layer.
• TCP is considered a reliable, connection-oriented protocol. TCP uses sequence numbers and acknowledgements to ensure that data segments are delivered to the destination, in order.
• UDP is a connectionless protocol. UDP provides an unreliable service: datagrams may arrive out of order, be corrupted or be dropped, and the destination does not acknowledge the datagrams it receives.
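To make the layering concrete, the following added example (written for this page with the Python standard library; not code from the slides) builds a frame and then parses it one layer at a time: Ethernet header (data link), IPv4 header (network, including its header checksum), then TCP or UDP header (transport). The MAC and IP addresses and the ports are constructed for the demo; the TCP and UDP checksums are left at zero because they need the IP pseudo-header, which this example does not cover.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header, 16 bits at a time."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, no options) with a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def build_tcp(sport: int, dport: int, seq: int, flags: int, payload: bytes = b"") -> bytes:
    # data offset 5 (20-byte header, no options); checksum left zero for the demo
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Peel one layer at a time; each layer's header says what the next layer is."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return result                                  # not IPv4: stop at layer 2
    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:               # sum over header incl. checksum field must be zero
        raise ValueError("IPv4 header checksum mismatch")
    result.update(src_ip=socket.inet_ntoa(src), dst_ip=socket.inet_ntoa(dst), ttl=ttl, protocol=proto)
    segment = packet[ihl:total_len]
    if proto == PROTO_TCP:
        if len(segment) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
        data_offset = (off_flags >> 12) * 4
        flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
        result.update(transport="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                      flags=flags, payload=segment[data_offset:])
    elif proto == PROTO_UDP:
        if len(segment) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
        result.update(transport="UDP", sport=sport, dport=dport, payload=segment[8:length])
    else:
        result.update(transport=f"protocol {proto}", payload=segment)
    return result


# Constructed sample frames (MAC and IP addresses are made up for the demo).
CLIENT_MAC, GATEWAY_MAC = bytes.fromhex("0242ac110002"), bytes.fromhex("0242ac110001")
SYN_FRAME = build_ethernet(GATEWAY_MAC, CLIENT_MAC, ETHERTYPE_IPV4,
                           build_ipv4("10.0.0.5", "203.0.113.10", PROTO_TCP, build_tcp(51000, 443, 1000, 0x02)))
DNS_FRAME = build_ethernet(GATEWAY_MAC, CLIENT_MAC, ETHERTYPE_IPV4,
                           build_ipv4("10.0.0.5", "10.0.0.1", PROTO_UDP, build_udp(53000, 53, b"\x12\x34\x01\x00")))
```

The IPv4 header checksum only catches accidental corruption: an attacker who rewrites a header simply recomputes it, which is why integrity against deliberate tampering has to come from higher layers (IPsec, TLS).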
Network Cabling
• Fiber optic cables are considered more secure than copper wire: they do not radiate a signal that can be picked up, and tapping them is hard to do without causing a detectable loss of signal.
• Fiber optic is the preferred choice for long-distance networks and high volumes of data.
• Fiber optic is not affected by electromagnetic interference (EMI), and fiber optic cables have very low transmission loss (attenuation).
• Fiber optic is regarded as the most secure cable for data transmission.
• Twisted pair (copper circuit): Shielded twisted pair (STP) and Unshielded twisted pair (UTP).
• STP is less prone to EMI and crosstalk and so is more reliable than UTP.
• UTP is more sensitive to the effects of EMI and crosstalk.
• The parallel installation of UTP cables over long distances should be avoided, since one cable can interfere with the signals of adjacent cables - crosstalk.
• Attenuation: loss or weakening of the signal over distance.
• EMI: Interference or disturbance that degrades the quality of electrical signals. Major causes of EMI are electrical storms and noisy electrical equipment (for example, motors, fluorescent lighting, and radio transmitters).
Network Devices
Repeaters
• Repeaters are used to address the risk of attenuation (weakening of the signal).
• A repeater receives the signal from one network segment, amplifies and regenerates the weak signal, and passes it on.
Hubs and switches
• Hubs and switches are used to connect different devices for the exchange of data.
• A hub operates at layer 1 (physical layer), whereas a switch operates at layer 2 (data link layer) of the OSI model. A switch is regarded as a more advanced/intelligent version of the hub: a hub repeats every frame to every port, while a switch forwards a frame only to the port where the destination MAC address was learned (which also makes sniffing other hosts' traffic harder).
Bridges
• Bridges have the same functionality as switches (a switch is essentially a multiport bridge). Both operate at layer 2 (data link layer) of the OSI model.
Routers
• A router is regarded as a more advanced/intelligent version of the switch. It operates at layer 3 (network layer) of the OSI model and forwards packets between networks based on IP addresses.
• Devices operating at higher layers are more intelligent and capable than devices operating at lower layers.
• A CRISC aspirant should be aware of the layer at which the various devices operate:
Network Devices
Firewall, DMZ and Proxy
• A firewall is a network security system designed to prevent unauthorized access to networks. It monitors and controls incoming and outgoing network traffic according to defined rules.
• A firewall can be implemented in either software or hardware form.
• A packet filtering router examines the IP addresses and port numbers of both the source and the destination of each packet and takes action (allow or deny) according to the defined rules. It judges every packet on its own, with no memory of earlier packets. A packet filtering router operates at the network layer of the OSI model.
• A stateful inspection firewall additionally keeps a table of the connections that internal hosts have opened (source and destination addresses and ports, and the connection's state) and admits an inbound packet only if it belongs to one of those connections. It operates at the network layer of the OSI model, using transport-layer information such as ports and TCP state.
• A circuit-level firewall works on the concept of a bastion host and proxy server. It provides the same proxy for all services and does not inspect application content. It operates at the session layer of the OSI model.
• An application-level firewall (application proxy) is regarded as the most secure type of firewall, since it understands and inspects the application protocol itself. It operates at the application layer of the OSI model.
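The difference between a packet filter and stateful inspection is easiest to see on the same traffic. Below is an added example (written for this page in Python, standard library only; not code from the slides): a stateless rule list that must allow inbound packets with source port 443 so that web replies get back in, beside a stateful firewall that only admits replies to connections it saw opened from inside. The rule set, addresses and packets are constructed for the demonstration, and the state tracking is simplified (RST clears an entry; there is no FIN handshake tracking or ageing).

```python
from collections import namedtuple

# One packet as the firewall sees it. direction is "out" (internal host ->
# internet) or "in" (internet -> internal host); flags is a tuple of TCP flag names.
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")


class PacketFilter:
    """Stateless packet filtering: every packet is judged on its own header
    fields against a fixed rule list; the filter remembers nothing."""

    def __init__(self):
        # Constructed rule set (direction, proto, src, sport, dst, dport, allow).
        # None means "any". The second rule exists so that HTTPS replies get back
        # in, and it is the weak spot: any inbound packet whose source port is 443
        # matches it, whether or not an internal host ever asked for it.
        self.rules = [
            ("out", "tcp", None, None, None, 443, True),
            ("in", "tcp", None, 443, None, None, True),
        ]

    def allow(self, pkt):
        for direction, proto, src, sport, dst, dport, verdict in self.rules:
            if (direction == pkt.direction and proto == pkt.proto
                    and src in (None, pkt.src) and sport in (None, pkt.sport)
                    and dst in (None, pkt.dst) and dport in (None, pkt.dport)):
                return verdict
        return False  # default deny


class StatefulFirewall:
    """Stateful inspection: records the connections that internal hosts open
    and admits an inbound packet only if it belongs to one of them."""

    def __init__(self, allowed_outbound_ports=(443,)):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.connections = set()  # (internal ip, internal port, external ip, external port)

    def allow(self, pkt):
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out":
            if pkt.dport not in self.allowed_outbound_ports:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add(key)        # new session opened from inside
            elif key not in self.connections:
                return False                     # mid-stream packet of a session never seen
            if "RST" in pkt.flags:
                self.connections.discard(key)
            return True
        # Inbound: accept only the reply direction of a known session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return False                         # unsolicited, however plausible the ports look
        if "RST" in pkt.flags:
            self.connections.discard(key)
        return True


# Constructed traffic: a genuine HTTPS session, then two forged inbound packets
# that both carry source port 443 so they look like web replies.
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, ("SYN",)),
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, ("SYN", "ACK")),
    Packet("in", "tcp", "203.0.113.99", 443, "10.0.0.5", 3389, ("SYN",)),   # probe at RDP
    Packet("in", "tcp", "203.0.113.99", 443, "10.0.0.5", 51000, ("ACK",)),  # fake reply
]


def verdicts(firewall, traffic=TRAFFIC):
    """Run the traffic through a firewall instance and return allow/deny per packet."""
    return [firewall.allow(pkt) for pkt in traffic]
```

The packet filter passes all four packets, including the two forgeries; the stateful firewall passes only the first two, because the connection table is what distinguishes a reply from an unsolicited packet that merely looks like one.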
Bastion Host, Proxy and DMZ
• A proxy stands between the internal and external networks.
• No direct communication is allowed between the internal and external networks.
• All communication passes through the proxy server.
• A demilitarized zone (DMZ) is the network segment that is accessible from the external network.
• The objective of setting up a DMZ is to prevent external traffic from having direct access to the critical systems of the organization.
• All systems placed in the DMZ should be hardened and all functionality that is not required should be disabled - bastion host.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• An intrusion detection system monitors a network (network-based IDS) or a single system (host-based IDS) with the objective of recognizing and detecting intrusion activity.
• Components of an IDS:
  Sensors: collect the data.
  Analyzers: analyze the data and determine whether there is intrusion activity.
  Administration console: lets the administrator control and monitor IDS rules and functions.
  User interface: lets the user view results and carry out required tasks.
Limitations:
• An IDS operates on the basis of policy definitions.
• Weak policy definitions weaken the function of the IDS.
• An IDS cannot compensate for application-level vulnerabilities.
• An IDS cannot control a back door into an application.
• An IDS cannot analyse data that is tunnelled through an encrypted connection.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Types of IDS
• Signature based: the IDS looks for specific predefined patterns to detect intrusion.
  Also known as rule-based IDS.
  Does not detect new attack methods for which signatures have not yet been developed.
• Statistical based IDS: attempts to identify abnormal behavior by comparing observed activity against a statistical baseline of normal behavior.
  A statistical IDS generates the most false positives compared with other types of IDS.
• Neural network: works on the same principle as a statistical based IDS, but with the advanced capability of self-learning.
• If the criteria are not properly tuned, an IDS may generate false alarms or may fail to identify actual abnormalities. The most effective way to determine whether an IDS is properly tuned is to simulate various attack scenarios and review the performance of the IDS.
• If the IDS is installed between the firewall and the external network, it will be able to identify all intrusion attempts, irrespective of whether the intrusion packets bypassed the firewall or not.
• If the IDS is installed between the firewall and the internal network, it will detect only those attempts that got past the firewall rules.
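The two detection styles above behave differently on the same data, which the following added example shows (written for this page in Python, standard library only; not code from the slides). It runs a signature matcher and a statistical detector over a constructed web-server log containing two attacks that match known signatures, a scanner whose requests match no signature, and a noisy but legitimate monitoring host. The log lines, the signature list, the client addresses and the z-score threshold are all constructed assumptions of the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Each constructed log line is "<client> <HH:MM> <method> <path>".
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<minute>\d\d:\d\d) (?P<method>\S+) (?P<path>.+)$")

# Constructed signature list: patterns someone has already written a rule for.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "union-select": re.compile(r"union\s+select", re.I),
}


def parse(line):
    match = LOG_RE.match(line)
    if not match:
        raise ValueError(f"unparseable log line: {line!r}")
    return match.groupdict()


def constructed_baseline():
    """Ten quiet minutes from five ordinary clients, 2-4 requests per minute each."""
    lines = []
    for minute in range(10):
        for i, client in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15")):
            for n in range(2 + (minute + i) % 3):
                lines.append(f"{client} 12:0{minute} GET /page{n}.html")
    return lines


def constructed_observed():
    """The same period with four additions: two attacks that match a signature,
    a scanner using paths no signature describes, and a noisy but legitimate
    monitoring host."""
    lines = constructed_baseline()
    lines.append("10.0.0.12 12:05 GET /login?user=admin' OR 1=1 --")
    lines.append("10.0.0.13 12:06 GET /files?name=../../etc/passwd")
    lines += [f"10.0.0.66 12:07 GET /backup{n}.zip" for n in range(40)]
    lines += ["10.0.0.20 12:08 GET /health" for _ in range(25)]
    return lines


def signature_alerts(lines):
    """Rule-based detection: fires only on a known pattern, never on volume."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["client"], rec["minute"], name))
    return alerts


def requests_per_client_minute(lines):
    counts = Counter()
    for line in lines:
        rec = parse(line)
        counts[(rec["client"], rec["minute"])] += 1
    return counts


class StatisticalDetector:
    """Anomaly detection: learn the normal request rate per client-minute,
    then flag anything more than z_threshold standard deviations above it."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.mean = self.std = None

    def train(self, baseline_lines):
        values = list(requests_per_client_minute(baseline_lines).values())
        self.mean, self.std = mean(values), pstdev(values)
        if self.std == 0:
            raise ValueError("baseline has no variation; z-scores would be undefined")

    def alerts(self, lines):
        flagged = []
        for (client, minute), count in requests_per_client_minute(lines).items():
            z = (count - self.mean) / self.std
            if z > self.z_threshold:
                flagged.append((client, minute, round(z, 1)))
        return flagged
```

The signature detector reports the SQL injection and the path traversal and says nothing about the scanner at 10.0.0.66. The statistical detector catches the scanner's burst, but it also flags the monitoring host at 10.0.0.20, the false positive the slide warns about; tuning means either raising the threshold or whitelisting known-noisy sources, and the only reliable way to check the tuning is to replay attack scenarios like these against it.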
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• Intrusion prevention systems have the ability not only to detect intrusion attempts but also to block them (for example by dropping the offending packets), preventing the impact of the attack.
Honey Pots and Honey Nets
• A honey pot is a decoy system set up to attract hackers and intruders.
• The purpose of setting up a honey pot is to capture the details of intruders' activity in order to proactively strengthen security controls.
• A honey net is a combination of linked honey pots. Honey nets are used for large network setups.
• The domain name system (DNS) provides a simple cross-reference between domain names and the related IP addresses.
• In a pharming attack, DNS resolution is subverted (for example by malware changing the victim's DNS server settings, or by poisoning a DNS server's cache) so that users are redirected to malicious sites.
Wireless Access Point
• A wireless network is a computer network that uses wireless data connections between communication endpoints (nodes). Cell phone networks and wireless local area networks are examples of wireless networks.
• An SSID is the name of a wireless network broadcast by an access point or router.
• Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) are the two main families of wireless encryption. WEP is broken and should not be used; WPA2 (AES-CCMP) is the widely deployed standard, and its successor WPA3 is stronger still.
• Common attack methods:
  Rogue access point: a wireless access point that has been installed on a secure network without authorization, whether by a malicious attacker or by an employee, giving outsiders a path past the perimeter.
  War driving/walking: a technique used by a hacker to search for wireless networks from a moving vehicle (or on foot) using a laptop or other wireless device with hacking tools or software. War chalking is marking the location of discovered networks with symbols.
• A virtual private network (VPN) is used to extend a private network across the internet in a secured manner. It provides a platform for remote users to connect to the organization's private network.
• An IPSec VPN uses either tunnel mode or transport mode. Tunnel mode encrypts the entire original IP packet, including its header, and wraps it in a new packet (typically used between gateways). Transport mode encrypts only the data portion of the packet and leaves the original IP header in the clear (typically used host-to-host).
Cloud computing
• Cloud computing is the practice of using remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.
• Cloud computing simply means the use of computing resources as a service through networks, typically the internet.
Cloud computing deployment models:
• Private cloud: used for the exclusive benefit of one organization. A private cloud is considered the most secure type of deployment because it can be controlled and centralized by the organization.
• Public cloud: open to all on a pay-per-use basis. The public cloud is considered highly scalable, as services can be reduced or increased as the organization requires.
  Requirements to check: legal and regulatory compliance (such as data localization), backup, right to audit, and security requirements.
• Community cloud: cloud services used by a specific community of consumers who have shared concerns.
• Hybrid cloud: a combination of the private and the public cloud.
• 28. Cloud computing
• Types of cloud services:
 Infrastructure as a Service (IaaS): provides computing resources such as processing power, memory, storage, and networks to users.
 Software as a Service (SaaS): provides end users the ability to access an application over the Internet.
 Platform as a Service (PaaS): provides users a platform to develop and deploy an application on the development platform provided by the service provider.
• Risks and security controls for a cloud arrangement:
 Ensure compliance with relevant laws, regulations, and standards.
 Ensure compliance with privacy laws that restrict the movement of personal data to an offshore location.
 Ensure the availability of information systems and data on a continuous basis.
 Evaluate the business continuity and disaster recovery plan of the cloud service provider.
 Ensure the integrity and confidentiality of information and sensitive data while stored and in transit.
 Ensure that the SLA includes clauses with respect to data ownership, data custody, and security administration related to the cloud deployment model.
 Ensure the inclusion of a right-to-audit clause in the SLA.
• 29. Project Management
• A project is defined as a sequence of activities that must be completed to achieve a required outcome.
• Project management is the formal process of organizing, administering, and implementing the project.
• The objective of structured project management is to deliver value by creating specific deliverables in an effective and efficient manner.
• A project is a specific, single task that delivers a tangible output, while a program is a collection of related projects.
• Success factors:
 Risk practitioners should be involved in all the SDLC phases described earlier, and security requirements should be integrated into all SDLC phases.
 Security requirements should be validated and tested to ensure that they address the risks associated with confidentiality, integrity, and availability. Project members should be made aware of the risk implications for the project.
 A project should have a clear definition of the required outcome. Clearly defined scope and objectives will prevent scope creep.
 Resources required to implement the project should be identified during the planning stage to ensure the cost efficiency of the project.
 Appropriate monitoring and control procedures should be established to determine the performance of the project at each milestone.
