Introduction to Information Security CSE

BurhanKhan774154 28 views 51 slides May 19, 2024

About This Presentation

This is a lecture by Dr Karen


Slide Content

CS 620
Introduction to Information Security
Dr. Karen Forcht
Department of Computer Science
James Madison University

Part I
(Overview, Access Control, Cryptography, Risk Analysis)

Part II
(Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)

Part III
(Telecommunications Security, Organization Architecture, Legal Regulatory Investigation)

Part IV
(Investigation, Application Program Security, Physical Security, Operations Security)

Part V
(Information Ethics, Policy Development)

Computer Security Act of 1987
Requires:
•Sensitive systems and data must be identified
•Plans for ensuring security and control of such systems must be created
•Personnel training programs must be developed and in place

Development of Security Program
•Objectives
•Policies
•Connectivity, Corporate Structure, and Security
•Plans
•Responsibilities

Security Policy Goals
•Avoidance
•Deterrence
•Detection
•Correction

Risk Analysis
•Identify sensitivity of data
•Determine value of systems and information
•Assess threats and vulnerabilities (sabotage, environment, errors)

Purposes of Risk Analysis
•No significant intentional or accidental threat is overlooked
•Assure that cost-benefit analysis is reasonable

Contingency Plan
•Purpose: Protect, detect, recover
•Criticality: Formulated, communicated to ALL employees, tested regularly

Legal Issues
•Licenses
•Fraud/Misuse
•Privacy
•Copyright
•Trade Secrets
•Employee Agreements

Access Control
Collection of mechanisms to restrain or prohibit use of information and systems
Includes: Functions, implementation, good practices, environmental constraints

Considerations
•Ownership of Data
•Custodian of Data
•Accountability
•Reconciliation
•Rule of Least Privilege

User Authentication and Password Management
•Access Control
•Knowledge-Based Authentication
•Token-Based Authentication
•Characteristic-Based Authentication
•Password Management

Access Control
•Policies
•Procedures
•Standards
•Control

Cryptography
Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage
Considerations:
-Complexity
-Secrecy
-Characteristics of key

Definitions:
Encryption: From plaintext to ciphertext
Decryption: From ciphertext to plaintext

Key Management
•Public vs. Private
•Selecting Key
•Management of the Keys
•Protection of Keys
•Testing of Keys
•Updating Keys
•Error Detection

Risk Management
Includes ideas, models, methods, and techniques to control risk
Includes:
-Assessment
-Reduction
-Protective measures
-Risk Acceptance
-Insurance

Considerations of Risk Assessment
•Annual Loss Expectancy (ALE)
•Asset Valuation/Inventory
•Types of Attacks/Threats
•Availability of Resources/Denial of Service
•Detection
•Exposure
•Passive Threats
•Perils
•Prevention
•Analysis/Assessment/Management of Risk
•Data Valuation

Classification of People/Assets
Should Include:
-People
-Procedures
-Data/Information
-Software
-Hardware

Threat and Exposure Assessment
•Density/Volume of Information
•Accessibility of Systems
•Complexity
•Electronic Vulnerability
•Media Vulnerability
•Human Factors

Safeguards and Counter Measures
•Prevent Exposures
•Detect Attempted Threats
•Correct the Causes of Threats

Business Continuity Planning (1)
•Planning and Analysis Methods
•Rates of Occurrence of Disabling Events
•Availability and Use of Planning Tools/Aids
•Identification of Business Success Factors (BSF) and Critical Capabilities (Critical or Key Success Factors, CSF/KSF)

Business Continuity Planning (2)
•Alternative Sources of Supply
•Legal and Regulatory Requirements

Backups and Procedures
•Importance for Recovery
•Data Value
•Manuals and Documentation
•Back Up Frequency
•On-Line Systems
•Equipment

The Three C’s
-Catastrophe
-Contingency
-Continuation
BE PREPARED!!!

Off-site Backups and Storage
Two Control Points:
1. When backup material is being transferred to/from the site
2. When backup material is stored at the site
(also consider in-house storage)

Data Classification
•Elements and Objectives of a Classification Scheme
•Criteria used to Classify Data
•Procedures to be Used
•Differences Between Government and Commercial Programs
•Limitations
•Program Implementation

To Be Included:
•Distinguish Between Classification and Sensitivity
•Classified vs. Sensitive
•Data Elements
•Handling of Data
•Identify Criteria
•Classification Schemes
•Role of Users/Managers
•Effect of Data Aggregation on Classification
•Techniques for Avoiding Disclosure

Security Awareness
Include:
•Corporate Policies, Procedures, Intentions
•Areas Where Remedial Actions are Needed
•Assessment of Threats and Vulnerabilities
•Technology Trends
•Behaviors to be Encouraged
•User Motives
•Applicable Laws and Regulation
•Available/Applicable Communication Channels/Media

Administrative/Organizational Controls
•Policies
•Awareness
•Employee Non-Disclosure Considerations
•Employee Training
•Telecommuting Considerations
•Effects of Technological Changes/Updates

Personnel Considerations
•Human Motives for Criminal Action
•Employee Selection
•Professional Certificates
•Working Environment
•Technological Updates (Effect on Users)
•Employee Separation

Computer and System Security
Professionals Should Understand:
•Computer Organizations, Architectures, Designs
•Source and Origin of Security Requirements
•Advantages/Disadvantages of Various Architectures
•Security Features/Functions of Various Components
•Choices to be Considered When Selecting Components

Common Flaws and Penetration Methods
•Operating System Flaws
•Penetration Techniques (Trojan Horses, Viruses, Salami Attacks, Deception)

Viruses
•Design
•Protection
•Recovery
•Prevention
•Counter Measures

Telecommunications Security
•Objectives
•Hazards and Exposures
•Effects of Topology, Media, Protocols, Switching
•Hazards and Classes of Attack
•Defenses and Protective Measures

Methods
•Aborted Connection
•Active Wiretapping
•Between-the-Lines Entry
•Call Back
•Emanations
•Covert Channel
•Cross-Talk
•Eavesdropping
•Electronic Funds Transfer (EFT)
•Handshaking

Considerations
•Transmission Technologies
•Bandwidth
•Connectivity Potential
•Geographical Scope
•Noise Immunity
•Security
•Applications
•Relative Cost

System Security Officer
•Organizational Knowledge (Structural and Behavioral)
•Technical Knowledge
•Accounting/Audit Concepts
•Personnel Administration Matters
•Laws/Legislation
•Strategic/Tactical Planning
•Labor/Negotiation/Strategies/Tactics

Computer Security Incident Response
•Goals
•Constituency
•Structure
•Management Support/Funding
•Charter
•Handbook of Operations
•Staffing

Legal/Regulatory
•Federal Laws/Regulations
•State Laws/Regulations
•International Issues
•Organizational/Agency Considerations
•Personal Behavior
•Remedies to Constituents
•Civil vs. Criminal Law
•Pending Legislation

Computer Crime
•Fraud
•Embezzlement
•Unauthorized Access
•“White Collar” Crime
•Theft of Hardware/Copying Software
•Physical Abuse
•Misuse of Information
•Privacy/Confidentiality Violations
•Intellectual Property
•Negligence
•License Agreements

Investigation
•Legal Requirements for Maintaining a Trail of Evidence
•Interrogation Techniques
•Legal Limits on Interrogation Methods Permitted

Application Program Security
•Distribution of Controls Between Application and System
•Controls Specific to Key, Common, or Industry Applications
•Criteria for Selection and Application
•Tests for Adequacy
•Standards for Good Practice

Software Controls
•Development
•Maintenance
•Assurance
•Specification and Verification
•Database Security Controls
•Accounting/Auditing

Physical Security
•Site/Building Location
•External Characteristics/Appearance
•Location of Computer Centers
•Construction Standards
•Electrical Power (UPS)
•Water/Fire Considerations
•Traffic/Access Control
•Air Conditioning/Exhaust
•Entrances/Exits
•Furnishings
•Storage of Media/Supplies

Operations Security
•Resources to be Protected
•Privileges to be Restricted
•Available Control Mechanisms
•Potential for Abuse of Access
•Appropriateness of Controls
•Acceptable Norms of Good Practice

Information Ethics
Doing the Right Thing!!
•Privacy/Confidentiality
•Common Good
•Professional Societies
•Professional Certifications

Policy Development
Considerations:
•Have Longevity
•Be Jargon Free
•Be Independent of Jobs, Titles, or Positions
•Set Objectives
•Fix Responsibility
•Provide Resources
•Allocate Staff
•Be Implemented Using Standards and Guidelines

That’s All Folks
(and not a minute too soon!!)
I’m Looking Forward to Working With You!!!!