ITT408_Unit#1_InformationSecurity_Fundamentals_STUDENTS.pptx

srizvi9 45 views 116 slides Jun 14, 2024

About This Presentation

Information security module, Unit 1 of the cyber security course.


Slide Content

UNIT#1 Fundamentals of Information Assurance and Security

Objectives
- Discuss the history of information assurance and security.
- Define various security concepts.
- Explain the security mindset and the role of paranoia.
- Discuss why information assurance and security must be built into the design.
- Outline the system life-cycle and its relationship to security.
- Examine the MSR model and its components.
- Discuss disaster recovery and contingency planning.

Definition of KEY terms

Key Terms: Information Assurance
Refers to the steps involved in protecting information systems, such as computer systems and networks. Five (5) key terms:
- Integrity
- Availability
- Authentication
- Confidentiality
- Nonrepudiation
https://www.techopedia.com/definition/5/information-assurance-ia

Key Terms: Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability.
https://www.novainfosec.com/2011/08/30/information-assurance-versus-information-security/


History of information security

History of Information Security
- Computer security began immediately after the first mainframes were developed.
- Groups developing code-breaking computations during World War II created the first modern computers.
- Multiple levels of security were implemented:
  - Physical controls limiting access to sensitive military locations to authorized personnel
  - Basic defence against physical theft, espionage, and sabotage

Figure 1-1 – The Enigma

The 1960s
- The Advanced Research Project Agency (ARPA) began to examine the feasibility of redundant networked communications.
- Larry Roberts developed the ARPANET from its inception.

Figure 1-2 – ARPANET

The 1970s and 80s
- ARPANET grew in popularity, as did its potential for misuse.
- Fundamental problems with ARPANET security were identified:
  - No safety procedures for dial-up connections to ARPANET
  - Nonexistent user identification and authorization to the system

The 1970s and 80s (cont’d)
- Information security began with Rand Report R-609, the paper that started the study of computer security and identified the role of management and policy issues in it.
- The scope of computer security grew from physical security to include:
  - Securing the data
  - Limiting random and unauthorized access to data
  - Involving personnel from multiple levels of the organization in information security

MULTICS
- Early computer security research centered on a system called Multiplexed Information and Computing Service (MULTICS).
- It was the first operating system created with security integrated into its core functions.
- A mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT).
- Several MULTICS key players went on to create UNIX, whose primary purpose was text processing.
- Late 1970s: the microprocessor expanded computing capabilities, and security threats along with them.

The 1990s
- Networks of computers became more common, as did the need to connect them to each other.
- The Internet became the first global network of networks.
- Initially, network connections were based on de facto standards.
- In early Internet deployments, security was treated as a low priority.
- In 1993, the DEFCON conference was established for those interested in information security.

2000 to Present
- The Internet brings millions of unsecured computer networks into continuous communication with each other.
- The ability to secure a computer’s data is influenced by the security of every computer to which it is connected.
- The growing threat of cyber attacks has increased awareness of the need for improved security.
- Nation-states are engaging in information warfare.

Other Security Concepts

Other Security Concepts
- Threat
- Vulnerability
- Exploit
- Attack
- Countermeasure
- Cryptography
- Forensics
https://www.techopedia.com/definition/25263/threat

Other Security Concepts: Threat
A threat refers to anything that has the potential to cause serious harm to a computer system. Threats are potentials for vulnerabilities to turn into attacks. They can put computers and businesses at risk.
https://www.techopedia.com/definition/25263/threat

Other Security Concepts: Vulnerability
A vulnerability refers to a flaw or weakness in a system that can leave it open to attack. Goal: to reduce vulnerabilities, which gives malicious users fewer options to gain access to secure information. Protect a PC from vulnerabilities by:
- Keeping security patches up to date
- Staying informed about current vulnerabilities
https://www.techopedia.com/definition/13484/vulnerability

Other Security Concepts: Attack
An attack is the deliberate exploitation of computer systems and networks. It results in the compromise of, and loss of, data.
https://www.techopedia.com/definition/24748/cyberattack

Other Security Concepts: Exploit
Exploit is a general term for any method used by hackers to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system's security that opens the system to an attack.
https://www.techopedia.com/definition/4275/exploit

Other Security Concepts: Countermeasure
A countermeasure is an action or method that is applied to prevent, avert or reduce potential threats to computers, servers, networks, operating systems (OS) or information systems (IS). Countermeasure tools include anti-virus software and firewalls.
https://www.techopedia.com/definition/49/countermeasure

Other Security Concepts: Countermeasure Examples
- Anti-virus and anti-spyware applications: protect against malicious software (malware), including viruses, Trojans and adware
- Behavioral techniques: applied by users to deter threats, such as suspicious email attachments
- Firewalls: facilitate authorized network access
- Intrusion detection systems (IDS): prevent and/or block unauthorized system access
- Physical security (especially in enterprises): prevents hacking and network subterfuge
https://www.techopedia.com/definition/49/countermeasure

Other Security Concepts: Cryptography
Cryptography involves creating written or generated codes that allow information to be kept secret. It converts data into a format that is unreadable to an unauthorized user, allowing it to be transmitted without anyone decoding it back into a readable format and thereby compromising the data.

Other Security Concepts: Forensics
Forensics is the process of uncovering and interpreting electronic data. The goal of the process is to investigate by collecting, identifying and validating digital information in order to reconstruct past events. It is the analysis that follows security attacks or other types of cybercrime.
https://www.techopedia.com/definition/16122/network-forensics

The Security mindset

What is the Security Mindset?

Security Mindset
“Security requires a particular mindset. Security professionals see the world differently...This kind of thinking is not natural for most people. It involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.”
Bruce Schneier

Security Mindset
Characteristics of individuals with a security mindset:
- Passionate
- Curious
- Obsessed
- Enthused
- Think outside the “box”

Security Mindset: Managed Paranoia
- They are out to get me. How could they get me?
- Do I care? What is the real risk?
- What countermeasures can I apply to mitigate the risks (threats)?
- Where am I vulnerable?
- What will it cost to fix it? Is it worth it?
NOTE: It is important to know you’ve been attacked! You must design and build security into a system; bolting it on afterwards just doesn’t work.

Security Mindset
The security mindset involves circumventing the designer's intent by violating the designer's assumptions. Most security vulnerabilities are "outside" of the technical design (Dahlin, n.d.).

Security Mindset
Every security person should know that:
- Technical solutions alone are insufficient.
- A good designer needs to think about the big picture: how the system will be developed, maintained and used.
As a security person, ask yourself: Can I trust this system? Can I trust this environment? (Dahlin, n.d.)

Security Mindset: Benefits
- Exposure to security issues
- Naturally having security in mind
- Awareness of security bugs
- Minimizing overlooked security bugs
- Introduction to simple attack/defense scenarios

The Attack Model
- Threat: something that might happen.
- Vulnerability: a point in the system where a threat could compromise the system.
- Risk: the combination of the probability of an event and its consequences.
- Attack: the application of a threat to a system.
- Exploit: a successful attack.
- Remediation: the security team tries to figure out what happened and comes up with a fix to restore things, and a countermeasure.
- Countermeasure: what you do to fix a vulnerability so the threat can’t be exploited.

Information Security fundamentals

What Is Security?
“A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”
A successful organization should have multiple layers of security in place to protect:
- Operations
- Physical infrastructure
- People
- Functions
- Communications
- Information

What Is Security? (cont’d)
- The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
- Includes information security management, data security, and network security.
- The C.I.A. triangle is a standard based on confidentiality, integrity, and availability, now viewed as inadequate.
- The expanded model consists of a list of critical characteristics of information.

Key Information Security Concepts
- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Vulnerability

Key Information Security Concepts (cont’d)
- A computer can be the subject of an attack and/or the object of an attack.
- When it is the subject (attack tool) of an attack, the computer is used as an active tool to conduct the attack.
- When it is the object (victim) of an attack, the computer is the entity being attacked.

Subject and Object of an Attack

Key Information Security Concepts (cont’d)
- A direct attack is when a hacker uses a computer to break into a system.
- An indirect attack is when a system is compromised and used to attack other systems, as in a botnet or other distributed denial-of-service attack.

Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
- Availability
- Accuracy
- Authenticity
- Confidentiality
- Integrity
- Utility
- Possession

CIA Triad & McCumber Cube

Components of an Information System
An information system (IS) is the entire set of people, procedures, and technology that enable a business to use information:
- Software
- Hardware
- Data
- People
- Procedures
- Networks

Balancing Security & Access
- It is impossible to obtain perfect information security: it is a process, not a goal.
- Security should be considered a balance between protection and availability.
- To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Security design principles

Saltzer and Schroeder’s Principles
Software development leaders J. H. Saltzer and M. D. Schroeder first identified these security principles:
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability

Saltzer and Schroeder’s Principles
- Economy of mechanism: keep the design as simple and small as possible.
- Fail-safe defaults: base access decisions on permission rather than exclusion.
- Complete mediation: every access to every object must be checked for authority.
- Open design: the design should not be secret.
- Separation of privilege: it’s safer if it takes two parties to agree to launch a missile than if one can do it alone.
- Least privilege: operate with the minimal set of powers needed to get the job done.
- Least common mechanism: minimize subsystems shared between or relied upon by mutually distrusting users.
- Psychological acceptability: design security systems for ease of use.
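To make three of these principles concrete, here is an added example (not from the slides or from Saltzer and Schroeder's paper): the same access decision written once by exclusion and once by permission, with a two-party rule for destructive actions. All subjects, objects and grants are constructed sample data.

```python
"""Added example: fail-safe defaults, complete mediation and separation of
privilege in a tiny access checker. All names and grants are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    action: str                               # "read", "write" or "delete"
    obj: str
    approvers: FrozenSet[str] = frozenset()   # co-signers for two-party actions


class ExclusionChecker:
    """Decides by exclusion: anything not on the deny list is allowed.
    A new object the administrator forgot to list is silently reachable."""

    def __init__(self, denied: Set[Tuple[str, str]]):
        self.denied = denied                  # (subject, obj) pairs that are blocked

    def check(self, req: Request) -> bool:
        return (req.subject, req.obj) not in self.denied


class ReferenceMonitor:
    """Decides by permission: nothing is allowed without an explicit grant."""

    def __init__(self, two_party_actions=("delete",)):
        self.grants: Set[Tuple[str, str, str]] = set()
        self.two_party_actions = set(two_party_actions)

    def grant(self, subject: str, action: str, obj: str) -> None:
        self.grants.add((subject, action, obj))

    def check(self, req: Request) -> Tuple[bool, str]:
        # Complete mediation: every request comes through here; no cached answers.
        # Fail-safe default: an unknown subject, action or object is denied.
        if (req.subject, req.action, req.obj) not in self.grants:
            return False, "no explicit grant"
        # Separation of privilege: a destructive action needs a second party
        # who independently holds the same privilege to co-sign it.
        if req.action in self.two_party_actions:
            cosigners = req.approvers - {req.subject}
            if not any((c, req.action, req.obj) in self.grants for c in cosigners):
                return False, "second privileged approver required"
        return True, "allowed"


def demo() -> dict:
    """Runs both checkers against the same constructed requests."""
    exclusion = ExclusionChecker(denied={("guest", "hr/salaries.csv")})
    monitor = ReferenceMonitor()
    monitor.grant("alice", "read", "hr/salaries.csv")
    monitor.grant("alice", "delete", "hr/salaries.csv")
    monitor.grant("bob", "delete", "hr/salaries.csv")

    # A file created after the deny list was written: nobody blocked guest on it.
    new_file = Request("guest", "read", "hr/bonuses.csv")
    solo_delete = Request("alice", "delete", "hr/salaries.csv")
    dual_delete = Request("alice", "delete", "hr/salaries.csv",
                          approvers=frozenset({"bob"}))
    return {
        "exclusion_allows_new_file": exclusion.check(new_file),
        "monitor_allows_new_file": monitor.check(new_file)[0],
        "solo_delete": monitor.check(solo_delete),
        "dual_delete": monitor.check(dual_delete),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The exclusion checker lets the guest read the newly created file because it was never listed; the permission-based monitor denies it without any configuration change.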

System Security Life-cycle

The Security Systems Development Life Cycle (SecSDLC)
- The same phases used in the traditional SDLC can be adapted to support implementation of an IS project.
- It involves identifying specific threats and creating specific controls to counter them.
- SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions.

SDLC

Software Assurance—Security in the SDLC
- Many organizations recognize the need to include planning for security objectives in the SDLC used to create systems.
- They have established procedures to create software that is more capable of being deployed in a secure fashion.
- This approach is known as software assurance (SA).

Approaches to Securing the SDLC

The NIST Approach

The NIST Approach to Securing the SDLC
NIST Special Publication
Early integration of security in the SDLC enables agencies to maximize return on investment through:
- Early identification and mitigation of security vulnerabilities and misconfigurations
- Awareness of potential challenges
- Identification of security services and use of security strategies and tools
- Facilitation of informed executive decision making

The NIST Approach to Securing the SDLC
Processes/steps:
- Initiation
- Development/Acquisition
- Implementation/Assessment
- Operations and Maintenance
- Disposal

The NIST Approach: Initiation
Security at this point is looked at in terms of business risks. Key security activities include:
- Business requirements in terms of confidentiality, integrity, and availability
- Determination of information categorization
- Determination of any privacy requirements

The NIST Approach: Development/Acquisition
Key security activities include:
- Conducting a risk assessment and using the results to supplement baseline security controls
- Analyzing security requirements
- Performing functional and security testing
- Designing the security architecture

The NIST Approach: Implementation/Assessment
The system is installed and evaluated in its operational environment. Key security activities include:
- Integrating the information system into its environment
- Planning and conducting testing of security controls

The NIST Approach: Operations and Maintenance
Systems are in place and operating; enhancements and/or modifications to the system are developed and tested, and hardware and/or software are added or replaced. Key security activities include:
- Continuous monitoring of the information system’s security controls

The NIST Approach: Disposal
Provides for disposal of the system and closeout of any contracts in place.

Microsoft’s Approach


Defense-in-Depth

Defense-in-Depth
Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.
http://searchsecurity.techtarget.com/definition/defense-in-depth

Defense-in-Depth
The idea behind defense in depth is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach. This principle is well known: have a series of defenses so that if an error isn't caught by one, it will probably be caught by another.
https://buildsecurityin.us-cert.gov/articles/knowledge/principles/defense-in-depth

Defense-in-Depth
The principle of defense-in-depth is that layered security mechanisms increase the security of the system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system.
https://www.owasp.org/index.php/Defense_in_depth

Defense-in-Depth
For example, it is not a good idea to rely entirely on a firewall to provide security, as firewalls can usually be circumvented by a determined attacker (even if it requires a physical attack or a social engineering attack). Other security mechanisms that address different attacks should be added to complement the protection of a firewall (e.g., surveillance cameras and security awareness training).
https://www.owasp.org/index.php/Defense_in_depth

Security implementation mechanisms

Security Implementation Mechanisms
- Physical security measures
- Authentication
- Authorization
- Audit trails
- Data encryption
- Firewalls
- Intrusion detection / intrusion prevention systems

Security Implementation Mechanisms: Physical Security
Guns, gates and guards.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Physical Security
- Physical security refers to limiting access to key network resources by keeping the resources behind a locked door.
- It can also protect the network from hackers, competitors, and terrorists walking in off the street and changing equipment configurations.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Authentication
Authentication identifies who is requesting network services. The term authentication usually refers to authenticating users but can also refer to authenticating devices or software processes.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Authorization
Whereas authentication controls who can access network resources, authorization says what they can do after they have accessed the resources. Authorization grants privileges to processes and users. It lets a security administrator control parts of a network (for example, directories and files on servers).
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Accounting (Auditing)
Refers to collecting network activity data. Audit data should include all attempts to achieve authentication and authorization. It is especially important to log "anonymous" or "guest" access to public servers. The data should also log all attempts by users to change their access rights.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2
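As an added example (not from the slides or the Cisco Press article they cite), the following review runs the slide's auditing checklist over a few constructed audit records: repeated authentication failures, denied authorization, guest or anonymous access to public servers, and users trying to change their own access rights. The key=value log format and the host naming convention ending in "-public" are assumptions made for this example.

```python
"""Added example: reviewing an audit trail for the events the slide says must be
recorded. The log format and every sample line below are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed audit records, one event per line (not real data).
SAMPLE_LOG = """\
ts=2024-06-14T08:01:12Z event=authn user=alice src=10.0.0.5 result=fail reason=bad_password
ts=2024-06-14T08:01:20Z event=authn user=alice src=10.0.0.5 result=fail reason=bad_password
ts=2024-06-14T08:01:31Z event=authn user=alice src=10.0.0.5 result=success
ts=2024-06-14T08:02:02Z event=authz user=alice resource=/srv/finance action=read result=deny
ts=2024-06-14T08:05:44Z event=authn user=guest src=203.0.113.9 result=success host=www-public
ts=2024-06-14T08:06:10Z event=authz user=guest resource=/var/www/upload action=write result=deny host=www-public
ts=2024-06-14T08:09:03Z event=privilege user=bob target=bob change=add_group:wheel result=deny
ts=2024-06-14T08:09:15Z event=privilege user=bob target=bob change=add_group:wheel result=success
ts=2024-06-14T08:12:00Z event=anonymous_login user=anonymous src=198.51.100.4 result=success host=ftp-public
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def review(log_text: str, fail_threshold: int = 2) -> Dict[str, List[str]]:
    """Return findings grouped by category, following the slide's checklist."""
    findings: Dict[str, List[str]] = defaultdict(list)
    auth_failures: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        event = rec.get("event")
        user = rec.get("user", "?")
        result = rec.get("result")

        # Every authentication attempt is logged; flag a user once they reach
        # fail_threshold consecutive-in-log failures (password guessing signal).
        if event == "authn" and result == "fail":
            auth_failures[user] += 1
            if auth_failures[user] == fail_threshold:
                findings["repeated_auth_failure"].append(f"{user} from {rec.get('src')}")

        # Every authorization decision is logged; denials are worth a look.
        if event == "authz" and result == "deny":
            findings["authz_denied"].append(f"{user} {rec.get('action')} {rec.get('resource')}")

        # Guest / anonymous access to public servers must always be recorded.
        if user in ("guest", "anonymous") and rec.get("host", "").endswith("-public"):
            findings["guest_public_access"].append(f"{user} on {rec['host']} ({event})")

        # A user changing their own access rights, whether or not it succeeded.
        if event == "privilege" and user == rec.get("target"):
            findings["self_privilege_change"].append(f"{user} {rec.get('change')} -> {result}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```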

Security Implementation Mechanisms: Data Encryption
Encryption is a process that scrambles data to protect it from being read by anyone but the intended receiver. An encryption device encrypts data before placing it on a network. A decryption device decrypts the data before passing it to an application.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Firewalls
A firewall is a device that enforces security policies at the boundary between two or more networks. A firewall can be a router, a dedicated hardware appliance, or software.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Security Implementation Mechanisms: Intrusion Detection and Prevention Systems
An intrusion detection system (IDS) detects malicious events and notifies an administrator, using email, paging, or logging of the occurrence. An intrusion prevention system (IPS) can dynamically block traffic by adding rules to a firewall or by being configured to inspect (and deny or allow) traffic as it enters a firewall.
http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Information Assurance Analysis Model

Information Assurance “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”

Maconachy, Schou, Ragsdale (MSR) Cube
Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance: An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS, USMA, West Point, NY, 5-6 June 2001.

Security Services: What types of problems can occur?
- Confidentiality
- Integrity
- Availability
- Authentication
- Non-repudiation

Information States: Where is the data?
- Transmission
- Storage
- Processing

Security Countermeasures: Who can enforce/check security?
- People
- Policy and practice
- Technology

Disaster recovery

Key Terms
- Incident: an event or occurrence that results in the misuse, abuse or compromise of confidential, sensitive or personal information.
- Disaster: an event or incident that has unfortunate consequences.
https://www.techopedia.com/definition/13767/business-continuity-and-disaster-recovery-bcdr

Key Terms
Main categories of disasters:
- Natural
- Man-made

Key Terms
The contingency planning team must decide which actions constitute disasters and which constitute incidents. When situations are classified as disasters, plans change as to how to respond; action is taken to secure the most valuable assets in order to preserve value for the longer term.

Contingency Planning (CP) Process
Includes the following steps:
- Develop the CP policy statement
- Conduct a business impact analysis
- Identify preventive controls
- Create contingency strategies
- Develop the contingency plan
- Ensure plan testing, training, and exercises
- Ensure plan maintenance

Business Impact Analysis (BIA)
- Investigation and assessment of the various adverse events that can affect the organization.
- Assumes security controls have been bypassed, have failed, or have proven ineffective, and that the attack has succeeded.
- The organization should consider scope, plan, balance, knowledge of objectives, and follow-ups.

Incident Response Planning
Incident response planning includes the identification of, classification of, and response to an incident. Attacks are classified as incidents if they:
- Are directed against information assets
- Have a realistic chance of success
- Could threaten the confidentiality, integrity, or availability of information resources
Incident response (IR) is more reactive than proactive.

Incident Response Planning (cont’d)
- Incident detection
- Incident reaction
  - Notification of key personnel
  - Documentation of the incident
- Incident containment strategies
  - Containment of the incident’s scope or impact is the first priority; the organization must then determine which information systems are affected.
  - The organization can stop the incident and attempt to recover control through a number of strategies.
- Incident recovery
  - Damage assessment
  - Repair vulnerabilities, address any shortcomings in safeguards, and restore the data and services of the systems.

Disaster Recovery Planning
- Disaster recovery planning (DRP) is preparation for and recovery from a disaster.
- DRP strives to reestablish operations.
- Disaster recovery personnel must know their roles without any supporting documentation:
  - Preparation
  - Training
  - Rehearsal

Crisis Management
- Actions taken in response to an emergency to minimize injury/loss of life, preserve the organization’s image/market share, and complement disaster recovery/business continuity processes.
- What may truly distinguish an incident from a disaster are the actions of the response teams.

Crisis Management
- Supporting personnel and families during the crisis
- Determining the impact on normal business operations and, if necessary, making a disaster declaration
- Keeping the public informed
- Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Business Continuity Planning
- Prepares the organization to reestablish or relocate critical business operations during a disaster that affects operations.
- If a disaster has rendered the current location unusable, there must be a plan to allow the business to continue functioning.
- Development of the BCP is somewhat simpler than the IRP or DRP.
- It consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy.

Continuity Strategies
Incident response plans (IRPs), disaster recovery plans (DRPs) and business continuity plans (BCPs). Primary functions of these plans:
- The IRP focuses on immediate response; if an attack escalates or is disastrous, the process changes to disaster recovery and the BCP.
- The DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with the BCP.
- The BCP occurs concurrently with the DRP when damage is major or ongoing, requiring more than simple restoration of information and information resources.

Law Enforcement Involvement
When the incident at hand constitutes a violation of law, the organization may determine that involving law enforcement is necessary.

Organizations of interest

CNSS
The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of US security systems. The CNSS holds discussions on policy issues and sets national policy, directions, operational procedures, and guidance for the information systems operated by the U.S. Government, its contractors or agents.
https://www.niap-ccevs.org/NIAP_Evolution/faqs/nstissp-11/

NIST
NIST, the National Institute of Standards and Technology, is an agency of the U.S. Department of Commerce and one of the nation's oldest physical science laboratories. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
http://www.nist.gov/public_affairs/general_information.cfm

SANS
SANS: the System Administration, Networking, and Security Institute. The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals, from auditors and network administrators to chief information security officers, are sharing the lessons they learn and jointly finding solutions to the challenges they face.
https://www.sans.org/about/

Security Certifications

Security Certifications
Top 5 InfoSec certs:
- CompTIA Security+
- CEH: Certified Ethical Hacker
- GSEC: SANS GIAC Security Essentials
- CISSP: Certified Information Systems Security Professional
- CISM: Certified Information Security Manager
http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

References

History of Information Security
- Retrieved from http://www.scmagazine.com/a-brief-history-of-internet-security/article/149611/
- Retrieved from https://duo.com/blog/a-history-of-hacking-timeline-infographic

Security Mindset
- Retrieved from https://www.youtube.com/watch?v=eZNzMKS7zjo
- Retrieved from https://securityintelligence.com/security-mindset-data-breach/
- Retrieved from http://www.tripwire.com/state-of-security/off-topic/the-security-mindset-the-key-to-success-in-the-security-field/
- Dahlin, M. (n.d.). Intro to security: “The security mindset”. Retrieved from https://www.cs.utexas.edu/~dahlin/Classes/439/lectures/sec1.pdf
- Retrieved from https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html

Defense in Depth
- Retrieved from https://www.owasp.org/index.php/Defense_in_depth
- Retrieved from https://buildsecurityin.us-cert.gov/articles/knowledge/principles/defense-in-depth
- Retrieved from http://searchsecurity.techtarget.com/definition/defense-in-depth

Design Principles
- http://www.cs.ucsb.edu/~kemm/courses/cs177/principles.pdf

Information Assurance Model
- Retrieved from http://grothoff.org/christian/teaching/2007/3704/w2c3.pdf
- Retrieved from https://www.lynda.com/Security-tutorials/information-assurance-model/184142/189039-4.html

MSR Model
- Retrieved from http://reports-archive.adm.cs.cmu.edu/anon/qatar/CMU-CS-QTR-108.pdf

Video: Enigma
- https://www.youtube.com/watch?v=G2_Q9FoD-oQ

Books
- Whitman, M. E. and Mattord, H. J. (2014). Principles of Information Security. Cengage Learning.
- Pfleeger, C. P. (2015). Security in Computing. Pearson Education.