TEL382 Greene Chapter 5

Outline What Are We Trying To Protect? Information Classification Information Ownership Policy Information Classification Footprinting & Four-Step Hacking Process Information Classification Policy Information Classification Labeling and Handling Information Classification Program Lifecycle Classification Handling and Labeling Policy Value and Criticality of Information Systems Inventory of Information Systems Assets Policy 2/25/2019

Introduction How to protect something when we don’t know what it is worth and how sensitive it is How to determine how much time, effort and funds should we spend securing the asset 2/25/2019

What Are We Trying To Protect? Databases Data Files Intellectual Property Operational & Support Procedures Research Documentation Archived Information Business Plans 2/25/2019

Information Ownership Policy Information Custodian Manages Day-to-Day Controls Responsible for providing CIA for information ISO 17799 Recommends the Need for a Policy Information Security Officer (ISO) Provides Direction and Guidance 2/25/2019

Information Classification Military Unclassified Confidential Secret Top Secret Commercial Public (Annual Reports, Product Documents, White Papers, etc.) Restricted (Policy Documentation, Procedure Manuals, Employee Lists, etc.) Sensitive (Personal/Privileged – Patient or Employee Records) Confidential (Business Strategies, Financial Position/Plans, Schematics, Formulas, Patents) 2/25/2019

Information Classification Labeling and Handling Labels (Electronic, Print, Audio, Visual) Clear, Universally Understood Handle Information in Accordance with Its Classification Information Owner Defines Protection Information Custodian Implements Protection Information User Uses Information In Accordance with Label 2/25/2019

Information Classification Program Lifecycle Information Classification Procedures Define asset and supporting information systems Characterize criticality of information system Identify information owner and information custodian Assign classification level Determine and implement corresponding level of controls Label information and information system appropriately Document handling procedures, including disposal Integrate handling procedures into information user security awareness program Declassify information when (and if) appropriate Information may be reclassified or declassified 2/25/2019

Value and Criticality of Information Systems In Calculating Asset Value, Consider: Cost to acquire or develop Cost to maintain and protect Cost to replace Importance to owner Competitive advantage of information Marketability of information Impact on delivery of product or services Reputation Liability issues Regulatory compliance requirements 2/25/2019

Inventory of Information Systems Assets Policy Hardware Computer Equipment Communication Equipment Storage Media Infrastructure Equipment Software OS Productivity Applications 2/25/2019

Asset Attributes Unique Identifier Asset Description Manufacturer Imprint Physical and Logical Address Controlling Entity 2/25/2019

System Characterization Understanding of System System Boundaries HW & SW Information Stored, Processed or Passing Through Ranking By: Protection Level – Safeguards Required Operations Importance (System Impact – How Important) 2/25/2019

Review Risk Assessment 2/25/2019

TEL382 Greene Chapter 9

Outline What is a Security Posture? Managing User Access Access Control Policy Managing User Access User Access Management Policy Keeping Passwords Secure Password Use Policy User Authentication for Remote Connections User Authentication for Remote Connections Policy Mobile Computing Mobile Computing Policy Telecommunting Telecommunting Policy Monitoring System Access and Use Monitoring System Access and Use Policy 2/25/2019

Introduction Controlling Who (What) has Access to Which Information Concepts Deny/Allow All Least Privilege Need-to-Know Etc. Methods Accounts Authentication Password Management 2/25/2019

What is a Security Posture? Organization’s Attitude Toward Security Default Positions Secure (Default Deny) Reactive (Default Permit) Least Privilege Give User Least Amount of Access Required to Perform Job Functions Need-to-Know Demonstrated and Authorized Reasons for Access Few People Have Access to Critical Business Operations Individual Users Don’t Know More Than They Should 2/25/2019

Access Control Policy Access Models Classification Models MAC DAC RBAC Classification Models TS, S, C, U R, S, C, P Security Clearance Level, Access Privilege, Need-to-Know 2/25/2019

Managing User Access User Access Management Starting Work Promotions, Terminations, Transfers, etc. 2/25/2019

Keeping Passwords Secure Don’t Share Don’t Write It Down Anywhere Change Frequently Change From Admin Assigned Value Immediately Process for Reissuing (I Forgot!!) Change if Compromise is Suspected Don’t Allow Applications or Web Sites to Remember Don’t Use Same Password for Different Purposes 2/25/2019

User Authentication for Remote Connections Risk Assessment Dial-Up vs. Internet Access VPN IPSec Authentication Server RADIUS TACACS+ Hardware Tokens Private Lines Dial-back 2/25/2019

Mobile Computing Risk Assessment Approved Devices How Data is Stored on Portable Devices Mandating Connectivity Means Protection Malware Theft/Loss 2/25/2019

Telecommunting Controls Ensuring CIA (Same as “on-premises”) Secure Equipment from Accidental and Intentional Misuse Equipment Not to be Used For Non-business Purposes Classification Guidelines Equipment Must be Physically Secured 2/25/2019

Monitoring System Access and Use Parameters to Monitor Authorized Access Privileged Operations Unauthorized Attempts System Alerts or Failures Review and Retention Legalities 2/25/2019

TEL382 Greene Chapter 10

Outline What Are The Risks to the Organization? Security Requirements of Systems Security Requirements of Systems Policy The Things That Should Never Happen To Sensitive Data Sloppy Code vs. Secure Code Security in Applications Systems Policy Risk Assessments and Cryptography Breaking the Caesar Cipher Cryptographic Controls Policy Operating System and Application Software Stability Security of System Files, Development, and Support Processes Policy 2/25/2019

What Are The Risks to the Organization? Business and Mission-Critical Applications Organizational Risks Loss of Productivity Loss of Trust Systems Development Systems Maintenance 2/25/2019

Security Requirements of Systems Risk Assessments Third-Party Consultants Advantages/Disadvantages Separation of Duties Adding Controls After Implementation 2/25/2019

The Things That Should Never Happen To Sensitive Data Loss Modification Misuse 2/25/2019

Code Sloppy vs. Secure System Owner Responsibilities Techniques Input Validation Data Validation Output Validation 2/25/2019

Cryptography Risk Assessments CIA Plus Non-repudiation Key Management Digital Signatures Key Management 2/25/2019

Operating System and Application Software Stability Thorough Testing Testing Environment No Live Data Only Stable Versions Updates Rollback Policy When To/Who Install(s) Updates 2/25/2019