MSIA Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation
MSIA Information Systems Security Purpose: Confidentiality Integrity Availability Also: Authenticity Non-Repudiation Full security is achieved through: physical, administrative, and technical safeguards common sense
MSIA Who Should Be Trained? Management End Users (First Line of Defense) InfoSec Staff (ISSPM, ISSM, NSM, ISSO, TASO, NSO) System Administrators Infrastructure Support Services
MSIA Awareness Training Secure Password Selection Password Security “Least Privilege” Policy Understanding Workstation security - Terminal Timeout How to Report Incidents for appropriate action WARNING Banner Pages Roles for Contingency Actions Anti-Virus Precautions and Reactions Regular Backups and Off-Site Storage Review and Act upon CERT/CIRT Alerts Event Reporting Chain “Social Engineering” Awareness
MSIA Advanced Training Apply as required for the group. Management needs to understand the risks, and the need for advanced capabilities toward Protection, Detection, Response and Recovery. SysAdmins on Patches, Security Log config and review, OS config, Least Privilege, etc. Security Staff keep up to date on advanced issues
MSIA Computer Incident/Emergency Response Centers/Teams, and occasionally vendors, responsibly send out Alerts or Advisories to warn activities and agencies of identified vulnerabilities that may be exploited, and how to proceed to “close the hole”. Examples include: CERT-CC, FEDCIRC, FIRST, Government CERTs. Keep up on Patches. Often, you can learn of new exploits before the CERTs warn subscribers by getting on SecurityFocus lists (Bugtraq, VulnDev, etc.)
MSIA Key Issues to Effective Network Security Management support Personnel training Cost-effective, planned, security measures Network Security Policy Adopt “Defense-in-Depth” Roles and responsibilities Processes and procedures
MSIA Security Policy “The first step is to conduct a risk assessment” “best protect your most valuable assets” “evaluate each security threat” “compare the measures taken to protect that asset and ensure the measures do not cost more than…” Slide Comments taken from: Network Security Policy – A Manager’s Perspective Ernest D. Hernandez November 22, 2000
MSIA “The security-related decisions you make, or fail to make, as administrator largely determines how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until you determine what your security goals are, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose.” Security Policy Guide to Writing Network Security Policy: ~ Site Security Handbook
MSIA Network Security Plan What are we trying to protect? - Assets? From whom are we trying to protect? What are our Threats? What are our Vulnerabilities? What is likelihood of Threat occurrence? What is the detrimental impact from occurrence? What Safeguards do we have/do we need? How do we implement security policy cost-effectively?
MSIA Risk Management [Diagram: DESIGN, DEVEL, IMPLEMENT, OPERATE. Labels: Test Security Features, Train; Identify & Include Security Features; Risk Analysis; ST&E; Security Procedures; Disaster Recovery Plan; Train; Patch Emerging Problems; Identify Addn’l Needs; Audit for Compliance; Review/Update; Train] For our purposes “accredit” means “approve for operation/connection/use”
MSIA What are some Policy issues? ??
MSIA File Backups Scheduling / Impact to normal operations Cost over Speed and Recoverability Off-Site Rotations: Son - Father - Grandfather
MSIA Asynch Session Readings Discussion: Malicious Software and Hoaxes Note: 2 are not on syllabus! Little Black Book of Viruses (download from website)