Building a Successful Security Infrastructure
Terrence V. Lillard
T. Lillard Consulting, Inc.
Ten Security Domains
- Cryptography
- Law, Investigations, and Ethics
- Telecommunication & Network Security
- Access Control
- Application/System Security
- Security Management
- Operations Security
- Business Continuation & Disaster Recovery Planning
- Security Architecture
- Physical Security
Group Discussion

The International Information Systems Security Certification Consortium, or (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). The information systems security test domains are:
1. Cryptography
2. Law, Investigations & Ethics
3. Access Control Systems & Methodology
4. Security Management Practices
5. Security Architecture & Models
6. Physical Security
7. Business Continuity & Disaster Recovery Planning
8. Operations Security (Computers)
9. Application & Systems Development
10. Telecommunications & Network Security

Domain 1 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Domain 2 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of the guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Domain 3 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

Domain 4 addresses security management policies, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Domain 5 addresses security architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs.

Domain 6 addresses physical security. Physical security involves the provision of a safe environment for information processing activities, with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Domain 7 addresses business continuity planning and risk management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

Domain 8 addresses (computer) operations security. Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

Domain 9 addresses application and system development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

Domain 10 addresses telecommunications and network security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media, as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.
Security Infrastructure: Cryptography
Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
Security Infrastructure: Law, Investigation, and Ethics
Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of the guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
Security Infrastructure: Access Control
Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
Security Infrastructure: Security Management Policies, Standards, and Organization
Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
Security Challenges?
Secured Infrastructure
Security Infrastructure: Security Architecture
Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security. In addition, system security is implemented to ensure that mechanisms are in place to maintain the security of system programs.
Security Architecture (overview of the Security Infrastructure)
- Cryptography: Public Key (RSA), X.509 Certificates, Digital Signatures, Digital Envelopes, Hashing/Message Digest, Symmetric Encryption, Certificate Authorities
- Security Attacks: Viruses, Trojan Horses, Bombs/Worms, Spoofing/Smurf, Sniffing and Tapping, DOS, etc.
- Domain Trust Management: Directional Trust, Transitive Trust, Kerberos, NTLM
- Security Services: DNS, DMZ, Firewalls, Directory Services, IDS, Virus Checkers, VPN, PKI, NAT, RADIUS, Remote Access, Web Servers, DHCP, Wireless
- Security Goals: Authentication, Auditing, Availability, Authorization, Privacy, Integrity, Non-Repudiation
- Application: Single Sign On, Kerberos/DCE, Mixed/Integrated Security, Smart Cards, Cryptographic APIs, PDAs (PocketPC, Palm Pilots)
- Protocols: IPSEC, SSL/TLS, Kerberos, L2TP, PPTP, PPP, etc.
Security Infrastructure: Physical Security
Physical security involves the provision of a safe environment for information processing activities, with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
Security Infrastructure: Business Continuity Planning and Risk Management
Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
Security Infrastructure: Operations Security (Computer)
Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
Security Infrastructure: Application and System Development
Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
Security Infrastructure: Telecommunications & Network Security
Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media, as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.
Multiple Combined Security Strategies
Ten (10) Security Strategies and Their Descriptions
1. Least Privilege: any object (e.g., user, administrator, program, system) should have only the security privileges required to perform its assigned tasks.
2. Defense in Depth: multiple layers of security defense should be implemented, and they should back each other up.
3. Choke Point: forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.
4. Weakest Link: attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.
5. Fail-Safe Stance: in the event your system fails, it should fail in a position that denies access to resources. Most systems adhere to either a deny stance or a permit stance.
6. Universal Participation: to achieve maximum effectiveness, security systems should require the participation of all personnel.
7. Diversity of Defense: security effectiveness also depends on implementing similar products from different vendors (this includes circuit diversity).
8. Simplicity: simple things are easier to manage.
9. Security through Obsolescence: by implementing old technology, no one will have the knowledge to compromise the system.
10. Security through Obscurity: hiding things as a form of protection.
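The Least Privilege and Fail-Safe Stance strategies above, worked as a small access-decision routine. This is an added example and not code from the slides; the policy rules, subject names, and the in-memory audit list are constructed for illustration, and the "permit" stance is included only to show what a fail-open decision looks like next to the fail-safe one.

```python
# Added example, not from the original slides: a policy evaluator that applies
# Least Privilege (each subject holds only the actions its task needs) and the
# Fail-Safe Stance (on error or no matching rule, deny). All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str
    actions: frozenset  # only the actions the subject's task requires


# Constructed sample policy; note the backup service is read-only.
POLICY = (
    Rule("backup-svc", "db/customers", frozenset({"read"})),
    Rule("web-app", "db/customers", frozenset({"read", "write"})),
    Rule("dba", "db/customers", frozenset({"read", "write", "grant"})),
)

AUDIT = []  # constructed in-memory audit trail standing in for a real log


def lookup_rules(subject, policy):
    """Stand-in for a policy store lookup; raises when the store is down."""
    if policy is None:
        raise RuntimeError("policy store unavailable")
    return [r for r in policy if r.subject == subject]


def decide(subject, resource, action, policy=POLICY, stance="deny"):
    """Return True if access is allowed.

    stance="deny" is the fail-safe stance from the slide: a lookup failure or
    the absence of a matching rule denies access. stance="permit" shows the
    weaker permit stance, where a lookup failure falls through to allow.
    """
    try:
        rules = lookup_rules(subject, policy)
    except RuntimeError as exc:
        AUDIT.append(f"lookup failed for {subject}: {exc}; stance={stance}")
        return stance == "permit"  # permit fails open, deny fails closed
    allowed = any(r.resource == resource and action in r.actions for r in rules)
    if not allowed:
        AUDIT.append(f"denied {subject} {action} on {resource}")
    return allowed
```

A lookup failure under the deny stance shows up in the audit trail as an outage to investigate rather than as a silent grant.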
Security Requirements
- Authentication
- Availability
- Auditing
- Authorization
- Privacy/Confidentiality
- Integrity
- Non-repudiation
Mnemonic: 4APIN
Stages of Information and Classification
- Disseminate
- Process
- Accumulate (Collect)
- Store
- Transmit
Mnemonic: D-PAST
N-Factor Authentication Methods
- Someplace where you are located (SITE)
- Something that you HAVE
- Something that you ARE
- Something that you NEED
- Something that you KNOW
Mnemonic: SHANK
TLC's Security Stoplight Chart
Each Security Assurance Domain is rated Red, Yellow, or Green:
1. Cryptography
2. Law, Investigations & Ethics
3. Access Control Systems & Methodology
4. Security Management Practices
5. Security Architecture & Models
6. Physical Security
7. Business Continuity & Disaster Recovery Planning
8. Operations Security (Computers)
9. Application & Systems Development
10. Telecommunications & Network Security
Security Controls
Types of Control:
- Preventive
- Detective
- Corrective
- Deterrent
- Recovery
- Compensating
Security Infrastructure: Questions/Answers