Defense-in-Depth What Is It?

Defense-in-Depth What Is It?
Peter Leight and Richard Hammer, August 2006

What is Defense-in-Depth?
- There is no "silver bullet" when it comes to network security
- Any layer of protection might fail
- Multiple levels of protection must be deployed
- Measures must span a wide range of controls (preventive and detective measures)

Focus of Security is Risk
- Security deals with managing risk to your critical assets
- Security is basically an exercise in loss reduction
- It is impossible to totally eliminate risk; we settle for residual risk
- Risk is the probability of a threat crossing or touching a vulnerability
- Risk is managed by utilizing defense-in-depth (DiD)
- Risk = threat x vulnerabilities

Key Focus of Risk (the CIA triad)
- Confidentiality / Disclosure
- Integrity / Alteration
- Availability / Destruction

Prioritizing CIA
- While all three areas of CIA are important to an organization, there is always one area that is more critical than the others
- Confidentiality: health care organizations, hospitals
- Integrity: financial institutions, banks
- Availability: e-commerce based organizations, online banking

What is a Threat?
- Possible danger
- Protect against the ones that are most likely or most worrisome, based on: intellectual property, validated data, business goals, past history, main point of exposure
- 5 primary threats: malware, insider, health epidemic, terrorism, natural disasters

Vulnerabilities
- Weaknesses in a system
- Vulnerabilities are inherent in complex systems; they will always be present
- The majority of vulnerabilities are the result of poor coding practices, such as lack of error checking
- Vulnerabilities are the gateway by which threats are manifested
- Vulnerabilities fall into two categories: known (those you can protect against) and unknown, or "zero day"

Approaches to DiD
- Deploy measures to reduce, eliminate or transfer risk
- Five basic approaches: uniform protection, protected enclaves, information centric, threat vector analysis, role-based access control

Uniform Protection - DiD
- Most common approach to Defense-in-Depth
- Firewall, VPN, intrusion detection, anti-virus, etc.
- All parts of the organization receive equal protection
- Particularly vulnerable to malicious insider attacks

Protected Enclaves DiD
- Work groups that require additional protection are segmented from the rest of the internal organization
- Restricting access to critical segments
- Examples: DOE "unclean" network, system of VPNs, internal firewalls, VLANs and ACLs

Information Centric Defense-in-Depth
- Identify critical assets and provide layered protection
- Data is accessed by applications
- Applications reside on hosts
- Hosts operate on networks
- Layers, from the outside in: network, host, application, information

Vector Oriented DiD
- The threat requires a vector to cross the vulnerability
- Stop the ability of the threat to use the vector
- USB thumb drives: disable USB
- Floppy drives: disable
- Auto-answer modems: digital phone PBX

Role-Based Access Control
- People are identified by their roles
- Data is accessed by roles, not people
- People can have more than one role
- More than one role can access the same data

Identity, Authentication, Authorization & Accountability
- Identity is who you claim to be
- Authentication is the process by which you prove you are who you say you are: something you know, something you have, something you are, some place you are
- Authorization is determining what someone has access to or is allowed to do, after they have been properly authenticated
- Accountability deals with knowing who did what and when

Controlling Access
- Least Privilege: give someone the least amount of access they need to do their job
- Need to Know: only give them the access when they need it, and take it away when it is no longer required
- Separation of Duties: break critical tasks across multiple people to limit your points of exposure
- Rotation of Duties: change jobs on a regular basis to prevent anyone from getting comfortable in a position and being able to cover their tracks
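The role-based access model, the authorization-after-authentication step and the least-privilege, need-to-know and separation-of-duties controls from the last three slides, worked through as an added Python example (not part of the original presentation); the roles, permissions, user names and the mutually exclusive role pair are invented for illustration.

```python
# Added example (not from the presentation): a minimal RBAC model for the
# slides above. Roles, permissions and the SoD pair are invented.
from dataclasses import dataclass, field

# Permissions attach to roles, never to people: (resource, action) pairs.
ROLE_PERMISSIONS = {
    "teller":    {("account", "read"), ("account", "deposit")},
    "auditor":   {("account", "read"), ("ledger", "read")},  # two roles, same data
    "initiator": {("wire", "create")},
    "approver":  {("wire", "approve")},
}
# Separation of duties: no one person may hold both halves of a split task.
MUTUALLY_EXCLUSIVE = [frozenset({"initiator", "approver"})]

class SeparationOfDutiesError(Exception):
    """Raised when a grant would let one person complete a split task."""

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # a person may hold several roles

def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any grant that violates separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    for pair in MUTUALLY_EXCLUSIVE:
        if role in pair and (pair - {role}) & user.roles:
            raise SeparationOfDutiesError(f"{user.name}: {role} conflicts with existing roles")
    user.roles.add(role)

def revoke_role(user: User, role: str) -> None:
    """Need to know: take access away as soon as it is no longer required."""
    user.roles.discard(role)

def is_authorized(user: User, resource: str, action: str) -> bool:
    """Authorization after authentication: the decision depends only on the
    user's roles; anything not granted to a role is denied (least privilege)."""
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)

def audit_record(user: User, resource: str, action: str) -> str:
    """Accountability: who did what; the caller adds 'when' (a timestamp)."""
    verdict = "ALLOW" if is_authorized(user, resource, action) else "DENY"
    return f"{verdict} {user.name} {action} {resource} roles={sorted(user.roles)}"
```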