Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Criteria, Certifications, and Training

Published byAubrie Hodges Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Criteria, Certifications, and Training"— Presentation transcript:

1 Security Criteria, Certifications, and Training
Lesson 25

2 The “Rainbow Series” NSA Documents, varied color covers
Orange: Trusted System Security Evaluation Criteria Green: Password Management Yellow: Guidance for applying Orange Book Tan: Guide to understand audit in trusted system Red: Trusted Network Interpretation Purple: Formal Verification Aqua: Understanding Security Modeling Pink: Ratings Maintenance Phase Program Forest Green: Magnetic remanence

3 The “Orange Book” The NCSC (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC) Designed to meet three objectives to provide guidance to manufacturers as to what security features to build into their products to provide the DoD customers with a metric to evaluate the degree of trust they could place in a computer system to provide a basis for specifying security requirements in acquisition specifications

4 The Orange Book Particular emphasis is on preventing unauthorized disclosure of information. Based on Bell-La Padula security model Simple Security Condition allows a subject read access to an object only if the security level of the subject dominates the security level of the object. *-Property allows a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property. “No Read Up/No Write Down”

5 The Orange Book “Trusted Computing Base” Concept 7 Levels
D: Minimal Protection C1: Discretionary Security Protection C2: Controlled Access Protection B1: Labeled Security Protection B2: Structured Protection B3: Security Domains A1: Verified Protection

6 The Orange Book

7 Division C Class C1

8 Division C Class C1

9 Division C Class C2

10 Division B Class B1

11 The “Red Book” Trusted Network Interpretation (TNI) Two parts
Interprets Orange book for networks interpretation rationale Describes additional security services that arise with networks.

12 Division C Class C1

13 The Network Security Services

14 Issues with Any Certification
Certifications take time thus they generally have a hefty price associated with them. By the time the product is evaluated, its obsolete. Who gets to do the evaluation? Lots of folks don’t want the government poking around their product, but can you trust some other company? Certifications are for a single release, if you release a new version it will need to be evaluated too.

15 The ITSEC and Common Criteria
After the TCSEC was published, several European countries issued their own criteria. The Information Technology Security Evaluation Criteria (ITSEC). Had a number of improvements. Permitted new feature definitions and functionalities. Accommodated commercial evaluation facilities Soon the U.S. was preparing to update the TCSEC. Instead of multiple standards, how about a joint one? Thus, the birth of the Common Criteria

16 Common Criteria

17 Common Criteria Has 7 Evaluation Assurance Levels (EAL)
EAL1: functionally tested EAL2: Structurally tested EAL3: Methodologically tested and checked EAL4: Methodologically designed, tested, & reviewed EAL5: Semiformally designed and tested EAL6: Semiformally verified design and tested EAL7: Formally verified design and tested Any collection of components can be combined with an EAL to form a Protection Profile. Defines an implementation-independent set of security requirements and objectives.

18 ICSA Certification ICSA Inc. initiated a program for certifying IT products against a set of industry accepted, de facto standards. Standards are developed with input from security experts, vendors, developers, and users. Targets threats that actually occur frequently, not postulated ones (think covert channels). Goal is criteria appropriate for 80% of customers. Has mechanism for certification of future versions.

19 ICSA

20 ICSA

21 ICSA

22 Security Awareness and Training
We keep saying that people are the biggest problem, so… Why not train them so we can get rid of (or reduce) the problem???? What types of things would be useful? General security training passwords, social engineering, viruses Administrator training specialized training for specific OS and security devices (e.g. firewalls, IDS…), vulnerability/risk assessments,

23 Type of training Formal Courses Online Courses CD-based instruction
(Security Awareness Programs)

24 Checkpoint Firewall Training
The first class yields a Check Point Certified Security Administrator (CCSA) degree. It provides a complete overview of FireWall-1 and focuses the hands-on training on stand-alone systems. This class is for end-users and resellers who need a good technical understanding of FireWall-1 and need to install and set up simple configurations. The second more advanced class yields a Check Point Certified Security Engineer (CCSE) degree and dwells more in depth on setting up multiple firewall systems, using different encryption schemes, alternative key management schemes, certificate of authorities, etc., and includes hands-on practice of many of these advanced security techniques. The CCSA degree is a pre-requisite to sign up for this class. This advanced class is for end-users who have sophisticated security requirements for their enterprise networks and for resellers who seek Certified Check Point Partner status.

25 Foundstone

26 Training Courses

27 SecureInfo

28 MIS Training Institute
Auditing Your Web Server Internet and Web Security Introduction to Network Security Network Intrusion Detection Protecting Your Networks with Firewalls Remote Access Services and Virtual Private Network Security Securing TCP/IP Networks Security and Audit of TCP/IP Networks SWITS Network Security Advanced Class Audit and Security of Windows NT Server V.4 Control Analysis of Enterprise-wide Telecommunications Controlling and Securing Unix-Based Operating Systems Controlling and Securing Windows 2000 Controlling Client/Server Environments Unix Workshop

29 Training as a Business There is a bunch of money to be made in training: let’s assume 50 hour work weeks, 48 work weeks a year for a consultant, at $200/hour, 75% utilization = $360,000/year 2 weeks/month teaching, 2 weeks preparing for a trainer, 20 students/course, $1500/student = $720,000/year Obviously there are other considerations, marketing & sales overhead competition and demand

30 (ISC)2 (ISC)2 - International Information Systems Security Certifications Consortium (ISC)² offers two certification examinations: the Certified Information Systems Security Professional (CISSP) the Systems Security Certified Practitioner (SSCP) The CISSP program certifies IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization. The SSCP program certifies network and systems administrators who implement those policies, standards, and procedures on the various hardware and software programs for which they are responsible.

31 CISSP The (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination which consists of 250 multiple choice questions that address the ten topical test domains of the CBK. The information systems security test domains are: Access Control Systems & Methodology {Computer} Operations Security Application & Systems Development Business Continuity & Disaster Recovery Planning Telecommunications & Network Security Security Architecture & Models Physical Security -- Cryptography Security Management Practices -- Law, Investigations & Ethics

32 SSCP The (ISC)², working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination which consists of multiple choice questions that address the seven topical test domains of the CBK. The information systems security test domains are: Access Control Administration Audit and Monitoring Risk, Response, and Recovery Cryptography Data Communications Malicious Code

33 SANS Institute Conferences – Ontario, May 13-18
GIAC Training and Certification Program SANS' GIAC Training and Certification Program is designed to serve the people who are or will be responsible for managing and protecting important information systems and networks. GIAC course specifications were developed through a consensus process that involved more than a hundred members of SANS' faculty and other experienced security practitioners. They combine the opinions, knowledge, and expertise of many of the world's most experienced front-line security and system administrators, intrusion detection analysts, consultants, auditors, and managers. The GIAC certification program consists of: Information Security KickStart LevelOne Security Essentials LevelTwo subject area modules

34 SANS Institute

35 GIAC Training Information Security KickStart
Are you looking for a way to "break in" to the information security field? Did your manager just walk up to you and say, "Congratulations, you are the new security officer"? Then Information Security KickStart is for you! KickStart was designed for the professional who needs to get up to speed fast on the terminology, concepts, issues, tools, and technology of the field. A student who completes the Information Security KickStart and GIAC Security Essentials Certification possesses the foundational skills that no information security professional should be without. KickStart and Security Essentials also prepare you for the more advanced, in-depth LevelTwo training.

36 GIAC Training Welcome to SANS Security Essentials
SANS Security Essentials offers a strong technical foundation for all areas of system and network security. Similar to KickStart, Security Essentials provides broad coverage of information security topics, but begins to go more in-depth. Each of the eighteen course units offers practical, from-the-trenches, "how-to" information, not just theory. Security Essentials includes the following units: 1: Information Assurance Foundations 2: IP Concepts 3: IP Behavior 4: Internet Threat 5: Basic Security Policy 6: Malicious Software and Anti-Virus Tools 7: Host Based Perimeter Protection 8: Windows NT Password Management 9: Unix Password Management 10: Introduction To Pretty Good Privacy (PGP) 11: Introduction To Cryptography : Introduction To Cryptography 2 13: Securing Windows NT Step-by-Step 14: Securing Linux Step-by-Step 15: Backups For Windows NT 16: Backups For Linux 17: Basic Windows NT Auditing 18: Basic Linux Auditing SANS Security Essentials is available through a three-day class.

37 GIAC Training Intrusion Detection in Depth On-Line Training is one of SANS’ signature courses, and offers an immersion in the world of intrusion detection. Like all GIAC programs, Intrusion Detection in Depth is continually revised to include the latest attack patterns. We strongly recommend that students spend some time getting familiar with tcpdump, Windump, or other network analyzer output before taking this course. Intrusion Detection in Depth covers: Essential TCP/IP concepts for intrusion detection and network traffic analysis Configuration and use of tcpdump, the most widely used freeware traffic analysis tool Log file interpretation and analysis Configuration and use of Snort, the freeware intrusion detection system for both UNIX and Windows Intrusion detection signatures and analysis, including samples and explanation of numerous real-world traces

38 GIAC Training

39 Security+ Certification

Download ppt "Security Criteria, Certifications, and Training"

Similar presentations

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Security and Personnel

Security and Personnel
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
Information Assurance & Network Security Certificate Prof. Rafael M. Rivera Universidad del Turabo School of Engineering Institute of Telecommunications.

Information Assurance & Network Security Certificate Prof. Rafael M. Rivera Universidad del Turabo School of Engineering Institute of Telecommunications.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Security Controls – What Works

Security Controls – What Works
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Security Certification

Security Certification
What is CISSP Anyway? A Presentation by: George L. McMullin II, CISSP COO, CorpNet Security, Inc. Executive Director, NEbraskaCERT.

What is CISSP Anyway? A Presentation by: George L. McMullin II, CISSP COO, CorpNet Security, Inc. Executive Director, NEbraskaCERT.
Certification and Training Presented by Sam Jeyandran.

Certification and Training Presented by Sam Jeyandran.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Maintaining a Microsoft SQL Server 2008 Database SQLServer-Training.com.

Maintaining a Microsoft SQL Server 2008 Database SQLServer-Training.com.

Similar presentations

Ads by Google