Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a Successful Security Infrastructure

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Building a Successful Security Infrastructure"— Presentation transcript:

1 Building a Successful Security Infrastructure
Terrence V. Lillard T. Lillard Consulting, Inc.

2 Ten Security Domains Cryptography Law, Investigations, and Ethics
Telecommunication & Network Security Access Control Application/System Security Security Management Operations Security Business Continuation & Disaster Recovery Planning Security Architecture Physical Security

3 Group Discussion Cryptography Law, Investigations & Ethics
Access Control Systems & Methodology Security Management Practices Security Architecture & Models Physical Security Business Continuity & Disaster Recovery Planning Operations Security (Computers) Application & Systems Development Telecommunications & Network Security The International Information Systems Security Certification Consortium, or (ISC)², working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). The information systems security test domains are: Cryptography Law, Investigations & Ethics Access Control Systems & Methodology Security Management Practices Security Architecture & Models Physical Security Business Continuity & Disaster Recovery Planning Operations Security (Computers) Application & Systems Development Telecommunications & Network Security Domain 1 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods. Domain 2 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing. Domain 3 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration. Domain 4 addresses security management policies, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development. Domain 5 addresses security architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security while system security involves the mechanisms that are used to maintain the security of system programs. Domain 6 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security. Domain 7 addresses business continuity planning and risk management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions. Domain 8 addresses (computer) operations security. Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included — notably, operator controls, hardware controls, media controls trusted system operations, trusted facility management, trusted recovery, and environmental contamination control. Domain 9 addresses application and system development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control. Domain 10 addresses Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

4 Security Infrastructure
Cryptography. - is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

5 Security Infrastructure
Law, Investigation, and Ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

6 Security Infrastructure
Access Control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

7 Security Infrastructure
Security Management Policies, Standards, and Organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

8 Security Challenges? Secured Infrastructure

9 Security Infrastructure
Security Architecture. Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security. In addition implementing system security to ensure mechanisms are used to maintain the security of system programs.

10 Security Architecture
Cryptography Public Key (RSA) X.509 Certificates Digital Signatures Digital Envelopes Hashing/Message Digest Symmetric Encryption Certificate Authorities Security Attacks Viruses Trojan Horses Bombs/Worms Spoofing/Smurf Sniffing and Tapping DOS Etc. Domain Trust Management Directional Trust Transitive Trust Kerberos NTLM Security Services Security Infrastructure DNS DMZ, Firewalls Directory Services IDS Virus Checkers VPN PKI NAT RADIUS, Remote Access Web Servers DHCP Wireless Security Goals Authentication Auditing Availability Authorization Privacy Integrity Non-Repudiation Application Single Sign On Kerberos/DCE Mixed/Integrated Security Smart Cards Cryptographic APIs PDAs (PocketPC, Palm Pilots) Protocols IPSEC SSL/TLS Kerberos L2TP PPTP PPP Etc.

11 Security Infrastructure
Physical Security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

12 Security Infrastructure
Business Continuity Planning and Risk Management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

13 Security Infrastructure
Operations Security (Computer). Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included — notably, operator controls, hardware controls, media controls trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

14 Security Infrastructure
Application and System Development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

15 Security Infrastructure
Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

16 Multiple Combined Security Strategies

17 Ten (10) Security Strategies
Description Least Privilege This principle means the any object (e.g., user, administrator, program, system) should have only the necessary security privilege required to perform its assigned tasks. Defense in Depth This principle recommends that multiple layers of security defense be implemented. They should back each other up. Choke Point Forces everyone to use a narrow channel, which you can monitor and control. A firewall is good example. Weakest Link This principle suggests that attackers seek out weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them. Fail-Safe Stance In the event your system fails, it should fail in a position that denies access to resources. Most systems will adhere to a deny stance or permit stance. Universal Participation To achieve maximum effectiveness, security systems should require participation of all personnel. Diversity of Defense This principle suggests that security effectiveness is also dependent on the implementation of similar products from different vendors. (This includes Circuit Diversity) Simplicity This principle suggests that by implementing simple things it is easier to manage. Security through Obsolesce This principle suggests that by implementing old technology no one will have the knowledge to compromise the system. Security through Obscurity This principle recommends the hiding of things as a form of protection.

18 Security Requirements
Authentication Availability Auditing Authorization Privacy/Confidentiality Integrity Non-repudiation 4APIN

19 Stages of Information and Classification
Disseminate Process Accumulate (Collect) Store Transmit D-PAST

20 N-Factor Authentication Methods
Someplace where you are located (SITE). Something that you HAVE. Something that you ARE. Something that you NEED. Something that you KNOW SHANK

21 TLC’s Security Stoplight Chart
Security Assurance Domains Red Yellow Green 1. Cryptography 2. Law, Investigations & Ethics 3. Access Control Systems & Methodology 4. Security Management Practices 5. Security Architecture & Models 6. Physical Security 7. Business Continuity & Disaster Recovery Planning 8. Operations Security (Computers) 9. Application & Systems Development 10. Telecommunications & Network Security

22 Security Controls Types of Control Preventive Detective Corrective
Deterrent Recovery Compensating

23 Security Infrastructure
Questions/Answers

Download ppt "Building a Successful Security Infrastructure"

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Access Control Methodologies

Access Control Methodologies
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security Controls – What Works

Security Controls – What Works
Chapter 1 – Introduction

Chapter 1 – Introduction
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
E-Commerce Security and Fraud Issues and Protections

E-Commerce Security and Fraud Issues and Protections
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google