Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies."— Presentation transcript:

1 Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies

2 Stephen S. Yau CSE 465-591, Fall 2006 2 Fundamental strategies to develop and implement IA: Security by Obscurity Strategy Perimeter Defense Strategy Defense in Depth Strategy Security Strategies

3 Stephen S. Yau CSE 465-591, Fall 2006 3  If existence of an organization’s IA baseline and critical objects is unknown, might not subject to threats.  Intent to secure the system by hiding the details of the security mechanisms  IA involves the use of obscurity strategy to a certain extend Security by Obscurity Strategy (Stealth)

4 Stephen S. Yau CSE 465-591, Fall 2006 4 Security by Obscurity Strategy (cont.) (Stealth)   An example of security through Obscurity: “Guarding the written specifications for security functions and preventing all but the most trusted people from seeing it.”   Not very practical and realistic for systems interacting with customers

5 Stephen S. Yau CSE 465-591, Fall 2006 5  Focus on threats form outsiders  Intent to control the flow of information between organization’s internal trusted network and the un- trusted external internet  Not much of IA capabilities is allocated to secure the internal system  Examples: Firewall, security access keys, access codes Perimeter Defense Strategy

6 Stephen S. Yau CSE 465-591, Fall 2006 6 Perimeter Defense Strategy (cont.) Two critical weaknesses: – –Does very little or nothing to protect against attacks by an authorized inside user – –If the perimeter defenses fail, then the internal systems are open to attack

7 Stephen S. Yau CSE 465-591, Fall 2006 7  Define a number of operationally interoperable and complementary technical and non-technical IA layers of defense  Separate organization network into enclaves  An enclave is an environment under control of a single authority with personnel and physical security measures.  Perimeter defense for each enclave  Complicated and multiple connections between enclaves and between enclave and outside  Need multiple layers and different solution for each connection Defense in Depth Strategy

8 Stephen S. Yau CSE 465-591, Fall 2006 8 Layer 4-10 (Non-technical IA Infrastructure) Layer 3: IA Architecture (Technical IA Infrastructure) Layer 2: IA Management Layer 1: IA Policies IA Baseline Critical Objects Defense in Depth Strategy --- Layered Architecture Model

9 Stephen S. Yau CSE 465-591, Fall 2006 9  Core consists of critical objects and IA baseline that collect, input, process, store, output, and communicate with any element in core.  IA Policies (Layer 1) defines the actions and behavior required to accomplish the organization’s IA needs.  IA Management (Layer 2) monitors and controls implementation of the IA policies.  IA Architecture (Layer 3) provides a means to allocate and integrate technical and non-technical controls Defense in Depth Strategy (cont.) --- Layered Architecture Model

10 Stephen S. Yau CSE 465-591, Fall 2006 10 Defense in Depth Strategy (cont.) --- Layered Architecture Model Layer 4 to 10 involve non-technical implementations of IA policies, and provide infrastructure in support of IA Architecture – –Layer 4 Operational security administration – –Layer 5 Configuration management – –Layer 6 Life-cycle security – –Layer 7 Contingency planning – –Layer 8 IA education, training, awareness – –Layer 9 IA policy Compliance Oversight – –Layer 10 IA incident response and reporting

11 Stephen S. Yau CSE 465-591, Fall 2006 11 Layer 3: IA Architecture IA architecture (Layer 3) ensure that at least the minimum level of interoperability and services is available to authorized users to perform their tasks, to coordinate with other users, and to exchange information securely IA architecture integrates three levels of security: –Physical security –Procedure security –Logical security

12 Stephen S. Yau CSE 465-591, Fall 2006 12 Layer 4: Operational Security Administration People: –Users: general and privileged –Separation of roles –Prevention –Limitation –Accountability –Detection –Deterrence –Outsourcing Security operations

13 Stephen S. Yau CSE 465-591, Fall 2006 13 Layer 5: Configuration Management Purposes: –Provide a mechanism to ensure documentation of all changes –Identify anticipated effects of changes on cost/schedule as a basis for approving/disapproving proposed changes –Maintain integrity of schedule –Maintain updated documentation on status of each proposed change –Ensure all changes communicated to appropriate personnel

14 Stephen S. Yau CSE 465-591, Fall 2006 14 Layer 6: Life-Cycle Security Security is involved in each state of the system’s life cycle: –Initiation –Definition –Design –Acquisition –Development and Implementation –Operation and Maintenance –Destruction and Disposal

15 Stephen S. Yau CSE 465-591, Fall 2006 15 Layer 7: Contingency Plan Planning for the Worst –Backups –Power outage –Emergency action plan/disaster recovery plan –Continuity of operations plan

16 Stephen S. Yau CSE 465-591, Fall 2006 16 Layer 8: IA Education, Training, and Awareness IA support services IA awareness programs IA curriculum development, certification and accreditation IA compliance inspection and validation Workshop, conference and symposia support

17 Stephen S. Yau CSE 465-591, Fall 2006 17 Layer 9: IA Policy Compliance Oversight Intent to provide a means of detecting, reporting, and correcting noncompliance with the IA policies Implementation can be performed both internally and by external parties Mechanisms –Intrusion detection systems –Scanners probing vulnerabilities of network to prevent attacks Specifying IP addresses to check origins of communication (OS, servers, routers, firewalls,…) –Automated auditing –Virus detectors –Periodic assessments of IA management and vulnerabilities

18 Stephen S. Yau CSE 465-591, Fall 2006 18 Layer 10: IA Incident Response & Reporting When best-laid defenses eventually fail, a incident response plan is needed. General incident handling procedures: 1.Determine appropriate response 2.Collect and safeguard the information 3.Contain the situation 4.Assemble the incident management team 5.Create evidence disks and printouts 6.Eradicate/clean up/recover 7.Prepare preliminary status report for management and other authorities 8.Document and report all activities 9.Lesson learned: make improvements

19 Stephen S. Yau CSE 465-591, Fall 2006 19 Reference J. G. Boyce, D. W. Jennings, Information Assurance: Managing Organizational IT Security Risks. Butterworth Heineman, 2002, ISBN 0- 7506-7327-3

Download ppt "Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.

Chapter 7: Key Process Areas for Level 2: Repeatable - Arvind Kabir Yateesh.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Building a Successful Security Infrastructure

Building a Successful Security Infrastructure
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Stephen S. Yau 1CSE 465-591, Fall 2006 IA Management.

Stephen S. Yau 1CSE , Fall 2006 IA Management.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices

Network security policy: best practices
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Similar presentations

Ads by Google