
Chao-Hsien Chu, Ph.D., College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802. About the Course (IST 515).


1 About the Course: IST 515
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University, University Park, PA 16802
chu@ist.psu.edu
Topics: Objectives, Pedagogy, CISSP CBK, DHS EBK, INFOSEC

2 Objectives
This module will familiarize you with the following:
- Current trends in computer crime and security.
- Why information security is not just a technical problem.
- The Common Body of Knowledge (CBK) in information security proposed by (ISC)².
- The Essential Body of Knowledge (EBK) in security suggested by the Department of Homeland Security.
- The purpose, coverage and policies of the course.
- The concept of "defense in depth" (DID) in security.

3 Reading List
- SANS, "2008 Salary and Certification Survey." http://www.sans.org/resources/salary_survey_2008.pdf
- Robert Richardson, "2009 CSI Computer Crime & Security Survey." (Required)
- Wikipedia, "Certified Information Systems Security Professional (CISSP)." http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional
- Department of Homeland Security, "Information Technology Security Essential Body of Knowledge," 2007.
- ISACA, "Information Security Career Progression." http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=42042
- Wikipedia, "Defense in Depth (computing)." http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

4 Sun Tzu's Art of War
If you know your enemies and know yourself, you can win a hundred battles without a single loss (知彼知己，百戰不殆).
If you only know yourself, but not your opponent, you may win or may lose (不知彼而知己，一勝一負).
If you know neither yourself nor your enemy, you will always endanger yourself (不知彼，不知己，每戰必殆).
(http://en.wikipedia.org/wiki/The_Art_of_War)

5 SANS Security Salary Survey (2008)
- Salaries for information security professionals are high: only 1.65% of respondents earn less than US $40,000 per year, and over 38% earn US $100,000 or more per year.
- 81% of respondents with hiring responsibilities consider certification a factor in their hiring decisions.
- 41% of respondents said their organizations use certifications as a factor when determining salary increases.
- Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

6 2010 IT Skills and Salary Report: Security Certifications
Certification                                                   Mean       Median     Responses
CCNA Security – Cisco Certified Network Associate Security      $89,911    $80,500    110
CCSA – Check Point Certified Security Administrator             $99,512    $93,000    49
CCSE – Check Point Certified Security Expert                    $98,254    $91,000    30
CEH – Certified Ethical Hacker                                  $92,794    $86,500    76
CISA – Certified Information Systems Auditor                    $100,855   $94,500    78
CISM – Certified Information Security Manager                   $113,846   $96,250    64
CISSP – Certified Information Systems Security Professional     $99,928    $96,000    373
Security+ – CompTIA Security+                                   $76,844    $73,000    417
(http://www.examland.com/it-certification/1865/1865/)

7 2008 CSI Security Survey
- The most expensive computer security incidents were those involving financial fraud.
- Virus incidents occurred most frequently.
- Almost one in ten organizations reported they had had a Domain Name System (DNS) incident.
- Twenty-seven percent of those responding to a question regarding "targeted attacks."
- A majority of respondents (68 percent) said their organizations had a formal information security policy.

8 Summary of Key Types of Incident
Percentage of respondents reporting each incident type, by survey year (2004 2005 2006 2007 2008 2009; rows with fewer than six values had merged or blank cells in the original table):
Virus / Malware Infection          78%  74%  65%  52%  50%  64%
Insider Abuse                      59%  48%  42%  59%  44%  30%
Laptop Theft                       49%  48%  47%  50%  42%
Unauthorized Access                37%  32%  25%  29%
Denial of Service                  39%  32%  25%  21%  29%
Instant Messaging Abuse            25%  21%  8%
Bots                               21%  20%  23%
Theft/loss of Customer Data        17%
Abuse of Wireless Network          15%  16%  14%  17%  14%  8%
System Penetration                 17%  14%  15%  13%  14%
Financial Fraud                    8%   7%   9%   12%  20%
Misuse of Web Application          10%  5%   6%   9%   11%
Theft/loss of Proprietary Info     10%  9%   8%   9%
Password Sniffing                  10%  9%   17%
DNS Attacks                        6%   8%   7%
Web Site Defacement                7%   5%   6%   10%  6%   14%
Telecom Fraud                      10%  8%   5%
Sabotage                           5%   2%   3%   4%   2%

9 Trends of Key Incidents

10 Security Technologies Used (2008)
Technology                                   Percentage of respondents
Anti-virus software                          97%
Firewalls                                    94%
Virtual Private Network (VPN)                85%
Anti-spyware software                        80%
Encryption of data in transit                71%
Intrusion detection systems                  69%
Vulnerability / patch management tools       65%
Web / URL filtering                          61%
Intrusion prevention systems                 54%
Application-level firewalls                  53%
Encryption of data at rest (in storage)      53%

11 Test Your Understanding
- What percentage of corporations experienced at least one security incident?
- Name the two highest-prevalence threats, which are experienced by a majority of firms.
- Describe trends for the three traditional hacker attacks.
- Describe trends in the three low-prevalence, high-impact attacks.
- Why do you think companies may have a difficult time planning for low-prevalence, high-impact attacks?
- Describe trends for wiretapping, telecommunications eavesdropping, and telecommunications fraud.
- Does media coverage typically mirror the importance of threats?

12 CSI Security Survey 2009
- Big jumps in the incidence of password sniffing, financial fraud, and malware infection.
- One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
- Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
- Twenty-five percent felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
- Respondents were satisfied, though not overjoyed, with all security technologies.

13 CSI Security Survey 2009 (continued)
- Investment in end-user security awareness training was inadequate, but investments in the other components of the security program were adequate.
- Actions taken: 22 percent notified individuals whose personal information was breached; 17 percent provided new security services to users or customers.
- Security solutions: use tools that improve visibility, such as better log management, security information and event management (SIEM), security data visualization, and security dashboards.
- Regulatory compliance efforts have had a positive effect on organizations' security programs.

14 Types of Attack

15 Let Us Talk
- What kind of knowledge and skills are needed to succeed in an information security career? CBK vs. EBK: similarities and differences.
- What do professionals have to say about the field? Hard vs. soft skills.
- How about IST 515? How about your degree?

16 CISSP CBK (Common Body of Knowledge)
The ten domains of Information Systems Security:
- Information security and risk management
- Access control
- Cryptography
- Physical (environmental) security
- Security architecture and design
- Telecommunications and network security
- Application security
- Operations security
- Business continuity and disaster recovery planning
- Legal, regulations, compliance and investigations

17 Roles and Competencies (EBK)
The fourteen DHS EBK competency areas:
- Strategic Management
- IT Security Training & Awareness
- Risk Management
- Data Security
- Physical & Environmental Security
- System & Application Security
- IT Systems Operations & Maintenance
- Procurement
- Personnel Security
- Enterprise Continuity
- Incident Management
- Regulatory & Standards Compliance
- Digital Forensics
- Network Security & Telecommunications

18 Ten Most Common Activities Performed
Rank  Current Position                          %      Prior Position                            %
1     Risk Management                           76.6   Data Security                             56.6
2     Security Program Management               74.0   Risk Management                           54.8
3     Data Security                             70.7   Network Security                          53.5
4     Policy Creation and Maintenance           65.3   Security Program Management               49.0
5     Regulatory Compliance                     63.4   Policy Creation and Maintenance           48.8
6     Security Project Management               59.6   Business Continuity/Disaster Recovery     45.8
7     Incident Management                       58.5   System and Application Security           45.2
8     Network Security                          57.3   Security Architecture                     45.1
9     Business Continuity/Disaster Recovery     56.1   Incident Management                       44.8
10    Security Architecture                     55.9   Security Project Management               44.8

19 Critical Skills Necessary for Advancement*
Area                               Very Important   Important   Not Important   No Opinion
Writing ability                    69%              28%         0%              1%
Verbal communication ability       68%              29%         0%              1%
Technical knowledge                66%              31%         2%              1%
Critical thinking and judgment     69%              26%         2%              3%
Teamwork and collaboration         52%              42%         3%
Ability to lead change             52%              39%         5%              4%
Business knowledge                 40%              50%         6%              3%
Cross-functional influence         35%              50%         7%              9%
Influence                          33%              52%         8%              7%
Facilitation                       24%              56%         11%             10%
Mentoring and coaching             19%              57%         17%             7%
Strategic business planning        22%              48%         21%             10%
* SANS Information Security Survey, 2007

20 IST 515 covers the interdisciplinary theoretical, conceptual, methodological, and practical foundations of information security and assurance, with emphases on information systems security, security and risk management, economic aspects of security, trust management, human factors in security, and enterprise security.

21 Course Coverage
- Common Body of Knowledge (CBK) from (ISC)² CISSP and Essential Body of Knowledge (EBK) from DHS.
- Penetration Testing / Ethical Hacking (EC-Council).
- Topics to be covered (CBK):
  - Information Security & Risk Management
  - Access Control
  - Physical & Environmental Security
  - Security Architecture and Design
  - Application Security
  - Operations Security
  - Business Continuity and Disaster Recovery Planning
  - Legal, Regulations, Compliance and Investigations

22 Course Objectives
- Understand the basics of information security and assurance.
- Understand the core technologies used in making a networked information system secure and assured.
- Understand how to build information systems with assurances and the role of "trust" in delivering these assurances.
- Take an interdisciplinary approach to analyzing the security and assurance of modern information systems.
- Understand the economic aspects of security.
- Understand the impact of human factors in security.

23 Security Defense in Depth
Diagram: the lifecycle phases Prediction, Prevention, Monitoring/Detection, Forensics, Response and Recovery, with example tools under each:
- Prediction: qualitative models, quantitative models, risk analysis, plans
- Prevention: policy/regulation, firewall/DMZ, access control/VPN
- Monitoring/Detection: scanner, IDS, data mining
- Forensics: tracing, investigation
- Response and Recovery

24 Defense in Depth of Security: Course Mapping
Diagram: the same phases (Prediction, Prevention, Detection, Forensics, Response, with a Feedback loop) and tools (policy/regulation, firewall/DMZ, access control/VPN, qualitative and quantitative models, plans, risk analysis, scanner, IDS, data mining, tracing, investigation) mapped to the courses that cover them:
- IST 451: Network Security
- IST 452: Legal & Regulatory Issues
- IST 453: Computer Forensics Law
- IST 454: Computer & Cyber Forensics
- IST 456: Security & Risk Management
- IST 515: Information Security & Assurance
- IST 554: Network Management & Security
- IST 564: Crisis, Disaster & Risk Management
- IN SC 561: Web Security & Privacy
- SRA 472: Integration of Privacy & Security
- SRA 868: Visual Analytics for Security

25 Security Curriculum Map
Courses:
- IST 451: Network Security
- IST 454: Cyber Forensics
- IST 456: Security Management
- IST 515: Information Security and Assurance
- IST 554: Network Management and Security
- IST 564: Crisis, Disaster and Risk Management
- IN SC 561: Web Security & Privacy
- SRA 472: Privacy & Security
- SRA 868: Visual Analytics
- IST 594: Research Paper
- Independent Studies
Legend: Required for IS & HLS; Required for HLS; Elective.
Abbreviations: HLS: Homeland Security; INSC: Information Science; IS: Information Sciences; IST: Information Sciences & Technology; SRA: Security & Risk Analysis.

26 Security Defense in Depth: Layers
From the outermost layer to the innermost:
- Policies, Procedures, and Awareness
- Physical Security
- Perimeter Defenses
- Network Defenses
- Host Defenses
- Application Defenses
- Data Defenses

28 Certificate of Accomplishment
The Center for Information Assurance at the Pennsylvania State University, through its curricula, certifies that [Student] has acquired the knowledge and skills that meet the National Training Standard NSTISSI-4011 for Information Systems Security (INFOSEC) Professionals, established by the Committee on National Security Systems (CNSS) and the National Security Agency (NSA), on December 201x.
Dr. Hank Foley, Dean, College of Information Sciences and Technology
Dr. Chao H. Chu, Executive Director, Center for Information Assurance

29 INFOSEC Certificate
Required courses (6 credits):
- IST 515: Information Security and Assurance
- IST 554: Network Management and Security
Elective courses (select 9 credits):
- IST 451: Network Security
- IST 454: Computer and Cyber Forensics
- IST 456: Security and Risk Management
- IST 564: Crisis, Disaster, and Risk Management
- IN SC 561: Web Security and Privacy

30 Thank You! Any Questions?

