Security management
w.lilakiatsakun
Principles of Security
Referred to as the AIC/CIA triad: Availability, Integrity, Confidentiality
Availability (1/2)
- The systems and networks should provide adequate capability in order to perform in a predictable manner with an acceptable level of performance
- They should recover from disruption in a secure and quick manner
- Single points of failure should be avoided
- Backup measures should be taken
Availability (2/2)
- Redundancy mechanisms should be in place when necessary
- Systems should be protected from environmental issues such as heat, cold, humidity, static electricity and contamination
- An IDS should be used to protect against denial-of-service attacks
- Certain firewall and router configurations can also reduce the threat of DoS attacks
Integrity (1/3)
- Integrity is upheld when the assurance of accuracy and reliability of information and systems is provided and unauthorized modification is prevented
- Hardware, software and communication mechanisms must work in a concerted manner to maintain and process data correctly and move data to its intended destinations without unexpected alteration
Integrity (2/3)
- The systems and network should be protected from outside interference and contamination
- User mistakes
- Threats such as viruses or a back door into a system or data
- Strict access control, intrusion detection and hashing can combat these threats
Integrity (3/3)
- Security should streamline users' capabilities and give them only certain choices and functionality, so that errors become less common and less devastating
- System-critical files should be restricted from user view and access
- Applications should provide mechanisms that check for valid and reasonable input values
- Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms
Confidentiality (1/3)
- Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure
- Attackers can thwart confidentiality mechanisms by monitoring, shoulder surfing, stealing password files and social engineering
Confidentiality (2/3)
- Shoulder surfing is when a person looks over another person's shoulder and watches their keystrokes or views data as it appears on a computer screen
- Social engineering is when one person tricks another person into sharing confidential information by posing as someone authorized to have access to that information
Confidentiality (3/3)
Confidentiality can be provided by:
- Encrypting data as it is stored and transmitted
- Strict access control
- Data classification
- Training personnel on the proper procedures
Security definition (1/5)
A vulnerability is a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. Examples:
- Services running on a server
- Unpatched application or operating system software
- Unrestricted modem dial-in access
- An open port on a firewall
- Physical security that allows anyone to enter a server room
- Non-enforced password management on servers and workstations
Security definition (2/5)
A threat is any potential danger to information or systems. A threat is that someone or something (a threat agent) will use a specific vulnerability against an individual or company.
Security definition (3/5)
Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. Examples:
- If a firewall has several ports open, an intruder may use one to access the network in an unauthorized manner
- If users are not educated on processes and procedures, an employee may make an unintentional mistake that destroys data
- If there is no IDS, an attack may go unnoticed until it is too late
Security definition (4/5)
- Exposure is an instance of being exposed to losses from a threat agent
- A vulnerability exposes an organization to possible damage
- If password management is not used and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner
Security definition (5/5)
A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device or a procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability. Examples:
- Strong password management
- A security guard
- Access control mechanisms
- Security awareness training
Security Management program (1/3)
- Objective: to protect the company and its assets
- A security program should use a top-down approach, meaning that initiation, support and direction come from top management, work their way through middle management and then reach staff members
Security Management program (2/3)
- The security policy works as a blueprint for the company's security program and provides the necessary foundation to build upon
- The next step is to develop and implement procedures, standards and guidelines that support the security policy and identify the security countermeasures and methods
Security Management program (3/3)
Once the items mentioned above are developed, the security program increases in granularity by developing baselines and configurations for the chosen security controls and methods.
Security administration and supporting controls
Organizational security model (1/3)
It is a framework made up of many entities, protection mechanisms, logical (technical), administrative and physical components, procedures, business processes and configurations that all work together in a synergistic way to provide a security level for an environment.
Organizational security model (2/3)
Organizational security model (3/3)
- Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure that the company functions in a smooth and predictable manner
- Midterm goals, or tactical goals, could be to integrate all workstations and resources into one domain so that more central control can be achieved
- Long-term goals, or strategic goals, could be to move all the branches from dedicated communication lines to frame relay, implement an IPsec VPN for all remote users and integrate wireless technology, with the necessary measures, into the environment
Security program components
- The most commonly used standard is ISO (BS7799)
- Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure (now ISO 27002)
- Part 2 is an auditing guide based on requirements that must be met for an organization to be compliant with ISO (currently ISO 27001)
ISO 27002 (1/2)
The content sections are:
- Structure
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
ISO 27002 (2/2)
- Physical Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity
- Compliance
ISO 27001
The content sections of the standard are:
- Management Responsibility
- Internal Audits
- ISMS Improvement
- Annex A - Control objectives and controls
- Annex B - OECD principles and this international standard
- Annex C - Correspondence between ISO 9001, ISO and this standard
Security policy (1/4)
- A security policy is an overall general statement that dictates what role security plays within an organization
- A security policy can be an organizational security policy, an issue-specific policy or a system-specific policy
Security policy (2/4)
- An organizational security policy addresses relevant laws, regulations and liability issues and how they are to be satisfied
- An organizational security policy has several characteristics:
  - Business objectives should drive the policy's creation, implementation and enforcement
  - It should be developed and used to integrate security into all business functions and processes
  - It should be derived from and support all legislation and regulation applicable to the company
Security policy (3/4)
- An issue-specific policy, also called a functional implementing policy, addresses specific security issues that management feels need more attention
- For example, a security policy states that employees cannot use to share confidential information
Security policy (4/4)
- A system-specific policy presents management's decisions that are specific to the actual computers, networks, applications and data
- Examples:
  - This type of policy may provide an approved software list for a workstation
  - How computers are to be locked down
  - How printers and scanners are to be used
Types of policies
- Regulatory: ensures that the organization is following standards set by specific industry regulations (for example, financial institutions, health care facilities)
- Advisory: strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization (for example, how to handle financial transactions or process confidential information)
- Informative: informs employees of certain topics; it is not an enforceable policy (for example, how the company interacts with partners, or the company's goals or mission)
Definitions (1)
- Standards refer to mandatory activities, actions, rules or regulations
- Standards can be internal or externally mandated (regulations and government laws)
- Organizational security standards may specify how hardware and software products are to be used, and the expected user behavior
- These rules are usually compulsory within the company and need to be enforced
Definitions (2)
- A baseline refers to a point in time that is used as a comparison for future changes
- Baselines are used to define the minimum level of protection that is required
- In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection required
Definitions (3)
- Guidelines are recommended actions and operational guides for users, IT staff, operations staff and others when a specific standard does not apply
- Example: a policy states that access to confidential data must be audited
- A supporting guideline could further explain that the audit should contain sufficient information to allow for reconciliation with prior reviews
- A supporting procedure would outline the necessary steps to configure, implement and maintain this type of auditing
Definitions (4)
- Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal
- Examples: how to install operating systems, configure security mechanisms, implement access control lists
Network security policy: best practices
Ref: document ID 13601
Process
- Preparation
  - Create usage policy statements
  - Conduct a risk analysis
  - Establish a security team structure
- Prevention
  - Approving security changes
  - Monitoring security of your network
- Response
  - Security violation
  - Restoration
  - Review
Preparation: Create usage policy statement (1)
- Outline users' roles and responsibilities with regard to security
- General policy: covers all network systems and data within your company, by providing:
  - An understanding of the security policy and its purpose
  - Guidelines for improving their security practices
  - Definitions of their security responsibilities
  - Identification of specific actions that could result in punitive action
Preparation: Create usage policy statement (2)
- Partner acceptable use statement: it provides partners with
  - An understanding of the information that is available to them
  - The expected disposition of that information
  - The conduct of the employees of your company
- Clearly explain any specific acts that have been identified as security attacks and the punitive action that will be taken
Preparation: Create usage policy statement (3)
- Administrator acceptable use statement: explains
  - The procedures for user account administration
  - Policy enforcement
  - Privilege review
- Specific policies concerning user passwords and the handling of data should be clearly presented
- Check the policy against the partner acceptable use and user acceptable use statements to ensure uniformity
- Make sure that the administrator requirements listed in the policy are reflected in training plans and performance evaluations
Preparation: Conduct a risk analysis (1)
- A risk analysis should identify the risks to your network, network resources and data
- Identify the portions of your network, assign a threat rating to each portion and apply the appropriate level of security
- Each network resource can be assigned one of three risk levels
- Low risk: systems or data that, if compromised, would not disrupt the business or cause legal or financial ramifications, and would not provide further access to other systems. The targeted system or data can be easily restored.
Preparation: Conduct a risk analysis (2)
- Medium risk: systems or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or would provide further access to other systems. The targeted system or data requires a moderate effort to restore, and the restoration process is disruptive to the system.
Preparation: Conduct a risk analysis (3)
- High risk: systems or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications, would threaten the health and safety of a person, or would provide further access to other systems. The targeted system or data requires a significant effort to restore, and the restoration process is disruptive to the business or to other systems.
Preparation: Conduct a risk analysis (3)
Identify the types of users; the five most common types are:
- Administrators: internal users responsible for network resources
- Privileged: internal users with a need for greater access
- Users: internal users with general access
- Partners: external users with a need to access some resources
- Others: external users or customers
Preparation: Establish team structure
- Create a cross-functional security team led by a Security Manager, with participants from each of your company's operational areas
- The security team has three areas of responsibility:
  - Policy development: establishing and reviewing security policies for the company
  - Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and the CERT (Community Emergency Response Team), and turning the policy into implementations
  - Response: troubleshooting and fixing a violation; each team member should know in detail the security features provided by the equipment
Prevention: Approving security changes (1)
Recommendation on reviewing the following types of changes:
- Any change to the firewall configuration
- Any change to access control lists (ACLs)
- Any change to the Simple Network Management Protocol (SNMP) configuration
- Any change or update in software that differs from the approved software revision level list
Prevention: Approving security changes (2)
Recommended guidelines:
- Change passwords to network devices on a routine basis
- Restrict access to network devices to an approved list of personnel
- Ensure that the current software revision levels of network equipment and server environments are in compliance with the security configuration requirements
Prevention: Monitoring security of your network (1)
- Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation
- In the risk analysis matrix the firewall is considered a high-risk network device, so monitor it in real time
- From "Approving security changes", any change to the firewall should be monitored
- This means the SNMP agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall and connections set up through the firewall
Prevention: Monitoring security of your network (2)
- Following this example, create a monitoring policy for each area identified in your risk analysis:
  - Low-risk equipment: monitor weekly
  - Medium-risk equipment: monitor daily
  - High-risk equipment: monitor hourly
- Lastly, the security policy should address how to notify the security team of security violations, for example by SMS
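The risk-level criteria from "Conduct a risk analysis", the change types listed under "Approving security changes" and the weekly/daily/hourly cadence above can be tied together in code. The following is an added example, not part of the slides or of document ID 13601; the NetworkResource fields, the criterion vocabulary and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class NetworkResource:
    """One portion of the network, described with the criteria the slides use (field names assumed)."""
    name: str
    disruption: str         # business disruption if compromised: "none", "moderate", "extreme"
    legal_financial: str    # legal or financial ramification: "none", "minor", "major"
    further_access: bool    # compromise would provide further access to other systems
    threatens_safety: bool  # compromise would threaten the health or safety of a person
    restore_effort: str     # effort to restore: "easy", "moderate", "significant"


def rate_risk(r: NetworkResource) -> Risk:
    """Apply the low/medium/high criteria; the most severe matching criterion wins."""
    if (r.disruption == "extreme" or r.legal_financial == "major"
            or r.threatens_safety or r.restore_effort == "significant"):
        return Risk.HIGH
    if (r.disruption == "moderate" or r.legal_financial == "minor"
            or r.further_access or r.restore_effort == "moderate"):
        return Risk.MEDIUM
    return Risk.LOW


# Monitoring cadence per risk level (weekly, daily, hourly), expressed in hours.
MONITOR_INTERVAL_HOURS = {Risk.LOW: 7 * 24, Risk.MEDIUM: 24, Risk.HIGH: 1}

# Change types that always go through security review before approval.
REVIEWED_CHANGES = {"firewall_config", "acl", "snmp_config", "software_revision"}


def monitoring_policy(resources):
    """Return {resource name: (risk level, monitoring interval in hours)}."""
    return {r.name: (rate_risk(r), MONITOR_INTERVAL_HOURS[rate_risk(r)]) for r in resources}


def needs_security_review(change_type, new_revision=None, approved_revisions=()):
    """A software change needs review only when it leaves the approved revision list."""
    if change_type == "software_revision":
        return new_revision not in approved_revisions
    return change_type in REVIEWED_CHANGES


# Constructed sample inventory covering each risk level (not from the slides).
SAMPLE_INVENTORY = [
    NetworkResource("internet-firewall", "extreme", "major", True, False, "significant"),
    NetworkResource("intranet-web", "moderate", "minor", True, False, "moderate"),
    NetworkResource("lab-kiosk", "none", "none", False, False, "easy"),
]

if __name__ == "__main__":
    for name, (risk, hours) in monitoring_policy(SAMPLE_INVENTORY).items():
        print(f"{name:18} {risk.value:7} monitor every {hours}h")
```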
Response: Security violation (1)
- The first action after detection of an intrusion is the notification of the security team
- Define a procedure in the security policy that is available 24 hours a day, 7 days a week
- Next, define the level of authority given to the security team to make changes; possible corrective actions are:
  - Implementing changes to prevent further access to the violation
  - Isolating the violated systems
  - Contacting the carrier or ISP in an attempt to trace the attack
Response: Security violation (2)
  - Using recording devices to gather evidence
  - Disconnecting violated systems or the source of the violation
  - Contacting the police or other government agencies
  - Shutting down violated systems
  - Restoring systems according to a prioritized list
  - Notifying internal managerial and legal personnel
Response: Security violation (3)
- Lastly, collect and maintain information during a security attack:
  - To determine the extent to which systems have been compromised
  - To prosecute external violations
  - To determine the extent of the violation
- Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections
- Limit further compromise by disabling accounts, disconnecting the network equipment from the network and disconnecting from the Internet
Response: Security violation (4)
- Back up the compromised system to aid in a detailed analysis of the damage and the method of attack
- Look for other signs of compromise; often when a system is compromised there are other systems or accounts involved
- Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack
Response: Restoration
- Define in the security policy how to conduct, secure and make available normal backups
- As each system has its own means and procedures for backing up, the security policy should act as a meta-policy, detailing for each system the security conditions that require restoration from backup
- If approval is required before restoration can be done, include the process for obtaining approval as well
Response: Review (1)
- Review is the final effort in creating and maintaining a security policy
- Three things are to be reviewed: policy, posture and practice
- The security policy should be a living document
- Review it against known best practices
- Check the CERT website for useful tips, practices, security improvements and alerts
Response: Review (2)
- Review the network posture in comparison with the desired security posture
- An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but the security response of the organization as well
- For high-availability networks, conducting such a test annually is recommended
Response: Review (3)
- Finally, practice is defined as a test of the support staff to ensure that they have a clear understanding of what to do during a security violation
- Often the test is unannounced and done in conjunction with the network posture test
- It shows the gaps in procedures and in the training of personnel, so that corrective action can be taken