Introduction to Information Security
Objectives
In this lecture, you will:
- Define basic security concepts
- Begin to assess security risks
- Outline a security policy
- Locate information security resources
Basic Security Concepts
- Information security: perception
- Information security: reality
- CIA triad (confidentiality, integrity, and availability)
- PPP triad (physical security, privacy, and marketplace perception)

Notes: The term "information security" often evokes the more visible aspects of security, such as ethical hacking, war dialing, or intrusion detection. In reality, information security is a broad structural foundation of decisions, policies, and processes that together form a durable wall around data.
Confidentiality ensures that access to data is allowed only to authorized individuals or groups.
Integrity refers to the protection mechanisms in place to ensure that changes to data are tracked and properly controlled.
Availability: most IT organizations focus heavily on system and network availability by fixing server and application problems. Information security professionals must also ensure availability by preventing security breaches.
Basic Security Concepts
- Confidentiality: only authorized individuals can access data
- Integrity: data changes are tracked and properly controlled
- Availability: systems are accessible for business needs

Notes: CIA triad. Confidentiality of data is often perceived to be the only focus of security. The point of the CIA triad is to establish that confidentiality is only one part of security.
PPP triad. It emphasizes that confidentiality, integrity, and availability alone are not enough to make data secure: issues relating to privacy, physical security, and marketplace perception must also be addressed.
Assessing Risks
Assessment can be performed using a five-step process:
1. Check existing security policies and processes
2. Analyze, prioritize, and categorize resources
3. Consider business concerns
4. Evaluate existing security controls
5. Leverage existing management and control architecture

Notes: The annualized loss expectancy (ALE) is a formula that helps to estimate the potential financial loss from perceived threats. Based on the ALE calculation, you can determine which assets hold the greatest value, prioritize the protection of those assets, and determine which security measures will best benefit the business. The formula is ALE = SLE * ARO.
Single loss expectancy (SLE) is equal to the asset's value times the exposure factor. The first component of SLE, the asset value, is the total monetary amount determined from the TCO, the internal value, and the external value described in the previous sections. The second component, the exposure factor (EF), is the percentage of the asset's value that is expected to be lost from a particular threat. The example of the attack on EBS helps to illustrate the calculation of SLE.
Annualized rate of occurrence (ARO) is the estimated number of times a particular threat is expected to occur per year.
Leverage existing management and control architecture: the crucial step in the risk assessment process occurs when the ALE is compared to the cost of implementing or maintaining effective security measures. If new security controls are required, security professionals must build a persuasive business case for, or against, implementing them.
Assessing Risk
Check existing security policies and processes.
Analyze, prioritize, and categorize resources by determining each asset's total cost of ownership (TCO), internal value, and external value:
- TCO refers to the total monetary and labor costs calculated over a specific time period
- Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
- External value refers to the money or other commodity that the asset brings to the company from external sources
Assessing Risk
Consider business concerns through the annualized loss expectancy (ALE = SLE * ARO):
- Single loss expectancy (SLE) is equal to the asset's value times the exposure factor (EF)
- Asset value = TCO + internal value + external value
- EF is the percentage of the asset's value that is expected to be lost from a particular threat
- Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
Assessing Risk
- Evaluate existing security controls to determine which controls are deployed and effective
- Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls
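The risk-assessment steps above (asset valuation, SLE and ALE, then comparing ALE against the cost of a control) carried through in code. This is an added example, not material from the lecture: the assets, threats, control costs and the "residual EF/ARO after the control" inputs are constructed assumptions, and the control is judged justified only when the loss it avoids per year exceeds what it costs per year.

```python
"""Risk assessment with ALE = SLE * ARO, carried through to a control decision.

Added example; not part of the original lecture. Asset values, threats and
control costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # worth of the asset to internal operations
    external_value: float  # revenue or other value it brings from outside

    @property
    def value(self) -> float:
        # Asset value = TCO + internal value + external value (lecture definition)
        return self.tco + self.internal_value + self.external_value


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self):
        # Reject an EF above 100% or a negative rate before they poison the ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")


@dataclass(frozen=True)
class Control:
    """A candidate safeguard with an annual cost. residual_ef / residual_aro are
    the estimated EF and ARO once the control is in place (assumed inputs)."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    # SLE = asset value * EF
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    # ALE = SLE * ARO
    return single_loss_expectancy(asset, threat) * threat.aro


def prioritize(pairs):
    """Steps 2 and 3: rank (asset, threat) pairs by ALE, highest exposure first."""
    return sorted(pairs, key=lambda p: annualized_loss_expectancy(*p), reverse=True)


def evaluate_control(asset: Asset, threat: Threat, control: Control) -> dict:
    """Step 5: compare the ALE with and without the control against its annual cost."""
    before = annualized_loss_expectancy(asset, threat)
    mitigated = Threat(threat.name, control.residual_ef, control.residual_aro)
    after = annualized_loss_expectancy(asset, mitigated)
    net_benefit = before - after - control.annual_cost
    return {
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }


# Constructed sample data (not from the lecture).
CUSTOMER_DB = Asset("customer database", tco=200_000, internal_value=300_000, external_value=500_000)
WEBSITE = Asset("marketing website", tco=20_000, internal_value=10_000, external_value=70_000)
RANSOMWARE = Threat("ransomware", exposure_factor=0.4, aro=0.25)   # one event every four years
DEFACEMENT = Threat("defacement", exposure_factor=0.05, aro=2.0)    # twice a year
OFFLINE_BACKUPS = Control("offline backups", annual_cost=30_000, residual_ef=0.1, residual_aro=0.25)
WAF = Control("WAF subscription", annual_cost=15_000, residual_ef=0.05, residual_aro=0.5)


if __name__ == "__main__":
    for asset, threat in prioritize([(WEBSITE, DEFACEMENT), (CUSTOMER_DB, RANSOMWARE)]):
        print(f"{asset.name:20s} {threat.name:12s} "
              f"SLE={single_loss_expectancy(asset, threat):>10,.0f} "
              f"ALE={annualized_loss_expectancy(asset, threat):>10,.0f}")
    for asset, threat, control in ((CUSTOMER_DB, RANSOMWARE, OFFLINE_BACKUPS),
                                   (WEBSITE, DEFACEMENT, WAF)):
        print(evaluate_control(asset, threat, control))
```

With these constructed numbers the customer database carries an ALE of 100,000 per year and offline backups pay for themselves (net benefit 45,000), while the WAF costs more per year than the defacement loss it would avoid, which is the business case against it that step 5 asks for.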
Security Policy
At a minimum, an organization's security policy should cover the following:
- Physical security
- Access control
- Network security
- System security
- Authorized security tools
- Auditing procedures

Notes: A security policy is a document that reflects the overall security concepts, standards, and processes that form the foundation for every security measure taken by an organization.
- Foreword: lays out the purpose, scope, responsibilities, and penalties for non-compliance
- Physical security: protects the people, equipment, facilities, and computer assets
- Access control: user ID and rights management to ensure only authorized individuals have access to the necessary systems and network devices
- Network security: protects the network devices and data in transit
- System security: deploys the necessary defenses to protect computer systems from compromise
- Authorized security tools and testing: those required for the particular computer environment
- Auditing procedures: periodically check security compliance
Benefits of a Security Policy
A security policy has the following three important benefits:
- Communicates a common vision for security throughout a company
- Represents a single, easy-to-use source of security requirements
- Exists as a flexible document that should be updated at least annually to address new security threats
Inputs for a Security Policy
- Local laws, regulations, and business contracts
- Internal business goals, principles, and guidelines
- Security measures deemed essential through risk assessment
Building a Security Policy
An organization's security policy should cover the following:
- Foreword: purpose, scope, responsibilities, and penalties for noncompliance
- Physical security: controls to protect the people, equipment, facilities, and computer assets
- User ID and rights management: only authorized individuals have access to the necessary systems and network devices
Building a Security Policy (cont.)
An organization's security policy should cover the following:
- Network security: protect the network devices and data in transit
- System security: necessary defenses to protect computer systems from compromise
- Testing: authorized security tools and testing
- Auditing: procedures to periodically check security compliance
Building a Security Policy: Foreword
- Purpose: Why is this policy being established?
- Scope: What people, systems, software, information, and facilities are covered?
- Responsibilities: Who is responsible for the various computing roles in a company?
- Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?
Building a Security Policy: Physical Security
- Human threats: theft, vandalism, sabotage, and terrorism
- Building damage: fire, water damage, and toxic leaks
- Natural disasters: floods, hurricanes, and tornadoes
- Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines
- Equipment failure: computer system damage and network device failure
Building a Security Policy: User ID and Rights Management
- Authentication: the authentication model, implementation technologies, and implementation mechanism, with an authentication example
- Access controls: determine who gets what access to what; the access control model, with ACLs and RBAC as access control examples
- User account creation, deletion, and validation: manage user accounts
- Password policies: manage password parameters
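The two access control models the slide names, ACL and RBAC, side by side on the same requests. This is an added example and not code from the lecture; the users, resources, roles and the offboarding scenario are constructed. Both models deny by default (an unknown user, an unregistered resource, or an unlisted action all fall through to "no"), and the example shows the operational difference the policy section cares about: removing a leaver under ACLs means editing every resource that names them, whereas under RBAC a single role revocation does it.

```python
"""ACL versus RBAC on the same requests, both deny-by-default.

Added example; not from the lecture. Users, resources and roles are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AclStore:
    """Access control list model: permissions are attached to each resource."""
    acls: dict = field(default_factory=dict)  # resource -> {principal: {action, ...}}

    def grant(self, resource: str, principal: str, *actions: str) -> None:
        self.acls.setdefault(resource, {}).setdefault(principal, set()).update(actions)

    def revoke_principal(self, principal: str) -> int:
        """Offboarding under ACLs means touching every resource that names the user.
        Returns how many resource lists had to be edited."""
        touched = 0
        for entries in self.acls.values():
            if entries.pop(principal, None) is not None:
                touched += 1
        return touched

    def is_allowed(self, principal: str, action: str, resource: str) -> bool:
        # Unknown resource, unknown principal or unlisted action all end in deny.
        return action in self.acls.get(resource, {}).get(principal, set())


@dataclass
class RbacStore:
    """Role-based model: users hold roles; roles hold (action, resource type) permissions."""
    role_perms: dict = field(default_factory=dict)      # role -> {(action, resource_type)}
    user_roles: dict = field(default_factory=dict)      # user -> {role}
    resource_types: dict = field(default_factory=dict)  # resource -> resource_type

    def define_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def register_resource(self, resource: str, resource_type: str) -> None:
        self.resource_types[resource] = resource_type

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")  # no silent creation of empty roles
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """One edit removes the user's access to every resource of the role's types."""
        self.user_roles.get(user, set()).discard(role)

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        resource_type = self.resource_types.get(resource)
        if resource_type is None:
            return False  # unregistered resource: deny
        return any((action, resource_type) in self.role_perms[role]
                   for role in self.user_roles.get(user, ()))


def build_stores():
    """Constructed scenario: two production databases, a DBA (alice) and an analyst (bob)."""
    databases = ("db-prod-1", "db-prod-2")
    acl = AclStore()
    rbac = RbacStore()
    rbac.define_role("dba", {("read", "database"), ("write", "database")})
    rbac.define_role("analyst", {("read", "database")})
    for db in databases:
        acl.grant(db, "alice", "read", "write")
        acl.grant(db, "bob", "read")
        rbac.register_resource(db, "database")
    rbac.assign("alice", "dba")
    rbac.assign("bob", "analyst")
    return acl, rbac


def offboard(acl: AclStore, rbac: RbacStore, user: str) -> int:
    """Remove a leaver from both models; returns the number of ACL edits that took."""
    touched = acl.revoke_principal(user)
    for role in list(rbac.user_roles.get(user, ())):
        rbac.revoke(user, role)
    return touched


if __name__ == "__main__":
    acl, rbac = build_stores()
    for user, action in (("alice", "write"), ("bob", "write"), ("mallory", "read")):
        print(user, action, "db-prod-1",
              "acl:", acl.is_allowed(user, action, "db-prod-1"),
              "rbac:", rbac.is_allowed(user, action, "db-prod-1"))
    print("ACL lists edited on offboarding alice:", offboard(acl, rbac, "alice"))
```

The account lifecycle bullet on the slide (creation, deletion, validation) is where the ACL count matters: with two databases it is two edits, with two thousand it is two thousand, and any list that is missed is an orphaned permission.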
Building a Security Policy: Network Security
- Specific timeframes for changing passwords on the network devices
- Use of secure network protocols
- Firewalls at specific chokepoints in the network architecture
- Use of authentication servers to access network devices
Building a Security Policy: System Security
- The systems section outlines the specific settings required to secure a particular operating system or application
- For example, for Windows NT 4.0, it may be a requirement that every logical drive be formatted with NTFS
- For a particular UNIX flavor, shadow password files may be required so that password hashes are kept out of the world-readable password file and away from general users
Building a Security Policy: Testing and Auditing
- Specify requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment
- Require audit logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
- Specify corporate auditing requirements, frequencies, and responsible organizations
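A small compliance check of the kind the testing and auditing section calls for, applied to the system security section's UNIX example (password hashes must live in the shadow file, not in the world-readable password file). This is an added example, not a tool from the lecture: the passwd lines and the shadow file modes are constructed strings and numbers, so the check runs offline and never reads a real system; the set of placeholder values it accepts in the password field (x, *, !, !!) and the UID 0 rule are assumptions a practitioner would tune to the local policy.

```python
"""Compliance check for the lecture's UNIX example: password hashes must live in
/etc/shadow, not in world-readable /etc/passwd.

Added example; not part of the lecture. The passwd content and shadow file modes
below are constructed, so the check runs offline without touching a real system.
"""
import stat


def parse_passwd(text: str) -> list:
    """Parse /etc/passwd-style lines (name:passwd:uid:gid:gecos:home:shell)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, _home, shell = fields
        records.append({"name": name, "passwd": pw, "uid": int(uid),
                        "gid": int(gid), "shell": shell})
    return records


def audit_passwd(records: list) -> list:
    """Findings for accounts whose password field is not a shadow placeholder."""
    findings = []
    for r in records:
        if r["passwd"] == "":
            findings.append(f"{r['name']}: empty password field (login without a password)")
        elif r["passwd"] not in ("x", "*", "!", "!!"):
            # Anything else is a hash (or worse, plaintext) readable by every local user.
            findings.append(f"{r['name']}: password hash stored in world-readable passwd")
        if r["uid"] == 0 and r["name"] != "root":
            findings.append(f"{r['name']}: UID 0 account other than root")
    return findings


def audit_shadow_mode(mode: int) -> list:
    """The shadow file must not be readable by 'other'; group read for a
    dedicated shadow group is the usual configuration and is accepted."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("shadow file is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("shadow file is writable by group or other")
    return findings


def run_audit(passwd_text: str, shadow_mode: int) -> list:
    """Run both checks; an empty list means the baseline is met."""
    return audit_passwd(parse_passwd(passwd_text)) + audit_shadow_mode(shadow_mode)


# Constructed sample input (not a real system). Three of the five accounts violate policy.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:1001:1001:Legacy App:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
"""
SAMPLE_SHADOW_MODE = 0o644    # world-readable: the misconfiguration the policy forbids
HARDENED_SHADOW_MODE = 0o640  # root:shadow, no access for other


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_PASSWD, SAMPLE_SHADOW_MODE):
        print("FAIL:", finding)
    print("hardened shadow mode findings:", audit_shadow_mode(HARDENED_SHADOW_MODE))
```

Run against the constructed input it reports four findings: the hash sitting in the passwd file, the account with no password at all, the second UID 0 account, and the world-readable shadow file. Pointed at a real host it would be fed the contents of /etc/passwd and the mode from os.stat("/etc/shadow"), which is the periodic self-audit the slide asks administrators to perform.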
Security Resources: Security Certifications
- CISSP
- SSCP
- GIAC
- CISA
- CIW Security Professional
Security Resources: Web Resources
Summary
The CIA triad categorizes the aspects of information that must be protected from attacks: confidentiality, integrity, and availability. The PPP triad adds physical security, privacy, and marketplace perception as three further concerns that should drive security efforts.
Summary (cont.)
The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
1. Check for existing security policies and processes
2. Analyze, prioritize, and categorize resources
3. Consider business concerns
4. Evaluate existing security controls
5. Leverage existing management and control architecture
To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO.
A security policy has three major benefits. It:
- Communicates a common vision for security throughout a company
- Represents a single, easy-to-use source of security requirements
- Exists as a flexible document that should be updated at least annually to address new security threats
Summary (cont.)
An effective security policy includes security requirements in the following areas:
- Physical security
- User ID and rights management
- Systems
- Network
- Security tools
- Auditing
There are a number of security-related certifications to help security professionals quantify their knowledge on a resume. Every security professional must stay current about the latest threats through Web resources, mailing lists, and printed materials.