Isel532 - Chapter One

CHAPTER 1: INTRODUCTION TO INFORMATION SECURITY

ISEL532 – IT SECURITY AND RISK MANAGEMENT
INTRODUCTION
Information security, abbreviated as InfoSec, is a set of practices intended to keep data secure.

01/02/2024
Two important aspects:
• Information Security – means protecting information (data)
and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction.
• Information Security Management – is a process of defining the
security controls in order to protect the information assets.
SECURITY PROGRAMS
LESSON ONE
SECURITY PROGRAM OBJECTIVES
• Protect the company and its assets;
• Manage risks by identifying assets, discovering threats and estimating the risk;
• Provide direction for security activities by framing of information security policies,
procedures, standards, guidelines, and baselines;
• Information Classification;
• Security Organization; and
• Security Education.
SECURITY MANAGEMENT RESPONSIBILITIES
• Determining the objectives, scope and policies of a security program, and what it is expected to accomplish.
• Evaluating business objectives, security risks, user productivity, and functionality requirements.
• Defining steps to ensure that all of the above are accounted for and properly addressed.
PROTECTING DATA WITH A SECURITY PROGRAM
An information security program will establish the policies and processes
that you'll use to protect your information. Common program areas such
as an incident management plan, enterprise security architecture,
and threat and vulnerability management help organizations understand
where data lives in the environment as well as what processes and
technology solutions are in place to protect it.
Conducting a thorough security program assessment will help you identify
additional program areas that will help your organization mitigate potential
risks.
APPROACHES TO BUILD A SECURITY PROGRAM
Top-Down Approach
• The initiation, support, and direction come from top management and work their way through middle management and then to staff members.
• Treated as the best approach, but it seems to be based on the “I get paid more, therefore I must know more about everything” type of mentality.
• Ensures that the senior management who are ultimately responsible for protecting the company's assets are driving the program.
APPROACHES TO BUILD A SECURITY PROGRAM
Bottom-Up Approach
• The lower-end team comes up with a security control or a program without proper management support and direction.
• It is often considered less effective and doomed to fail because of the same flaw in thinking as above: “I get paid more, therefore I must know more about everything”.
SECURITY CONTROLS
LESSON TWO
CATEGORIES OF SECURITY CONTROLS
Administrative Controls
• Developing and publishing of policies, standards, procedures,
and guidelines.
• Screening of personnel.
• Conducting security-awareness training.
• Implementing change control procedures.
CATEGORIES OF SECURITY CONTROLS
Technical or Logical Controls
• Implementing and maintaining access control mechanisms.
• Password and resource management.
• Identification and authentication methods.
• Security devices.
• Configuration of the infrastructure.
CATEGORIES OF SECURITY CONTROLS
Physical Controls
• Controlling individual access into the facility and different departments.
• Locking systems and removing unnecessary floppy or CD-ROM drives.
• Protecting the perimeter of the facility.
• Monitoring for intrusion.
• Environmental controls.
SECURITY FRAMEWORKS AND STANDARDS
• The National Institute of Standards and Technology (NIST) Special Publication
800-53, Security and Privacy Controls for Federal Information Systems and
Organizations – this document lists security requirements useful not only for
federal agencies but for all organizations’ information security risk
management programs.
• The International Organization for Standardization (ISO) standard ISO 27001,
Information Security Management – provides guidance on information
technology security and computer security.
SECURITY FRAMEWORKS AND STANDARDS
• The Payment Card Industry Data Security Standard (PCI DSS) – which establishes security requirements and security controls for the protection of sensitive data associated with personal credit card and payment card information.
• The Health Insurance Portability and Accountability Act (HIPAA) – a federal law regulating information security and privacy protections for personal health information.
Frameworks and standards are systems that, when followed,
help an entity to consistently manage information security
controls for all their systems, networks, and devices, including
configuration management, physical security, personnel security,
network security, and information security systems. They define
what constitutes good cybersecurity practices and provide a
structure that entities can use for managing their information
security controls.
ELEMENTS OF SECURITY
LESSON THREE
ELEMENTS OF SECURITY
Vulnerability
• It is a software, hardware, or procedural weakness that may provide an attacker the
open door he is looking for to enter a computer or network and have unauthorized
access to resources within the environment.
• Vulnerability characterizes the absence or weakness of a safeguard that could be
exploited.
• E.g.: a service running on a server, unpatched applications or operating system
software, unrestricted modem dial-in access, an open port on a firewall, lack of
physical security etc.
ELEMENTS OF SECURITY
Threat
• Any potential danger to information or systems.
• A threat is a possibility that someone (person, s/w) would identify and
exploit the vulnerability.
• The entity that takes advantage of vulnerability is referred to as a threat
agent.
• E.g.: A threat agent could be an intruder accessing the network through a port on the firewall.
ELEMENTS OF SECURITY
Risk
• Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
• Reducing the vulnerability and/or the threat reduces the risk.
• E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
ELEMENTS OF SECURITY
Exposure
• An exposure is an instance of being exposed to losses from a threat agent.
• Vulnerability exposes an organization to possible damages.
• E.g.: If password management is weak and password rules are not
enforced, the company is exposed to the possibility of having users'
passwords captured and used in an unauthorized manner.
ELEMENTS OF SECURITY
Countermeasure or Safeguard
• It is an application, a software configuration, a piece of hardware, or a procedure that mitigates the risk.
• E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
THE RELATIONSHIP BETWEEN THE SECURITY ELEMENTS
• Example: If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks.
• The threat is that a virus will show up in the environment and disrupt productivity.
• The likelihood of a virus showing up in the environment and causing damage is the risk.
• If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
• The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.
CORE PRINCIPLES OF INFORMATION SECURITY
LESSON FOUR
Image from: https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/

Deploying critical data and workloads in a cloud environment can drive numerous benefits such as reduced costs and increased time to market on product and services. When designing a strategy for regulatory compliance in cloud deployments, however, IT leaders must first make some big decisions.
THE CIA TRIAD
• Confidentiality – through preventing access by unauthorized
users. Confidentiality measures are designed to protect against
unauthorized disclosure of information. The objective of the
confidentiality principle is to ensure that private information
remains private and that it can only be viewed or accessed by
individuals who need that information in order to complete their
job duties.
THE CIA TRIAD
• Integrity – from validating that your data is trustworthy and
accurate. Integrity involves protection from unauthorized
modifications (e.g., add, delete, or change) of data. The
principle of integrity is designed to ensure that data can be
trusted to be accurate and that it has not been
inappropriately modified.
THE CIA TRIAD
• Availability – by ensuring data is available when needed.
Availability is protecting the functionality of support systems
and ensuring data is fully available at the point in time (or
period requirements) when it is needed by its users. The
objective of availability is to ensure that data is available to be
used when it is needed to make decisions.
CORE INFORMATION SECURITY PRINCIPLES
CONFIDENTIALITY
• Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted and once it reaches its destination.
• Threat sources
  • Network Monitoring
  • Shoulder Surfing – monitoring key strokes or screen
  • Stealing password files
  • Social Engineering – one person posing as the actual
• Countermeasures
  • Encrypting data as it is stored and transmitted.
  • By using network padding
  • Implementing strict access control mechanisms and data classification
  • Training personnel on proper procedures.
CORE INFORMATION SECURITY PRINCIPLES
INTEGRITY
• Integrity of data is protected when the assurance of accuracy and reliability of information and system is provided, and unauthorized modification is prevented.
• Threat sources
  - Viruses
  - Logic Bombs
  - Backdoors
• Countermeasures
  - Strict Access Control
  - Intrusion Detection
  - Hashing
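As an added illustration of the "Hashing" countermeasure listed above (example code written for this page, not part of the course slides), the following Python shows how a stored digest detects unauthorized modification of a record, and why a keyed hash (HMAC) is needed when whoever alters the data could also rewrite the stored digest. The record and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample record that must not be modified without authorization
# (hypothetical data, not taken from the slides).
ORIGINAL_RECORD = b"account=4471;balance=1200.00;status=active"


def sha256_digest(data: bytes) -> str:
    """Plain hash: detects corruption or edits by anyone who cannot also
    replace the stored digest."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, stored_digest: str) -> bool:
    # compare_digest avoids timing side channels when comparing digests.
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): without the key, a matching tag cannot be
    produced for modified data, so recomputing the 'hash' does not help."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), stored_tag)


def demo() -> dict:
    """Compare plain hashing and HMAC against the same tampered record."""
    key = secrets.token_bytes(32)  # integrity key held only by the verifier
    tampered = ORIGINAL_RECORD.replace(b"1200.00", b"9999.00")

    digest = sha256_digest(ORIGINAL_RECORD)      # stored beside the data
    tag = hmac_tag(key, ORIGINAL_RECORD)          # stored beside the data
    rewritten_digest = sha256_digest(tampered)    # digest replaced along with data
    forged_tag = hmac_tag(b"wrong-key", tampered)  # tag made without the real key

    return {
        "intact_passes": verify_digest(ORIGINAL_RECORD, digest),
        "tamper_detected_by_hash": not verify_digest(tampered, digest),
        # Limitation of a plain hash: a rewritten digest matches the altered data.
        "hash_fooled_when_digest_rewritten": verify_digest(tampered, rewritten_digest),
        "hmac_detects_tamper": not verify_hmac(key, tampered, tag),
        "hmac_rejects_forged_tag": not verify_hmac(key, tampered, forged_tag),
    }
```

The plain digest is enough against accidental corruption; the keyed tag is what makes the control hold when the data store itself is writable by the adversary.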
CORE INFORMATION SECURITY PRINCIPLES
AVAILABILITY
• Availability ensures reliability and timely access to data and resources to authorized individuals.
• Threat sources
  - Device or software failure.
  - Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
  - Denial-of-service attacks
• Countermeasures
  • Maintaining backups to replace the failed system
  • IDS to monitor the network traffic and host system activities
  • Use of certain firewall and router configurations