Chapter 8 Section 6
Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley.
Copyright © Pearson Education Limited 2015.

Controls for Information Security
Chapter 8

Learning Objectives
• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.

Trust Services Framework
• Security
  ▫ Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
  ▫ Sensitive organizational data is protected.
• Privacy
  ▫ Personal information about trading partners, investors, and employees is protected.
• Processing integrity
  ▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
  ▫ System and information are available.

Security Life Cycle
• Security is a management issue
See pages 256-257 for details.

Security Approaches
• Defense-in-depth
  ▫ Multiple layers of control (preventive and detective) to avoid a single point of failure
• Time-based model: security is effective if
  ▫ P > D + C, where
    P is the time it takes an attacker to break through preventive controls
    D is the time it takes to detect that an attack is in progress
    C is the time it takes to respond to the attack and take corrective action

Steps criminals use to attack an organization's information systems
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks

How to Mitigate Risk of Attack (Table 8-1)

Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management

Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring

Preventive: People
• Culture of security
  ▫ Tone set at the top with management
• Training
  ▫ Follow safe computing practices
      Never open unsolicited e-mail attachments
      Use only approved software
      Do not share passwords
      Physically protect laptops/cellphones
  ▫ Protect against social engineering

Preventive: Process
• Authentication—verifies the person
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. Combination of all three
  Focus 8-1 on the effectiveness of passwords
• Authorization—determines what a person can access
  ▫ Access control matrix

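As an added example (not from the textbook or these slides), a minimal access control matrix in Python with the default-deny compatibility test that the Authorization bullet refers to; the users, resources and rights are constructed sample data. The audit log it writes is the kind of record the detective controls in Table 8-1 (log analysis) consume.

```python
# Added example (not from the textbook): an access control matrix
# consulted by a default-deny compatibility test. All users, resources
# and rights below are constructed sample data.
from typing import Dict, FrozenSet, List, Tuple

# Rows: users (or roles); columns: resources; cell: permitted operations.
# A missing cell or an empty cell grants nothing.
ACCESS_CONTROL_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "payroll_db"): frozenset({"read", "update"}),
    ("alice", "gl_ledger"): frozenset({"read"}),
    ("bob", "gl_ledger"): frozenset({"read", "update", "approve"}),
    ("bob", "payroll_db"): frozenset(),  # explicit empty cell: no rights
}


def compatibility_test(user: str, resource: str, operation: str) -> bool:
    """Authorization check: True only if the matrix explicitly grants
    this operation to this user on this resource (default deny)."""
    rights = ACCESS_CONTROL_MATRIX.get((user, resource), frozenset())
    return operation in rights


def request(user: str, resource: str, operation: str,
            audit_log: List[str]) -> bool:
    """Run the compatibility test and record the decision so that the
    detective controls (log analysis) have something to analyse."""
    allowed = compatibility_test(user, resource, operation)
    verdict = "ALLOW" if allowed else "DENY"
    audit_log.append(f"{verdict} user={user} op={operation} res={resource}")
    return allowed


def denied_attempts(audit_log: List[str]) -> List[str]:
    """Simple log analysis: pull out every denied access attempt."""
    return [entry for entry in audit_log if entry.startswith("DENY ")]


if __name__ == "__main__":
    log: List[str] = []
    request("alice", "payroll_db", "update", log)   # allowed
    request("bob", "payroll_db", "read", log)       # denied: empty cell
    request("carol", "gl_ledger", "read", log)      # denied: no row for carol
    for line in denied_attempts(log):
        print(line)
```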
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Other
• Physical security access controls
  ▫ Limit entry to building
  ▫ Restrict access to network and data
• Change controls and change management
  ▫ Formal processes in place regarding changes made to hardware, software, or processes

Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management

Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)

Key Terms (continued)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing