Material best practices in network security using ethical hacking
BEST PRACTICES IN NETWORK SECURITY
USING ETHICAL HACKING
Network Security Design: The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Network Assets
• Hardware
• Software
• Applications
• Data
• Intellectual property
• Trade secrets
• Company’s reputation
Security Risks
• Hacked network devices
– Data can be intercepted, analyzed, altered, or deleted
– User passwords can be compromised
– Device configurations can be changed
• Reconnaissance attacks
• Denial-of-service attacks
Security Tradeoffs
• Tradeoffs must be made between security goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability
A Security Plan
• High-level document that proposes what an organization is going to do to meet security requirements
• Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy
A Security Policy
• Per RFC 2196, “The Site Security Handbook,” a security policy is a “Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
• The policy should address
– Access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms
• Physical security
• Authentication
• Authorization
• Accounting (Auditing)
• Data encryption
• Packet filters
• Firewalls
• Intrusion Detection Systems (IDS)
• Intrusion Prevention Systems (IPS)
Encryption for Confidentiality and Integrity
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature
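The two flows in Figures 8-1 and 8-2 traced in code. This is an added example, not from the slides: textbook RSA with toy-sized primes (p = 61, q = 53), no padding, and a SHA-256 digest reduced mod n for the signature. It shows which key plays which role in each figure and nothing more; the function names are my own and the parameters are far too small for real use.

```python
# Added illustration of Figures 8-1 and 8-2: textbook RSA with toy parameters.
# NOT secure: tiny modulus, no padding. Use a real library (RSA-OAEP / RSA-PSS) in practice.
import hashlib
from math import gcd


def make_keypair(p=61, q=53, e=17):
    """Return (public, private) = ((e, n), (d, n)) for two primes p, q (toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt(m: int, public) -> int:
    """Figure 8-1: the sender encrypts with the RECIPIENT's public key."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, private) -> int:
    """Figure 8-1: only the holder of the matching private key can decrypt."""
    d, n = private
    return pow(c, d, n)


def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the hash into the signing range [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Figure 8-2: the signer applies their PRIVATE key to the message hash."""
    d, n = private
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Figure 8-2: anyone holding the signer's PUBLIC key checks sig^e mod n == hash."""
    e, n = public
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(65, pub)  # 65 is the ASCII code for "A"
    print("ciphertext", c, "decrypts to", decrypt(c, priv))
    sig = sign(b"pay Alice $100", priv)
    print("signature valid:", verify(b"pay Alice $100", sig, pub))
    print("tampered signature valid:", verify(b"pay Alice $100", (sig + 1) % pub[1], pub))
```

Confidentiality comes from the recipient's key pair (Figure 8-1), integrity and origin from the signer's key pair (Figure 8-2); the same private key must never be used for both purposes in a real deployment.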
Modularizing Security Design
• Security defense in depth
– Network security should be multilayered with many different techniques used to protect the network
• Belt-and-suspenders approach
– Don’t get caught with your pants down
Modularizing Security Design
• Secure all components of a modular design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks
Cisco SAFE
• Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
Securing Internet Connections
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication
Securing Public Servers
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS protection
– Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity
– Front-end Web server doesn’t also run other services
Security Topologies (figures)
• Figure: Internet – DMZ (Web, File, DNS, Mail servers) – Enterprise network
• Figure: Internet – Firewall – DMZ (Web, File, DNS, Mail servers) – Enterprise network
Securing Remote-Access and Virtual Private Networks
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
• Security protocols
– CHAP
– RADIUS
– IPSec
Securing Network Services
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
– Require extra authorization for risky configuration commands
• Use SSH rather than Telnet
• Change the welcome banner to be less welcoming
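A way to check those three points against a device configuration, as an added example (not from the slides): a small lint over Cisco IOS-style running-config text that flags Telnet on vty lines, a missing `ip ssh version 2`, a weakly protected `enable password`, a welcoming banner, and the absence of AAA command authorization (the “extra authorization for risky commands” control). The IOS command syntax is real; both configs are constructed for the example and are not from any real device.

```python
# Added example: lint a Cisco IOS-style running-config for the slide's hardening points.
# SAMPLE_CONFIG and HARDENED_CONFIG are constructed; the enable secret is a placeholder.
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
banner motd ^C Welcome to edge-rtr-1, enjoy your stay! ^C
ip domain-name example.net
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
enable secret REDACTED-HASH
aaa new-model
aaa authorization commands 15 default group tacacs+ local
banner login ^C Authorized access only. Activity is monitored and logged. ^C
ip domain-name example.net
ip ssh version 2
line vty 0 15
 transport input ssh
 login authentication default
"""


def vty_blocks(config: str):
    """Map each 'line vty ...' header to its indented child lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit(config: str):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    lines = config.splitlines()
    for name, children in vty_blocks(config).items():
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no 'transport input' statement (default may allow Telnet)")
        for t in transports:
            protos = t.split()[2:]
            if "telnet" in protos or "all" in protos:
                findings.append(f"{name}: Telnet permitted ('{t}'); use 'transport input ssh'")
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 not enforced; add 'ip ssh version 2'")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("'enable password' stores a weakly protected secret; use 'enable secret'")
    if re.search(r"^banner \w+ \^C\s*Welcome", config, re.M | re.I):
        findings.append("banner text is welcoming; state that access is restricted and monitored")
    if not any(l.startswith("aaa authorization commands") for l in lines):
        findings.append("no AAA command authorization; risky config commands are not gated")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it over exported configs from a backup system rather than logging into devices; the same structure extends to other per-line checks (SNMP community strings, `service password-encryption`, ACLs on the vty lines).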
Securing Server Farms
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit root password to a few people
• Avoid guest accounts
Securing User Services
• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
– Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using 802.1X port-based security on switches
Securing Wireless Networks
• Place wireless LANs (WLANs) in their own subnet or VLAN
– Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
– Except in cases where the WLAN is used by visitors
– Caveat: neither measure is a security control on its own. The SSID still appears in probe and association frames, and MAC addresses travel in the clear and are trivially spoofed. Treat both as hygiene and rely on 802.1X/EAP and strong encryption for actual access control.
WLAN Security Options
• Wired Equivalent Privacy (WEP)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of? :-)
Wired Equivalent Privacy (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that is also configured on the access point
– 64- or 128-bit key (or passphrase); in practice a 40- or 104-bit shared secret concatenated with a 24-bit per-frame IV that is sent in the clear
• WEP encrypts the data using the RC4 stream cipher
• Infamous for being crackable: the 24-bit IV space guarantees keystream reuse on a busy network, and prepending the IV to the key lets an attacker recover the key from captured frames
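Why keystream reuse matters, as an added example that is not part of the slides: textbook RC4 with a WEP-style per-frame key (IV || shared secret), and the known-plaintext recovery that works whenever two frames share an IV. It omits WEP's CRC-32 ICV, and the key, IV and frame contents are constructed for the example.

```python
# Added example: RC4 as WEP uses it (per-frame key = 24-bit IV || shared secret) and the
# keystream-reuse problem that follows from the tiny IV space. No ICV; values constructed.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV followed by plaintext XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes, frame_target: bytes) -> bytes:
    """Given a frame whose plaintext is known and a second frame sent with the SAME IV,
    recover the second plaintext: c1 XOR p1 = keystream, then c2 XOR keystream = p2."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("IVs differ, so the keystreams differ; this attack needs IV reuse")
    keystream = xor_bytes(c1, known_pt)
    return xor_bytes(c2, keystream)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # 40-bit shared secret (constructed)
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"GET / HTTP/1.0\r\n")  # plaintext an attacker can guess
    f2 = wep_encrypt(key, iv, b"password=hunter2")    # same IV, so the same keystream
    print(recover_with_known_plaintext(f1, b"GET / HTTP/1.0\r\n", f2))
```

The attack never touches the shared key: it only needs one guessable frame per reused IV, and with 2^24 IVs a busy access point repeats one within hours. TKIP's per-packet key mixing and the larger IV were introduced precisely to break this pattern.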
WEP Alternatives
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
Extensible Authentication Protocol (EAP)
• With 802.1X and EAP, devices take on one of three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS server
EAP (Continued)
• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
• The credentials are passed by the authenticator to the server and a session key is developed
• Periodically the client must reauthenticate to maintain network connectivity
• Reauthentication generates a new, dynamic WEP key
Cisco’s Lightweight EAP (LEAP)
• Standard EAP plus mutual authentication
– The user and the access point must authenticate each other
• Used on Cisco and other vendors’ products
• Caveat: LEAP’s challenge/response is MS-CHAP based and the exchange can be captured and attacked offline with a dictionary; Cisco has since deprecated it in favour of EAP-FAST, PEAP, or EAP-TLS
Other EAPs
• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft (RFC 2716, now RFC 5216)
– Requires certificates for both clients and servers
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
– The client uses the server’s certificate to authenticate the RADIUS server and build a TLS tunnel
– Inside the tunnel, the server authenticates the client with a username and password (typically MS-CHAPv2)
• EAP-MD5 has no key management features or dynamic key generation
– Uses challenge text like basic WEP authentication
– Authentication is handled by the RADIUS server
– Provides no server authentication, so it is open to rogue access points and offline dictionary attacks; unsuitable for wireless
VPN Software on Wireless Clients
• Safest way to do wireless networking for corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity
• ENTER THE JED1 “THE DEMO”
Risk Management
How Much to Invest in Security?
How much is too much?
• Firewall
• Intrusion detection/prevention
• Guard
• Biometrics
• Virtual private network
• Encrypted data & transmission
• Card readers
• Policies & procedures
• Audit & control testing
• Antivirus / spyware
• Wireless security
How much is too little?
• Hacker attack
• Internal fraud
• Loss of confidentiality
• Stolen data
• Loss of reputation
• Loss of business
• Penalties
• Legal liability
• Theft & misappropriation
Security is a balancing act between security costs & losses
Risk Management
Risk management strategies are determined by both internal & external factors
• Internal factors: culture, corporate history, management’s risk tolerance, organizational maturity, structure
• External factors: regulation, industry
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk Management Process (figure)
• Establish scope & boundaries
– What to investigate? What to consider?
• Risk assessment: identification, analysis, evaluation
– What assets & risks exist? What does this risk cost? What priorities shall we set?
• Risk treatment: avoid, reduce, transfer, retain
– What controls can we use?
• Accept residual risk
• Risk communication & monitoring run alongside every step
Risk Appetite
• Do you operate your computer with or without antivirus software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from friends or follow questionable web links?
• Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk
Continuous Risk Mgmt Process (cycle): Identify & Assess Risks → Develop Risk Mgmt Plan → Implement Risk Mgmt Plan → Proactive Monitoring → back to the start, bounded throughout by Risk Appetite
• Risks change with time as business & environment change
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks
Security Evaluation: Risk Assessment
Five steps include:
1. Assign values to assets
– Where are the Crown Jewels?
2. Determine loss due to threats & vulnerabilities
– Confidentiality, Integrity, Availability
3. Estimate likelihood of exploitation
– Weekly, monthly, 1 year, 10 years?
4. Compute expected loss
– Loss = Downtime + Recovery + Liability + Replacement
– Risk Exposure = ProbabilityOfVulnerability × $Loss
5. Treat risk
– Survey & select new controls
– Reduce, transfer, avoid or accept risk
– Risk Leverage = [(Risk exposure before reduction) – (Risk exposure after reduction)] / (Cost of risk reduction)
Step 1: Determine Value of Assets
Identify & determine value of assets (Crown Jewels):
• Assets include:
– IT-related: information/data, hardware, software, services, documents, personnel
– Other: buildings, inventory, cash, reputation, sales opportunities
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were compromised?
• Helpful websites: www.attrition.org
Determine Cost of Assets (worksheet)
For each revenue asset (Sales: Product A, Product B, Product C) record: Replacement cost, Cost of loss of integrity, Cost of loss of availability, Cost of loss of confidentiality
Costs are either tangible ($) or intangible (High/Med/Low)
Matrix of Loss Scenarios
| Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss |
| Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M |
| Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M |
| Backup tapes and cust. data found in garbage; makes front-page news | 10M records | $20M | $20M | $10M | $5M | $200K |
| Contractor steals employee data; sells data to hackers | 10K records | $5M | $10M | Min. | Min. | $200K |
Step 1: Determine Value of Assets (Workbook)
| Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes |
| Laptop | $1,000 | Mailings = $130 × #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law |
| Equipment | $10,000 | $2K per day in income | Availability | (e.g., due to fire or theft) |
Step 2: Determine Loss Due to Threats
Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
Intentional: Fire, water, theft, vandalism
Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service
Threat Agent Types
| Threat agent | Motivation | Typical attack |
| Hackers/Crackers | Challenge, rebellion | Unauthorized access |
| Criminals | Financial gain; disclosure/destruction of info. | Fraud, computer crimes |
| Terrorists | Destruction/revenge/extortion | DoS, info warfare |
| Industry spies | Competitive advantage | Info theft, economic exploitation |
| Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse |
Step 2: Determine Threats Due to Vulnerabilities
System vulnerabilities:
• Behavioral: disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
• Misinterpretation: poorly-defined procedures, employee error, insufficient staff, inadequate management, inadequate compliance enforcement
• Coding problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
• Physical vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3: Estimate Likelihood of Exploitation
Best sources:
• Past experience
• National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes
If no good numbers emerge, estimates can be used, provided management is notified of the guesswork
Likelihood of Exploitation:Sources of Losses
Source: 2006 Annual Study: Cost of a Data Breach, PGP/VontuEvaluation of 31 organizations
Step 4: Compute Expected Loss: Risk Analysis Strategies
Qualitative: Prioritizes risks so that the highest risks can be addressed first
• Based on judgment, intuition, and experience
• May factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of impact in financial terms
Semiquantitative: Combination of qualitative & quantitative techniques
Step 4: Compute Loss Using Qualitative Analysis
Qualitative analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share, share value
• When there is insufficient information to perform a more quantified analysis
Vulnerability Assessment Quadrant Map (figure, Workbook)
Axes: Threat (probability) against Vulnerability (severity), divided into quadrants 1-4. Items plotted: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder.
Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in the last 5 years, but not in the last year
4. Likely: Occurred in the last year
5. Frequent: Occurs on a regular basis
Risk = Impact × Likelihood
Semi-Quantitative Impact Matrix (Risk = Impact × Likelihood)
| Impact \ Likelihood | Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Frequent (5) |
| Catastrophic (5) | 5 | 10 | 15 | 20 | 25 |
| Material (4) | 4 | 8 | 12 | 16 | 20 |
| Major (3) | 3 | 6 | 9 | 12 | 15 |
| Minor (2) | 2 | 4 | 6 | 8 | 10 |
| Insignificant (1) | 1 | 2 | 3 | 4 | 5 |
Cells are banded LOW, MEDIUM, HIGH, SEVERE from the lower-left corner toward the upper-right; the slide does not give the band thresholds.
Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
– E.g., stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability)
– SLE = Asset Value (AV) × Exposure Factor (EF)
– For the stolen laptop EF > 1.0 once consequential costs (breach notification, reputation) are counted against the replacement value
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
– If a fire occurs once every 25 years, ARO = 1/25 = 0.04
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
– ALE = SLE × ARO
Risk Assessment Using Quantitative Analysis
Quantitative example: cost of a HIPAA accident with insufficient protections
– SLE = $50K fine + $100K (cost of one year in jail) = $150K, plus loss of reputation…
– Estimated frequency: once in 10 years or less, so ARO = 0.1
– Annualized Loss Expectancy (ALE) = $150K × 0.1 = $15K
Annualized Loss Expectancy (ALE = asset value ÷ years between losses)
| Loss occurs once every | Asset value $1K | $10K | $100K | $1M |
| 1 yr | 1K | 10K | 100K | 1000K |
| 5 yrs | 200 | 2K | 20K | 200K |
| 10 yrs | 100 | 1K | 10K | 100K |
| 20 yrs | 50 | 500 | 5K | 50K |
Example: asset costs $10K, risk of loss 20% per year (once in 5 years)
• Over 5 years, average loss = $10K, i.e. ALE = $2K
• Spend up to $2K each year to prevent the loss
Quantitative Risk (Workbook)
| Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE) |
| Building | Fire | $1M | 0.05 (once in 20 years) | $50K |
| Laptop | Stolen | $1K + $9K (breach notification) = $10K | 0.2 (once in 5 years) | $2K |
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
• E.g.: Comet hits
• Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
• E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability
• E.g.: Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
• E.g.: Buy malpractice insurance (doctor)
• While financial impact can be transferred, legal responsibility cannot
Risk Planning: Implement a set of controls
NIST Risk Assessment Methodology (NIST SP 800-30; figure reconstructed as Input → Activity → Output)
| Input | Activity | Output |
| (system description) | System Characterization | System boundary; system functions; system/data criticality; system/data sensitivity |
| Company history; intelligence agency data: NIPC, OIG | Identify Threats | List of threats |
| Audit & test results | Identify Vulnerabilities | List of vulnerabilities |
| | Analyze Controls | List of current & planned controls |
| | Determine Likelihood | Likelihood rating |
| Business Impact Analysis; data criticality & sensitivity analysis | Analyze Impact | Impact rating |
| | Determine Risk | Documented risks |
| | Recommend Controls | Recommended controls |
| | Document Results | Risk assessment report |
Control Types (figure, reconstructed from its labels)
• A threat results in an attack, which exploits a vulnerability and creates an impact
• Deterrent control: reduces the likelihood of the threat
• Preventive control: reduces the likelihood of the attack and protects the vulnerability
• Detective control: discovers the attack and triggers the corrective control
• Corrective control: reduces the impact
• Compensating (mitigating) control: decreases the impact where a primary control is not available
Second figure: THREAT, VULNERABILITY and IMPACT combine with risk probability; what remains after deterrent, preventive, detective, corrective and mitigating controls is the residual risk
Controls & Countermeasures
• The cost of a control should never exceed the expected loss with no control in place
• Countermeasure = targeted control
– Aimed at a specific threat or vulnerability
– Problem: firewall cannot process packets fast enough under a flood of IP packets
– Solution: add a border router that drops invalid traffic before it reaches the firewall
Analysis of Risk vs. Controls (Workbook)
| Risk | ALE or Score | Control | Cost of Control |
| Stolen laptop | $2K (= ($1K + $9K Breach Notif. Law) × 0.2) | Encryption | $60 |
| Disk failure | $3K per day | RAID | $750 |
| Hacker | $9K Breach Notif. Law | Firewall | $1K |
Cost of some controls is shown in the Case Study Appendix
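The deck’s quantitative arithmetic (SLE, ARO, ALE, the risk-leverage formula from Step 5 and the “cost of control should never exceed the expected loss” rule) carried through in code, as an added example that is not part of the slides. It uses the building-fire and stolen-laptop rows from the quantitative risk table; the control figures are assumptions for illustration, including the assumption that full-disk encryption removes the $9K breach-notification cost because encrypted data is typically exempt from notification.

```python
# Added example: ALE and risk-leverage arithmetic from the slides, applied to the deck's
# building-fire and stolen-laptop rows. Control numbers are assumed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float  # single loss expectancy in $ (direct + consequential loss)
    aro: float  # annualized rate of occurrence (0.2 == once every 5 years)

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # purchase and operating cost spread per year
    sle_after: float    # SLE once the control is in place
    aro_after: float    # ARO once the control is in place


def ale_after(control: Control) -> float:
    return control.sle_after * control.aro_after


def risk_leverage(risk: Risk, control: Control) -> float:
    """(exposure before reduction - exposure after reduction) / cost of reduction."""
    return (risk.ale - ale_after(control)) / control.annual_cost


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Money saved per year after paying for the control; negative means not worth it."""
    return risk.ale - ale_after(control) - control.annual_cost


def worthwhile(risk: Risk, control: Control) -> bool:
    """The slide's rule: a control's cost must not exceed the expected loss it removes."""
    return control.annual_cost <= risk.ale - ale_after(control)


def rank_controls(risk: Risk, controls) -> list:
    """Keep only worthwhile controls, best leverage first."""
    keep = [c for c in controls if worthwhile(risk, c)]
    return sorted(keep, key=lambda c: risk_leverage(risk, c), reverse=True)


# Figures from the deck's quantitative-risk table.
BUILDING_FIRE = Risk("Building", "Fire", sle=1_000_000, aro=0.05)     # ALE $50K
STOLEN_LAPTOP = Risk("Laptop", "Stolen", sle=1_000 + 9_000, aro=0.2)  # ALE $2K

# Candidate controls for the laptop (assumed numbers, not from the slides).
ENCRYPTION = Control("Full-disk encryption", annual_cost=60, sle_after=1_000, aro_after=0.2)
COURIER = Control("Armed courier for every trip", annual_cost=5_000, sle_after=1_000, aro_after=0.05)

if __name__ == "__main__":
    for r in (BUILDING_FIRE, STOLEN_LAPTOP):
        print(f"{r.asset}/{r.threat}: ALE ${r.ale:,.0f}")
    for c in rank_controls(STOLEN_LAPTOP, [ENCRYPTION, COURIER]):
        print(f"{c.name}: leverage {risk_leverage(STOLEN_LAPTOP, c):.1f}, "
              f"net benefit ${net_annual_benefit(STOLEN_LAPTOP, c):,.0f}/yr")
```

The courier option shows the rule in action: it cuts the ALE further than encryption does, but at $5K a year it costs more than the $1,950 of expected loss it removes, so it is dropped, while encryption at $60 a year against $1,800 of removed loss has a leverage of 30.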
Extra Step: Step 6: Risk Monitoring
Report to management on the status of security:
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected
| Issue | Status | Cost |
| Stolen laptop | In investigation | $2K, legal issues |
| HIPAA incident response | Procedure being defined – incident response | $200K |
| Cost overruns | Internal audit investigation | $400K |
| HIPAA: physical security | Training occurred | $200K |
Security Dashboard, Heat Chart or Stoplight Chart
Training
• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering
Security Control Baselines & Metrics
Baseline: A measurement of performance
• Metrics are regularly and consistently measured, quantifiable, and inexpensively collected
• Leads to subsequent performance evaluation
• E.g., how many viruses is the help desk reporting? (figure: company data, not real)
Risk Management
• Risk management is aligned with business strategy & direction
• Risk management must be a joint effort between all key business units & IS
• Business-driven (not technology-driven)
Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy
Risk Management Roles
• Governance & Sr Mgmt: Allocate resources; assess & use risk assessment results
• Chief Info Officer: IT planning, budget, performance incl. risk
• Info. Security Mgr: Develops, collaborates, and manages the IS risk mgmt process
• Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users
• Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
• System / Info Owners: Responsible for ensuring controls are in place to address CIA; sign off on changes
• IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin
Due Diligence
Due Diligence = Did a careful risk assessment (RA)
Due Care = Implemented the recommended controls from the RA
Liability is minimized if reasonable precautions are taken
Elements of due care (figure): senior management support, risk assessment, backup & recovery, policies & procedures, adequate security controls, compliance, monitoring & metrics, business continuity & disaster recovery
Question: Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question: Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time in which a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year
Question: The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
Question: Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding
Question: The risk that is assumed after implementing controls is known as:
1. Accepted risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question: The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine the budget for residual risk
Question: Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets
Question: ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE × ARO
Vocabulary to study
• Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
• Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
• Threat, threat agent, vulnerability
• Qualitative risk analysis, quantitative risk analysis
• SLE, ARO, ALE
• Due diligence, due care
HEALTH FIRST CASE STUDY: Analyzing Risk
• Jamie Ramon, MD – Doctor
• Chris Ramon, RD – Dietician
• Terry – Medical Admin
• Pat – Software Consultant
Step 1: Define Assets
Consider consequential financial loss
| Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes |
| Medical DB | | DO + M + H + NL | C? I? A? | |
Consequential loss components (to be filled in by the workbook exercise):
• Daily Operation (DO): $
• Medical Malpractice (M): $
• HIPAA Liability (H): $
• Notification Law Liability (NL): $
HIPAA Criminal Penalties
| $ Penalty | Imprisonment | Offense |
| Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information |
| Up to $100K | Up to 5 years | … committed under false pretenses |
| Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm |
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
• Normal threats: Threats common to all organizations
• Inherent threats: Threats particular to your specific industry
• Known vulnerabilities: Previous audit reports indicate deficiencies
Step 4: Compute Expected Loss
Step 5: Treat Risk
Step 4: Compute E(Loss): ALE = SLE × ARO (Workbook)
| Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE) |
Step 5: Treat Risk
• Risk Acceptance: Handle attack when necessary
• Risk Avoidance: Stop doing risky behavior
• Risk Mitigation: Implement control to minimize vulnerability
• Risk Transference: Pay someone to assume risk for you
• Risk Planning: Implement a set of controls
Physical (Environmental) Security
Physical Security
• From (ISC)2 Candidate Information Bulletin:– The Physical (Environmental) Security domain
addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.
Introduction
• Threats to physical security include:
– Interruption of services
– Theft
– Physical damage
– Unauthorized disclosure
– Loss of system integrity
Introduction
• Threats fall into many categories:
– Natural environmental threats (e.g., floods, fire)
– Supply system threats (e.g., power outages, communication interruptions)
– Manmade threats (e.g., explosions, disgruntled employees, fraud)
– Politically motivated threats (e.g., strikes, riots, civil disobedience)
Introduction
• Primary consideration in physical security is that nothing should impede “life safety goals.”
– Ex.: Don’t lock the only fire exit door from the outside.
• “Safety:” Deals with the protection of life and assets against fire, natural disasters, and devastating accidents.
• “Security:” Addresses vandalism, theft, and attacks by individuals.
Physical Security Planning
• Physical security, like general information security, should be based on a layered defense model.
• Layers are implemented at the perimeter and moving toward an asset.
• Layers include: Deterrence, Delaying, Detection, Assessment, Response
Physical Security Planning
• A physical security program must address:
– Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.)
– Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.)
– Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.)
– Incident assessment through response to incidents and determination of damage levels
– Response procedures (fire suppression mechanisms, emergency response processes, etc.)
Physical Security Planning
• Crime Prevention Through Environmental Design (CPTED)
– A discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior
– Concepts developed in the 1960s
– Think: social engineering
Physical Security Planning
• CPTED has three main strategies:
– Natural Access Control
– Natural Surveillance
– Territorial Reinforcement
Physical Security Planning
• Natural Access Control
– The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping
– Be familiar with: bollards, use of security zones, access barriers, use of natural access controls
Physical Security Planning
• Natural Surveillance
– The use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility
– The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation
Physical Security Planning
• Territorial Reinforcement
– Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership
– Accomplished through the use of walls, lighting, landscaping, etc.
Physical Security Planning
• CPTED is not the same as “target hardening”
• Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment)
Physical Security Planning
• Issues with selecting a facility site:
– Visibility (terrain, neighbors, population of area, building markings)
– Surrounding area and external factors (crime rate, riots, terrorism, first responder locations)
– Accessibility (road access, traffic, proximity to transportation services)
– Natural disasters (floods, tornados, earthquakes)
Physical Security Planning
• Other facility considerations:
– Physical construction materials and structure composition
• Be familiar with: load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties)
Physical Security Planning
• “Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight sensing floor as an additional control to prevent literal piggybacking.
Physical Security Planning
• Automatic door lock configuration:
– “Fail safe:” If a power disruption occurs, the door defaults to being unlocked (favors life safety)
– “Fail secure:” If a power disruption occurs, the door defaults to being locked
Physical Security Planning
• Windows can also be used to promote physical security.
• Know the different types of glass:
– Standard
– Tempered
– Acrylic
– Wired
– Laminated
– Solar window film
– Security film
Physical Security Planning
• Consider use of internal partitions carefully:
– Partitions must run true floor to true ceiling; a partition that stops at a drop ceiling can be climbed over
– Partial-height partitions should never be used in areas that house sensitive systems and devices
Internal Support Systems
• Power issues:
– A continuous supply of electricity assures the availability of company resources
– Data centers should be on a different power supply from the rest of the building
– Redundant power supplies: two or more feeds coming from two or more electrical substations
Internal Support Systems
• Power protection:
– UPS systems
• Online UPS systems
• Standby UPS systems
– Power line conditioners
– Backup sources
Internal Support Systems
• Other power terms to know:
– Ground
– Noise
– Transient noise
– Inrush current
– Clean power
– EMI
– RFI
Internal Support Systems
• Types of voltage fluctuations
– Power excess
• Spike
• Surge
– Power loss
• Fault
• Blackout
– Power degradation
• Sag/dip
• Brownout
• Inrush current
Internal Support Systems
• Environmental issues
– Positive drains
– Static electricity
– Temperature
Internal Support Systems
• Environmental issues: positive drains
– Contents flow out instead of in
– Important for water, steam, gas lines
Internal Support Systems
• Environmental Issues: Static Electricity– To prevent:
•Use antistatic flooring in data processing areas•Ensure proper humidity•Proper grounding•No carpeting in data centers•Antistatic bands
111
Internal Support Systems
• Environmental Issues: Temperature– Computing components can be affected by
temperature:• Magnetic Storage devices: 100 Deg. F.• Computer systems and peripherals: 175 Deg. F.• Paper products: 350 Deg. F.
112
Internal Support Systems
• Ventilation– Airborne materials and particle concentration
must be monitored for inappropriate levels.– “Closed Loop”– “Positive Pressurization”
113
Internal Support Systems
• Fire prevention, detection, suppression
• “Fire prevention:” Includes training employees on how to react, supplying the right equipment, enabling the fire suppression supply, and proper storage of combustible elements.
• “Fire detection:” Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc.
• “Fire suppression:” Is the use of a suppression agent to put out a fire.
Internal Support Systems
• The American Society for Testing and Materials (ASTM) is the organization that creates the standards dictating how fire-resistance rating tests should be carried out and how to properly interpret the results.
Internal Support Systems
• Fire needs oxygen and fuel to continue to grow.
• Ignition sources can include the failure of an electrical device, improper storage of materials, malfunctioning heating devices, arson, etc.
• Special note on “plenum areas:” The space above drop-down ceilings, in wall cavities, and under raised floors. Plenum areas should have fire detectors and should only use plenum-rated cabling.
Internal Support Systems
• Types of fire:
– A: Common combustibles
  • Elements: Wood products, paper, laminates
  • Suppression: Water, foam
– B: Liquid
  • Elements: Petroleum products and coolants
  • Suppression: Gas, CO2, foam, dry powders
– C: Electrical
  • Elements: Electrical equipment and wires
  • Suppression: Gas, CO2, dry powders
– D: Combustible metals
  • Elements: Magnesium, sodium, potassium
  • Suppression: Dry powder
– K: Commercial kitchens
  • Elements: Cooking oil fires
  • Suppression: Wet chemicals such as potassium acetate
Internal Support Systems
• Types of fire detectors
– Smoke activated
– Heat activated
– Know the types and properties of each general category.
Internal Support Systems
• Different types of suppression agents:
– Water
– Halon and halon substitutes
– Foams
– Dry powders
– CO2
– Soda acid
– Know suppression agent properties and the types of fires that each suppression agent combats.
– Know the types of fire extinguishers (A, B, C, D) that combat different types of fires.
Internal Support Systems
• Types of sprinklers
– Wet pipe systems (aka closed head systems)
– Dry pipe systems
– Preaction systems
– Deluge systems
Perimeter Security
• The first line of defense is perimeter control at the site location, to prevent unauthorized access to the facility.
• Perimeter security has two modes:
– Normal facility operation
– Facility closed operation
Perimeter Security
• Proximity protection components are put in place to provide the following services:
– Control of pedestrian and vehicle traffic
– Various levels of protection for different security zones
– Buffers and delaying mechanisms to protect against forced entry
– Limiting and controlling entry points
Perimeter Security
• Protection services can be provided by:
– Access control mechanisms
– Physical barriers
– Intrusion detection
– Assessment
– Response
– Deterrents
Perimeter Security
• Fences are “first line of de’fence’” mechanisms. (Small joke!)
• Varying heights, gauge, and mesh provide different security features (know them).
• Barbed wire direction makes a difference.
Perimeter Security
• Perimeter Intrusion Detection and Assessment System (PIDAS):
– A type of fencing that has sensors on the wire mesh and at the base of the fence.
– A passive cable vibration sensor sets off an alarm if an intrusion is detected.
Perimeter Security
• Gates have 4 distinct types:
– Class I: Residential usage
– Class II: Commercial usage, where general public access is expected (e.g., public parking lot, gated community, self storage facility)
– Class III: Industrial usage, where limited access is expected (e.g., warehouse property entrance not intended to serve the public)
– Class IV: Restricted access (e.g., a prison entrance that is monitored either in person or via CCTV)
Perimeter Security
• Locks are inexpensive access control mechanisms that are widely accepted and used.
• Locks are considered delaying devices.
• Know your locks!
Perimeter Security
• Types of locks
– Mechanical locks
  • Warded & tumbler
– Combination locks
– Cipher locks (aka programmable locks)
  • Smart locks
– Device locks
  • Cable locks, switch controls, slot locks, port controls, peripheral switch controls, cable traps
Perimeter Security
• Lock strengths:
– Grade 1 (commercial and industrial use)
– Grade 2 (heavy duty residential/light duty commercial)
– Grade 3 (residential and consumer expendable)
• Cylinder categories
– Low security (no pick or drill resistance)
– Medium security (some pick resistance)
– High security (pick resistance through many different mechanisms; used only in Grade 1 & 2 locks)
Perimeter Security
• Lighting
– Know lighting terms and the types of lighting to use in different situations (inside v. outside, security posts, access doors, zones of illumination).
– It is important to have the correct lighting when using various types of surveillance equipment.
– Lighting controls and switches should be in protected, locked, and centralized areas.
Perimeter Security
• “Continuous lighting:” An array of lights that provide an even amount of illumination across an area.
• “Controlled lighting:” An organization should erect lights and use illumination in such a way that it does not blind its neighbors or any passing cars, trains, or planes.
• “Standby lighting:” Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated.
• “Redundant” or “backup lighting:” Should be available in case of power failures or emergencies.
• “Response area illumination:” Takes place when an IDS detects suspicious activities and turns on the lights within the specified area.
Perimeter Security
• Surveillance devices
– These devices usually work in conjunction with guards or other monitoring mechanisms to extend their capacity.
– Know the factors in choosing CCTV: focal length, lens types (fixed v. zoom), iris, depth of field, illumination requirements.
Perimeter Security
• “Focal length:” The focal length of a lens defines its effectiveness in viewing objects from a horizontal and vertical view.
• The sizes of images that will be shown on a monitor, along with the area that can be covered by one camera, are defined by focal length.
– Short focal length = wider angle views
– Long focal length = narrower views
Perimeter Security
• “Depth of field:” Refers to the portion of the environment that is in focus.
• “Shallow depth of focus:” Provides a softer backdrop and leads viewers to the foreground object.
• “Greater depth of focus:” Not much distinction between objects in the foreground and background.
Perimeter Security
• Intrusion detection systems are used to detect unauthorized entries and to alert a responsible entity to respond.
• Know the different types of IDS systems (electro-mechanical v. volumetric) and the changes that can be detected by an IDS system.
Perimeter Security
• Patrol force and guards
– Use in areas where critical reasoning skills are required
• Auditing physical access
– Need to log and review:
  • Date & time of access attempt
  • Entry point
  • User ID
  • Unsuccessful access attempts
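As an added example (not part of the original slides), the following Python script reviews a physical access-control log for exactly the fields the slide says to log and review: date and time, entry point, user ID, and unsuccessful attempts. The log format (`timestamp,entry point,user id,GRANTED|DENIED`), the sample lines, the three-failures-in-ten-minutes threshold and the 07:00 to 19:00 "normal facility operation" window are all assumptions constructed for the example; a real badge system exports its own format.

```python
"""Added example: review a physical access log for the items the slide lists.

Assumptions (constructed for this example, not from any real system):
  - log lines are `YYYY-MM-DD HH:MM:SS,<entry point>,<user id>,<GRANTED|DENIED>`
  - a burst of FAILURE_THRESHOLD denied attempts by one user at one entry point
    inside FAILURE_WINDOW is worth a reviewer's attention
  - "normal facility operation" runs from OPEN_HOUR to CLOSE_HOUR
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)
OPEN_HOUR, CLOSE_HOUR = 7, 19

# Constructed sample log; the user ids and door names are placeholders.
SAMPLE_LOG = """\
2005-12-08 07:58:11,main-lobby,u1042,GRANTED
2005-12-08 08:02:37,server-room,u1042,DENIED
2005-12-08 08:03:05,server-room,u1042,DENIED
2005-12-08 08:03:48,server-room,u1042,DENIED
2005-12-08 08:15:00,loading-dock,u2077,GRANTED
2005-12-08 22:41:19,server-room,u3310,DENIED
"""


@dataclass
class AccessEvent:
    when: datetime        # date & time of the access attempt
    entry_point: str      # which door / gate
    user_id: str          # who presented credentials
    granted: bool         # False == unsuccessful access attempt


def parse_log(text):
    """Turn the raw export into AccessEvent records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, entry_point, user_id, result = line.split(",")
        events.append(AccessEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                  entry_point, user_id, result == "GRANTED"))
    return events


def failed_attempts(events):
    """Every unsuccessful attempt; the slide says these must be logged and reviewed."""
    return [e for e in events if not e.granted]


def repeated_failures(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Map (user_id, entry_point) -> size of the largest burst of denials within `window`."""
    by_key = defaultdict(list)
    for e in failed_attempts(events):
        by_key[(e.user_id, e.entry_point)].append(e.when)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                alerts[key] = max(alerts.get(key, 0), burst)
    return alerts


def after_hours(events, open_hour=OPEN_HOUR, close_hour=CLOSE_HOUR):
    """Attempts made while the facility is in 'closed operation' mode."""
    return [e for e in events if not (open_hour <= e.when.hour < close_hour)]


def review(text):
    """One call that produces the three things a reviewer looks at first."""
    events = parse_log(text)
    return {
        "failed": failed_attempts(events),
        "bursts": repeated_failures(events),
        "after_hours": after_hours(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for e in report["failed"]:
        print(f"DENIED  {e.when}  {e.entry_point:12}  {e.user_id}")
    for (user, door), n in report["bursts"].items():
        print(f"ALERT   {n} denials by {user} at {door} within {FAILURE_WINDOW}")
    for e in report["after_hours"]:
        print(f"CLOSED  {e.when}  {e.entry_point:12}  {e.user_id}")
```

The sliding window keeps the check linear in the number of denials per (user, door) pair, and `after_hours` ties the log back to the "two modes" slide: the same attempt means something different when the facility is closed.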
Physical Security
• Final concept to guide in assessing physical security issues on the exam:
– Deterrence
– Delay
– Detection
– Assessment
– Response
Social Engineering: A Test of Your Common Sense
Social Engineering
• Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week.
• Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you you'd better be on your toes because rumors of layoffs are floating around.
Social Engineering
• You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.
And so
• The Game Is In Play: People Are The Easiest Target
You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.
Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
Let's Take A Step Back In Time
• The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or one of the Security Consulting employees.
• You see, a firm has been hired to perform a Network Security Assessment on your company.
• In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.
Bingo - Gotcha
• The spreadsheet you opened was not the only thing executing on your computer.
• The moment you opened that file you caused a script to execute which installed a few files on your computer.
• Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer.
• Tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there.
This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered access (or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network.
• All we had to do is get someone inside to do it for us.
Welcome to Social Engineering
• What would you have done if you found a CD with this type of information on it?
• Yes, it is people who are the weakest link in any security system and Social Engineering Exploits that ---
Phisher Site Basics
• Thief sends e-mail to customer claiming to be a legitimate company which has lost the customer’s personal information
• Customer reads e-mail and goes to fake website
• Customer enters credit card or other personal information on website
• Thief steals personal information
Phisher Site E-mail Example (part 1)
From: EarthLink <[email protected]>
To: <[email protected]>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department

Dear EarthLink User,
We regret to inform you, but due to a recent system flush, the billing/personal information for your account is temporally unavailable, and we need to verify your identity.
<cont.>
Phisher Site E-mail Example (part 2)
In order to continue using your EarthLink account and keeping it active, you must provide us with your full information within 24 hours of receiving this message.
To re-enter your account information and keep your account active visit:
www.billingdepartment-el.net
Sincerely,
Sean Wright
EarthLink Billing Department
Phisher Site Example
The Real EarthLink Web Site
How to Spot Phisher Sites
Tip-offs:
• Claims of “lost” information
• Unfamiliar URL
• Asks for credit card or other personal info
• No log in or not secure
• Most companies will not do this
Tricks:
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, HTML or fax form looks legit
Tips for Avoiding Phisher Sites
• Be suspicious of email asking for credit card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP
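As an added example (not part of the original slides), the Python below turns the "tip-offs" list into a checker a help desk or mail gateway could run over a reported message: claims of lost information, urgency to keep service, requests for personal information, an unfamiliar URL, and a link that is not a secure (https) site. The message text is the slide's EarthLink example re-typed as constructed input; the sender and recipient addresses (`billing@earthlink.example`, `user@earthlink.example`) and the set of domains the recipient is assumed to do business with are placeholders, since the slide redacts the real addresses. The domain comparison takes the last two labels of the host, which is a deliberate simplification; a production check would consult the public suffix list.

```python
"""Added example: apply the phishing tip-offs from the slides to a message.

Everything here is constructed for the example: the e-mail is the slide's
sample re-typed with placeholder addresses, and KNOWN_DOMAINS is what the
recipient is assumed to actually have an account with.
"""
import re
from email import message_from_string

SAMPLE_EMAIL = """\
From: EarthLink <billing@earthlink.example>
To: <user@earthlink.example>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department

Dear EarthLink User,
We regret to inform you, but due to a recent system flush, the billing/personal
information for your account is temporally unavailable, and we need to verify
your identity. In order to continue using your EarthLink account and keeping it
active, you must provide us with your full information within 24 hours of
receiving this message.

To re-enter your account information and keep your account active visit:
www.billingdepartment-el.net

Sincerely,
Sean Wright
EarthLink Billing Department
"""

# A constructed benign message for contrast: familiar domain, https, no urgency.
BENIGN_EMAIL = """\
From: EarthLink <billing@earthlink.example>
To: <user@earthlink.example>
Subject: Your statement

Your monthly statement is available at https://www.earthlink.example/billing
after you log in with your usual credentials.
"""

KNOWN_DOMAINS = {"earthlink.example"}   # assumption: the recipient's real provider

# One pattern per tip-off from the slide.
LOST_INFO = re.compile(r"\b(lost|unavailable|system flush|verify your identity)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|suspended|keep (?:your|it) [\w ]*?active)\b", re.I)
PERSONAL_INFO = re.compile(r"\b(credit card|password|social security|full information|account information)\b", re.I)
URL = re.compile(r"\b(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})\b(?:/\S*)?", re.I)


def registered_domain(host):
    """Crude registrable-domain guess: last two labels (simplification, see lead-in)."""
    return ".".join(host.lower().split(".")[-2:])


def check_message(raw, known_domains=KNOWN_DOMAINS):
    """Return the list of tip-offs found; an empty list means none of them fired."""
    body = message_from_string(raw).get_payload()
    findings = []
    if LOST_INFO.search(body):
        findings.append("claims information was lost or needs verifying")
    if URGENCY.search(body):
        findings.append("prompts you to act quickly to keep service")
    if PERSONAL_INFO.search(body):
        findings.append("asks for personal information")
    for m in URL.finditer(body):
        full, host = m.group(0), m.group(1)
        if registered_domain(host) not in known_domains:
            findings.append(f"unfamiliar URL: {host}")
        if not full.lower().startswith("https://"):
            findings.append(f"link is not a secure (https) site: {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        hits = check_message(raw)
        print(f"{name}: {len(hits)} tip-off(s)")
        for h in hits:
            print("  -", h)
```

Each finding maps to one bullet on the slide, so the output doubles as the explanation a user gets back when they report a message; the benign message produces no findings because the link is on a familiar domain over https and nothing in the text asks for information or sets a deadline.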
Federal Trade Commission: Identity Theft Data Clearinghouse Complaints (1)

Year      Complaints
CY-1999   1,380
CY-2000   31,117
CY-2001   86,197
CY-2002   161,886
CY-2003   210,000 (projected) (2)

Projected cumulative complaint count 1999-2003: 490,000

(1) Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
(2) Projections for calendar year 2003 are based on complaints received from January through June 2003.

Federal Trade Commission: Consumer Sentinel Complaints (1)

Year      Identity theft complaints   Fraud complaints   Total
CY-2000   31,117                      107,890            139,007
CY-2001   86,197                      133,891            220,088
CY-2002   161,886                     218,284            380,170

(1) Percentages are based on the total number of Consumer Sentinel complaints by calendar year.

Federal Trade Commission
1-877-IDTHEFT
1-877-FTC-HELP
www.consumer.gov/idtheft
www.consumer.gov/sentinel
And Another
• The easiest way to break into any computer system is to use a valid username and password, and the easiest way to get that information is to ask someone for it.
The Beginning
• Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hacker (or phone phreak, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.
In Reality
• Social engineering is probably as old as speech, and goes back to the first lie.
• It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and/or insistent.
• No amount of technology can protect you against a social engineering attack.
So How Do You Protect Yourself from Yourself?
• Recognizing an attack
– You can prepare your organization by teaching people how to recognize a possible social engineering attack. Do we have a Cyber Security & Ethics 101 class?
• Prevent a successful attack
– You can prepare a defense against this form of social engineering by including instructions in your security policy for handling it.
So How Do You Protect Yourself from Yourself?
• Create a response plan
– Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information.
• Implement and monitor the response plan, and continue to reinforce it with training.
Target And Attack
• The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
• Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals.
• The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.
And Another
• One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network.
• How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises.
And so on…
• For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
And so on…
• The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer.
• They dug through the corporate trash, finding all kinds of useful documents.
• They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands.
• The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
Common Techniques
• Social engineering by phone
• Dumpster diving
• On-line social engineering
• Persuasion
• Reverse social engineering
• And many more….
Defining The Term "Social Engineering"
• In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information.
• Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible.
• Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.
• The prey is not just you but your children and elders as well.
A Challenge to the CSU
• This is the 21st Century, the time of cyberspace.
• Why is there no formal GE requirement for cybersecurity and ethics, which can be taught not only at the CSU level but at the CC level as well?
• Why don’t we extend this education to K-12 and senior centers as well?
Mt. SAC and Cal Poly Efforts
• NSF Grant Project – Establishment of a Regional Information Systems Security Center (RISSC see http://rissc.mtsac.edu/RISSC_NEW/default.asp )
• Cal Poly’s Participation in the Title V Grant and development of Network Security curriculum
• Cal Poly Pomona’s Establishment of a Center for Information Assurance (see http://www.bus.csupomona.edu/cfia.asp )
Please join US for
• Information Assurance Symposium: Building Information Assurance Capacity and Improving Infrastructure at Minority Serving Institutions
December 8 - 10, 2005, Cal Poly Pomona, 8:30 a.m. - 5:00 p.m.
Contribute to:
• Information sharing
• Curriculum development
• Awareness, knowledge and development of initiatives to help others around us be better at practicing good security techniques
• Our thanks to Educause, ISACA, ISSA, IIA and HTCIA for their support
Building a Successful Security Infrastructure
Ten Security Domains:
• Application/System Security
• Operations Security
• Telecommunication & Network Security
• Physical Security
• Cryptography
• Security Architecture
• Security Management
• Access Control
• Law, Investigations, and Ethics
• Business Continuation & Disaster Recovery Planning
Group Discussion
• Cryptography
• Law, Investigations & Ethics
• Access Control Systems & Methodology
• Security Management Practices
• Security Architecture & Models
• Physical Security
• Business Continuity & Disaster Recovery Planning
• Operations Security (Computers)
• Application & Systems Development
• Telecommunications & Network Security
Security Infrastructure
• Cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.
Security Infrastructure
• Law, Investigation, and Ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.
Security Infrastructure
• Access Control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
Security Infrastructure
• Security Management Policies, Standards, and Organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.
Secured Infrastructure: People/Organization, Technologies, Processes, Policies
Security Challenges?
Security Infrastructure
• Security Architecture. Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, as well as implementing system security to ensure that mechanisms are used to maintain the security of system programs.
Security Architecture
• Cryptography: Public Key (RSA), X.509 Certificates, Digital Signatures, Digital Envelopes, Hashing/Message Digest, Symmetric Encryption, Certificate Authorities
• Security Infrastructure: DNS, DMZ, Firewalls, Directory Services, IDS, Virus Checkers, VPN, PKI, NAT, RADIUS, Remote Access, Web Servers, DHCP, Wireless
• Application: Single Sign On, Kerberos/DCE, Mixed/Integrated Security, Smart Cards, Cryptographic APIs, PDAs (PocketPC, Palm Pilots)
• Domain Trust Management: Directional Trust, Transitive Trust, Kerberos, NTLM
• Security Services Protocols: IPSEC, SSL/TLS, Kerberos, L2TP, PPTP, PPP, etc.
• Security Goals: Authentication, Auditing, Availability, Authorization, Privacy, Integrity, Non-Repudiation
• Security Attacks: Viruses, Trojan Horses, Bombs/Worms, Spoofing/Smurf, Sniffing and Tapping, DOS, etc.
Security Infrastructure
• Physical Security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.
Security Infrastructure• Business Continuity Planning and Risk Management. Risk
management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
Security Infrastructure
• Operations Security (Computer). Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included, notably: operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
Security Infrastructure
• Application and System Development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
Security Infrastructure
• Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.
Multiple Combined Security Strategies
• External border network perimeter security
• Internal network (LAN/WAN) perimeter security
• Server security
• Desktop security
• User/social engineering security
Ten (10) Security Strategies
• Least Privilege: This principle means that any object (e.g., user, administrator, program, system) should have only the security privileges required to perform its assigned tasks.
• Defense in Depth: This principle recommends that multiple layers of security defense be implemented. They should back each other up.
• Choke Point: Forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.
• Weakest Link: This principle suggests that attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.
• Fail-Safe Stance: In the event your system fails, it should fail in a position that denies access to resources. Most systems will adhere to a deny stance or permit stance.
• Universal Participation: To achieve maximum effectiveness, security systems should require the participation of all personnel.
• Diversity of Defense: This principle suggests that security effectiveness is also dependent on the implementation of similar products from different vendors. (This includes circuit diversity.)
• Simplicity: This principle suggests that simple things are easier to manage.
• Security through Obsolescence: This principle suggests that by implementing old technology no one will have the knowledge to compromise the system.
• Security through Obscurity: This principle recommends the hiding of things as a form of protection.
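As an added example (not part of the original slides), the Python below shows the Fail-Safe Stance, Least Privilege and Choke Point strategies in one authorization check. All access decisions go through a single `authorize()` function (the choke point); the policy grants each principal only what its job needs (least privilege); and when the policy store cannot be read, the deny stance refuses while the permit stance lets everything through. The principals, privileges and the `policy is None` outage simulation are constructed for the example.

```python
"""Added example: deny stance vs. permit stance in an authorization check.

Constructed for this example: the principals, privilege names, and the use of
`policy is None` to stand in for an unreachable policy store.
"""
from typing import Dict, NamedTuple, Optional, Set


class PolicyUnavailable(Exception):
    """The policy store could not be consulted (outage, corrupt data, timeout)."""


class Decision(NamedTuple):
    allowed: bool
    reason: str


# Least privilege: every principal holds only what its job requires, and
# nothing is granted "by default".
POLICY: Dict[str, Set[str]] = {
    "backup-svc": {"read:db"},
    "dba":        {"read:db", "write:db"},
    "web-app":    {"read:db"},
}


def lookup(policy: Optional[Dict[str, Set[str]]], principal: str) -> Optional[Set[str]]:
    """Fetch a principal's grants; `policy is None` simulates an unreachable store."""
    if policy is None:
        raise PolicyUnavailable("policy store unreachable")
    return policy.get(principal)


def authorize(policy, principal: str, privilege: str, fail_safe: bool = True) -> Decision:
    """The one choke point every access request passes through.

    fail_safe=True  -> deny stance: only an explicit grant that was actually
                       read from the store yields "allowed".
    fail_safe=False -> permit stance: anything not explicitly denied gets
                       through, including the outage case.
    """
    try:
        grants = lookup(policy, principal)
    except PolicyUnavailable as exc:
        if fail_safe:
            # Fail closed. Operationally this should also raise an alert:
            # a burst of these denials means the store is down, not an attack.
            return Decision(False, f"policy unavailable, denied by default ({exc})")
        return Decision(True, f"policy unavailable, permitted by default ({exc})")

    if grants is None:
        # Unknown principal: under least privilege it holds nothing.
        return Decision(not fail_safe, "principal not in policy")
    if privilege in grants:
        return Decision(True, "explicit grant")
    return Decision(False, "no grant for requested privilege")


def access_matrix(policy, principals, privileges, fail_safe=True):
    """Decision table; useful when reviewing what a policy actually permits."""
    return {
        (p, priv): authorize(policy, p, priv, fail_safe).allowed
        for p in principals
        for priv in privileges
    }


if __name__ == "__main__":
    for stance in (True, False):
        label = "deny stance" if stance else "permit stance"
        print(f"{label}, store reachable:   dba write:db ->",
              authorize(POLICY, "dba", "write:db", stance))
        print(f"{label}, store reachable:   web-app write:db ->",
              authorize(POLICY, "web-app", "write:db", stance))
        print(f"{label}, store unreachable: dba read:db ->",
              authorize(None, "dba", "read:db", stance))
```

The two stances agree whenever the store answers; they diverge only on failure and on unknown principals, which is exactly where the slide's "fail in a position that denies access" rule earns its keep. The `reason` field is what should land in the audit log, so a reviewer can tell a denial caused by an outage from one caused by policy.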
Security Requirements
• Authentication
• Availability
• Auditing
• Authorization
• Privacy/Confidentiality
• Integrity
• Non-repudiation
(Mnemonic: 4APIN)
Stages of Information and Classification
• Disseminate
• Process
• Accumulate (Collect)
• Store
• Transmit
(Mnemonic: D-PAST)
N-Factor Authentication Methods
• Someplace where you are located (SITE).
• Something that you HAVE.
• Something that you ARE.
• Something that you NEED.
• Something that you KNOW.
(Mnemonic: SHANK)
TLC’s Security Stoplight Chart
Security Assurance Domains (each rated Red / Yellow / Green):
1. Cryptography
2. Law, Investigations & Ethics
3. Access Control Systems & Methodology
4. Security Management Practices
5. Security Architecture & Models
6. Physical Security
7. Business Continuity & Disaster Recovery Planning
8. Operations Security (Computers)
9. Application & Systems Development
10. Telecommunications & Network Security
Security Controls
• Types of control:
– Preventive
– Detective
– Corrective
– Deterrent
– Recovery
– Compensating
Questions/Answers
Security Infrastructure