Terrence V. Lillard T. Lillard Consulting, Inc. Building a Successful Security Infrastructure.

Date posted: 19-Dec-2015

Transcript of Terrence V. Lillard T. Lillard Consulting, Inc. Building a Successful Security Infrastructure.

Page 1:

Terrence V. Lillard
T. Lillard Consulting, Inc.

Building a Successful Security Infrastructure

Page 2:

Security Domains

Application/System Security
Operations Security
Telecommunication & Network Security
Physical Security
Cryptography
Security Architecture
Security Management
Access Control
Law, Investigations, and Ethics
Business Continuation & Disaster Recovery Planning

Ten Security Domains

Page 3:

Cryptography
Law, Investigations & Ethics
Access Control Systems & Methodology
Security Management Practices
Security Architecture & Models
Physical Security
Business Continuity & Disaster Recovery Planning
Operations Security (Computers)
Application & Systems Development
Telecommunications & Network Security

Group Discussion

Page 4:

Security Infrastructure

Cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Page 5:

Security Infrastructure

Law, Investigation, and Ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Page 6:

Security Infrastructure

Access Control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

Page 7:

Security Infrastructure

Security Management Policies, Standards, and Organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Page 8:

People/Organization
Technologies
Processes
Policies

Secured Infrastructure

Security Challenges?

Page 9:

Security Infrastructure

Security Architecture. Security architecture involves the aspects of computer organization and configuration that are employed to achieve computer security. It also involves implementing system security so that mechanisms are used to maintain the security of system programs.

Page 10:

Cryptography: Public Key (RSA); X.509 Certificates; Digital Signatures; Digital Envelopes; Hashing/Message Digest; Symmetric Encryption; Certificate Authorities

Security Infrastructure: DNS; DMZ, Firewalls; Directory Services; IDS; Virus Checkers; VPN; PKI; NAT; RADIUS, Remote Access; Web Servers; DHCP; Wireless

Application: Single Sign On; Kerberos/DCE; Mixed/Integrated Security; Smart Cards; Cryptographic APIs; PDAs (PocketPC, Palm Pilots)

Domain Trust Management: Directional Trust; Transitive Trust; Kerberos; NTLM

Security Services

Protocols: IPSEC; SSL/TLS; Kerberos; L2TP; PPTP; PPP; Etc.

Security Goals: Authentication; Auditing; Availability; Authorization; Privacy; Integrity; Non-Repudiation

Security Attacks: Viruses; Trojan Horses; Bombs/Worms; Spoofing/Smurf; Sniffing and Tapping; DOS; Etc.

Security Architecture

Page 11:

Security Infrastructure

Physical Security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Page 12:

Security Infrastructure

Business Continuity Planning and Risk Management. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

Page 13:

Security Infrastructure

Operations Security (Computer). Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

Page 14:

Security Infrastructure

Application and System Development. Application and system security involves the controls placed within the application and system programs to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

Page 15:

Security Infrastructure

Telecommunications & Network Security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Page 16:

Multiple Combined Security Strategies

External Border Network Perimeter Security
Internal Network (LAN/WAN) Perimeter Security
Server Security
Desktop Security
User/Social Engineering Security

Page 17:

Security Strategies | Description

Least Privilege | This principle means that any object (e.g., user, administrator, program, system) should have only the necessary security privilege required to perform its assigned tasks.

Defense in Depth | This principle recommends that multiple layers of security defense be implemented. They should back each other up.

Choke Point | Forces everyone to use a narrow channel, which you can monitor and control. A firewall is a good example.

Weakest Link | This principle suggests that attackers seek out the weakest link in your security. As a result, you need to be aware of these weak links and take steps to eliminate them.

Fail-Safe Stance | In the event your system fails, it should fail in a position that denies access to resources. Most systems will adhere to a deny stance or permit stance.

Universal Participation | To achieve maximum effectiveness, security systems should require participation of all personnel.

Diversity of Defense | This principle suggests that security effectiveness is also dependent on the implementation of similar products from different vendors. (This includes Circuit Diversity.)

Simplicity | This principle suggests that by implementing simple things it is easier to manage.

Security through Obsolescence | This principle suggests that by implementing old technology no one will have the knowledge to compromise the system.

Security through Obscurity | This principle recommends the hiding of things as a form of protection.

Ten (10) Security Strategies

Page 18:

Security Requirements

Authentication
Availability
Auditing
Authorization
Privacy/Confidentiality
Integrity
Non-repudiation

Page 19:

Stages of Information and Classification

Disseminate
Process
Accumulate (Collect)
Store
Transmit

Page 20:

N-Factor Authentication Methods

Someplace where you are located (SITE).
Something that you HAVE.
Something that you ARE.
Something that you NEED.
Something that you KNOW.

Page 21:

Security Assurance Domains | Red | Yellow | Green

1. Cryptography | | |
2. Law, Investigations & Ethics | | |
3. Access Control Systems & Methodology | | |
4. Security Management Practices | | |
5. Security Architecture & Models | | |
6. Physical Security | | |
7. Business Continuity & Disaster Recovery Planning | | |
8. Operations Security (Computers) | | |
9. Application & Systems Development | | |
10. Telecommunications & Network Security | | |

TLC’s Security Stoplight Chart

Page 22:

Security Controls

Types of Control

Preventive
Detective
Corrective
Deterrent
Recovery
Compensating

Page 23:

Questions/Answers

Security Infrastructure