Fundamentals of Information Systems Security (presentation transcript)

Slide 1: Fundamentals of Information Systems Security
Lesson 1: Information Systems Security
Slide 2: Learning Objective
Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
Slide 3: Key Concepts
- Confidentiality, integrity, and availability (C-I-A) concepts
- Layered security solutions implemented for the seven domains of a typical IT infrastructure
- Common threats for each of the seven domains
- IT security policy framework
- Impact of the data classification standard on the seven domains
Slide 5: Introducing ISS
- Information is a person's private data, a company's intellectual property, or a country's national security interest.
- Information systems are the hardware, operating system software, and applications that make up a system to provide access to information.
- ISS (information systems security) protects the system and the information stored in the system. It also enables transmission and archival of information, and it takes care of the accessibility of information to users. ISS deals with risks, threats, and vulnerabilities.
Slide 8: Confidentiality
Personal data and information:
- Credit card account numbers and bank account numbers
- Social security numbers and address information
Intellectual property:
- Copyrights, patents, and secret formulas
- Source code, customer databases, and technical specifications
National security:
- Military intelligence
- Homeland security and government-related information
Slide 9: Integrity
Maintain valid, uncorrupted, and accurate information:
- User names and passwords
- Patents and copyrights
- Source code
- Diplomatic information
- Financial data
Slide 12: Availability
Availability refers to the measurement of time applied to how and whether systems, applications, and data can be used. Availability measurements include the following:
- Uptime: The total amount of time that a system, application, and data are available for use. It is typically measured in seconds, minutes, and hours per calendar month.
- Downtime: The total amount of time that a system, application, or data is not available. This is also measured in seconds, minutes, and hours per calendar month.
- Availability: (Total Uptime) divided by (Total Uptime + Total Downtime)
- Mean Time to Failure (MTTF): The average amount of time between failures for a particular system. MTTF varies according to the type of system being measured.
- Mean Time to Repair (MTTR): The average amount of time it takes to repair a system, application, or component.
- Recovery Time Objective (RTO): The amount of time it takes to recover and make systems, applications, and data available after an outage.
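The measurements above are easiest to understand when computed from a real outage record. The following is an added example, not part of the slides: it takes a constructed outage log for one calendar month (the timestamps, the month, and the one-hour RTO are assumptions) and derives uptime, downtime, availability, MTTR and MTTF exactly as the slide defines them, then lists the outages that missed the RTO.

```python
from datetime import datetime

# Constructed outage log for April 2017 (an assumption, not data from the slides):
# each record is one failure with the time it began and the time repair completed.
OUTAGES = [
    ("2017-04-03T02:15:00", "2017-04-03T03:45:00"),   # 90 minutes
    ("2017-04-12T14:00:00", "2017-04-12T14:30:00"),   # 30 minutes
    ("2017-04-25T09:10:00", "2017-04-25T10:10:00"),   # 60 minutes
]
PERIOD_START = "2017-04-01T00:00:00"
PERIOD_END = "2017-05-01T00:00:00"    # exclusive end of the calendar month


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def availability_metrics(outages, period_start, period_end):
    """Compute the slide's measurements for one reporting period, in hours."""
    start, end = _ts(period_start), _ts(period_end)
    total_h = (end - start).total_seconds() / 3600
    repair_times = []
    for began, repaired in outages:
        # clip each outage to the reporting period
        b, r = max(_ts(began), start), min(_ts(repaired), end)
        if r > b:
            repair_times.append((r - b).total_seconds() / 3600)
    downtime_h = sum(repair_times)
    uptime_h = total_h - downtime_h
    failures = len(repair_times)
    return {
        "uptime_hours": uptime_h,
        "downtime_hours": downtime_h,
        # Availability = Total Uptime / (Total Uptime + Total Downtime)
        "availability": uptime_h / (uptime_h + downtime_h),
        # MTTR: average time it took to repair one failure
        "mttr_hours": downtime_h / failures if failures else 0.0,
        # MTTF: average operating time between failures (uptime spread over the failures)
        "mttf_hours": uptime_h / failures if failures else float("inf"),
        "failures": failures,
    }


def rto_misses(outages, rto_hours):
    """Return the outages whose time to restore service exceeded the Recovery Time Objective."""
    return [
        (b, r) for b, r in outages
        if (_ts(r) - _ts(b)).total_seconds() / 3600 > rto_hours
    ]


if __name__ == "__main__":
    m = availability_metrics(OUTAGES, PERIOD_START, PERIOD_END)
    print(f"availability {m['availability']:.4%}, MTTR {m['mttr_hours']:.2f} h, "
          f"MTTF {m['mttf_hours']:.1f} h over {m['failures']} failures")
    print("RTO (1 h) missed by:", rto_misses(OUTAGES, 1.0))
```

With three outages totalling three hours in a 720-hour month, availability is 717/720 (about 99.58%), MTTR is one hour, and MTTF is 239 hours; only the 90-minute outage misses a one-hour RTO. The clipping step matters in practice: an outage that straddles the month boundary would otherwise be counted in full in both months.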
Slide 13: Risks, Threats, and Vulnerabilities
- Risk: The likelihood that something bad will happen to an asset (e.g., losing data, losing business after a disaster, failing to comply with laws or regulations).
- Threat: Any action that could damage an asset (e.g., theft, fire, hacking).
- Vulnerability: A weakness that allows a threat to be realized or have an effect on an asset (e.g., not painting the walls of the computer center with material that withstands fire).
Slide 14: Compliance Laws Driving ISS
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Children's Internet Protection Act (CIPA)

Slide 15: Compliance Laws Driving ISS
Corporations and other entities must comply with a number of U.S. and international regulations related to data and privacy. More focus on compliance means more focus on information security, driving the demand for security professionals.
- HIPAA requires healthcare providers to secure patient data.
- SOX requires corporations to produce accurate and reliable financial reports. It requires direct security controls to protect the integrity of reporting.
- CIPA requires public schools to use and enforce an Internet safety policy.
Slide 16: IT Security Policy Framework
An IT security policy framework is a hierarchical framework for documenting and implementing a set of IT security policies.
- Policy: A short written statement that defines a course of action that applies to the entire organization
- Standard: A detailed written definition of how software and hardware are to be used
- Procedure: Written instructions for how to use the policy and standard
- Guideline: Suggested course of action for using the policy, standard, or procedure
Slide 17: Seven Domains of a Typical IT Infrastructure

Slide 18: Seven Domains of a Typical IT Infrastructure
- User domain: Made up of typical IT users and the hardware, software, and data they use
- Workstation domain: The "desktop domain" where most users enter the IT infrastructure
- LAN domain: Small network organized by function or department, allowing access to all resources on the LANs
- LAN-to-WAN domain: The point at which the IT infrastructure joins a WAN and the Internet
- WAN domain: The point at which the WAN connects to other WANs via the Internet
- Remote Access domain: Connects remote employees and partners to the IT infrastructure
- Systems/Applications domain: Holds all of the mission-critical systems, applications, and data
Slide 19: Common Threats in the User Domain
- Lack of user awareness
- User apathy toward policies
- User violating security policy
- User inserting CD/DVD/USB with personal files
Slide 20: Mitigation of Common Threats in the User Domain
- Lack of user awareness: Conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send reminders to employees.
- User apathy toward policies: Conduct annual security awareness training, implement an AUP, update the staff manual and handbook, and discuss status during performance reviews.
- User violating security policy: Place the employee on probation, review the AUP and employee manual, and discuss status during performance reviews.
- User inserting CD/DVD/USB with personal files: Enable automatic antivirus scans for inserted media drives, files, and attachments. An antivirus scanning system examines all new files on your computer's hard drive for viruses. Enable antivirus scanning for e-mails with attachments.
Slide 21: Common Threats in the User Domain (Continued)
- User downloading photos, music, or videos
- User destroying systems, applications, and data
- Disgruntled employee attacking the organization or committing sabotage
- Employee blackmail or extortion
Slide 22: Mitigation of Common Threats in the User Domain (Continued)
- User downloading photos, music, or videos: Enable content filtering and antivirus scanning on attachments. Content filtering security appliances are configured to permit or deny specific domain names in accordance with the AUP definition.
- User destroying systems, applications, and data: Restrict access for users to only those systems, applications, and data needed to perform their job. Minimize write or delete permissions to the data owner only.
- Disgruntled employee attacking the organization or committing sabotage: Track and monitor abnormal employee behavior, erratic job performance, and use of the IT infrastructure during off-hours. Begin IT access control lockout procedures based on AUP monitoring and compliance.
- Employee blackmail or extortion: Track and monitor abnormal employee behavior and use of the IT infrastructure during off-hours. Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee positions and access. IDS/IPS security appliances examine the Internet Protocol (IP) data streams for inbound and outbound traffic. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic per policy definition.
Slide 23: Common Threats in the Workstation Domain
- Unauthorized workstation access
- Unauthorized access to systems, applications, and data
- Desktop or laptop operating system vulnerabilities
- Desktop or laptop application software vulnerabilities or patches
Slide 24: Mitigation of Common Threats in the Workstation Domain
- Unauthorized workstation access: Enable password protection on workstations for access.
- Unauthorized access to systems, applications, and data: Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user's right to gain access.
- Desktop or laptop operating system vulnerabilities: Define a workstation operating system vulnerability window policy. A vulnerability window is the gap in time that you leave a computer unpatched with a security update. Start periodic workstation domain vulnerability tests to find gaps.
- Desktop or laptop application software vulnerabilities or patches: Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines.
Slide 25: Common Threats in the Workstation Domain (Continued)
- Viruses, malicious code, and other malware
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
Slide 26: Mitigation of Common Threats in the Workstation Domain (Continued)
- Viruses, malicious code, and other malware: Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and updates individual workstations with proper protection.
- User inserting CD/DVD/USB with personal files: Deactivate all CD-ROM, DVD, and USB ports. Enable automatic virus scans for all inserted media containing files.
- User downloading photos, music, or videos: Enable user content filtering and antivirus scanning at Internet entry and exit points. Enable workstation auto-scans and auto-quarantine for unknown file types.
Slide 27: Common Threats in the LAN Domain
- Unauthorized physical access to the LAN
- Unauthorized access to systems, applications, and data
- LAN server operating system vulnerabilities
- LAN server application software vulnerabilities and software patch updates
Slide 28: Mitigation of Common Threats in the LAN Domain
- Unauthorized physical access to the LAN: Make sure wiring closets, data centers, and computer rooms are secure. No access is granted without proper credentials.
- Unauthorized access to systems, applications, and data: Strict access control policies, standards, procedures, and guidelines should be implemented. Second-level identity verification is required to access sensitive systems, applications, and data.
- LAN server operating system vulnerabilities: Define vulnerability window policies, standards, procedures, and guidelines. Conduct LAN domain vulnerability assessments.
- LAN server application software vulnerabilities and software patch updates: Define a strict software vulnerability window policy requiring quick software patching.
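Both the workstation slides and the LAN server slides above ask for a vulnerability window policy, that is, a limit on how long a host may stay unpatched after a security update is released. The following added example (not from the slides) shows what enforcing such a policy looks like as a check over a patch inventory: the window lengths per severity, the host names, the patch identifiers and the dates are all constructed assumptions. It flags hosts that are still unpatched past their window as well as hosts that were patched but only after the window had closed, which is the gap the periodic vulnerability tests on the slides are meant to find.

```python
from datetime import date

# Assumed policy: maximum days a host may remain unpatched, by patch severity
# (the slides do not give numbers; these are placeholders for a real policy).
VULNERABILITY_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed inventory records (host, domain, patch id placeholder, severity,
# release date, install date or None if still unpatched). Not real data.
INVENTORY = [
    ("ws-101",     "workstation", "PATCH-A", "critical", date(2017, 4, 1), date(2017, 4, 5)),
    ("ws-102",     "workstation", "PATCH-A", "critical", date(2017, 4, 1), None),
    ("lan-srv-01", "lan",         "PATCH-B", "high",     date(2017, 3, 1), date(2017, 4, 10)),
    ("lan-srv-02", "lan",         "PATCH-C", "medium",   date(2017, 2, 1), None),
]


def exposure_days(released, installed, today):
    """Days the host was (or still is) exposed: release date until install date or today."""
    end = installed if installed is not None else today
    return (end - released).days


def find_window_violations(inventory, policy, today):
    """Return every inventory record whose exposure exceeds the policy window for its severity."""
    violations = []
    for host, domain, patch, severity, released, installed in inventory:
        exposed = exposure_days(released, installed, today)
        limit = policy[severity]
        if exposed > limit:
            violations.append({
                "host": host,
                "domain": domain,
                "patch": patch,
                "severity": severity,
                "days_exposed": exposed,
                "limit": limit,
                # an open violation needs action now; a late patch needs a process review
                "status": "unpatched" if installed is None else "patched_late",
            })
    return violations


if __name__ == "__main__":
    for v in find_window_violations(INVENTORY, VULNERABILITY_WINDOW_DAYS, date(2017, 4, 13)):
        print(f"{v['host']:<11} {v['domain']:<12} {v['patch']} {v['severity']:<8} "
              f"exposed {v['days_exposed']:>3} d (limit {v['limit']} d) {v['status']}")
```

Run against the constructed inventory on 13 April 2017, the check reports ws-102 (a critical patch open for 12 days against a 7-day window) and lan-srv-01 (a high patch installed 40 days after release against a 30-day window); the other two hosts are inside their windows.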
Slide 29: Common Threats in the LAN Domain (Continued)
- Rogue users on WLANs
- Confidentiality of data on WLANs
- LAN server configuration guidelines and standards
Slide 30: Mitigation of Common Threats in the LAN Domain (Continued)
- Rogue users on WLANs: Eliminate rogue users from unauthorized access. Use WLAN network keys that require a password for wireless access. Turn off broadcasting on wireless access points (WAPs). Enable second-level authentication prior to granting WLAN access.
- Confidentiality of data on WLANs: Maintain confidentiality of data transmissions. Implement encryption between the workstation and the WAP to maintain confidentiality.
- LAN server configuration guidelines and standards: LAN servers have different hardware, operating systems, and software, making it difficult to manage and troubleshoot them consistently.
Slide 31: Common Threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning
- Unauthorized access
- Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability
- Local users downloading unknown file types from unknown sources
Slide 32: Mitigation of Common Threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning: Disable ping, probing, and port scanning on all exterior IP devices within the LAN-to-WAN domain. Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply protocol. Disallow IP port numbers used for probing and scanning and monitor with an intrusion detection system/intrusion prevention system (IDS/IPS).
- Unauthorized access: Apply strict security monitoring controls for intrusion detection and prevention. Monitor traffic and block it right away if malicious.
- IP router, firewall, and network appliance operating system vulnerability: Define a strict zero-day vulnerability window definition. Update devices with security fixes and software patches right away.
- Local users downloading unknown file types from unknown sources: Apply file transfer monitoring, scanning, and alarming for unknown file types/sources.
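The first mitigation above relies on IDS/IPS monitoring to notice probing and port scanning at the exterior devices. The following added example (not from the slides or any IDS product) shows the core of such a detector run over constructed firewall log lines: it raises an alert when one source address reaches an unusually large number of distinct destination ports within a short window, and separately counts ICMP echo-requests per source, which is the ping traffic the slide says to watch. The log layout, the addresses, the 60-second window and the 10-port threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters (not from the slides).
SCAN_WINDOW = timedelta(seconds=60)
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source within the window

# Constructed firewall log lines; the key=value layout is an assumption, not a
# real product's format. Two normal HTTPS connections, one ping probe, and one
# exterior host sweeping 20 ports on the same target within 20 seconds.
FIREWALL_LOG = [
    "2017-04-13T09:59:30 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 action=allow",
    "2017-04-13T09:59:50 src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 action=allow",
    "2017-04-13T10:00:05 src=203.0.113.9 dst=192.0.2.10 proto=icmp type=echo-request action=deny",
] + [
    f"2017-04-13T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.10 proto=tcp dport={20 + i} action=deny"
    for i in range(20)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"(?:dport=(?P<dport>\d+)|type=(?P<type>\S+)) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_port_scans(lines, window=SCAN_WINDOW, threshold=SCAN_PORT_THRESHOLD):
    """Return {src: peak distinct (dst, port) pairs within one window} for sources
    at or above the threshold; everything below it is treated as normal traffic."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] is not None:
            by_src[rec["src"]].append((rec["ts"], rec["dst"], int(rec["dport"])))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak, j = 0, 0
        for i, (ts, _, _) in enumerate(events):
            while ts - events[j][0] > window:   # slide the window start forward
                j += 1
            distinct = {(dst, port) for _, dst, port in events[j:i + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def count_icmp_echo_requests(lines):
    """Count ICMP echo-requests (ping probes) per source address."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "icmp" and rec["type"] == "echo-request":
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("port-scan alerts:", detect_port_scans(FIREWALL_LOG))
    print("ping probes:", count_icmp_echo_requests(FIREWALL_LOG))
```

On the constructed log the sweep from 203.0.113.5 is reported with 20 distinct ports while the repeated HTTPS connections from 198.51.100.7 are not, since they touch a single port. The threshold is the tuning knob: too low and a busy legitimate client that talks to several services trips it, too high and a slow scan spread across windows goes unnoticed.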
Slide 33: Common Threats in the WAN Domain
- Open, public, and accessible data
- Most of the traffic being sent as clear text
- Vulnerable to eavesdropping
- Vulnerable to malicious attacks
- Vulnerable to denial of service (DoS) and distributed denial of service (DDoS) attacks
Slide 34: Mitigation of Common Threats in the WAN Domain
- Open, public, and accessible data: Apply AUPs modeled after RFC 1087, Ethics and the Internet.
- Most of the traffic being sent as clear text: Stop the use of the Internet for private communications unless encryption and virtual private network (VPN) tunnels are used. Enforce the organization's data classification standard.
- Vulnerable to eavesdropping: Use encryption and VPN tunneling for secure IP communications.
- Vulnerable to malicious attacks: Deploy layered LAN-to-WAN security countermeasures.
- Vulnerable to DoS and DDoS attacks: Apply filters on exterior IP stateful firewalls and IP router WAN interfaces.
Slide 35: Common Threats in the WAN Domain (Continued)
- Vulnerable to corruption of information and data
- Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
- Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly
Slide 36: Mitigation of Common Threats in the WAN Domain (Continued)
- Vulnerable to corruption of information and data: Encrypt IP data transmission with VPNs. Back up and store data in offline data vaults. Test regularly.
- Insecure TCP/IP applications: Never use TCP/IP applications for private transmission without proper encryption. Create a network management Virtual LAN (VLAN).
- Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly: Scan all attachments for type, antivirus, and malicious software at the LAN-to-WAN domain.
Slide 37: Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks
- Multiple logon retries and access control attacks
- Unauthorized remote access to IT systems, applications, and data
- Confidential data compromised remotely
- Data leakage in violation of data classification standards
Slide 38: Mitigation of Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks: Define user ID and password policy definitions. Passwords must be strictly more than eight characters and alphanumeric.
- Multiple logon retries and access control attacks: Set automatic blocking after repeated failed logon retries.
- Unauthorized remote access to IT systems, applications, and data: Apply first-level and second-level security for remote access to sensitive systems and data.
- Confidential data compromised remotely: Encrypt all confidential data in the database or on the hard drive. If the data is stolen, it is encrypted and cannot be used.
- Data leakage in violation of data classification standards: Apply security countermeasures in the LAN-to-WAN domain.
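The first two mitigations above are a password policy and automatic blocking after repeated failed logons. The following added example (not from the slides) implements both against constructed remote-access log lines: the password check applies the slide's rule (more than eight characters, alphanumeric, read here as containing both letters and digits), and the lockout logic locks an account once it accumulates a set number of failures inside a retry window and rejects every further attempt, even a correct password, until the lockout expires. The log format, the account names, the five-retry limit, the ten-minute window and the thirty-minute lockout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (the slides name the controls but not the numbers).
MAX_FAILED_RETRIES = 5
RETRY_WINDOW = timedelta(minutes=10)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed remote-access log: one account hit by a run of failed logons, one
# account that mistypes once and then succeeds. The layout is an assumption.
AUTH_LOG = """\
2017-04-13T10:00:00 user=jdoe src=203.0.113.5 result=FAIL
2017-04-13T10:00:10 user=jdoe src=203.0.113.5 result=FAIL
2017-04-13T10:00:20 user=jdoe src=203.0.113.5 result=FAIL
2017-04-13T10:00:30 user=jdoe src=203.0.113.5 result=FAIL
2017-04-13T10:00:40 user=jdoe src=203.0.113.5 result=FAIL
2017-04-13T10:01:00 user=jdoe src=203.0.113.5 result=OK
2017-04-13T10:02:00 user=asmith src=198.51.100.7 result=FAIL
2017-04-13T10:02:30 user=asmith src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")


def password_meets_policy(password):
    """Slide rule: strictly more than eight characters and alphanumeric
    (interpreted as: at least one letter and at least one digit)."""
    return (len(password) > 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def process_logons(log_text):
    """Replay the log through the lockout policy.
    Returns ([(timestamp, user, decision), ...], {user: locked_until})."""
    failures = defaultdict(deque)   # recent failure timestamps per user
    locked_until = {}
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        user, result = m.group(2), m.group(4)
        # a locked account is refused regardless of whether the password was right
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "rejected_locked"))
            continue
        if result == "OK":
            failures[user].clear()          # a successful logon resets the counter
            decisions.append((ts, user, "allowed"))
            continue
        window = failures[user]
        window.append(ts)
        while window and ts - window[0] > RETRY_WINDOW:
            window.popleft()                # forget failures older than the window
        if len(window) >= MAX_FAILED_RETRIES:
            locked_until[user] = ts + LOCKOUT_DURATION
            window.clear()
            decisions.append((ts, user, "locked"))
        else:
            decisions.append((ts, user, "failed"))
    return decisions, locked_until


if __name__ == "__main__":
    for ts, user, decision in process_logons(AUTH_LOG)[0]:
        print(ts.isoformat(), user, decision)
    for pw in ("abcdefgh", "abcdefgh1", "123456789"):
        print(repr(pw), "meets policy:", password_meets_policy(pw))
```

Replaying the constructed log, jdoe is locked on the fifth failure at 10:00:40 and the correct password at 10:01:00 is still rejected, while asmith's single mistake followed by a success is allowed. The retry window keeps a user who fails once a day from ever being locked; the lockout duration is what turns a brute-force attempt from thousands of guesses per hour into a handful.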
Slide 39: Common Threats in the Systems/Applications Domain
- Unauthorized access to data centers, computer rooms, and wiring closets
- Difficult-to-manage servers that require high availability
- Server operating system software vulnerability management
- Security required by cloud computing virtual environments
- Corrupt or lost data
Slide 40: Mitigation of Common Threats in the Systems/Applications Domain
- Unauthorized access to data centers, computer rooms, and wiring closets: Apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities.
- Difficult-to-manage servers that require high availability: Create a system that brings together servers, storage, and networking.
- Server operating system software vulnerability management: Define a vulnerability window for server operating system environments. Maintain hardened production server operating systems.
- Security required by cloud computing virtual environments: Implement virtual firewalls and server segmentation on separate VLANs. A virtual firewall is a software-based firewall used in virtual environments.
- Corrupt or lost data: Implement daily data backups and off-site data storage for monthly data archiving. Define data recovery procedures based on defined Recovery Time Objectives (RTOs).
Slide 42: Layered Security Solution to an IT Infrastructure
The next three slides explain the process of applying a layered security solution to an IT infrastructure and conforming to the A-I-C triad. The key point is that the process is a layered solution in which all parts of the A-I-C triad are served only when layered together across the entire infrastructure. Security policy examples are given on the left of each slide.
Slide 43: Implementing the C-I-A Triad
Confidentiality:
- AUP
- Security Awareness Policy
- Enhanced Access Control

Slide 44: Implementing the C-I-A Triad (Continued)
Integrity:
- AUP
- Threat Assessment and Monitoring
- Security Awareness Policy
- Vulnerability Assessment and Management
- Enhanced Access Control
- Asset Protection Policy

Slide 45: Implementing the C-I-A Triad (Continued)
Availability:
- Data Classification Standard
- AUP
- Threat Assessment and Monitoring
- Security Awareness Policy
- Vulnerability Assessment and Management
- Enhanced Access Control
- Asset Protection Policy
Slide 47: Who Implements the C-I-A Triad?
Confidentiality:
- User
- IT administrator
- Network administrator
- Human resources
- Senior management
Integrity:
- User
- IT administrator
- Network administrator
- Human resources
- Senior management
Availability:
- IT administrator
- Network administrator
- Third-party vendor (for example, a telecommunication company)
Slide 50: Cyberspace: The New Frontier
Slide 51: Conduct and Ethics in ISS
- ISS is a classic battle of "good vs. evil."
- No global laws, rules, or regulations govern cyberspace.
- The U.S. government and the Internet Architecture Board (IAB) have developed a joint Internet acceptable use policy (AUP).
- Security professionals are in high demand as the "good guys."
Slide 52: Hacking and Ethical Hacking
In this lesson, you discovered the risks, threats, and vulnerabilities within the seven domains of a typical IT infrastructure. You also learned that a proper security policy framework includes comprehensive mitigation strategies. One of the most common risks to organizations comes from unauthorized access via the LAN-to-WAN domain.
Slide 53: Hacking and Ethical Hacking
Hackers will first attempt to perform network probing and port scanning to identify IP hosts, open ports, and services that might be vulnerable. Ethical hackers must follow the same route in the lab "Performing Reconnaissance and Probing Using Common Tools": use Wireshark to capture and analyze network traffic, use OpenVAS to scan a network, and review the collected data using NetWitness Investigator.
Slide 54: Hacking and Ethical Hacking
To use OpenVAS to scan a network, visit: then choose OpenVAS via Greenbone for Windows and download it.
Review the collected data using NetWitness Investigator. To install version 9.5 go to:
Check this video:
Slide 55: Hacking and Ethical Hacking
Before using Wireshark to capture and analyze network traffic, make sure that you have the WinPcap software on your machine. If you don't have it, visit: and install version 4.1.3.
To use Wireshark, visit: and download the 32-bit version.
Slide 56: Hacking and Ethical Hacking
Then the hackers will use Zenmap (http://nmap.org/zenmap/) to perform a targeted IP subnetwork Intense Scan, which will identify what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters or firewalls are in use. Hackers perform this same type of scan as part of their initial reconnaissance to learn about a target before an attack.
Slide 57: Summary
- Terms associated with ISS include risks, threats, and vulnerabilities
- A layered security strategy protects an IT infrastructure's C-I-A
- The IT policy framework includes policies, standards, procedures, and guidelines
- The data classification standard defines how data is to be handled within an IT infrastructure