Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fundamentals of Information Systems Security

Similar presentations


Presentation on theme: "Fundamentals of Information Systems Security"— Presentation transcript:

1 Fundamentals of Information Systems Security
Lesson 1 Information Systems Security

2 Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.

3 Key Concepts Confidentiality, integrity, and availability (C-I-A) concepts Layered security solutions implemented for the seven domains of a typical IT infrastructure Common threats for each of the seven domains IT security policy framework Impact of data classification standard on the seven domains

4 DISCOVER: CONCEPTS

5 Introducing ISS Information Systems Information ISS 4/13/2017
Information is a person’s private data, a company’s intellectual property, or a country’s national security interest. Information systems are the hardware, operating system software, and applications that make up a system to provide access to information. ISS protects the system and the information stored in the system. It also enables transmission and archival of information. It also takes care of accessibility of information to users. ISS deals with risks, threats, and vulnerabilities.

6 Introducing ISS Information is a person’s private data, a company’s intellectual property, or a country’s national security interest. Information Systems are the hardware, operating system software, and applications that make up a system to provide access to information. ISS (Information Systems Security) protects the system and the information stored in the system. It also enables transmission and archival of information. It also takes care of accessibility of information to users. ISS deals with risks, threats, and vulnerabilities.

7 4/13/2017 The C-I-A Triad

8 Confidentiality Personal Data and Information Intellectual Property
Credit card account numbers and bank account numbers Social security numbers and address information Intellectual Property Copyrights, patents, and secret formulas Source code, customer databases, and technical specifications National Security Military intelligence Homeland security and government-related information

9 Integrity Maintain valid, uncorrupted, and accurate information.
4/13/2017 Integrity Maintain valid, uncorrupted, and accurate information. User names and passwords Patents and copyrights Source code Diplomatic information Financial data

10 4/13/2017 Integrity (Cont.)

11 4/13/2017 Availability X X X

12 Availability Availability refers to the measurement of time applied to how and whether systems, applications, and data can be used. Availability measurements include the following: Uptime: The total amount of time that a system, application, and data is available for use. It is typically measured in seconds, minutes, and hours per calendar month. Downtime: The total amount of time that a system, application, or data is not available. This is also measured in seconds, minutes, and hours per calendar month. Availability: (Total Uptime) divided by (Total Uptime + Total Downtime) Mean Time to Failure (MTTF): The average amount of time between failures for a particular system. MTTF varies according to the type of system being measured. Mean Time to Repair (MTTR): The average amount of time it takes to repair a system, application, or component. Recovery Time Objective (RTO): The amount of time it takes to recover and make systems, applications, and data available after an outage.

13 Risks, Threats, and Vulnerabilities
Risk: The likelihood that something bad will happen to an asset (e.g., loosing data, loosing business after a disaster, failing to comply with laws or regulations). Threat: Any action that could damage an asset (e.g., theft, fire, hacking) Vulnerability: A weakness that allows a threat to be realized or have an effect on an asset e.g., not painting the walls of computer center with material to withstand fire)

14 Compliance Laws Driving ISS
4/13/2017 Compliance Laws Driving ISS Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Act Children’s Internet Protection Act (CIPA)

15 Compliance Laws Driving ISS
Corporations and other entities must comply with a number of U.S. and international regulations related to data and privacy. More focus on compliance means more focus on information security, driving the demand for security professionals. Cover the following: HIPAA requires healthcare providers to secure patient data. SOX requires corporations to produce accurate and reliable financial reports. It requires direct security controls to protect the integrity of reporting. CIPA requires public schools to use and enforce an Internet safety policy.

16 IT Security Policy Framework
4/13/2017 IT Security Policy Framework POLICY A short written statement that defines a course of action that applies to the entire organization Standard A detailed written definition of how software and hardware are to be used Procedure Written instructions for how to use the policy and standard Guideline Suggested course of action for using the policy, standard, or procedure An IT security policy framework is a hierarchical framework for documenting and implementing a set of IT security policies.

17 Seven Domains of a Typical IT Infrastructure
4/13/2017 Seven Domains of a Typical IT Infrastructure

18 Seven Domains of a Typical IT Infrastructure
User domain: Made up of typical IT users and the hardware, software, and data they use Workstation domain: The “desktop domain” where most users enter the IT infrastructure LAN domain: Small network organized by function or department, allowing access to all resources on the LANs LAN-to-WAN domain: The point at which the IT infrastructure joins a WAN and the Internet WAN domain: The point at which the WAN connects to other WANs via the Internet Remote Access domain: Connects remote employees and partners to the IT infrastructure Systems/Applications domain: Holds all of the mission-critical systems, applications, and data

19 Common Threats in the User Domain
4/13/2017 Common Threats in the User Domain Lack of user awareness User apathy toward policies User violating security policy User inserting CD/DVD/USB with personal files

20 Mitigation of Common Threats in the User Domain
Lack of user awareness: Conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send reminders to employees. User apathy toward policies: Conduct annual security awareness training, implement AUP, update staff manual and handbook, and discuss status during performance reviews. User violating security policy: Place employee on probation, review AUP and employee manual, and discuss status during performance reviews. User inserting CD/DVD/USB with personal files: Enable automatic antivirus scans for inserted media drives, files, and attachments. An antivirus scanning system examines all new files on your computer’s hard drive for viruses. Enable antivirus scanning for s with attachments.

21 Common Threats in the User Domain (Continued)
4/13/2017 Common Threats in the User Domain (Continued) User downloading photos, music, or videos User destructing systems, applications, and data Disgruntled employee attacking organization or committing sabotage Employee blackmail or extortion

22 Mitigation of Common Threats in the User Domain (Continued)
User downloading photos, music, or videos: Enable content filtering and antivirus scanning on attachments. Content filtering security appliances configured to permit or deny specific domain names in accordance with AUP definition. User destructing systems, applications, and data: Restrict access for users to only those systems, applications, and data needed to perform their job. Minimize write or delete permissions to the data owner only. Disgruntled employee attacking organization or committing sabotage: Track and monitor abnormal employee behavior, erratic job performance, and use of IT infrastructure during off-hours. Begin IT access control lockout procedures based on AUP monitoring and compliance. Employee blackmail or extortion: Track and monitor abnormal employee behavior and use of IT infrastructure during off-hours. Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee positions and access. IDS/IPS security appliances examine the Internet Protocol (IP) data streams for inbound and outbound traffic. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic per policy definition.

23 Common Threats in the Workstation Domain
4/13/2017 Common Threats in the Workstation Domain Unauthorized workstation access Unauthorized access to systems, applications, and data Desktop or laptop operating system vulnerabilities Desktop or laptop application software vulnerabilities or patches

24 Mitigation of Common Threats in the Workstation Domain
Unauthorized workstation access: Enable password protection on workstations for access. Unauthorized access to systems, applications, and data: Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user’s right to gain access. Desktop or laptop operating system vulnerabilities: Define workstation operating system vulnerability window policy. A vulnerability window is the gap in time that you leave a computer unpatched with a security update. Start periodic workstation domain vulnerability tests to find gaps. Desktop or laptop application software vulnerabilities or patches: Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines.

25 Common Threats in the Workstation Domain (Continued)
4/13/2017 Common Threats in the Workstation Domain (Continued) Viruses, malicious code, and other malware User inserting CD/DVD/USB with personal files User downloading photos, music, or videos

26 Mitigation of Common Threats in the Workstation Domain (Continued)
Viruses, malicious code, and other malware: Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and updates individual workstations with proper protection. User inserting CD/DVD/USB with personal files: Deactivate all CD-ROM, DVD, and USB ports. Enable automatic virus scans for all installed media containing files. User downloading photos, music, or videos: Enable user content filtering and antivirus scanning at Internet entry and exit points. Enable workstation auto-scans and auto-quarantine for unknown file types.

27 Common Threats in the LAN Domain
4/13/2017 Common Threats in the LAN Domain Unauthorized physical access to LAN Unauthorized access to systems, applications, and data LAN server operating system vulnerabilities LAN server application software vulnerabilities and software patch updates

28 Mitigation of Common Threats in the LAN Domain
Unauthorized physical access to LAN: Make sure wiring closets, data centers, and computer rooms are secure. No access is there without proper credentials. Unauthorized access to systems, applications, and data: Strict access control policies, standards, procedures, and guidelines should be implemented. Second-level identity required to access sensitive systems, applications, and data. LAN server operating system vulnerabilities: Define vulnerability window policies, standards, procedures, and guidelines. Conduct LAN domain vulnerability assessments. LAN server application software vulnerabilities and software patch updates: Define a strict software vulnerability window policy requiring quick software patching.

29 Common Threats in the LAN Domain (Continued)
4/13/2017 Common Threats in the LAN Domain (Continued) Rogue users on WLANs Confidentiality of data on WLANs LAN server configuration guidelines and standards

30 Mitigation of Common Threats in the LAN Domain (Continued)
Rogue users on WLANs: Eliminate rogue users from unauthorized access. Use WLAN network keys that require a password for wireless access. Turn off broadcasting on wireless access points (WAPs). Enable second-level authentication prior to granting WLAN access. Confidentiality of data on WLANs: Maintain confidentiality of data transmissions. Implement encryption between workstation and WAP to maintain confidentiality. LAN server configuration guidelines and standards: LAN servers have different hardware, operating systems, and software, making it difficult to manage and troubleshoot consistently.

31 Common Threats in the LAN-to-WAN Domain
4/13/2017 Common Threats in the LAN-to-WAN Domain Unauthorized probing and port scanning Unauthorized access Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability Local users downloading unknown file types from unknown sources WAN

32 Mitigation of Common Threats in the LAN-to-WAN Domain
Unauthorized probing and port scanning: Disable ping, probing, and port scanning on all exterior IP devices within the LAN-to-WAN domain. Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply protocol. Disallow IP port numbers used for probing and scanning and monitor with intrusion detection system/intrusion prevention system (IDS/IPS). Unauthorized access: Apply strict security monitoring controls for intrusion detection and prevention. Monitor traffic and block it right away if malicious. IP router, firewall, and network appliance operating system vulnerability: Define a strict zero-day vulnerability window definition. Update devices with security fixes and software patches right away. Local users downloading unknown file types from unknown sources: Apply file transfer monitoring, scanning, and alarming for unknown file types/sources.

33 Common Threats in the WAN Domain
4/13/2017 Common Threats in the WAN Domain Open, public, and accessible data Most of the traffic being sent as clear text Vulnerable to eavesdropping Vulnerable to malicious attacks Vulnerable to denial of service (DoS) and distributed denial of service (DDoS) attacks WAN

34 Mitigation of Common Threats in the WAN Domain
Open, public, and accessible data: Apply AUPs modeled after RFC 1087, Ethics and the Internet. Most of the traffic being sent as clear text: Stop the use of the Internet for private communications unless encryption and virtual private network (VPN) tunnels are used. Enforce the organization’s data classification standard. Vulnerable to eavesdropping: Use encryption and VPN tunneling for secure IP communications. Vulnerable to malicious attacks: Deploy layered LAN-to-WAN security countermeasures. Vulnerable to DoS and DDoS attacks: Apply filters on exterior IP stateful firewalls and IP router WAN interfaces.

35 Common Threats in the WAN Domain (Continued)
4/13/2017 Common Threats in the WAN Domain (Continued) Vulnerable to corruption of information and data Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications Hackers and attackers ing Trojans, worms, and malicious software freely and constantly WAN

36 Mitigation of Common Threats in the WAN Domain (Continued)
Vulnerable to corruption of information and data: Encrypt IP data transmission with VPNs. Back up and store data in offline data vaults. Test regularly. Insecure TCP/IP) applications: Never use TCP/IP applications for private transmission without proper encryption. Create a network management Virtual LAN (VLAN). Hackers and attackers ing Trojans, worms, and malicious software freely and constantly: Scan all attachments for type, antivirus, and malicious software at the LAN-to-WAN domain.

37 Common Threats in the Remote Access Domain
4/13/2017 Common Threats in the Remote Access Domain Brute-force user ID and password attacks Multiple logon retries and access control attacks Unauthorized remote access to IT systems, applications, and data Confidential data compromised remotely Data leakage in violation of data classification standards Internet

38 Mitigation of Common Threats in the Remote Access Domain
Brute force user ID and password attacks: Define user ID and password policy definitions. Use of passwords must be strictly more than eight characters and alphanumeric. Multiple logon retries and access control attacks: Set automatic blocking for attempted for logon retries. Unauthorized remote access to IT systems, applications, and data: Apply first-level and second-level security for remote access to sensitive systems and data. Confidential data compromised remotely: Encrypt all confidential data in the database or hard drive. If the data is stolen, it’s encrypted and can’t be used. Data leakage in violation of data classification standards: Apply security countermeasures in the LAN-to-WAN domain.

39 Common Threats in the Systems/Applications Domain
4/13/2017 Common Threats in the Systems/Applications Domain Unauthorized access to data centers, computer rooms, and wiring closets Difficult-to-manage servers that require high availability Server operating systems software vulnerability management Security required by cloud computing virtual environments Corrupt or lost data Cloud Computing

40 Mitigation of Common Threats in the Systems/Applications Domain
Unauthorized access to data centers, computer rooms, and wiring closets: Apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities. Difficult-to-manage servers that require high availability: Create a system that brings together servers, storage, and networking. Server operating systems software vulnerability management: Define vulnerability window for server operating system environments. Maintain hardened production server operating systems. Security required by cloud computing virtual environments: Implement virtual firewalls and server segmentation on separate VLANs. A virtual firewall is a software-based firewall used in virtual environments. Corrupt or lost data: Implement daily data backups and off-site data storage for monthly data archiving. Define data recovery procedures based on defined Recovery Time Objectives (RTOs).

41 DISCOVER: PROCESS

42 Layered security solution to an IT infrastructure
The next three slides explain the process of applying a layered security solution to an IT infrastructure and conforming to the A-I-C triad. The key point is how the process is a layered solution in which all parts of the A-I-C triad are served only when layered together across the entire infrastructure. Security policy examples are given on the left of each slide.

43 Implementing the C-I-A Triad
4/13/2017 Implementing the C-I-A Triad Confidentiality AUP Security Awareness Policy Enhanced Access Control

44 Implementing the C-I-A Triad (Continued)
4/13/2017 Implementing the C-I-A Triad (Continued) Integrity AUP Threat Assessment and Monitoring Security Awareness Policy Vulnerability Assessment and Management Enhanced Access Control Asset Protection Policy

45 Implementing the C-I-A Triad (Continued)
4/13/2017 Implementing the C-I-A Triad (Continued) Availability Data Classification Standard AUP Threat Assessment and Monitoring Security Awareness Policy Vulnerability Assessment and Management Enhanced Access Control Asset Protection Policy

46 DISCOVER: ROLES

47 Who Implements the C-I-A Triad?
4/13/2017 Who Implements the C-I-A Triad? Confidentiality Integrity Availability User IT administrator Network administrator Human resources Senior management User IT administrator Network administrator Human resources Senior management IT administrator Network administrator Third-party vendor, for example, telecommunication company

48 DAD Triad Disclosure Alteration Denial

49 DISCOVER: RATIONALE

50 Cyberspace: The New Frontier
4/13/2017 Cyberspace: The New Frontier

51 Conduct and Ethics in ISS
ISS is a classic battle of “good vs. evil.” No global laws, rules, or regulations govern cyberspace. U.S. government and Internet Architecture Board (IAB) have developed joint Internet acceptable use policy (AUP). Security professionals are in high demand as the “good guys.”

52 Hacking and Ethical hacking
In this lesson, you discovered the risks, threats, and vulnerabilities within the seven domains of a typical IT infrastructure. You also learned that a proper security policy framework includes comprehensive mitigation strategies. One of the most common risks to organizations comes from unauthorized access via the LAN-to-WAN domain.

53 Hacking and Ethical hacking
Hackers, will first attempt to perform network probing and port scanning to identify IP hosts, open ports, and services that might be vulnerable. Ethical hackers must follow the same route to do “Performing Reconnaissance and Probing Using Common Tools”, by using Wireshark to capture and analyze network traffic, use OpenVAS to scan a network, and review the collected data using NetWitness Investigator.

54 Hacking and Ethical hacking
To use OpenVAS to scan a network, visit: then choose OpenVas via Greenbone for Windows and download it.` Review the collected data using NetWitness Investigator. To install version 9.5 go to: Check this video:

55 Hacking and Ethical hacking
Before using Wireshark to capture and analyze network traffic, make sure that you have WinPcap software on your machine. If you don’t have it visit: and install version 4.1.3 To use Wireshark visit: Download the 32 bit version

56 Hacking and Ethical hacking
Then the hackers will use Zenmap (http://nmap.org/zenmap/) to perform a targeted IP subnetwork Intense Scan, which will identify what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters or firewalls are in use. Hackers perform this same type of scan as part of their initial reconnaissance to learn about a target before an attack.”

57 Summary Terms associated with ISS include risks, threats, and vulnerabilities Layered security strategy protects an IT infrastructure’s C-I-A IT policy framework includes policies, standards, procedures, and guidelines Data classification standard defines how data is to be handled within an IT infrastructure


Download ppt "Fundamentals of Information Systems Security"

Similar presentations


Ads by Google