© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page 1 Fundamentals of Information Systems.
Slide 1: Fundamentals of Information Systems Security. Lesson 1: Information Systems Security

Slide 2: Learning Objective
- Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.

Slide 3: Key Concepts
- Confidentiality, integrity, and availability (C-I-A) concepts
- Layered security solutions implemented for the seven domains of a typical IT infrastructure
- Common threats for each of the seven domains
- IT security policy framework
- Impact of the data classification standard on the seven domains

Slide 4: DISCOVER: CONCEPTS

Slide 5: Introducing ISS (diagram of nested layers: Information, Information Systems, ISS)

Slide 6: Introducing ISS
- Information is a person's private data, a company's intellectual property, or a country's national security interest.
- Information systems are the hardware, operating system software, and applications that make up a system that provides access to information.
- ISS (Information Systems Security) protects the system and the information stored in it. It also covers the transmission and archival of information and keeps information accessible to its users. ISS deals with risks, threats, and vulnerabilities.

Slide 7: The C-I-A Triad

Slide 8: Confidentiality
- Personal data and information: credit card account numbers and bank account numbers; Social Security numbers and address information
- Intellectual property: copyrights, patents, and secret formulas; source code, customer databases, and technical specifications
- National security: military intelligence; homeland security and government-related information

Slide 9: Integrity
Maintain valid, uncorrupted, and accurate information.
- User names and passwords
- Patents and copyrights
- Source code
- Diplomatic information
- Financial data

Slide 10: Integrity (Cont.)

Slide 11: Availability

Slide 12: Availability
- Availability refers to the measurement of time applied to how and whether systems, applications, and data can be used.
- Availability measurements include the following:
  - Uptime: The total amount of time that a system, application, and data are available for use. It is typically measured in seconds, minutes, and hours per calendar month.
  - Downtime: The total amount of time that a system, application, or data is not available. This is also measured in seconds, minutes, and hours per calendar month.
  - Availability: (Total Uptime) divided by (Total Uptime + Total Downtime)
  - Mean Time to Failure (MTTF): The average amount of time between failures for a particular system. MTTF varies according to the type of system being measured.
  - Mean Time to Repair (MTTR): The average amount of time it takes to repair a system, application, or component.
  - Recovery Time Objective (RTO): The amount of time it takes to recover and make systems, applications, and data available after an outage.
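The measurements on this slide, worked through on a constructed outage log for one calendar month. This is an added example, not material from the textbook or its publisher; the outage times, the month, and the two-hour RTO are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Reporting period: one calendar month (constructed example, not from the slides).
MONTH_START = datetime(2015, 3, 1)
MONTH_END = datetime(2015, 4, 1)

# Constructed outage log as (start, end) pairs for the month.
OUTAGES = [
    (datetime(2015, 3, 4, 2, 15), datetime(2015, 3, 4, 3, 45)),    # 90 min
    (datetime(2015, 3, 17, 22, 0), datetime(2015, 3, 18, 0, 30)),  # 150 min
    (datetime(2015, 3, 25, 9, 10), datetime(2015, 3, 25, 9, 40)),  # 30 min
]

# Assumed Recovery Time Objective agreed for this system.
RTO = timedelta(hours=2)


def availability_metrics(outages, period_start, period_end, rto):
    """Compute uptime, downtime, availability, MTTF, MTTR and RTO breaches
    for one reporting period, using the definitions from the slide.

    outages: list of (start, end) datetimes, each fully inside the period.
    rto: timedelta, the Recovery Time Objective for the system.
    """
    for start, end in outages:
        if not (period_start <= start < end <= period_end):
            raise ValueError(f"outage {start}..{end} is not inside the period")

    total = period_end - period_start
    downtime = sum((end - start for start, end in outages), timedelta(0))
    uptime = total - downtime

    # Availability = Total Uptime / (Total Uptime + Total Downtime)
    availability = uptime / (uptime + downtime)

    # MTTF: average time between failures; MTTR: average repair time.
    # Both are undefined for a period with no failures at all.
    n = len(outages)
    mttf = uptime / n if n else None
    mttr = downtime / n if n else None

    # Any single outage longer than the RTO means recovery missed its objective.
    rto_breaches = [(start, end) for start, end in outages if end - start > rto]

    return {
        "uptime": uptime,
        "downtime": downtime,
        "availability": availability,
        "mttf": mttf,
        "mttr": mttr,
        "rto_breaches": rto_breaches,
    }


def as_percent(availability):
    """Render the availability ratio the way an SLA report states it."""
    return f"{availability * 100:.3f}%"


if __name__ == "__main__":
    m = availability_metrics(OUTAGES, MONTH_START, MONTH_END, RTO)
    print("Uptime:", m["uptime"], "Downtime:", m["downtime"])
    print("Availability:", as_percent(m["availability"]))
    print("MTTF:", m["mttf"], "MTTR:", m["mttr"])
    print("RTO breaches:", m["rto_breaches"])
```

With the constructed log, 270 minutes of downtime in a 31-day month gives roughly 99.395% availability and an MTTR of 90 minutes, and the second outage is flagged because it exceeded the two-hour RTO.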

Slide 13: Risks, Threats, and Vulnerabilities
- Risk: The likelihood that something bad will happen to an asset (e.g., losing data, losing business after a disaster, failing to comply with laws or regulations).
- Threat: Any action that could damage an asset (e.g., theft, fire, hacking).
- Vulnerability: A weakness that allows a threat to be realized or to have an effect on an asset (e.g., not coating the walls of a computer center with material that withstands fire).

Slide 14: Compliance Laws Driving ISS
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Children's Internet Protection Act (CIPA)

Slide 15: Compliance Laws Driving ISS
- Corporations and other entities must comply with a number of U.S. and international regulations related to data and privacy. More focus on compliance means more focus on information security, driving the demand for security professionals.
- The laws cover the following:
  - HIPAA requires healthcare providers to secure patient data.
  - SOX requires corporations to produce accurate and reliable financial reports. It requires direct security controls to protect the integrity of reporting.
  - CIPA requires public schools to use and enforce an Internet safety policy.

Slide 16: IT Security Policy Framework
An IT security policy framework is a hierarchical framework for documenting and implementing a set of IT security policies.
- Policy: A short written statement that defines a course of action that applies to the entire organization
- Standard: A detailed written definition of how software and hardware are to be used
- Procedure: Written instructions for how to use the policy and standard
- Guideline: Suggested course of action for using the policy, standard, or procedure

Slide 17: Seven Domains of a Typical IT Infrastructure

Slide 18: Seven Domains of a Typical IT Infrastructure
- User domain: Made up of typical IT users and the hardware, software, and data they use
- Workstation domain: The "desktop domain" where most users enter the IT infrastructure
- LAN domain: Small network organized by function or department, allowing access to all resources on the LANs
- LAN-to-WAN domain: The point at which the IT infrastructure joins a WAN and the Internet
- WAN domain: The point at which the WAN connects to other WANs via the Internet
- Remote Access domain: Connects remote employees and partners to the IT infrastructure
- Systems/Applications domain: Holds all of the mission-critical systems, applications, and data

Slide 19: Common Threats in the User Domain
- Lack of user awareness
- User apathy toward policies
- User violating security policy
- User inserting CD/DVD/USB with personal files

Slide 20: Mitigation of Common Threats in the User Domain
- Lack of user awareness: Conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send reminders to employees.
- User apathy toward policies: Conduct annual security awareness training, implement an AUP, update the staff manual and handbook, and discuss status during performance reviews.
- User violating security policy: Place the employee on probation, review the AUP and employee manual, and discuss status during performance reviews.
- User inserting CD/DVD/USB with personal files: Enable automatic antivirus scans for inserted media drives, files, and attachments. An antivirus scanning system examines all new files on your computer's hard drive for viruses. Enable antivirus scanning for e-mails with attachments.

Slide 21: Common Threats in the User Domain (Continued)
- User downloading photos, music, or videos
- User destroying systems, applications, and data
- Disgruntled employee attacking the organization or committing sabotage
- Employee blackmail or extortion

Slide 22: Mitigation of Common Threats in the User Domain (Continued)
- User downloading photos, music, or videos: Enable content filtering and antivirus scanning on attachments. Content filtering security appliances are configured to permit or deny specific domain names in accordance with the AUP definition.
- User destroying systems, applications, and data: Restrict users' access to only those systems, applications, and data needed to perform their job. Limit write or delete permissions to the data owner only.
- Disgruntled employee attacking the organization or committing sabotage: Track and monitor abnormal employee behavior, erratic job performance, and use of the IT infrastructure during off-hours. Begin IT access control lockout procedures based on AUP monitoring and compliance.
- Employee blackmail or extortion: Track and monitor abnormal employee behavior and use of the IT infrastructure during off-hours. Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee positions and access. IDS/IPS security appliances examine the Internet Protocol (IP) data streams for inbound and outbound traffic. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic per policy definition.

Slide 23: Common Threats in the Workstation Domain
- Unauthorized workstation access
- Unauthorized access to systems, applications, and data
- Desktop or laptop operating system vulnerabilities
- Desktop or laptop application software vulnerabilities or patches

Slide 24: Mitigation of Common Threats in the Workstation Domain
- Unauthorized workstation access: Enable password protection on workstations for access.
- Unauthorized access to systems, applications, and data: Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user's right to gain access.
- Desktop or laptop operating system vulnerabilities: Define a workstation operating system vulnerability window policy. A vulnerability window is the gap in time during which a computer is left unpatched after a security update is released. Start periodic Workstation domain vulnerability tests to find gaps.
- Desktop or laptop application software vulnerabilities or patches: Define a workstation application software vulnerability window policy. Update application software and security patches according to defined policies, standards, procedures, and guidelines.

Slide 25: Common Threats in the Workstation Domain (Continued)
- Viruses, malicious code, and other malware
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos

Slide 26: Mitigation of Common Threats in the Workstation Domain (Continued)
- Viruses, malicious code, and other malware: Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and updates individual workstations with proper protection.
- User inserting CD/DVD/USB with personal files: Deactivate all CD-ROM, DVD, and USB ports. Enable automatic virus scans for all inserted media containing files.
- User downloading photos, music, or videos: Enable user content filtering and antivirus scanning at Internet entry and exit points. Enable workstation auto-scans and auto-quarantine for unknown file types.

Slide 27: Common Threats in the LAN Domain
- Unauthorized physical access to the LAN
- Unauthorized access to systems, applications, and data
- LAN server operating system vulnerabilities
- LAN server application software vulnerabilities and software patch updates

Slide 28: Mitigation of Common Threats in the LAN Domain
- Unauthorized physical access to the LAN: Make sure wiring closets, data centers, and computer rooms are secure. Allow no access without proper credentials.
- Unauthorized access to systems, applications, and data: Implement strict access control policies, standards, procedures, and guidelines. Require second-level identity verification to access sensitive systems, applications, and data.
- LAN server operating system vulnerabilities: Define vulnerability window policies, standards, procedures, and guidelines. Conduct LAN domain vulnerability assessments.
- LAN server application software vulnerabilities and software patch updates: Define a strict software vulnerability window policy requiring quick software patching.

Slide 29: Common Threats in the LAN Domain (Continued)
- Rogue users on WLANs
- Confidentiality of data on WLANs
- LAN server configuration guidelines and standards

Slide 30: Mitigation of Common Threats in the LAN Domain (Continued)
- Rogue users on WLANs: Prevent rogue users from gaining unauthorized access. Use WLAN network keys that require a password for wireless access. Turn off broadcasting on wireless access points (WAPs). Enable second-level authentication prior to granting WLAN access.
- Confidentiality of data on WLANs: Maintain the confidentiality of data transmissions. Implement encryption between the workstation and the WAP to maintain confidentiality.
- LAN server configuration guidelines and standards: LAN servers have different hardware, operating systems, and software, making them difficult to manage and troubleshoot consistently.

Slide 31: Common Threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning
- Unauthorized access
- Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability
- Local users downloading unknown file types from unknown sources

Slide 32: Mitigation of Common Threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning: Disable ping, probing, and port scanning on all exterior IP devices within the LAN-to-WAN domain. Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply messages. Disallow IP port numbers used for probing and scanning, and monitor with an intrusion detection system/intrusion prevention system (IDS/IPS).
- Unauthorized access: Apply strict security monitoring controls for intrusion detection and prevention. Monitor traffic and block it right away if it is malicious.
- IP router, firewall, and network appliance operating system vulnerability: Define a strict zero-day vulnerability window definition. Update devices with security fixes and software patches right away.
- Local users downloading unknown file types from unknown sources: Apply file transfer monitoring, scanning, and alarming for unknown file types and sources.

Slide 33: Common Threats in the WAN Domain
- Open, public, and accessible data
- Most of the traffic being sent as clear text
- Vulnerable to eavesdropping
- Vulnerable to malicious attacks
- Vulnerable to denial of service (DoS) and distributed denial of service (DDoS) attacks

Slide 34: Mitigation of Common Threats in the WAN Domain
- Open, public, and accessible data: Apply AUPs modeled after RFC 1087, Ethics and the Internet.
- Most of the traffic being sent as clear text: Stop the use of the Internet for private communications unless encryption and virtual private network (VPN) tunnels are used. Enforce the organization's data classification standard.
- Vulnerable to eavesdropping: Use encryption and VPN tunneling for secure IP communications.
- Vulnerable to malicious attacks: Deploy layered LAN-to-WAN security countermeasures.
- Vulnerable to DoS and DDoS attacks: Apply filters on exterior IP stateful firewalls and IP router WAN interfaces.

Slide 35: Common Threats in the WAN Domain (Continued)
- Vulnerable to corruption of information and data
- Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
- Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly

Slide 36: Mitigation of Common Threats in the WAN Domain (Continued)
- Vulnerable to corruption of information and data: Encrypt IP data transmission with VPNs. Back up and store data in offline data vaults. Test regularly.
- Insecure TCP/IP applications: Never use TCP/IP applications for private transmission without proper encryption. Create a network management virtual LAN (VLAN).
- Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly: Scan all attachments for file type, viruses, and malicious software at the LAN-to-WAN domain.

Slide 37: Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks
- Multiple logon retries and access control attacks
- Unauthorized remote access to IT systems, applications, and data
- Confidential data compromised remotely
- Data leakage in violation of data classification standards

Slide 38: Mitigation of Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks: Define user ID and password policies. Passwords must be longer than eight characters and alphanumeric.
- Multiple logon retries and access control attacks: Set automatic blocking for repeated logon retries.
- Unauthorized remote access to IT systems, applications, and data: Apply first-level and second-level security for remote access to sensitive systems and data.
- Confidential data compromised remotely: Encrypt all confidential data in the database or on the hard drive. If the data is stolen, it is encrypted and cannot be used.
- Data leakage in violation of data classification standards: Apply security countermeasures in the LAN-to-WAN domain.
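Two of the mitigations above, automatic blocking after repeated logon retries (this slide) and monitoring use of the IT infrastructure during off-hours (slide 22), as detection logic run over a few constructed logon records. This is an added example, not the textbook's material; the log format, the host and user names, the 07:00 to 19:00 business window, and the five-failures-in-ten-minutes lockout rule are all assumptions.

```python
import re
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed logon records in a simple key=value format (not real logs).
LOG_LINES = """\
2015-03-10T08:55:12 host=vpn1 user=jdoe result=success src=203.0.113.4
2015-03-10T23:41:03 host=vpn1 user=mroe result=success src=198.51.100.7
2015-03-11T02:10:44 host=vpn1 user=mroe result=success src=198.51.100.7
2015-03-11T09:00:01 host=vpn1 user=asmith result=failure src=192.0.2.9
2015-03-11T09:00:05 host=vpn1 user=asmith result=failure src=192.0.2.9
2015-03-11T09:00:09 host=vpn1 user=asmith result=failure src=192.0.2.9
2015-03-11T09:00:14 host=vpn1 user=asmith result=failure src=192.0.2.9
2015-03-11T09:00:20 host=vpn1 user=asmith result=failure src=192.0.2.9
2015-03-11T09:00:26 host=vpn1 user=asmith result=success src=192.0.2.9
2015-03-11T14:30:00 host=vpn1 user=jdoe result=failure src=203.0.113.4
2015-03-11T14:30:40 host=vpn1 user=jdoe result=success src=203.0.113.4
"""

# Assumed policy values; a real AUP would state its own.
BUSINESS_HOURS = (7, 19)          # successes outside 07:00-18:59 are "off-hours"
LOCKOUT_THRESHOLD = 5             # failures ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... within this window trigger a block

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def off_hours_logons(events, hours=BUSINESS_HOURS):
    """Successful logons outside business hours, as (user, timestamp) pairs."""
    start, end = hours
    return [(e["user"], e["ts"]) for e in events
            if e["result"] == "success" and not (start <= e["ts"].hour < end)]


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Per user, the time at which a sliding-window retry rule would block them.

    Returns {user: timestamp of the failure that hit the threshold}.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures in the window
    locked = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "failure" or e["user"] in locked:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[e["user"]] = e["ts"]
    return locked


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for user, ts in off_hours_logons(evs):
        print(f"off-hours logon: {user} at {ts}")
    for user, ts in lockout_candidates(evs).items():
        print(f"lockout: {user} after {LOCKOUT_THRESHOLD} failures, at {ts}")
```

On the constructed log the rule blocks asmith at the fifth failure (09:00:20), before the success that follows at 09:00:26, while jdoe's single failure stays well under the threshold; the two mroe successes at 23:41 and 02:10 are the off-hours findings.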

Slide 39: Common Threats in the Systems/Applications Domain
- Unauthorized access to data centers, computer rooms, and wiring closets
- Difficult-to-manage servers that require high availability
- Server operating system software vulnerability management
- Security required by cloud computing virtual environments
- Corrupt or lost data

Slide 40: Mitigation of Common Threats in the Systems/Applications Domain
- Unauthorized access to data centers, computer rooms, and wiring closets: Apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities.
- Difficult-to-manage servers that require high availability: Create a system that brings together servers, storage, and networking.
- Server operating system software vulnerability management: Define a vulnerability window for server operating system environments. Maintain hardened production server operating systems.
- Security required by cloud computing virtual environments: Implement virtual firewalls and server segmentation on separate VLANs. A virtual firewall is a software-based firewall used in virtual environments.
- Corrupt or lost data: Implement daily data backups and off-site data storage for monthly data archiving. Define data recovery procedures based on defined Recovery Time Objectives (RTOs).

Slide 41: DISCOVER: PROCESS

Slide 42: Layered security solution for an IT infrastructure
The next three slides explain the process of applying a layered security solution to an IT infrastructure and conforming to the C-I-A triad. The key point is that the process is a layered solution in which all parts of the C-I-A triad are served only when the layers work together across the entire infrastructure. Security policy examples are given on the left of each slide.

Slide 43: Implementing the C-I-A Triad: Confidentiality
Security policy examples: AUP; Security Awareness Policy; Enhanced Access Control

Slide 44: Implementing the C-I-A Triad (Continued): Integrity
Security policy examples: AUP; Security Awareness Policy; Enhanced Access Control; Threat Assessment and Monitoring; Asset Protection Policy; Vulnerability Assessment and Management

Slide 45: Implementing the C-I-A Triad (Continued): Availability
Security policy examples: AUP; Security Awareness Policy; Enhanced Access Control; Threat Assessment and Monitoring; Asset Protection Policy; Vulnerability Assessment and Management; Data Classification Standard

Slide 46: DISCOVER: ROLES

Slide 47: Who Implements the C-I-A Triad?
- Confidentiality: User; IT administrator; Network administrator; Human resources; Senior management
- Integrity: User; IT administrator; Network administrator; Human resources; Senior management
- Availability: IT administrator; Network administrator; Third-party vendor (for example, a telecommunication company)

Slide 48: DAD Triad: Disclosure, Alteration, Denial

Slide 49: DISCOVER: RATIONALE

Slide 50: Cyberspace: The New Frontier

Slide 51: Conduct and Ethics in ISS
- ISS is a classic battle of "good vs. evil."
- No global laws, rules, or regulations govern cyberspace.
- The U.S. government and the Internet Architecture Board (IAB) have developed a joint Internet acceptable use policy (AUP).
- Security professionals are in high demand as the "good guys."

Slide 52: Hacking and Ethical Hacking
In this lesson, you discovered the risks, threats, and vulnerabilities within the seven domains of a typical IT infrastructure. You also learned that a proper security policy framework includes comprehensive mitigation strategies. One of the most common risks to organizations comes from unauthorized access via the LAN-to-WAN domain.

Slide 53: Hacking and Ethical Hacking
Hackers will first attempt to perform network probing and port scanning to identify IP hosts, open ports, and services that might be vulnerable. Ethical hackers must follow the same route in "Performing Reconnaissance and Probing Using Common Tools": using Wireshark to capture and analyze network traffic, using OpenVAS to scan a network, and reviewing the collected data with NetWitness Investigator.

Slide 54: Hacking and Ethical Hacking
To use OpenVAS to scan a network, visit: then choose OpenVAS via Greenbone for Windows and download it. Review the collected data using NetWitness Investigator. To install version 9.5, go to: investigator.software.informer.com/9.5/ Check this video: http://www.emc.com/collateral/demos/microsites/mediaplayer-video/rsa-advanced-cyber-defense-practice-cyber-attack-protection-emc.htm

Slide 55: Hacking and Ethical Hacking
Before using Wireshark to capture and analyze network traffic, make sure that you have the WinPcap software on your machine. If you don't have it, visit: and install version . To use Wireshark, visit: and download the 32-bit version.

Slide 56: Hacking and Ethical Hacking
Then the hackers will use Zenmap (http://nmap.org/zenmap/) to perform a targeted IP subnetwork Intense Scan, which will identify what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters or firewalls are in use. Hackers perform this same type of scan as part of their initial reconnaissance to learn about a target before an attack.

Slide 57: Summary
- Terms associated with ISS include risks, threats, and vulnerabilities
- A layered security strategy protects an IT infrastructure's C-I-A
- The IT policy framework includes policies, standards, procedures, and guidelines
- The data classification standard defines how data is to be handled within an IT infrastructure
