Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security.

Published byTobias Byrd Modified over 10 years ago

Similar presentations

Presentation on theme: "CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security."— Presentation transcript:

1 CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security

2 Agenda: Week 1 Introductions Course Syllabus Fundamental Aspects -Information -Information Assurance -Information Security Services -Risk Management, CND, and Incident Response Quiz #1 Assignment

3 Concepts Information -What is it? -Why is it important? -How do we protect (secure) it?

4 Why is this important? Information is valuable. therefore, Information Systems are valuable. etc… Compromise of Information Security Services (C-I-A) have real consequences (loss) -Confidentiality: death, proprietary info, privacy, theft -Integrity: theft, loss of confidence, validity -Availability: lost productivity, disruption of C2, defense, emergency services

5 Concepts Information Systems Systems that store, transmit, and process information.+ Information Security The protection of information._______________________________________________ Information Systems Security The protection of systems that store, transmit, and process information.

6 Fundamental Concepts What is Information Assurance (IA)? -Our assurance (confidence) in the protection of our information / Information Security Services. What are Information Security Services (ISS)? -Confidentiality: Making sure our information is protected from unauthorized disclosure. -Integrity: Making sure the information we process, transmit, and store has not been corrupted or adversely manipulated. -Availability: Making sure that the information is there when we need it and gets to those who need it.

7 Private vs. Military Requirements Which security model an organization uses depends on it’s goals and objectives. –Military is generally concerned with CONFIDENTIALITY –Private businesses are generally concerned with AVAILABILITY (ex. Netflix, eBay etc) OR INTEGRITY (ex. Banks). –Some private sector companies are concerned with CONFIDENTIALITY (ex. hospitals). Which ISS do you believe is most important?

8 Fundamental Concepts Progression of Terminology Computer Security (COMPUSEC) Information Security (INFOSEC) Information Assurance (IA) Cyber Security Legacy Term (no longer used). Legacy Term (still used). Term widely accepted today with focus on Information Sharing. Broad Term quickly being adopted.

9 Fundamental Concepts What is Cyberspace? -Term adopted by the USG -The virtual environment of information and interactions between people. -Telecommunication Network infrastructures -Information Systems -The Internet

10 Review of Fundamental Concepts What is the Defense in Depth Strategy? -Using layers of defense as protection. People, Technology, and Operations. Onion Model

11 Defense-in-Depth Adversaries attack the weakest link…where is yours? Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical security Personnel security Security assessments and authorization Continuous monitoring Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Links in the Security Chain: Management, Operational, and Technical Controls

12 Review of Fundamental Concepts Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer. Information Assurance Services (IAS)

13 Review of Fundamental Concepts

14 Challenges Fixed Resources Sustainable strategies reduce costs

15 Information Systems Security: Privacy Defined: the protection and proper handling of sensitive personal information - Requires proper technology for protection - Requires processes and controls for appropriate handling

16 Personally Identifiable Information (PII) Name SSN Phone number Driver's license number Credit card numbers –etc…

17 Concept 1: Info Security & Assurance You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC). The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC! A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend. The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.

18 Concept 1: Info Security & Assurance - What would you tell the Board? - As an ISSM, what would you consider first? - What types of questions would you ask the Board and/or to the CIO?

19 Concept 2: Physical & Logical ISS First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC. You introduce yourself as the new ISSM and both managers eagerly ask you “what can we do to help?”

20 Concept 2: Physical & Logical ISS - What do you tell these Managers? - What types of questions would you ask the Managers? - As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC? - What about your meeting with the Board of Directors earlier? How does it apply here?

21 Concept 3: Risk After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down! Your Computer Network Defense Team is able to determine the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router. The CIO calls you into his office and indicates to you that he is “concerned about the Risk to the networks at UUC” and ‘wants a risk assessment conducted’ ASAP.

22 Concept 3: Risk - What does the CIO mean by “Risk to the networks at UUC”? - As an ISSM, how would you conduct a risk assessment for the CIO? - What are some of the elements of risk? - How is risk measured and why is it important?

23 Risk Management Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level. - Why is this important? There is no such thing as 100% security. - Can risk ever be eliminated?

24 Risk Management Risks MUST be identified, classified and analyzed to asses potential damage (loss) to company. Risk is difficult to measure and quantify, however, we must prioritize the risks and attempt to address them!

25 Risk Management Identify assets and their values Identify Vulnerabilities and Threats Quantify the probability of damage and cost of damage Implement cost effective countermeasures! ULTIMATE GOAL is to be cost effective. That is: ensure that your assets are safe, at the same time don’t spend more to protect something than it’s worth*

26 Who is ultimately responsible for risk? MANAGEMENT!!! Management may delegate to data custodians or business units that shoulder some of the risk. However, it is senior management that is ultimately responsible for the companies health - as such they are ultimately responsible for the risk.

27 Computer Network Defense Defending against unauthorized actions that would compromise or cripple information systems and networks. Protect, monitor, analyze, detect, and respond to network attacks, intrusions, or disruptions.

28 Incident Response Responding to a Security Breach - Incident Handling - Incident Management - Eradication & Recovery - Investigation (Forensics / Analysis) - Legal, Regulatory and Compliance Reporting - Documentation

29 Break Let’s take a break…

30 Chapter 1: Introduction and Security Trends The Morris Worm - Robert Morris - 1988 - First Large scale attack on the Internet - No malicious payload (benign) - Replicated itself - Infected computer system could no longer run any other programs

31 Chapter 1: Introduction and Security Trends Kevin Mitnick - Famous Hacker - 1995 - Wire and computer fraud - Intercepting wire communication - Stole software and email accounts - Jailed: 5 years.

32 Chapter 1: Introduction and Security Trends The Melissa Virus - David Smith - 1999 - Infected 1 million computers - $80 million - Payload: “list.doc” with macro - Clogged networks generated by email servers sending “Important Messages” from your address book

33 Chapter 1: Introduction and Security Trends The “I Love You” Virus - Melissa Variation - 2000 - 45 million computers - $10 billion - Payload:.vbs (script) - Released by a student in the Phillipines (not a crime)

34 Chapter 1: Introduction and Security Trends The “Code Red” Worm - 2001 - 350 million computers - $2.5 billion - Payload: benign - Takes control of computers - DoS attacks: targeted “White House” website

35 Chapter 1: Introduction and Security Trends The “Conficker” Worm - 2008-2009 - Payload: benign - Bot network - Very little damage - Blocks antivirus updates

36 Chapter 1: Introduction and Security Trends Stuxnet - 2010 - First Cyber Weapon - Affected SCADA systems within IRAN’s Nuclear Enrichment Facilities - Uses 4 “Zero Day” Vulnerabilities

37 Chapter 1: Introduction and Security Trends What is Malware? - Malicious Software - Includes “Viruses” & “Worms” - Protect using Anit-virus software & System Patching

38 Chapter 1: Introduction and Security Trends Intruders, Hackers, and Threat Agents

39 Chapter 1: Introduction and Security Trends Network Interconnection - More connections - From large mainframes to smaller connected systems - Increased threat & vulnerabilities - Single point failures? - Critical Infrastructure - Information Value - Information Warfare

40 Chapter 1: Introduction and Security Trends Steps in an Attack - Ping Sweeps (ping/whois) – identify target - Port Scans (nmap) – exploit service

41 Chapter 1: Introduction and Security Trends Steps in an Attack - Bypass firewall - Bypass IDS & IPS: Avoid detection / logs - Infect system (either Network or Physical) - Pivot systems (launch client-side attacks)

42 Chapter 1: Introduction and Security Trends

43 Types of Attacks - Denial of Service (DoS) - Distributed Denial of Service (DDoS) - Botnets (IRC) - Logic Bombs - SQL Injection - Scripting - Phishing Emails - HTTP session hijacking (Man in the Middle) - Buffer Overflows

44 Chapter 1: Introduction and Security Trends Types of Attacks: Botnets

45 Chapter 1: Introduction and Security Trends Types of Attacks: Redirection (Fake Sites)

46 Chapter 1: Introduction and Security Trends Redirection (Fake Sites)

47 Chapter 1: Introduction and Security Trends Types of Attacks: Fake Antivirus

48 Chapter 1: Introduction and Security Trends Types of Attacks: Keyloggers (Remote Stealth Keystroke Dump)

49 Chapter 1: Introduction and Security Trends Types of Attacks: USB Keys (Autorun infection) Found a bunch of USB keys in a parking lot? Would you stick one of them into your PC?

50 Chapter 1: Introduction and Security Trends Types of Attacks: Spam Email (Storm Worms)

51 Chapter 1: Introduction and Security Trends Types of Attacks: Spear Phishing Emails

52 Chapter 1: Introduction and Security Trends Types of Attacks: SQL injection

53 Chapter 1 Review Questions

54 Question #1 Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit? A. Target of opportunity attack B. Targeted attack C. Vulnerability scan attack D. Information warfare attack

55 Question #1 Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit? A. Target of opportunity attack B. Targeted attack C. Vulnerability scan attack D. Information warfare attack

56 Question #2 Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users? A. Viruses B. Hackers C. Denial-of-service attacks D. All of the above

57 Question #2 Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users? A. Viruses B. Hackers C. Denial-of-service attacks D. All of the above

58 Question #3 The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit? A. Virus writers B. Script kiddies C. Hackers D. Elite Hackers

59 Question #3 The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit? A. Virus writers B. Script kiddies C. Hackers D. Elite Hackers

60 Question #4 Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have “brought the Internet down”? A. Melissa B. I LOVE YOU C. Morris D. Code Red

61 Question #4 Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have “brought the Internet down”? A. Melissa B. I LOVE YOU C. Morris D. Code Red

62 Question #5 The act of deliberately accessing computer systems and networks without authorization is generally known as? A. Computer intrusions B. Hacking C. Cracking D. Probing

63 Question #5 The act of deliberately accessing computer systems and networks without authorization is generally known as? A. Computer intrusions B. Hacking C. Cracking D. Probing

64 Question #6 Warfare conducted against the information and information processing equipment used by an adversary is known as? A. Hacking B. Cyber terrorism C. Information Warfare D. Network Warfare

65 Question #6 Warfare conducted against the information and information processing equipment used by an adversary is known as? A. Hacking B. Cyber terrorism C. Information Warfare D. Network Warfare

66 Question #7 Which of the following is not described as a critical infrastructure? A. Electricity (Power) B. Banking (Finance) C. Telecommunications D. Retail Stores

67 Question #7 Elite hackers don’t account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet? A. Electricity (Power) B. Banking (Finance) C. Telecommunications D. Retail Stores

68 Question #8 (Last one) Elite hackers don’t account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet? A. 1-2 percent B. 3-5 percent C. 7-10 percent D. 15-20 percent

69 Question #8 (Last one) Elite hackers don’t account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet? A. 1-2 percent B. 3-5 percent C. 7-10 percent D. 15-20 percent

70 Break Let’s take a break…

71 Chapter 2: General Security Concepts Computer Security (COMPUSEC) - Ensure computer systems are secure Network Security - Protection of multiple connected (networked) computer systems Information Assurance (IA) & Security - Emphasis on the data; Our assurance (confidence) in the protection of our information / Information Security Services.

72 Chapter 2: General Security Concepts CIA Triad (Information Security Services)

73 Chapter 2: General Security Concepts Operational Model of Computer Security Protection = Prevention + Detection + Response

74 Chapter 2: General Security Concepts Least Privilege (Need to Know) - Users should have only the necessary (minimum) rights, privileges, or information to perform their tasks (no additional permissions). Implicit Deny - “Deny all” authorization and access (blacklisted) unless specifically allowed (white list). - Default security rule for firewalls, routers, etc…

75 Chapter 2: General Security Concepts Separation of Duties - Ensures tasks are broken down and are accomplished / involve by more than one individual. - Check & balance system. Job Rotation - Rotation individuals through jobs / tasks. - Organization does not become dependent on a single employee.

76 Chapter 2: General Security Concepts Be sure to understand the difference between: Least Privilege vs. Implicit Deny & Separation of Duties vs. Job Rotation

77 Chapter 2: General Security Concepts Layered Security - Defense in Depth - Redundancy - No single point of failure

78 Chapter 2: General Security Concepts Layered Security

79 Chapter 2: General Security Concepts Security Through Obscurity - Approach of protecting something by hiding it. - Generally not a good idea. - Steganography - Reverse engineering.

80 Chapter 2: General Security Concepts Be sure to understand the difference between: Layered Security vs. Security Through Obscurity

81 Chapter 2: General Security Concepts Access - Control what a subject can perform or what objects the subject can interact with. - i.e. Access Control Lists (ACL’s) Authentication - Verify the identity of a subject. (Who You Are) - Involves identification - Passwords, cards, biometrics (fingerprints), etc. - Digital certificates

82 Chapter 2: General Security Concepts Authorization - Verifies what a subject is authorized to do. Be sure to understand the difference between: Access vs. Identification vs. Authentication vs. Authorization

83 Chapter 2: General Security Concepts Social Engineering - Talk individuals into divulging information that they normally would never have. - Used to gain information on identities, access, or authorization. - Data aggregation.

84 Policies –Constraints of behavior on systems and people –Specifies activities that are required, limited, and forbidden Example –Information systems should be configured to require good security practices in the selection and use of passwords Chapter 2: General Security Concepts

85 Requirements –Required characteristics of a system or process. –Often the same as or similar to the policy –Specifies what should be done, not how to do it. Example –Information systems must enforce password quality standards. Chapter 2: General Security Concepts

86 Guidelines define how to support a policy –Example: ‘As a guideline’ passwords should not be dictionary words, don’t write passwords down, etc…

87 Chapter 2: General Security Concepts Standards: what products, technical methods will be used to support policy. Example –All fiber optic cables must be ACME brand –Passwords must be at least 8 characters, contain 2 upper and lower case chars… Procedures: step by step instructions

88 Chapter 2: General Security Concepts Classification of Information - Sensitivity / Confidentiality Example –Unclassified (UNCLASS) –For Official Use Only (FOUO) –Confidential –Secret (S) –Secret Releasable (S//REL) –Top Secret (TS)

89 Chapter 2: General Security Concepts Acceptable Use Policy (AUP) - Outline of what the organization considers to be the appropriate / inappropriate use of company resources. - Do you have a right to privacy when using a company’s system / network resources?

90 Chapter 2: General Security Concepts Service Level Agreement (SLA) - Contractual agreements between entities that describe specified levels of service. Example –Bandwidth allocation –Download / Upload Speeds –Uptime –Support & Maintenance –Data Restoration / Backup

91 Chapter 2: General Security Concepts Bell-LaPadula Confidentiality Security Model - Principle 1: Simple Security (No Read Up) Rule No subject can read from an object with a security classification higher than possessed by the subject. - Principle 2: * - property (No Write Down) Rule Allows a subject to write to an object of equal or greater security classification. Why wouldn’t you be able to write down?

92 Chapter 2: General Security Concepts Biba Integrity Security Model - Policy 1: Low-Water-Mark Prevents unauthorized modification of data; subjects writing to objects of a higher integrity label. - Policy 2: Ring Allows a subject to read any object without regard to the object’s level of integrity and without lowering the subject’s integrity level.

93 Chapter 2 Review Questions

94 Question #1 What is the most common form of authentication used? A. Smart Cards B. Tokens C. Username / Password D. Biometrics

95 Question #1 What is the most common form of authentication used? A. Smart Cards B. Tokens C. Username / Password D. Biometrics

96 Question #2 The CIA of security includes: A.Confidentiality, integrity, authentication B.Confidentiality, integrity, availability C.Certificates, integrity, availability D.Confidentiality, inspection, authentication

97 Question #2 The CIA of security includes: A.Confidentiality, integrity, authentication B.Confidentiality, integrity, availability C.Certificates, integrity, availability D.Confidentiality, inspection, authentication

98 Question #3 The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the: A.Simple Security Rule B.Ring policy C.Mandatory access control D.*-property

99 Question #3 The security principle used in the Bell-LaPadula security model that states that no subject can read from an object with a higher security classification is the: A.Simple Security Rule B.Ring policy C.Mandatory access control D.*-property

100 Question #4 Which of the following concepts requires users and system processes to use the minimal amount of permission necessary to function? A.Layer Defense B.Diversified Defense C.Simple Security Rule D.Least Privilege

101 Question #4 Which of the following concepts requires users and system processes to use the minimal amount of permission necessary to function? A.Layer Defense B.Diversified Defense C.Simple Security Rule D.Least Privilege

102 Question #5 Which of the following is an access control method based on changes at preset intervals? A.Simple Security Rule B.Job Rotation C.Two-man rule D.Separation of Duties

103 Question #5 Which of the following is an access control method based on changes at preset intervals? A.Simple Security Rule B.Job Rotation C.Two-man rule D.Separation of Duties

104 Question #6 The Bell-LaPadula security model is an example of a security model that is based on: A.The integrity of the data B.The availability of the data C.The confidentiality of the data D.The authenticity of the data

105 Question #6 The Bell-LaPadula security model is an example of a security model that is based on: A.The integrity of the data B.The availability of the data C.The confidentiality of the data D.The authenticity of the data

106 Question #7 The term used to describe the requirement that different portions of a critical process must be performed by different people is: A.Least privilege B.Defense in Depth C.Separation of Duties D.Job Rotation

107 Question #7 The term used to describe the requirement that different portions of a critical process must be performed by different people is: A.Least privilege B.Defense in Depth C.Separation of Duties D.Job Rotation

108 Question #8 Hiding information to prevent disclosure is an example of: A.Security through obscurity B.Certificate-based security C.Discretionary data security D.Defense in depth

109 Question #8 Hiding information to prevent disclosure is an example of: A.Security through obscurity B.Certificate-based security C.Discretionary data security D.Defense in depth

110 Question #9 (Last one) The concept of blocking an action unless it is specifically authorized is: A.Implicit deny B.Least privilege C.Simple Security Rule D.Hierarchical defense model

111 Question #9 (Last one) The concept of blocking an action unless it is specifically authorized is: A.Implicit deny B.Least privilege C.Simple Security Rule D.Hierarchical defense model

112 Quiz: Week 1 10-15 minutes

113 IDV Assignment due Week #2 Paper No. 1 -Review fundamentals of information assurance. -Pick a company. -How is their information considered an asset? -How is their information being protected? -Which Information Security Service is most important to the company? -Are there specific information security requirements (regulations, policy, standards, etc.) that the company needs to abide to?

Download ppt "CMGT 400 Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus Intro to Information Assurance & Security."

Similar presentations

Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.

Chapter 2.  CIA Model  Host Security VS Network Security  Least Privileges  Layered Security  Access Controls Prepared by Mohammed Saher2.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.

Similar presentations

Ads by Google