CMGT 400 - PowerPoint PPT Presentation

Description: Chapter 2: General Security Concepts Computer Security (COMPUSEC) - Ensure computer systems are secure Network Security - Protection of multiple connected ...
Number of Views: 120
Avg rating: 3.0/5.0
Slides: 114
Provided by: PhilipR98
Tags: cmgt | compusec

Transcript and Presenter's Notes


1
CMGT 400
  • Intro to Information Assurance Security
  • Philip Robbins February 5, 2013 (Week 1)
  • University of Phoenix Mililani Campus

2
Agenda Week 1
  • Introductions
  • Course Syllabus
  • Fundamental Aspects
  • Information
  • Information Assurance
  • Information Security Services
  • Risk Management, CND, and Incident Response
  • Quiz 1
  • Assignment

3
Concepts
  • Information
  • What is it?
  • Why is it important?
  • How do we protect (secure) it?

4
Why is this important?
  • Information is valuable; therefore,
    Information Systems are valuable.
  • Compromise of the Information Security Services
    (C-I-A) has real consequences (loss):
  • Confidentiality: death, proprietary info,
    privacy, theft
  • Integrity: theft, loss of confidence, validity
  • Availability: lost productivity, disruption of
    C2, defense, emergency services

5
Concepts
  • Information Systems
  • Systems that store, transmit, and process
    information.
  • Information Security
  • The protection of information.
  • Information Systems Security
  • The protection of systems that store, transmit,
    and process information.

6
Fundamental Concepts
  • What is Information Assurance (IA)?
  • Our assurance (confidence) in the protection of
    our information / Information Security Services.
  • What are Information Security Services (ISS)?
  • Confidentiality: making sure our information is
    protected from unauthorized disclosure.
  • Integrity: making sure the information we
    process, transmit, and store has not been
    corrupted or adversely manipulated.
  • Availability: making sure that the information
    is there when we need it and gets to those who
    need it.

7
Private vs. Military Requirements
  • Which security model an organization uses depends
    on its goals and objectives.
  • Military is generally concerned with
    CONFIDENTIALITY
  • Private businesses are generally concerned with
    AVAILABILITY (e.g. Netflix, eBay) OR INTEGRITY
    (e.g. banks).
  • Some private sector companies are concerned with
    CONFIDENTIALITY (e.g. hospitals).
  • Which ISS do you believe is most important?

8
Fundamental Concepts
  • Progression of Terminology
  • Computer Security (COMPUSEC): legacy term (no
    longer used).
  • Information Security (INFOSEC): legacy term
    (still used).
  • Information Assurance (IA): term widely accepted
    today, with a focus on information sharing.
  • Cyber Security: broad term quickly being adopted.

9
Fundamental Concepts
  • What is Cyberspace?
  • Term adopted by the USG
  • The virtual environment of information and
    interactions between people.
  • Telecommunication Network infrastructures
  • Information Systems
  • The Internet

10
Review of Fundamental Concepts
  • What is the Defense in Depth Strategy?
  • Using layers of defense as protection.
  • People, Technology, and Operations.

Onion Model
11
Defense-in-Depth

Links in the Security Chain: Management,
Operational, and Technical Controls
  • Risk assessment
  • Security planning, policies, procedures
  • Configuration management and control
  • Contingency planning
  • Incident response planning
  • Security awareness and training
  • Security in acquisitions
  • Physical security
  • Personnel security
  • Security assessments and authorization
  • Continuous monitoring
  • Access control mechanisms
  • Identification and authentication mechanisms
    (biometrics, tokens, passwords)
  • Audit mechanisms
  • Encryption mechanisms
  • Boundary and network protection devices
    (firewalls, guards, routers, gateways)
  • Intrusion protection/detection systems
  • Security configuration settings
  • Anti-viral, anti-spyware, anti-spam software
  • Smart cards

Adversaries attack the weakest link. Where is
yours?
12
Review of Fundamental Concepts
Information Assurance Services (IAS)
Source: Cieslak, Randall (Dec 2011). Cyber
Fundamentals. USPACOM Chief Information Officer.
13
Review of Fundamental Concepts
14
Challenges
  • Fixed Resources
  • Sustainable strategies reduce costs

15
Information Systems Security: Privacy
  • Defined as the protection and proper handling of
    sensitive personal information
  • - Requires proper technology for protection
  • - Requires processes and controls for
    appropriate handling

16
Personally Identifiable Information (PII)
  • Name
  • SSN
  • Phone number
  • Driver's license number
  • Credit card numbers
  • etc

17
Concept 1: Info Security Assurance
  • You leave your job at ACME, Inc. to become the
    new Information Systems Security Manager (ISSM)
    for University of University College (UUC).
  • The Chief Information Officer (CIO) of UUC
    drops by your office to let you know that they
    have no ISS program at UUC!
  • A meeting with the Board of Directors is
    scheduled and you are asked by the CIO to
    attend.
  • The Board wants to hear your considerations
    on how to start the new ISS program spanning
    all national and international networks.

18
Concept 1: Info Security Assurance
  • - What would you tell the Board?
  • - As an ISSM, what would you consider first?
  • - What types of questions would you ask the Board
    and/or to the CIO?

19
Concept 2: Physical / Logical ISS
  • First day on the job and you find yourself
    already meeting with the local Physical Security
    and IT Services Managers at UUC.
  • You introduce yourself as the new ISSM and both
    managers eagerly ask you, "what can we do to help?"

20
Concept 2: Physical / Logical ISS
  • - What do you tell these Managers?
  • - What types of questions would you ask the
    Managers?
  • - As an ISSM, what are some IT, computer, and
    network security issues you consider important to
    a new ISS program at UUC?
  • - What about your meeting with the Board of
    Directors earlier? How does it apply here?

21
Concept 3: Risk
  • After a month on the job, as an ISSM, you
    decide to update the CIO on the progress of the
    UUC ISS program via email when all of a sudden
    the entire internal network goes down!
  • Your Computer Network Defense Team is able to
    trace the source of the disruption to an
    unknown vulnerability that was exploited on a
    generic perimeter router.
  • The CIO calls you into his office and indicates
    to you that he is concerned about the Risk to
    the networks at UUC and wants a risk assessment
    conducted ASAP.

22
Concept 3: Risk
  • - What does the CIO mean by Risk to the networks
    at UUC?
  • - As an ISSM, how would you conduct a risk
    assessment for the CIO?
  • - What are some of the elements of risk?
  • - How is risk measured and why is it important?

23
Risk Management
  • Information Systems Risk Management is the
    process of identifying, assessing, and mitigating
    (reducing) risks to an acceptable level.
  • - Why is this important?
  • There is no such thing as 100% security.
  • - Can risk ever be eliminated?

24
Risk Management
  • Risks MUST be identified, classified, and
    analyzed to assess potential damage (loss) to
    the company.
  • Risk is difficult to measure and quantify;
    however, we must prioritize the risks and attempt
    to address them!

25
Risk Management
  • Identify assets and their values
  • Identify Vulnerabilities and Threats
  • Quantify the probability of damage and cost of
    damage
  • Implement cost effective countermeasures!
  • ULTIMATE GOAL is to be cost effective: that is,
    ensure that your assets are safe, and at the same
    time don't spend more to protect something than
    it's worth.

26
Who is ultimately responsible for risk?
  • MANAGEMENT!!!
  • Management may delegate to data custodians or
    business units that shoulder some of the risk.
  • However, it is senior management that is
    ultimately responsible for the company's health;
    as such, they are ultimately responsible for the
    risk.

27
Computer Network Defense
  • Defending against unauthorized actions that would
    compromise or cripple information systems and
    networks.
  • Protect, monitor, analyze, detect, and respond to
    network attacks, intrusions, or disruptions.

28
Incident Response
  • Responding to a Security Breach
  • - Incident Handling
  • - Incident Management
  • - Eradication / Recovery
  • - Investigation (Forensics / Analysis)
  • - Legal, Regulatory and Compliance Reporting
  • - Documentation

29
Break
  • Let's take a break

30
Chapter 1 Introduction and Security Trends
  • The Morris Worm
  • - Robert Morris
  • - 1988
  • - First large-scale attack on the Internet
  • - No malicious payload (benign)
  • - Replicated itself
  • - Infected computer system could no longer run
    any other programs

31
Chapter 1 Introduction and Security Trends
  • Kevin Mitnick
  • - Famous Hacker
  • - 1995
  • - Wire and computer fraud
  • - Intercepting wire communication
  • - Stole software and email accounts
  • - Jailed 5 years.

32
Chapter 1 Introduction and Security Trends
  • The Melissa Virus
  • - David Smith
  • - 1999
  • - Infected 1 million computers
  • - $80 million in damage
  • - Payload: list.doc with macro
  • - Clogged networks: generated by email servers
    sending "Important Messages" from your address
    book

33
Chapter 1 Introduction and Security Trends
  • The I Love You Virus
  • - Melissa variation
  • - 2000
  • - 45 million computers
  • - $10 billion in damage
  • - Payload: .vbs (script)
  • - Released by a student in the Philippines (not
    a crime)

34
Chapter 1 Introduction and Security Trends
  • The Code Red Worm
  • - 2001
  • - 350 million computers
  • - $2.5 billion in damage
  • - Payload: benign
  • - Takes control of computers
  • - DoS attacks targeted White House website

35
Chapter 1 Introduction and Security Trends
  • The Conficker Worm
  • - 2008-2009
  • - Payload: benign
  • - Bot network
  • - Very little damage
  • - Blocks antivirus updates

36
Chapter 1 Introduction and Security Trends
  • Stuxnet
  • - 2010
  • - First Cyber Weapon
  • - Affected SCADA systems within Iran's nuclear
    enrichment facilities
  • - Uses 4 zero-day vulnerabilities

37
Chapter 1 Introduction and Security Trends
  • What is Malware?
  • - Malicious software
  • - Includes viruses and worms
  • - Protect using anti-virus software and system
    patching

38
Chapter 1 Introduction and Security Trends
  • Intruders, Hackers, and Threat Agents

39
Chapter 1 Introduction and Security Trends
  • Network Interconnection
  • - More connections
  • - From large mainframes to smaller connected
    systems
  • - Increased threat vulnerabilities
  • - Single point failures?
  • - Critical Infrastructure
  • - Information Value
  • - Information Warfare

40
Chapter 1 Introduction and Security Trends
  • Steps in an Attack
  • - Ping Sweeps (ping/whois): identify target
  • - Port Scans (nmap): exploit service

41
Chapter 1 Introduction and Security Trends
  • Steps in an Attack
  • - Bypass firewall
  • - Bypass IDS / IPS: avoid detection / logs
  • - Infect system (either Network or Physical)
  • - Pivot systems (launch client-side attacks)

42
Chapter 1 Introduction and Security Trends
43
Chapter 1 Introduction and Security Trends
  • Types of Attacks
  • - Denial of Service (DoS)
  • - Distributed Denial of Service (DDoS)
  • - Botnets (IRC)
  • - Logic Bombs
  • - SQL Injection
  • - Scripting
  • - Phishing Emails
  • - HTTP session hijacking (Man in the Middle)
  • - Buffer Overflows

44
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Botnets

45
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Redirection (Fake Sites)

46
Chapter 1 Introduction and Security Trends
  • Redirection (Fake Sites)

47
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Fake Antivirus

48
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Keyloggers (Remote Stealth
    Keystroke Dump)

49
Chapter 1 Introduction and Security Trends
  • Types of Attacks: USB Keys (Autorun infection)

Found a bunch of USB keys in a parking lot?
Would you stick one of them into your PC?
50
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Spam Email (Storm Worms)

51
Chapter 1 Introduction and Security Trends
  • Types of Attacks: Spear Phishing Emails

52
Chapter 1 Introduction and Security Trends
  • Types of Attacks: SQL injection

53
Chapter 1 Review Questions
54
Question 1
Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit?
A. Target of opportunity attack
B. Targeted attack
C. Vulnerability scan attack
D. Information warfare attack
55
Question 1
Which of the following is an attempt to find and attack a site that has hardware or software that is vulnerable to a specific exploit?
A. Target of opportunity attack
B. Targeted attack
C. Vulnerability scan attack
D. Information warfare attack
56
Question 2
Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users?
A. Viruses
B. Hackers
C. Denial-of-service attacks
D. All of the above
57
Question 2
Which of the following threats has not grown over the last decade as a result of increasing numbers of Internet users?
A. Viruses
B. Hackers
C. Denial-of-service attacks
D. All of the above
58
Question 3
The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit?
A. Virus writers
B. Script kiddies
C. Hackers
D. Elite Hackers
59
Question 3
The rise of which of the following has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit?
A. Virus writers
B. Script kiddies
C. Hackers
D. Elite Hackers
60
Question 4
Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have brought the Internet down?
A. Melissa
B. I LOVE YOU
C. Morris
D. Code Red
61
Question 4
Which of the following is generally viewed as the first Internet worm to have caused significant damage and to have brought the Internet down?
A. Melissa
B. I LOVE YOU
C. Morris
D. Code Red
62
Question 5
The act of deliberately accessing computer systems and networks without authorization is generally known as?
A. Computer intrusions
B. Hacking
C. Cracking
D. Probing
63
Question 5
The act of deliberately accessing computer systems and networks without authorization is generally known as?
A. Computer intrusions
B. Hacking
C. Cracking
D. Probing
64
Question 6
Warfare conducted against the information and information processing equipment used by an adversary is known as?
A. Hacking
B. Cyber terrorism
C. Information Warfare
D. Network Warfare
65
Question 6
Warfare conducted against the information and information processing equipment used by an adversary is known as?
A. Hacking
B. Cyber terrorism
C. Information Warfare
D. Network Warfare
66
Question 7
Which of the following is not described as a critical infrastructure?
A. Electricity (Power)
B. Banking (Finance)
C. Telecommunications
D. Retail Stores
67
Question 7
Elite hackers don't account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet?
A. Electricity (Power)
B. Banking (Finance)
C. Telecommunications
D. Retail Stores
68
Question 8 (Last one)
Elite hackers don't account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet?
A. 1-2 percent
B. 3-5 percent
C. 7-10 percent
D. 15-20 percent
69
Question 8 (Last one)
Elite hackers don't account for more than what percentage of the total number of individuals conducting intrusive activity on the Internet?
A. 1-2 percent
B. 3-5 percent
C. 7-10 percent
D. 15-20 percent
70
Break
  • Let's take a break

71
Chapter 2 General Security Concepts
  • Computer Security (COMPUSEC)
  • - Ensure computer systems are secure
  • Network Security
  • - Protection of multiple connected (networked)
    computer systems
  • Information Assurance (IA) Security
  • - Emphasis on the data: our assurance
    (confidence) in the protection of our
    information / Information Security Services.

72
Chapter 2 General Security Concepts
  • CIA Triad (Information Security Services)

73
Chapter 2 General Security Concepts
  • Operational Model of Computer Security
  • Protection = Prevention + (Detection + Response)

74
Chapter 2 General Security Concepts
  • Least Privilege (Need to Know)
  • - Users should have only the necessary
    (minimum) rights, privileges, or information to
    perform their tasks (no additional permissions).
  • Implicit Deny
  • - Deny all authorization and access
    (blacklisted) unless specifically allowed (white
    list).
  • - Default security rule for firewalls, routers,
    etc.
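As an added example (not part of the slides), the following Python evaluates a constructed allow-list with first-match semantics and compares implicit deny with the weak default-allow setting; the networks, ports and connection attempts are made up for the illustration.

```python
# Added example, not from the slides: a first-match rule evaluator that shows
# why "implicit deny" is the safe default for a firewall or router ACL.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR form
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.src)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return in_net and port_ok


# Constructed allow list (hypothetical addresses): only what the business
# needs is written down, which is the least-privilege half of the slide.
RULES = [
    Rule("allow", "10.0.0.0/8", 443),      # internal clients to HTTPS
    Rule("allow", "192.168.1.0/24", 22),   # admin subnet to SSH
    Rule("deny", "0.0.0.0/0", 23),         # telnet explicitly blacklisted
]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default: str = "deny") -> str:
    """Return the action of the first matching rule, else `default`.

    default="deny" is implicit deny; default="allow" is the weak setting
    where anything not explicitly blocked gets through.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


def unmatched_attempts(rules: List[Rule], attempts) -> List[tuple]:
    """Attempts that hit no rule at all: exactly the traffic whose fate
    depends on the default, so it is what to audit when tightening a policy."""
    return [a for a in attempts if not any(r.matches(*a) for r in rules)]


if __name__ == "__main__":
    # Constructed connection attempts: (source IP, destination port).
    attempts = [("10.1.2.3", 443), ("203.0.113.5", 3389), ("10.1.2.3", 23)]
    for src, port in attempts:
        print(src, port, "implicit deny ->", evaluate(RULES, src, port),
              "| default allow ->", evaluate(RULES, src, port, "allow"))
    print("depends on default:", unmatched_attempts(RULES, attempts))
```

The RDP attempt from 203.0.113.5 matches no rule, so only the default decides it: denied under implicit deny, let through under default allow.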

75
Chapter 2 General Security Concepts
  • Separation of Duties
  • - Ensures tasks are broken down and are
    accomplished by / involve more than one
    individual.
  • - Checks and balances system.
  • Job Rotation
  • - Rotating individuals through jobs / tasks.
  • - Organization does not become dependent on a
    single employee.

76
Chapter 2 General Security Concepts
Be sure to understand the difference between:
  • Least Privilege vs. Implicit Deny
  • Separation of Duties vs. Job Rotation

77
Chapter 2 General Security Concepts
  • Layered Security
  • - Defense in Depth
  • - Redundancy
  • - No single point of failure

78
Chapter 2 General Security Concepts
  • Layered Security

79
Chapter 2 General Security Concepts
  • Security Through Obscurity
  • - Approach of protecting something by hiding it.
  • - Generally not a good idea.
  • - Steganography
  • - Reverse engineering.

80
Chapter 2 General Security Concepts
Be sure to understand the difference between
Layered Security vs. Security Through Obscurity
81
Chapter 2 General Security Concepts
  • Access
  • - Control what a subject can perform or what
    objects the subject can interact with.
  • - e.g. Access Control Lists (ACLs)
  • Authentication
  • - Verify the identity of a subject. (Who You
    Are)
  • - Involves identification
  • - Passwords, cards, biometrics (fingerprints),
    etc.
  • - Digital certificates

82
Chapter 2 General Security Concepts
  • Authorization
  • - Verifies what a subject is authorized to do.
  • Be sure to understand the difference between
    Access vs. Identification vs. Authentication
    vs. Authorization

83
Chapter 2 General Security Concepts
  • Social Engineering
  • - Talk individuals into divulging information
    that they normally would never have.
  • - Used to gain information on identities,
    access, or authorization.
  • - Data aggregation.

84
Chapter 2 General Security Concepts
  • Policies
  • Constraints of behavior on systems and people
  • Specifies activities that are required, limited,
    and forbidden
  • Example
  • Information systems should be configured to
    require good security practices in the selection
    and use of passwords

85
Chapter 2 General Security Concepts
  • Requirements
  • Required characteristics of a system or process.
  • Often the same as or similar to the policy
  • Specifies what should be done, not how to do it.
  • Example
  • Information systems must enforce password quality
    standards.

86
Chapter 2 General Security Concepts
  • Guidelines define how to support a policy
  • Example: as a guideline, passwords should not
    be dictionary words, don't write passwords down,
    etc.

87
Chapter 2 General Security Concepts
  • Standards: what products and technical methods
    will be used to support policy.
  • Example
  • All fiber optic cables must be ACME brand
  • Passwords must be at least 8 characters and
    contain 2 upper and lower case chars
  • Procedures: step-by-step instructions

88
Chapter 2 General Security Concepts
  • Classification of Information
  • - Sensitivity / Confidentiality
  • Example
  • Unclassified (UNCLASS)
  • For Official Use Only (FOUO)
  • Confidential
  • Secret (S)
  • Secret Releasable (S//REL)
  • Top Secret (TS)

89
Chapter 2 General Security Concepts
  • Acceptable Use Policy (AUP)
  • - Outline of what the organization considers to
    be the appropriate / inappropriate use of
    company resources.
  • - Do you have a right to privacy when using a
    company's system / network resources?

90
Chapter 2 General Security Concepts
  • Service Level Agreement (SLA)
  • - Contractual agreements between entities that
    describe specified levels of service.
  • Example
  • Bandwidth allocation
  • Download / Upload Speeds
  • Uptime
  • Support / Maintenance
  • Data Restoration / Backup

91
Chapter 2 General Security Concepts
  • Bell-LaPadula Confidentiality Security Model
  • - Principle 1: Simple Security (No Read Up)
    Rule
  • No subject can read from an object with a
    security classification higher than that
    possessed by the subject.
  • - Principle 2: *-property (No Write Down)
    Rule
  • Allows a subject to write only to an object of
    equal or greater security classification.
  • Why wouldn't you be able to write down?

92
Chapter 2 General Security Concepts
  • Biba Integrity Security Model
  • - Policy 1: Low-Water-Mark
  • Prevents unauthorized modification of data:
    subjects cannot write to objects of a higher
    integrity label.
  • - Policy 2: Ring
  • Allows a subject to read any object without
    regard to the object's level of integrity and
    without lowering the subject's integrity level.
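As an added example (not from the slides), the following Python encodes the two Bell-LaPadula rules and both Biba read policies above and works the slide's "why not write down?" question; the level orderings, subject and object names are constructed for the illustration.

```python
# Added example, not from the slides: access checks for the Bell-LaPadula
# confidentiality model and the Biba integrity model, using the rules as
# stated on the slides. Level orderings and names are constructed.
from dataclasses import dataclass

# Higher number = more sensitive (Bell-LaPadula) or more trustworthy (Biba).
CLASSIFICATION = {"UNCLASS": 0, "FOUO": 1, "CONFIDENTIAL": 2,
                  "SECRET": 3, "TOP SECRET": 4}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class Subject:
    name: str
    clearance: int   # Bell-LaPadula security level
    integrity: int   # Biba integrity level; lowered under low-water-mark


@dataclass(frozen=True)
class Obj:
    name: str
    classification: int
    integrity: int


# --- Bell-LaPadula (confidentiality) ---
def blp_can_read(s: Subject, o: Obj) -> bool:
    """Simple Security Rule (no read up): object must not outrank subject."""
    return s.clearance >= o.classification


def blp_can_write(s: Subject, o: Obj) -> bool:
    """*-property (no write down): write only to equal or higher
    classification, so secrets cannot flow to lower levels."""
    return o.classification >= s.clearance


# --- Biba (integrity) ---
def biba_can_write(s: Subject, o: Obj) -> bool:
    """No write up: a subject cannot modify an object of higher integrity."""
    return s.integrity >= o.integrity


def biba_read_ring(s: Subject, o: Obj) -> bool:
    """Ring policy: any read is allowed; the subject's level is unchanged."""
    return True


def biba_read_low_water_mark(s: Subject, o: Obj) -> bool:
    """Low-water-mark policy: the read is allowed, but the subject's integrity
    sinks to the object's level, so what it reads limits what it may write."""
    s.integrity = min(s.integrity, o.integrity)
    return True


def write_down_leak_blocked() -> bool:
    """The slide's question: a SECRET-cleared subject that has read a SECRET
    plan must not be able to copy it into an UNCLASS object."""
    analyst = Subject("analyst", CLASSIFICATION["SECRET"], INTEGRITY["HIGH"])
    plan = Obj("war_plan", CLASSIFICATION["SECRET"], INTEGRITY["HIGH"])
    public = Obj("public_site", CLASSIFICATION["UNCLASS"], INTEGRITY["LOW"])
    return blp_can_read(analyst, plan) and not blp_can_write(analyst, public)


def tainted_input_blocked() -> bool:
    """Biba low-water-mark: a HIGH-integrity service that consumes LOW-integrity
    (untrusted) input can no longer write the HIGH-integrity config."""
    service = Subject("updater", CLASSIFICATION["UNCLASS"], INTEGRITY["HIGH"])
    upload = Obj("user_upload", CLASSIFICATION["UNCLASS"], INTEGRITY["LOW"])
    config = Obj("system_config", CLASSIFICATION["UNCLASS"], INTEGRITY["HIGH"])
    before = biba_can_write(service, config)     # True: HIGH >= HIGH
    biba_read_low_water_mark(service, upload)    # service drops to LOW
    after = biba_can_write(service, config)      # False: LOW < HIGH
    return before and not after
```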

93
Chapter 2 Review Questions
94
Question 1
What is the most common form of authentication used?
A. Smart Cards
B. Tokens
C. Username / Password
D. Biometrics
95
Question 1
What is the most common form of authentication used?
A. Smart Cards
B. Tokens
C. Username / Password
D. Biometrics
96
Question 2
  • The CIA of security includes
  • Confidentiality, integrity, authentication
  • Confidentiality, integrity, availability
  • Certificates, integrity, availability
  • Confidentiality, inspection, authentication

97
Question 2
  • The CIA of security includes
  • Confidentiality, integrity, authentication
  • Confidentiality, integrity, availability
  • Certificates, integrity, availability
  • Confidentiality, inspection, authentication

98
Question 3
  • The security principle used in the Bell-LaPadula
    security model that states that no subject can
    read from an object with a higher security
    classification is the
  • Simple Security Rule
  • Ring policy
  • Mandatory access control
  • *-property

99
Question 3
  • The security principle used in the Bell-LaPadula
    security model that states that no subject can
    read from an object with a higher security
    classification is the
  • Simple Security Rule
  • Ring policy
  • Mandatory access control
  • *-property

100
Question 4
  • Which of the following concepts requires users
    and system processes to use the minimal amount of
    permission necessary to function?
  • Layer Defense
  • Diversified Defense
  • Simple Security Rule
  • Least Privilege

101
Question 4
  • Which of the following concepts requires users
    and system processes to use the minimal amount of
    permission necessary to function?
  • Layer Defense
  • Diversified Defense
  • Simple Security Rule
  • Least Privilege

102
Question 5
  • Which of the following is an access control
    method based on changes at preset intervals?
  • Simple Security Rule
  • Job Rotation
  • Two-man rule
  • Separation of Duties

103
Question 5
  • Which of the following is an access control
    method based on changes at preset intervals?
  • Simple Security Rule
  • Job Rotation
  • Two-man rule
  • Separation of Duties

104
Question 6
  • The Bell-LaPadula security model is an example
    of a security model that is based on
  • The integrity of the data
  • The availability of the data
  • The confidentiality of the data
  • The authenticity of the data

105
Question 6
  • The Bell-LaPadula security model is an example
    of a security model that is based on
  • The integrity of the data
  • The availability of the data
  • The confidentiality of the data
  • The authenticity of the data

106
Question 7
  • The term used to describe the requirement that
    different portions of a critical process must be
    performed by different people is
  • Least privilege
  • Defense in Depth
  • Separation of Duties
  • Job Rotation

107
Question 7
  • The term used to describe the requirement that
    different portions of a critical process must be
    performed by different people is
  • Least privilege
  • Defense in Depth
  • Separation of Duties
  • Job Rotation

108
Question 8
  • Hiding information to prevent disclosure is an
    example of
  • Security through obscurity
  • Certificate-based security
  • Discretionary data security
  • Defense in depth

109
Question 8
  • Hiding information to prevent disclosure is an
    example of
  • Security through obscurity
  • Certificate-based security
  • Discretionary data security
  • Defense in depth

110
Question 9 (Last one)
  • The concept of blocking an action unless it is
    specifically authorized is
  • Implicit deny
  • Least privilege
  • Simple Security Rule
  • Hierarchical defense model

111
Question 9 (Last one)
  • The concept of blocking an action unless it is
    specifically authorized is
  • Implicit deny
  • Least privilege
  • Simple Security Rule
  • Hierarchical defense model

112
Quiz Week 1
  • 10-15 minutes

113
IDV Assignment due Week 2
  • Paper No. 1
  • Review fundamentals of information assurance.
  • Pick a company.
  • How is their information considered an asset?
  • How is their information being protected?
  • Which Information Security Service is most
    important to the company?
  • Are there specific information security
    requirements (regulations, policy, standards,
    etc.) that the company needs to abide by?