COMPUTER & NETWORK SECURITY
Unit 1 Objectives
1. Recognize the growing importance of information security specialists to the information technology (IT) infrastructure.
2. Comprehend information security in the context of the mission of a business.
3. Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations.
Unit 1 Objectives cont…
4. Distinguish between the three main security goals.
5. Learn how to design and apply the principle of "Defense in Depth."
6. Comprehend human vulnerabilities in security systems to better design solutions to counter them.
Unit 1 Objectives cont…
7. Explain the difference between functional and assurance requirements.
8. Comprehend the fallacy of security through obscurity to avoid using it as a measure of security.
9. Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business.
10. Determine which side of the open disclosure debate you would take.
Unit 1 Objectives cont…
11. Analyze the Certified Information Systems Security Professional (CISSP) certificate program as the gold standard in information technology (IT) security certification.
12. Define and describe the role of the International Information Systems Security Certifications Consortium.
13. Distinguish the contents of the 10 domains of the Common Body of Knowledge.
14. Distinguish the CISSP from other security certification programs in the industry.
What is Network Security
Network Security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
What is Information Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Discussion
What would computing be like today if no standards had been adopted?
Why are standards so important to the computing Industry?
Importance of I.S. to the Business
“To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists.”
How is this acheived
• To support business operations a number of common positions and career opportunities are needed.– Network Administrator– Network Engineer– Security Engineer– Programmer and Application Tester– Chief Security Officer
Importance of I.S. to the Business
• Implement Security Practices
• Perform Risk Analysis
• Configure Rights and Permission
• Implement Access Controls and Changes
• Secure Network Data
Importance cont…
• Recognize Attack Vectors
• Understand Life Cycles
• Conduct Security Audit and Testing
• Develop BCP, BIA and DRP
• Comprehend Laws and Regulations
• An organization’s security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge.
12 basic principles of information security.
Principle 1: There Is No Such Thing as Absolute Security Explains that no information system can ever be totally secure, but can be configured to minimize risks.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
C.I.A.
Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.
Integrity means that data cannot be modified undetectably
For any information system to serve its purpose, the information must be available when it is needed.
Principle 3
Principle 3: Defense in Depth as Strategy Explains the importance of creating a layered defense around any information system.
Principle 3 cont…
• Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.
Principle 4
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
Principle 4: Discussion
What are the need for security minded professionals in any organization where people use the information system.
Principle 5
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
Verify and Validate
Verification and validation of products, processes, and systems to ensure they function correctly.
Principle 6
Principle 6: Security Through Obscurity Is Not an Answer Dispels the myth that hiding details about security mechanisms enhances security.
Principle 6: Arguments
Arguments for: Security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.
Arguments against: In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy.
Principle 6: Arguments
Principle 7
Principle 7: Security = Risk Management Explains simple methods for evaluating the risk level of any information system.
Principle 8
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
Prevention:
Detection:
Responsive:
Principle 8 cont…
Principle 9
Principle 9: Complexity Is the Enemy of Security Explains the need for simplicity in designing and maintaining an information system.
Principle 10
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
Principle 10 - Discussion
Why is it better to taking a business-centric approach (as opposed to scare tactics) when convincing management to make security investment
Principle 11
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
Principle 11 - Discussions
What role does people, processes, and technology play in information security, and how they interact to enhance security.
Principle 12
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
Principle 12 – Discussions
How does open communications among IT professionals and users can improve security
Vendor Neutral CertificationsCertified Information Systems Auditor (CISA) and
Certified Information Security Manager CISM) - To assure that information security manager has the required knowledge and ability to provide effective security management and consulting
Global Information Assurance Certifications (GIAC) - Intended primarily for practitioners or hands-on personnel such as system administrators and network engineers
CompTIA Security+ Certification – Tests the security knowledge mastery of an individual with two years on-the-job networking security experience
(ISC)2 - Certified Information Systems Security Professional (CISSP)
(ISC)2 - System Security Certified Practitioner (SSCP)
Vendor Neutral Certifications
Vendor-Specific Certification Programs
Check Point Certified SecurityPrinciples AssociateCisco Security Certifications*INFOSEC ProfessionalMicrosoft Certified Information Technology SpecialistRSA Certified Systems EngineerSun Certified Security Administrator for the Solaris
Operating SystemSymantec Technology ArchitectTivoli Certified Consultant
CISSP
Provides Employers with the confidenceIndustry assuranceFirst certification accredited by ANSI ISO/IEC
Standard 17024:2003Globally recognized
10 Domains – CBK• Access Control • Application Development Security • Business Continuity and Disaster Recovery Planning • Cryptography • Information Security Governance and Risk
Management • Legal, Regulations, Investigations and Compliance • Operations Security • Physical (Environmental) Security • Security Architecture and Design • Telecommunications and Network Security
How to become a CISSP
1. Criteria– 5 years experience or 4 years with a BSc.
2. Examination– Pass the CISSP examination with a scaled score of
700 points or greater3. Endorsement– All candidate must be endorsed by a active CISSP in
good standing4. Audit– Candidates may be randomly selected for audit
Maintaining a CISSPAll CISSP must recertify every 3 years:This is primarily accomplished through
continuing professional education [CPE], 120 credits of which are required every three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle.
CISSPs must also pay an annual maintenance fee of $85 per year.