CMGT 400 - PowerPoint PPT Presentation

Presentation Transcript

  1. CMGT 400 Intro to Information Assurance & Security Philip Robbins – February 5, 2013 (Week 1) University of Phoenix Mililani Campus

  2. Agenda: Week 1 • Introductions • Course Syllabus • Fundamental Aspects • Information • Information Assurance • Information Security Services • Risk Management, CND, and Incident Response • Quiz #1 • Assignment

  3. Concepts • Information • What is it? • Why is it important? • How do we protect (secure) it?

  4. Why is this important? • Information is valuable; therefore, • Information Systems are valuable. • etc… • Compromise of the Information Security Services (C-I-A) has real consequences (loss) • Confidentiality: death, proprietary info, privacy, theft • Integrity: theft, loss of confidence, validity • Availability: lost productivity, disruption of C2, defense, emergency services

  5. Concepts • Information Systems • Systems that store, transmit, and process information. + • Information Security • The protection of information. _______________________________________________ • Information Systems Security • The protection of systems that store, transmit, and process information.

  6. Fundamental Concepts • What is Information Assurance (IA)? • Our assurance (confidence) in the protection of our information / Information Security Services. • What are Information Security Services (ISS)? • Confidentiality: Making sure our information is protected from unauthorized disclosure. • Integrity: Making sure the information we process, transmit, and store has not been corrupted or adversely manipulated. • Availability: Making sure that the information is there when we need it and gets to those who need it.

  7. Private vs. Military Requirements • Which security model an organization uses depends on its goals and objectives. • Military is generally concerned with CONFIDENTIALITY • Private businesses are generally concerned with AVAILABILITY (e.g. Netflix, eBay, etc.) OR INTEGRITY (e.g. banks). • Some private sector companies are concerned with CONFIDENTIALITY (e.g. hospitals). • Which ISS do you believe is most important?

  8. Fundamental Concepts • Progression of Terminology • Computer Security • (COMPUSEC) • Legacy Term (no longer used). • Information Security • (INFOSEC) • Legacy Term (still used). • Information Assurance • (IA) • Term widely accepted today with focus on Information Sharing. • Cyber Security • Broad Term quickly being adopted.

  9. Fundamental Concepts • What is Cyberspace? • Term adopted by the USG • The virtual environment of information and interactions between people. • Telecommunication Network infrastructures • Information Systems • The Internet

  10. Review of Fundamental Concepts • What is the Defense in Depth Strategy? • Using layers of defense as protection. • People, Technology, and Operations. • Onion Model

  11. Defense-in-Depth Links in the Security Chain: Management, Operational, and Technical Controls • Risk assessment • Security planning, policies, procedures • Configuration management and control • Contingency planning • Incident response planning • Security awareness and training • Security in acquisitions • Physical security • Personnel security • Security assessments and authorization • Continuous monitoring • Access control mechanisms • Identification & authentication mechanisms (Biometrics, tokens, passwords) • Audit mechanisms • Encryption mechanisms • Boundary and network protection devices (Firewalls, guards, routers, gateways) • Intrusion protection/detection systems • Security configuration settings • Anti-viral, anti-spyware, anti-spam software • Smart cards Adversaries attack the weakest link…where is yours?

  12. Review of Fundamental Concepts • Information Assurance Services (IAS) [table of IA services; contents not recoverable from the transcript] • Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

  13. Review of Fundamental Concepts

  14. Challenges • Fixed Resources • Sustainable strategies reduce costs

  15. Information Systems Security: Privacy • Defined: the protection and proper handling of sensitive personal information - Requires proper technology for protection - Requires processes and controls for appropriate handling

  16. Personally Identifiable Information (PII) • Name • SSN • Phone number • Driver's license number • Credit card numbers • etc…

  17. Concept 1: Info Security & Assurance • You leave your job at ACME, Inc. to become the new Information Systems Security Manager (ISSM) for University of University College (UUC). • The Chief Information Officer (CIO) of UUC drops by your office to let you know that they have no ISS program at UUC! • A meeting with the Board of Directors is scheduled and you are asked by the CIO to attend. • The Board wants to hear your considerations on how to start the new ISS program spanning all national and international networks.

  18. Concept 1: Info Security & Assurance • - What would you tell the Board? • - As an ISSM, what would you consider first? • - What types of questions would you ask the Board and/or to the CIO?

  19. Concept 2: Physical & Logical ISS • First day on the job and you find yourself already meeting with the local Physical Security and IT Services Managers at UUC. • You introduce yourself as the new ISSM and both managers eagerly ask you “what can we do to help?”

  20. Concept 2: Physical & Logical ISS • - What do you tell these Managers? • - What types of questions would you ask the Managers? • - As an ISSM, what are some IT, computer, and network security issues you consider important to a new ISS program at UUC? • - What about your meeting with the Board of Directors earlier? How does it apply here?

  21. Concept 3: Risk • After a month on the job, as an ISSM, you decide to update the CIO on the progress of the UUC ISS program via email when all of a sudden the entire internal network goes down! • Your Computer Network Defense Team is able to trace the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router. • The CIO calls you into his office and indicates to you that he is “concerned about the Risk to the networks at UUC” and “wants a risk assessment conducted” ASAP.

  22. Concept 3: Risk • - What does the CIO mean by “Risk to the networks at UUC”? • - As an ISSM, how would you conduct a risk assessment for the CIO? • - What are some of the elements of risk? • - How is risk measured and why is it important?

  23. Risk Management • Information Systems Risk Management is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level. - Why is this important? • There is no such thing as 100% security. - Can risk ever be eliminated?

  24. Risk Management • Risks MUST be identified, classified and analyzed to assess potential damage (loss) to the company. • Risk is difficult to measure and quantify; however, we must prioritize the risks and attempt to address them!

  25. Risk Management • Identify assets and their values • Identify Vulnerabilities and Threats • Quantify the probability of damage and cost of damage • Implement cost-effective countermeasures! • ULTIMATE GOAL is to be cost-effective. That is: ensure that your assets are safe, and at the same time don’t spend more to protect something than it’s worth*
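The four steps on this slide worked through in numbers, as an added example that is not part of the original slides: it applies the standard single loss expectancy (SLE) and annualized rate of occurrence (ARO) formulas to the UUC scenario, and every asset value, probability, cost and control name below is constructed for illustration.

```python
"""Quantitative risk assessment (added example).

Steps from the slide: identify assets and values, identify
vulnerabilities and threats, quantify probability and cost of damage,
then adopt only countermeasures that cost less than the loss they prevent.
All figures are constructed sample values, not real UUC data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float       # what the asset is worth (dollars)
    threat: str              # vulnerability/threat pairing being assessed
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: probability x cost, per year."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_aro: float           # residual incident rate with the control in place


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Net yearly benefit = ALE before - ALE after - control cost.
    Positive: cost-effective. Negative: spending more than the asset's loss is worth."""
    return risk.ale() - risk.sle() * cm.new_aro - cm.annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by ALE, highest first, so the largest expected loss is addressed first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed inventory for the UUC scenario (values chosen to be exact in binary)
RISKS = [
    Risk("Perimeter router", 20_000, "unknown vulnerability exploited", 0.5, 3.0),
    Risk("Student records DB", 500_000, "unauthorized disclosure", 0.25, 0.125),
    Risk("Campus web server", 50_000, "denial of service", 0.25, 1.0),
]
PATCHING = Countermeasure("router patch management", annual_cost=5_000, new_aro=0.25)
YEARLY_REPLACEMENT = Countermeasure("replace routers every year", annual_cost=60_000, new_aro=0.125)
```

Running `prioritize(RISKS)` puts the router first, and `countermeasure_value` shows patching is worth adopting while yearly replacement costs more than it saves.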

  26. Who is ultimately responsible for risk? • MANAGEMENT!!! • Management may delegate to data custodians or business units that shoulder some of the risk. • However, it is senior management that is ultimately responsible for the company's health; as such they are ultimately responsible for the risk.

  27. Computer Network Defense • Defending against unauthorized actions that would compromise or cripple information systems and networks. • Protect, monitor, analyze, detect, and respond to network attacks, intrusions, or disruptions.

  28. Incident Response • Responding to a Security Breach - Incident Handling - Incident Management - Eradication & Recovery - Investigation (Forensics / Analysis) - Legal, Regulatory and Compliance Reporting - Documentation

  29. Break • Let’s take a break…

  30. Chapter 1: Introduction and Security Trends • The Morris Worm - Robert Morris - 1988 - First Large scale attack on the Internet - No malicious payload (benign) - Replicated itself - Infected computer system could no longer run any other programs

  31. Chapter 1: Introduction and Security Trends • Kevin Mitnick - Famous Hacker - 1995 - Wire and computer fraud - Intercepting wire communication - Stole software and email accounts - Jailed: 5 years.

  32. Chapter 1: Introduction and Security Trends • The Melissa Virus - David Smith - 1999 - Infected 1 million computers - $80 million - Payload: “list.doc” with macro - Clogged networks generated by email servers sending “Important Messages” from your address book

  33. Chapter 1: Introduction and Security Trends • The “I Love You” Virus - Melissa Variation - 2000 - 45 million computers - $10 billion - Payload: .vbs (script) - Released by a student in the Philippines (not a crime there at the time)

  34. Chapter 1: Introduction and Security Trends • The “Code Red” Worm - 2001 - 350 million computers - $2.5 billion - Payload: benign - Takes control of computers - DoS attacks: targeted “White House” website

  35. Chapter 1: Introduction and Security Trends • The “Conficker” Worm - 2008-2009 - Payload: benign - Bot network - Very little damage - Blocks antivirus updates

  36. Chapter 1: Introduction and Security Trends • Stuxnet - 2010 - First Cyber Weapon - Affected SCADA systems within IRAN’s Nuclear Enrichment Facilities - Uses 4 “Zero Day” Vulnerabilities

  37. Chapter 1: Introduction and Security Trends • What is Malware? - Malicious Software - Includes “Viruses” & “Worms” - Protect using Anti-virus software & System Patching

  38. Chapter 1: Introduction and Security Trends • Intruders, Hackers, and Threat Agents

  39. Chapter 1: Introduction and Security Trends • Network Interconnection - More connections - From large mainframes to smaller connected systems - Increased threat & vulnerabilities - Single point failures? - Critical Infrastructure - Information Value - Information Warfare

  40. Chapter 1: Introduction and Security Trends • Steps in an Attack - Ping Sweeps (ping/whois) – identify target - Port Scans (nmap) – exploit service

  41. Chapter 1: Introduction and Security Trends • Steps in an Attack - Bypass firewall - Bypass IDS & IPS: Avoid detection / logs - Infect system (either Network or Physical) - Pivot systems (launch client-side attacks)

  42. Chapter 1: Introduction and Security Trends

  43. Chapter 1: Introduction and Security Trends • Types of Attacks - Denial of Service (DoS) - Distributed Denial of Service (DDoS) - Botnets (IRC) - Logic Bombs - SQL Injection - Scripting - Phishing Emails - HTTP session hijacking (Man in the Middle) - Buffer Overflows

  44. Chapter 1: Introduction and Security Trends • Types of Attacks: Botnets

  45. Chapter 1: Introduction and Security Trends • Types of Attacks: Redirection (Fake Sites)

  46. Chapter 1: Introduction and Security Trends • Redirection (Fake Sites)

  47. Chapter 1: Introduction and Security Trends • Types of Attacks: Fake Antivirus

  48. Chapter 1: Introduction and Security Trends • Types of Attacks: Keyloggers (Remote Stealth Keystroke Dump)

  49. Chapter 1: Introduction and Security Trends • Types of Attacks: USB Keys (Autorun infection) Found a bunch of USB keys in a parking lot? Would you stick one of them into your PC?

  50. Chapter 1: Introduction and Security Trends • Types of Attacks: Spam Email (Storm Worms)