1 / 21

Chapter 1

Chapter 1. Introduction to Information Security. Objectives. In this chapter, you will: Define basic security concepts Begin to assess security risks Outline a security policy Locate information security resources. Basic Security Concepts.

ursula-heath
Download Presentation

Chapter 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 1 Introduction to Information Security Web Security for Network and System Administrators

  2. Objectives In this chapter, you will: • Define basic security concepts • Begin to assess security risks • Outline a security policy • Locate information security resources Web Security for Network and System Administrators

  3. Basic Security Concepts • Confidentiality – only authorized individuals can access data • Integrity – data changes are tracked and properly controlled • Availability – systems are accessible for business needs Web Security for Network and System Administrators

  4. Basic Security Concepts • Physical security – protect people, equipment, and facilities • Privacy – critical data is not released to the wrong people • Marketplace perception – the way the company is perceived by customers, partners, and competitors Web Security for Network and System Administrators

  5. Assessing Risk • Check existing security policies and processes • Analyze, prioritize, and categorize resources by determining: total cost of ownership, internal value, and external value. • TCO refers to the total monetary and labor costs calculated over a specific time period • Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company • External value refers to the money or another commodity that the asset brings to the company from external sources Web Security for Network and System Administrators

  6. Assessing Risk • Consider business concerns through the annualized loss expectancy (ALE = SLE * ARO) • Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF) • Asset value = TCO + internal value + external value • EF is the percentage of asset loss that is expected from a particular threat • Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year Web Security for Network and System Administrators

  7. Assessing Risk • Evaluate existing security controls to determine what controls are deployed and effective • Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls Web Security for Network and System Administrators

  8. Building a Security Policy • A security policy has the following three important benefits: • Communicates a common vision for security throughout a company • Represents a single easy-to-use source of security requirements • Exists as a flexible document that should be updated at least annually to address new security threats Web Security for Network and System Administrators

  9. Building a Security Policy An organization’s security policy should cover the following: • Foreword: Purpose, scope, responsibilities, and penalties for noncompliance • Physical security: Controls to protect the people, equipment, facilities, and computer assets • User ID and rights management: Only authorized individuals have access to the necessary systems and network devices Web Security for Network and System Administrators

  10. Building a Security Policy An organization’s security policy should cover the following: • Network security: Protect the network devices and data in transit • System security: Necessary defenses to protect computer systems from compromise • Testing: Authorized security tools and testing • Auditing: Procedures to periodically check security compliance Web Security for Network and System Administrators

  11. Building a Security Policy Foreword • Purpose: Why is this policy being established? • Scope: What people, systems, software, information, and facilities are covered? • Responsibilities: Who is responsible for the various computing roles in a company? • Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance? Web Security for Network and System Administrators

  12. Human threats: theft, vandalism, sabotage, and terrorism Building damage: fire, water damage, and toxic leaks Natural disasters: floods, hurricanes, and tornadoes Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines Equipment failure: computer system damage and network device failure Building a Security Policy Physical Security Web Security for Network and System Administrators

  13. Building a Security PolicyUser ID and Rights Management • User Account Creation, Deletion, and Validation – manage user accounts • Password Policies – manage password parameters • Access Controls - determine who gets what access to what Web Security for Network and System Administrators

  14. Building a Security Policy Network Security • Specific timeframes for changing passwords on the network devices • Use of secure network protocols • Firewalls at specific chokepoints in a network architecture • Use of authentication servers to access network devices Web Security for Network and System Administrators

  15. Building a Security Policy System Security • The systems section is used to outline the specific settings required to secure a particular operating system or application • For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS • For a particular UNIX flavor, shadow password files may be required to hide user IDs and passwords from general users Web Security for Network and System Administrators

  16. Building a Security Policy Testing and Auditing • Specify requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment • Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools • Specify corporate auditing requirements, frequencies, and organizations Web Security for Network and System Administrators

  17. Security ResourcesSecurity Certifications • CISSP • SSCP • GIAC • CISA • CIW Security Professional Web Security for Network and System Administrators

  18. Security ResourcesWeb Resources Web Security for Network and System Administrators

  19. Summary • The CIA triad categorizes aspects of information that must be protected from attacks: confidentiality, integrity, and availability. • The PPP triad depicts security, privacy, and marketplace perception as three additional abstract concepts that should drive security efforts. Web Security for Network and System Administrators

  20. Summary • The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps: • Check for existing security policies and processes • Analyze, prioritize, and categorize resources • Consider business concerns • Evaluate existing security controls • Leverage existing management and control architecture • To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO. • A security policy has three major benefits. It: • Communicates a common vision for security throughout a company • Represents a single easy-to-use source of security requirements • Exists as a flexible document that should be updated at least annually to address new security threats Web Security for Network and System Administrators

  21. Summary • An effective security policy includes security requirements in the following areas: • Physical security • User ID and rights management • Systems • Network • Security tools • Auditing • There are a number of security-related certifications to help security professionals quantify their knowledge on a resume. • Every security professional must stay current about the latest threats through Web resources, mailing lists, and printed materials. Web Security for Network and System Administrators

More Related