Unit1-Network Security

COMPUTER & NETWORK SECURITY

Unit 1 Objectives

1. Recognize the growing importance of information security specialists to the information technology (IT) infrastructure.

2. Comprehend information security in the context of the mission of a business.

3. Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations.

Unit 1 Objectives cont…

4. Distinguish between the three main security goals.

5. Learn how to design and apply the principle of "Defense in Depth."

6. Comprehend human vulnerabilities in security systems to better design solutions to counter them.

Unit 1 Objectives cont…

7. Explain the difference between functional and assurance requirements.

8. Comprehend the fallacy of security through obscurity to avoid using it as a measure of security.

9. Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business.

10. Determine which side of the open disclosure debate you would take.

Unit 1 Objectives cont…

11. Analyze the Certified Information Systems Security Professional (CISSP) certificate program as the gold standard in information technology (IT) security certification.

12. Define and describe the role of the International Information Systems Security Certifications Consortium.

13. Distinguish the contents of the 10 domains of the Common Body of Knowledge.

14. Distinguish the CISSP from other security certification programs in the industry.

What is Network Security

Network Security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.

What is Information Security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Discussion

What would computing be like today if no standards had been adopted?

Why are standards so important to the computing Industry?

Importance of I.S. to the Business

“To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists.”

How is this acheived

• To support business operations a number of common positions and career opportunities are needed.– Network Administrator– Network Engineer– Security Engineer– Programmer and Application Tester– Chief Security Officer

Importance of I.S. to the Business

• Implement Security Practices

• Perform Risk Analysis

• Configure Rights and Permission

• Implement Access Controls and Changes

• Secure Network Data

Importance cont…

• Recognize Attack Vectors

• Understand Life Cycles

• Conduct Security Audit and Testing

• Develop BCP, BIA and DRP

• Comprehend Laws and Regulations

• An organization’s security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge.

12 basic principles of information security.

Principle 1: There Is No Such Thing as Absolute Security Explains that no information system can ever be totally secure, but can be configured to minimize risks.

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

C.I.A.

Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.

Integrity means that data cannot be modified undetectably

For any information system to serve its purpose, the information must be available when it is needed.

Principle 3

Principle 3: Defense in Depth as Strategy Explains the importance of creating a layered defense around any information system.

Principle 3 cont…

• Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.

Principle 4

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

Principle 4: Discussion

What are the need for security minded professionals in any organization where people use the information system.

Principle 5

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

Verify and Validate

Verification and validation of products, processes, and systems to ensure they function correctly.

Principle 6

Principle 6: Security Through Obscurity Is Not an Answer Dispels the myth that hiding details about security mechanisms enhances security.

Principle 6: Arguments

Arguments for: Security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.

Arguments against: In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy.

Principle 6: Arguments

Principle 7

Principle 7: Security = Risk Management Explains simple methods for evaluating the risk level of any information system.

Principle 8

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

Prevention:

Detection:

Responsive:

Principle 8 cont…

Principle 9

Principle 9: Complexity Is the Enemy of Security Explains the need for simplicity in designing and maintaining an information system.

Principle 10

Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security

Principle 10 - Discussion

Why is it better to taking a business-centric approach (as opposed to scare tactics) when convincing management to make security investment

Principle 11

Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

Principle 11 - Discussions

What role does people, processes, and technology play in information security, and how they interact to enhance security.

Principle 12

Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

Principle 12 – Discussions

How does open communications among IT professionals and users can improve security

Vendor Neutral CertificationsCertified Information Systems Auditor (CISA) and

Certified Information Security Manager CISM) - To assure that information security manager has the required knowledge and ability to provide effective security management and consulting

Global Information Assurance Certifications (GIAC) - Intended primarily for practitioners or hands-on personnel such as system administrators and network engineers

CompTIA Security+ Certification – Tests the security knowledge mastery of an individual with two years on-the-job networking security experience

(ISC)2 - Certified Information Systems Security Professional (CISSP)

(ISC)2 - System Security Certified Practitioner (SSCP)

Vendor Neutral Certifications

Vendor-Specific Certification Programs

Check Point Certified SecurityPrinciples AssociateCisco Security Certifications*INFOSEC ProfessionalMicrosoft Certified Information Technology SpecialistRSA Certified Systems EngineerSun Certified Security Administrator for the Solaris

Operating SystemSymantec Technology ArchitectTivoli Certified Consultant

CISSP

Provides Employers with the confidenceIndustry assuranceFirst certification accredited by ANSI ISO/IEC

Standard 17024:2003Globally recognized

10 Domains – CBK• Access Control • Application Development Security • Business Continuity and Disaster Recovery Planning • Cryptography • Information Security Governance and Risk

Management • Legal, Regulations, Investigations and Compliance • Operations Security • Physical (Environmental) Security • Security Architecture and Design • Telecommunications and Network Security

How to become a CISSP

1. Criteria– 5 years experience or 4 years with a BSc.

2. Examination– Pass the CISSP examination with a scaled score of

700 points or greater3. Endorsement– All candidate must be endorsed by a active CISSP in

good standing4. Audit– Candidates may be randomly selected for audit

Maintaining a CISSPAll CISSP must recertify every 3 years:This is primarily accomplished through

continuing professional education [CPE], 120 credits of which are required every three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle.

CISSPs must also pay an annual maintenance fee of $85 per year.