310 likes | 452 Views
INFOSEC. Objectives. CISSP CBK. DHS EBK. Pedagogy. About the Course. Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu. IST 515. Objectives.
E N D
INFOSEC Objectives CISSP CBK DHS EBK Pedagogy About the Course Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu IST 515
Objectives This module will familiarize you with the following: • Current trend of computer crime and security. • Why information security is not just a technical problem? • The common body of knowledge in information security proposed by (ISC)2. • The essential body of knowledge in security suggested by Department of Homeland Security. • The purposes, coverage and policy of the course. • Concept of “Defense in depth (DID)” in security.
Reading List • SANS 2008 Salary and Certification Survey. http://www.sans.org/resources/salary_survey_2008.pdf • Robert Richardson, “2009 CSI Computer Crime & Security Survey.” (Required) • Wikipedia, “Certified Information Systems Security Professional (CISSP).” http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional • Department of Homeland Security, “Information Technology Security Essential Body of Knowledge,” 2007. • ISACA, Information Security career Progression. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=42042 • Wikipedia, “Defense in Depth (computing).” http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
Sun Tzu's Art of War • If you know your enemies and know yourself, you can win a hundred battles without a single loss (知彼知己,百戰不殆). • If you only know yourself, but not your opponent, you may win or may lose (不知彼而知己, 一勝一負). • If you know neither yourself nor your enemy, you will always endanger yourself (不知彼,不知己,每戰必殆). (http://en.wikipedia.org/wiki/The_Art_of_War)
SANS Security Salary Survey (2008) • Salaries for information security professionals are high. Only 1.65% of respondents earn less than US $40,000 per year and over 38% earn US $100,000 or more per year. • 81% of respondents with hiring responsibilities consider certification a factor in their hiring decisions. • 41% of the respondents said their organizations use certifications as a factor when determining salary increases. • Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.
2010 IT Skills and Salary Report (http://www.examland.com/it-certification/1865/1865/)
2008 CSI Security Survey • The most expensive computer security incidents were those involving financial fraud. • Virus incidents occurred most frequently. • Almost one in ten organizations reported they’d had a Domain Name System incident. • Twenty-seven percent of those responding to a question regarding “targeted attacks.” • The vast majority of respondents (68 percent) said their organizations had a formal information security policy.
Test Your Understanding • What percentage of corporations experienced at least one security incident? • Name the two highest-prevalence threats, which are experienced by a majority of firms? • Describe trends for the three traditional hacker attacks. • Describe trends in the three low-prevalence, high-impact attacks. • Why do you think companies may have a difficult time planning for low-prevalence, high-impact attacks? • Describe trends for wiretapping, telecommunications eavesdropping, and telecommunications fraud. • Does media coverage typically mirror the importance of threats?
CSI Security Survey 2009 • Big jumps in incidence of password sniffing, financial fraud, and malware infection. • One-third of respondents' organizations were fraudulently represented as the sender of a phishing message. • Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures. • Twenty-five percent felt that over 60 percent of their financial losses were due to non-malicious actions by insiders. • Respondents were satisfied, though not overjoyed, with all security technologies.
CSI Security Survey 2009 • Investment in end-user security awareness training was inadequate, but investments in other components of their security program were adequate. • Actions Taken: 22 percent - notified individuals whose personal information was breached and 17 percent - provided new security services to users or customers. • Security Solutions: Use tools that would improve their visibility - better log management, security information and event management, security data visualization, security dashboards and the like. • Regulatory compliance efforts have had a positive effect on their organization's security programs.
Let us Talk • What kind of knowledge and skills are needed to succeed in information security career? - CBK vs. EBK - Similarities and differences • What professionals have to say about the field? - Hard vs. soft skills • How about IST 515? • How about your degree?
CISSP CBK Information Systems Security • Information security and risk management • Access control • Cryptography basics • Physical (environmental) security • Security architecture and design • Telecommunications and network security • Application security • Operations security • Business continuity and disaster recovery planning • Legal, regulations, compliance and investigations Common Body of Knowledge
Roles and Competencies (EBK) • Strategic Management • IT Security Training & Awareness • Risk Management • Data Security • Physical & Environmental Security • System & Application Security • IT Systems Operations & Maintenance • Procurement; Personnel Security • Enterprise Continuity • Incident Management • Regulatory & Standards Compliance • Digital Forensics • Network Security & Telecom.
Critical Skills Necessary for Advancement* * SANS Information Security Survey, 2007
IST 515 covers the interdisciplinary theoretical, conceptual, methodological, and practical foundations of information security and assurance, with emphases on information systems security, security and risk management, economic aspects of security, trust management,human factors in security, and enterprise security.
Course Coverage • Common Body of Knowledge (CBK) – CISSP and Essential Body of Knowledge (EBK) – DHS. • Penetration Testing / Ethical Hacking – EC Council • Topics to be covered (CBK): - Information Security & Risk Management - Access Control - Physical & Environmental Security - Security Architecture and Design - Application Security - Operation Security - Business continuity and disaster recovery planning - Legal, regulations, compliance and investigations
Course Objectives • Understand the Basics of information security and assurance. • Understand the core technologies used in making a networked information system secure and assured. • Understand how to build information systems with assurances and the role of “trust” in delivering these assurances. • Take an interdisciplinary approach to analyze the security and assurance of modern information systems. • Understand the economic aspects of security. • Understand the impact of human factors in security.
Policy/Regulation • Firewall/DMZ • Access Control/VPN • Qualitative models • Quantitative models Security Defense In Depth • Scanner • IDS • Data mining • Risk analysis • Plans • Tracing • Investigation
IST 554: Network Management & Security IST 515: Information Security & Assurance IST 564: Crisis, Disaster & Risk Management IN SC 561: Web Security & Privacy SRA 472: Integration of Privacy & Security SRA 868: Visual Analytics for Security IST 451: Network Security IST 452: Legal & Regulatory Issues IST 453: Computer Forensics Law IST 454: Computer & Cyber Forensics IST 456: Security & Risk Management Defense In Depth of Security Feedback Prediction Prevention Detection Forensics Response • Policy/Regulation • Firewall/DMZ • Access Control/VPN • Scanner • IDS • Data mining • Qualitative models • Quantitative models • Plans • Risk analysis • Tracing • Investigation IST 515 IST 554 SRA 868 IST 452 IST 451 IST 453 IST 456 SRA 472 IN SC 561 IST 454 IST 564
Required for IS & HLS IST 554 Network Management and Security Required for HLS • HLS: Homeland Security • INSC: Information Science • IS: Information Sciences • IST: Information Sciences & Technology • SRA: Security & Risk Analysis Elective IST 515 Information Security and Assurance IST 564 Crisis, Disaster and Risk Management IST 451 Network Security IST 454 Cyber Forensics INSC 516 Web Sec. & Privacy SRA 472 Privacy & Security IST 456 Security Mgmt SRA 868 Visual Analytics IST 554 Independent Studies IST 594 Research Paper
Security Defense in Depth Policies, Procedures, and Awareness Physical Security Data Defenses Application Defenses Host Defenses Network Defenses Perimeter Defenses
Dr. Hank Foley, Dean College of Information Sciences and Technology Dr. Chao H. Chu, Executive Director Center for Information Assurance Certificate of Accomplishment The Center for Information Assurance at the Pennsylvania State University, through its curricula, certify that Student has acquired the knowledge and skills that meet the National Training Standard NSTISSI-4011 for the Information Systems Security (INFOSEC) Professionals, established by the Committee on National Security Systems (CNSS) and the National Security Agency (NSA), on December 201x
INFOSEC Certificate Required Courses(6 credits): • IST 515. Information Security and Assurance • IST 554. Network Management and Security Elective Courses (Select 9 credits): • IST 451. Network Security • IST 454. Computer and Cyber Forensics • IST 456. Security and Risk Management • IST 564. Crisis, Disaster, and Risk Management • IN SC 561. Web Security and Privacy
Thank You? Any Question?