TEL382 Greene Chapter 5
Outline
• What Are We Trying To Protect?
• Information Ownership Policy
• Information Classification
• Footprinting & Four-Step Hacking Process
• Information Classification Policy
• Information Classification Labeling and Handling
• Information Classification Program Lifecycle
• Classification Handling and Labeling Policy
• Value and Criticality of Information Systems
• Inventory of Information Systems Assets Policy
Introduction
• How do we protect something when we don’t know what it is worth or how sensitive it is?
• How do we determine how much time, effort and funding we should spend securing the asset?
What Are We Trying To Protect?
• Databases
• Data Files
• Intellectual Property
• Operational & Support Procedures
• Research Documentation
• Archived Information
• Business Plans
Information Ownership Policy
• Information Custodian Manages Day-to-Day Controls
• Responsible for providing CIA for information
• ISO 17799 Recommends the Need for a Policy
• Information Security Officer (ISO) Provides Direction and Guidance
Information Classification
• Military
  • Unclassified
  • Confidential
  • Secret
  • Top Secret
• Commercial
  • Public (Annual Reports, Product Documents, White Papers, etc.)
  • Restricted (Policy Documentation, Procedure Manuals, Employee Lists, etc.)
  • Sensitive (Personal/Privileged – Patient or Employee Records)
  • Confidential (Business Strategies, Financial Position/Plans, Schematics, Formulas, Patents)
Information Classification Labeling and Handling
• Labels (Electronic, Print, Audio, Visual)
• Clear, Universally Understood
• Handle Information in Accordance with Its Classification
• Information Owner Defines Protection
• Information Custodian Implements Protection
• Information User Uses Information in Accordance with Label
Information Classification Program Lifecycle
• Information Classification Procedures
  • Define asset and supporting information systems
  • Characterize criticality of information system
  • Identify information owner and information custodian
  • Assign classification level
  • Determine and implement corresponding level of controls
  • Label information and information system appropriately
  • Document handling procedures, including disposal
  • Integrate handling procedures into information user security awareness program
  • Declassify information when (and if) appropriate
• Information may be reclassified or declassified
Value and Criticality of Information Systems
• In Calculating Asset Value, Consider:
  • Cost to acquire or develop
  • Cost to maintain and protect
  • Cost to replace
  • Importance to owner
  • Competitive advantage of information
  • Marketability of information
  • Impact on delivery of product or services
  • Reputation
  • Liability issues
  • Regulatory compliance requirements
Inventory of Information Systems Assets Policy
• Hardware
  • Computer Equipment
  • Communication Equipment
  • Storage Media
  • Infrastructure Equipment
• Software
  • OS
  • Productivity
  • Applications
Asset Attributes
• Unique Identifier
• Asset Description
• Manufacturer Imprint
• Physical and Logical Address
• Controlling Entity
System Characterization
• Understanding of System
  • System Boundaries
  • HW & SW
  • Information Stored, Processed or Passing Through
• Ranking By:
  • Protection Level – Safeguards Required
  • Operations Importance (System Impact – How Important)
TEL382 Greene Chapter 9
Outline
• What is a Security Posture?
• Access Control Policy
• Managing User Access
• User Access Management Policy
• Keeping Passwords Secure
• Password Use Policy
• User Authentication for Remote Connections
• User Authentication for Remote Connections Policy
• Mobile Computing
• Mobile Computing Policy
• Telecommuting
• Telecommuting Policy
• Monitoring System Access and Use
• Monitoring System Access and Use Policy
Introduction
• Controlling Who (What) Has Access to Which Information
• Concepts
  • Deny/Allow All
  • Least Privilege
  • Need-to-Know
  • Etc.
• Methods
  • Accounts
  • Authentication
  • Password Management
What is a Security Posture?
• Organization’s Attitude Toward Security
• Default Positions
  • Secure (Default Deny)
  • Reactive (Default Permit)
• Least Privilege
  • Give User Least Amount of Access Required to Perform Job Functions
• Need-to-Know
  • Demonstrated and Authorized Reasons for Access
  • Few People Have Access to Critical Business Operations
  • Individual Users Don’t Know More Than They Should
Access Control Policy
• Access Models
  • MAC
  • DAC
  • RBAC
• Classification Models
  • TS, S, C, U
  • R, S, C, P
• Security Clearance Level, Access Privilege, Need-to-Know
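The following is an added example, not code from the Greene slides, showing how the ideas on the last two slides combine in one access decision: a default-deny posture, a mandatory (MAC) check that a subject's clearance must be at least the object's classification using the military levels TS, S, C, U, a need-to-know check on compartment markings, and a role (RBAC) check. The subjects, resources, compartment names and roles are constructed for illustration.

```python
"""Added example: one access decision that layers MAC, need-to-know and RBAC.
The classification levels are the slide's military labels; everything else
(subject names, compartments, roles) is constructed for this example."""
from dataclasses import dataclass

# Ordered military classification levels, lowest to highest.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                          # one of the LEVELS keys
    compartments: frozenset = frozenset()   # need-to-know markings held
    roles: frozenset = frozenset()          # RBAC roles assigned


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str                     # one of the LEVELS keys
    compartments: frozenset = frozenset()   # markings a reader must hold
    allowed_roles: frozenset = frozenset()  # roles permitted to read


def can_read(subject, resource):
    """Return (allowed, reason). Default deny: every check must pass."""
    # An unknown label is not silently treated as Unclassified.
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False, "unknown classification label"
    # MAC: a subject may not read above its clearance level.
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, "clearance below classification"
    # Need-to-know: the subject must hold every compartment on the object.
    missing = resource.compartments - subject.compartments
    if missing:
        return False, "missing need-to-know: " + ",".join(sorted(missing))
    # RBAC: at least one of the subject's roles must be permitted.
    if not (subject.roles & resource.allowed_roles):
        return False, "no role grants access"
    return True, "allowed"


if __name__ == "__main__":
    analyst = Subject("analyst", "S", frozenset({"CRYPTO"}), frozenset({"reader"}))
    report = Resource("report", "S", frozenset({"CRYPTO", "NUKE"}), frozenset({"reader"}))
    print(can_read(analyst, report))   # denied: missing need-to-know for NUKE
```

A clearance alone is never sufficient: the analyst above is cleared for Secret but still cannot read the Secret report because one compartment is missing, which is exactly the "few people have access" property the slide describes.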
Managing User Access
• User Access Management
  • Starting Work
  • Promotions, Terminations, Transfers, etc.
Keeping Passwords Secure
• Don’t Share
• Don’t Write It Down Anywhere
• Change Frequently
• Change From Admin-Assigned Value Immediately
• Process for Reissuing (I Forgot!!)
• Change if Compromise Is Suspected
• Don’t Allow Applications or Web Sites to Remember
• Don’t Use Same Password for Different Purposes
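Several of the rules above can be enforced by the system rather than left to the user. The example below is added here and is not from the slides: an account record that forces a change away from the admin-assigned value at first login, blocks reuse of recent passwords by keeping a short history of salted PBKDF2 hashes, and supports the "I forgot" reissue process by letting the helpdesk set a temporary value that must itself be changed. The class name, minimum length and history depth are choices made for this example.

```python
"""Added example: server-side enforcement of the password rules on the slide.
Uses only the Python standard library; parameters are illustrative choices."""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5        # previous hashes kept so recent passwords cannot be reused
MIN_LENGTH = 12          # minimum accepted length (example policy value)
ITERATIONS = 100_000     # PBKDF2 work factor (example value)


class Account:
    def __init__(self, username, admin_assigned_password):
        self.username = username
        self.history = []          # (salt, digest) pairs, newest last
        self.must_change = True    # admin-assigned value must be replaced at first login
        self._store(admin_assigned_password)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _store(self, password):
        salt = os.urandom(16)      # fresh salt per stored password
        self.history.append((salt, self._digest(password, salt)))
        del self.history[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH entries

    def _used_before(self, password):
        # Each history entry has its own salt, so re-derive against every one.
        return any(hmac.compare_digest(self._digest(password, s), d)
                   for s, d in self.history)

    def verify(self, password):
        """Check a login attempt against the current (newest) hash."""
        salt, digest = self.history[-1]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def change_password(self, current, new):
        """User-initiated change; returns (ok, reason)."""
        if not self.verify(current):
            return False, "current password incorrect"
        if len(new) < MIN_LENGTH:
            return False, f"new password shorter than {MIN_LENGTH} characters"
        if self._used_before(new):
            return False, "new password was used recently"
        self._store(new)
        self.must_change = False
        return True, "password changed"

    def report_compromise(self):
        """'Change if compromise is suspected': force a change at next login."""
        self.must_change = True

    def admin_reset(self, temporary_password):
        """'I forgot' process: helpdesk issues a temporary value that must be changed."""
        self._store(temporary_password)
        self.must_change = True


if __name__ == "__main__":
    acct = Account("alice", "Temp-Assigned-01")
    print(acct.change_password("Temp-Assigned-01", "Correct-Horse-Battery"))
    print(acct.must_change)   # False once the admin-assigned value is gone
```

The `must_change` flag is what the login flow would consult: while it is set, the only action the account may perform is changing its password.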
User Authentication for Remote Connections
• Risk Assessment
• Dial-Up vs. Internet Access
• VPN
  • IPSec
• Authentication Server
  • RADIUS
  • TACACS+
• Hardware Tokens
• Private Lines
• Dial-back
Mobile Computing
• Risk Assessment
• Approved Devices
• How Data Is Stored on Portable Devices
• Mandating Connectivity Means
• Protection
  • Malware
  • Theft/Loss
Telecommuting
• Controls Ensuring CIA (Same as “On-Premises”)
• Secure Equipment from Accidental and Intentional Misuse
• Equipment Not to Be Used for Non-business Purposes
• Classification Guidelines
• Equipment Must Be Physically Secured
Monitoring System Access and Use
• Parameters to Monitor
  • Authorized Access
  • Privileged Operations
  • Unauthorized Attempts
  • System Alerts or Failures
• Review and Retention
• Legalities
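To make the four monitoring parameters concrete, here is an added example (not from the slides) that runs over a handful of constructed, syslog-style lines and sorts each into one of those four categories, counts them, and raises a finding for any source that exceeds a failed-login threshold or for any privileged operation. The log lines, host names, user names, IP addresses and the threshold of three are all constructed for the example.

```python
"""Added example: classify log lines by the slide's four monitoring parameters
and produce review findings. Sample lines below are constructed, not real logs."""
import re
from collections import Counter, defaultdict

# Constructed sample in a syslog-like layout (sshd, sudo and kernel messages).
SAMPLE_LOG = """\
Mar 03 08:01:12 host1 sshd[201]: Accepted publickey for alice from 10.0.0.5 port 5022
Mar 03 08:02:40 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 08:05:01 host1 sshd[210]: Failed password for mallory from 203.0.113.9 port 40100
Mar 03 08:05:03 host1 sshd[210]: Failed password for mallory from 203.0.113.9 port 40101
Mar 03 08:05:05 host1 sshd[210]: Failed password for invalid user admin from 203.0.113.9 port 40102
Mar 03 08:05:07 host1 sshd[210]: Failed password for mallory from 203.0.113.9 port 40103
Mar 03 08:10:00 host1 kernel: Out of memory: Killed process 1234 (java)
"""

# One pattern per monitoring parameter, checked in order.
PATTERNS = [
    ("authorized_access",
     re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("privileged_operation",
     re.compile(r"sudo: +(?P<user>\S+) :.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)")),
    ("unauthorized_attempt",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("system_alert",
     re.compile(r"kernel: (?P<msg>Out of memory.*)")),
]


def classify(line):
    """Return (category, extracted fields) for one log line."""
    for category, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return category, match.groupdict()
    return "unmatched", {}


def review(log_text, fail_threshold=3):
    """Count lines per category and return (counts, findings) for a reviewer."""
    counts = Counter()
    failures_by_source = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        category, fields = classify(line)
        counts[category] += 1
        if category == "unauthorized_attempt":
            failures_by_source[fields["src"]] += 1
        elif category == "privileged_operation":
            findings.append(f"{fields['user']} ran privileged command as "
                            f"{fields['target']}: {fields['cmd']}")
        elif category == "system_alert":
            findings.append(f"system alert: {fields['msg']}")
    for src, n in sorted(failures_by_source.items()):
        if n >= fail_threshold:
            findings.append(f"{n} failed logins from {src}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = review(SAMPLE_LOG)
    print(dict(counts))
    for f in findings:
        print("-", f)
```

Retention and review cadence are policy decisions outside this code, but the structure shows why they matter: the burst of failures from a single source is only visible when the lines are kept and examined together.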
TEL382 Greene Chapter 10
Outline
• What Are the Risks to the Organization?
• Security Requirements of Systems
• Security Requirements of Systems Policy
• The Things That Should Never Happen to Sensitive Data
• Sloppy Code vs. Secure Code
• Security in Applications Systems Policy
• Risk Assessments and Cryptography
• Breaking the Caesar Cipher
• Cryptographic Controls Policy
• Operating System and Application Software Stability
• Security of System Files, Development, and Support Processes Policy
What Are the Risks to the Organization?
• Business and Mission-Critical Applications
• Organizational Risks
  • Loss of Productivity
  • Loss of Trust
• Systems Development
• Systems Maintenance
Security Requirements of Systems
• Risk Assessments
• Third-Party Consultants
  • Advantages/Disadvantages
• Separation of Duties
• Adding Controls After Implementation
The Things That Should Never Happen to Sensitive Data
• Loss
• Modification
• Misuse
Code
• Sloppy vs. Secure
• System Owner Responsibilities
• Techniques
  • Input Validation
  • Data Validation
  • Output Validation
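The slide's three techniques are easiest to see side by side. The example below is added here and is not from the slides: a sloppy lookup that concatenates untrusted input into a SQL string, beside a secure version that validates the input against an expected shape, passes it to the database as a bound parameter, and encodes the result before it is rendered as HTML. The table, user names and the username format are constructed for the example; it uses Python's built-in sqlite3 and html modules.

```python
"""Added example: sloppy vs. secure handling of one untrusted value, covering
input validation, data validation (parameterized query) and output validation.
Schema and sample rows are constructed for this example."""
import html
import re
import sqlite3


def setup():
    """Create an in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin")])
    return conn


def lookup_sloppy(conn, name):
    """Sloppy: the untrusted value becomes part of the SQL text itself,
    so a quote in the input changes the meaning of the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# Input validation: the only shape a username is allowed to take (example rule).
USERNAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_secure(conn, name):
    """Secure: reject malformed input, then bind the value as a parameter so the
    database never interprets it as SQL."""
    if not USERNAME.match(name):
        raise ValueError("invalid username")
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def render(rows):
    """Output validation: encode every value before embedding it in HTML."""
    return "".join(f"<li>{html.escape(n)} ({html.escape(r)})</li>" for n, r in rows)


if __name__ == "__main__":
    conn = setup()
    crafted = "x' OR '1'='1"
    print(lookup_sloppy(conn, crafted))    # returns every row: the query was altered
    try:
        lookup_secure(conn, crafted)
    except ValueError as err:
        print("secure lookup rejected input:", err)
    print(render(lookup_secure(conn, "bob")))
```

Even without the regular expression, the parameterized query alone would return no rows for the crafted value; the input check is there so that malformed data is refused at the boundary and logged, rather than quietly matching nothing.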
Cryptography
• Risk Assessments
• CIA Plus Non-repudiation
• Digital Signatures
• Key Management
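The chapter outline lists "Breaking the Caesar Cipher" as the worked illustration for why a risk assessment must consider the strength of the cipher, not just the fact that one is used. The code below is an added example, not from the slides: it implements the Caesar shift and then recovers the key automatically by trying all 26 shifts and scoring each candidate against published English letter frequencies with a chi-squared statistic. The sample message is constructed for the example.

```python
"""Added example: Caesar cipher and its recovery by frequency analysis.
Letter frequencies are standard published English values; the message is
constructed for this example."""
import string

# Relative frequency (%) of each letter in English text, a..z.
ENGLISH_FREQ = dict(zip(string.ascii_lowercase, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))


def caesar(text, shift):
    """Shift every ASCII letter by `shift` places (mod 26); keep case and
    pass other characters through unchanged. A negative shift decrypts."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text):
    """How far the letter counts in `text` are from English (lower is closer)."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = pct / 100 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    """Try all 26 keys; return (shift, plaintext) for the most English-like one."""
    best = min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)


if __name__ == "__main__":
    message = ("Information classification labels must be clear and "
               "universally understood by every user of the system")
    ciphertext = caesar(message, 7)
    print(ciphertext)
    print(break_caesar(ciphertext))   # (7, message)
```

The key space is 26, so exhaustive search is instant, and the frequency score removes even the need for a human to read the 26 candidates. That is the risk-assessment lesson: a control that "encrypts" but has a trivially small key space offers no confidentiality against a motivated reader.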
Operating System and Application Software Stability
• Thorough Testing
• Testing Environment
  • No Live Data
  • Only Stable Versions
• Updates
  • Rollback Policy
  • When To/Who Install(s) Updates