1 / 32

TEL382

TEL382. Greene Chapter 5. Outline. What Are We Trying To Protect? Information Ownership Policy Information Classification Footprinting & Four-Step Hacking Process Information Classification Policy Information Classification Labeling and Handling

jreel
Download Presentation

TEL382

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TEL382 Greene Chapter 5

  2. Outline • What Are We Trying To Protect? • Information Ownership Policy • Information Classification • Footprinting & Four-Step Hacking Process • Information Classification Policy • Information Classification Labeling and Handling • Information Classification Program Lifecycle • Classification Handling and Labeling Policy • Value and Criticality of Information Systems • Inventory of Information Systems Assets Policy

  3. Introduction • How to protect something when we don’t know what it is worth and how sensitive it is • How to determine how much time, effort and funds should we spend securing the asset

  4. What Are We Trying To Protect? • Databases • Data Files • Intellectual Property • Operational & Support Procedures • Research Documentation • Archived Information • Business Plans

  5. Information Ownership Policy • Information Custodian Manages Day-to-Day Controls • Responsible for providing CIA for information • ISO 17799 Recommends the Need for a Policy • Information Security Officer (ISO) Provides Direction and Guidance

  6. Information Classification • Military • Unclassified • Confidential • Secret • Top Secret • Commercial • Public (Annual Reports, Product Documents, White Papers, etc.) • Restricted (Policy Documentation, Procedure Manuals, Employee Lists, etc.) • Sensitive (Personal/Privileged – Patient or Employee Records) • Confidential (Business Strategies, Financial Position/Plans, Schematics, Formulas, Patents)

  7. Information Classification Labeling and Handling • Labels (Electronic, Print, Audio, Visual) • Clear, Universally Understood • Handle Information in Accordance with Its Classification • Information Owner Defines Protection • Information Custodian Implements Protection • Information User Uses Information In Accordance with Label

  8. Information Classification Program Lifecycle • Information Classification Procedures • Define asset and supporting information systems • Characterize criticality of information system • Identify information owner and information custodian • Assign classification level • Determine and implement corresponding level of controls • Label information and information system appropriately • Document handling procedures, including disposal • Integrate handling procedures into information user security awareness program • Declassify information when (and if) appropriate • Information may be reclassified or declassified

  9. Value and Criticality of Information Systems • In Calculating Asset Value, Consider: • Cost to acquire or develop • Cost to maintain and protect • Cost to replace • Importance to owner • Competitive advantage of information • Marketability of information • Impact on delivery of product or services • Reputation • Liability issues • Regulatory compliance requirements

  10. Inventory of Information Systems Assets Policy • Hardware • Computer Equipment • Communication Equipment • Storage Media • Infrastructure Equipment • Software • OS • Productivity • Applications

  11. Asset Attributes • Unique Identifier • Asset Description • Manufacturer Imprint • Physical and Logical Address • Controlling Entity

  12. System Characterization • Understanding of System • System Boundaries • HW & SW • Information Stored, Processed or Passing Through • Ranking By: • Protection Level – Safeguards Required • Operations Importance (System Impact – How Important)

  13. Review Risk Assessment

  14. TEL382 Greene Chapter 9

  15. Outline • What is a Security Posture? • Access Control Policy • Managing User Access • User Access Management Policy • Keeping Passwords Secure • Password Use Policy • User Authentication for Remote Connections • User Authentication for Remote Connections Policy • Mobile Computing • Mobile Computing Policy • Telecommunting • Telecommunting Policy • Monitoring System Access and Use • Monitoring System Access and Use Policy

  16. Introduction • Controlling Who (What) has Access to Which Information • Concepts • Deny/Allow All • Least Privilege • Need-to-Know • Etc. • Methods • Accounts • Authentication • Password Management

  17. What is a Security Posture? • Organization’s Attitude Toward Security • Default Positions • Secure (Default Deny) • Reactive (Default Permit) • Least Privilege • Give User Least Amount of Access Required to Perform Job Functions • Need-to-Know • Demonstrated and Authorized Reasons for Access • Few People Have Access to Critical Business Operations • Individual Users Don’t Know More Than They Should

  18. Access Control Policy • Access Models • MAC • DAC • RBAC • Classification Models • TS, S, C, U • R, S, C, P • Security Clearance Level, Access Privilege, Need-to-Know

  19. Managing User Access • User Access Management • Starting Work • Promotions, Terminations, Transfers, etc.

  20. Keeping Passwords Secure • Don’t Share • Don’t Write It Down Anywhere • Change Frequently • Change From Admin Assigned Value Immediately • Process for Reissuing (I Forgot!!) • Change if Compromise is Suspected • Don’t Allow Applications or Web Sites to Remember • Don’t Use Same Password for Different Purposes

  21. User Authentication for Remote Connections • Risk Assessment • Dial-Up vs. Internet Access • VPN • IPSec • Authentication Server • RADIUS • TACACS+ • Hardware Tokens • Private Lines • Dial-back

  22. Mobile Computing • Risk Assessment • Approved Devices • How Data is Stored on Portable Devices • Mandating Connectivity Means • Protection • Malware • Theft/Loss

  23. Telecommunting • Controls Ensuring CIA (Same as “on-premises”) • Secure Equipment from Accidental and Intentional Misuse • Equipment Not to be Used For Non-business Purposes • Classification Guidelines • Equipment Must be Physically Secured

  24. Monitoring System Access and Use • Parameters to Monitor • Authorized Access • Privileged Operations • Unauthorized Attempts • System Alerts or Failures • Review and Retention • Legalities

  25. TEL382 Greene Chapter 10

  26. Outline • What Are The Risks to the Organization? • Security Requirements of Systems • Security Requirements of Systems Policy • The Things That Should Never Happen To Sensitive Data • Sloppy Code vs. Secure Code • Security in Applications Systems Policy • Risk Assessments and Cryptography • Breaking the Caesar Cipher • Cryptographic Controls Policy • Operating System and Application Software Stability • Security of System Files, Development, and Support Processes Policy

  27. What Are The Risks to the Organization? • Business and Mission-Critical Applications • Organizational Risks • Loss of Productivity • Loss of Trust • Systems Development • Systems Maintenance

  28. Security Requirements of Systems • Risk Assessments • Third-Party Consultants • Advantages/Disadvantages • Separation of Duties • Adding Controls After Implementation

  29. The Things That Should Never Happen To Sensitive Data • Loss • Modification • Misuse

  30. Code • Sloppy vs. Secure • System Owner Responsibilities • Techniques • Input Validation • Data Validation • Output Validation

  31. Cryptography • Risk Assessments • CIA Plus Non-repudiation • Digital Signatures • Key Management

  32. Operating System and Application Software Stability • Thorough Testing • Testing Environment • No Live Data • Only Stable Versions • Updates • Rollback Policy • When To/Who Install(s) Updates

More Related