Live Session Presentation
Introduction to Information Systems Security Training and Policy
Week 1
Information Systems Security
• Purpose: Confidentiality, Integrity, Availability
• Also: Authenticity, Non-Repudiation
• Protect, Detect, Respond, Recover
• Full security is achieved through: physical, administrative, and technical safeguards; common sense
Who Should Be Trained?
• Management
• End Users (First Line of Defense)
• InfoSec Staff (ISSPM, ISSM, NSM, ISSO, TASO, NSO)
• System Administrators
• Infrastructure Support Services
Awareness Training
• Secure Password Selection
• Password Security
• “Least Privilege” Policy Understanding
• Workstation Security: Terminal Timeout
• How to Report Incidents for appropriate action
• WARNING Banner Pages
• Roles for Contingency Actions
• Anti-Virus Precautions and Reactions
• Regular Backups and Off-Site Storage
• Review and Act upon CERT/CIRT Alerts
• Event Reporting Chain
• “Social Engineering” Awareness
Advanced Training
• Protect, Detect, Respond, Recover
• Apply as required for the group.
• Management needs to understand the risks, and the need for advanced capabilities toward Protection, Detection, Response and Recovery.
• SysAdmins: Patches, Security Log configuration and review, OS configuration, Least Privilege, etc.
• Security Staff: keep up to date on advanced issues
Keep up on Patches
Computer Incident/Emergency Response Centers/Teams, and occasionally vendors, responsibly send out Alerts or Advisories to warn activities and agencies of identified vulnerabilities that may be exploited, and how to proceed to “close the hole”. Examples include:
• CERT-CC
• FEDCIRC
• FIRST
• Government CERTs
Often, you can learn of new exploits before the CERTs warn subscribers by getting on SecurityFocus e-mail lists (Bugtraq, VulnDev, etc.)
Network Security Policy
Key Issues to Effective Network Security:
• Management support
• Personnel training
• Cost-effective, planned security measures
• Roles and responsibilities
• Processes and procedures
Adopt “Defense-in-Depth”
Security Policy
• “The first step is to conduct a risk assessment”
• “best protect your most valuable assets”
• “evaluate each security threat”
• “compare the measures taken to protect that asset and ensure the measures do not cost more than…”
Slide comments taken from: Network Security Policy – A Manager’s Perspective, Ernest D. Hernandez, November 22, 2000
Security Policy
“The security-related decisions you make, or fail to make, as administrator largely determines how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until you determine what your security goals are, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose.”
Guide to Writing Network Security Policy: Site Security Handbook (RFC 2196), http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html
Network Security Plan
• What are we trying to protect? (Assets)
• From whom are we trying to protect it? What are our Threats?
• What are our Vulnerabilities?
• What is the likelihood of Threat occurrence?
• What is the detrimental impact from occurrence?
• What Safeguards do we have / do we need?
• How do we implement security policy cost-effectively?
Risk Management: System Life Cycle
Phases: Design, Engineer, Develop, Implement, Certify, Accredit, Operate, Re-accredit
Security activities across the cycle: Identify & Include Security Features; Risk Analysis; ST&E; Security Procedures; Disaster Recovery Plan; Test Security Features; Train; Patch Emerging Problems; Identify Addn’l Needs; Audit for Compliance; Review/Update
For our purposes “accredit” means “approve for operation/connection/use”
File Backups
• Scheduling / Impact to normal operations
• Cost over Speed and Recoverability
• Off-Site Rotations: Son - Father - Grandfather
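An added example, not part of the slide deck, of how a Son-Father-Grandfather rotation trades media cost against recoverability: each run date is assigned to a tier, and the planner reports which backups are still on unrecycled media on a given day. The tier rules and retention periods (daily sets reused after a week, weekly sets after 28 days, the last Sunday of the month kept off-site for a year) are assumptions, since the slide states none.

```python
from datetime import date, timedelta
from typing import NamedTuple

DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

class Slot(NamedTuple):
    tier: str         # "son", "father" or "grandfather"
    media: str        # physical media set the backup is written to
    retain_days: int  # days before that media is eligible for reuse

def is_last_sunday(d: date) -> bool:
    return d.weekday() == 6 and (d + timedelta(days=7)).month != d.month

def classify(d: date) -> Slot:
    """Assign a run date to a GFS tier (tier rules and retention are assumptions)."""
    if d.weekday() != 6:                 # Mon-Sat: daily "son" set, reused the next week
        return Slot("son", f"son-{DAYS[d.weekday()]}", 7)
    if is_last_sunday(d):                # last Sunday: monthly "grandfather", held a year
        return Slot("grandfather", f"grandfather-{MONTHS[d.month - 1]}", 365)
    week = (d.day - 1) // 7 + 1          # other Sundays: weekly "father" set W1..W4
    return Slot("father", f"father-W{week}", 28)

def schedule(start: date, days: int) -> list[tuple[date, Slot]]:
    """Rotation plan for `days` consecutive daily runs starting at `start`."""
    return [(start + timedelta(days=i), classify(start + timedelta(days=i)))
            for i in range(days)]

def restore_points(plan: list[tuple[date, Slot]], as_of: date) -> list[date]:
    """Run dates whose media has not yet been recycled on `as_of`, oldest first."""
    return sorted(d for d, slot in plan
                  if d <= as_of < d + timedelta(days=slot.retain_days))

def oldest_recoverable(plan: list[tuple[date, Slot]], as_of: date) -> int:
    """Recoverability window in days: the furthest back a restore can reach."""
    points = restore_points(plan, as_of)
    return (as_of - points[0]).days if points else 0

if __name__ == "__main__":
    # Constructed scenario: daily runs from 1 Jan 2024, pool state on 29 Feb 2024.
    plan = schedule(date(2024, 1, 1), 60)
    as_of = date(2024, 2, 29)
    for d in restore_points(plan, as_of):
        print(d, classify(d).media)
    print("restore window (days):", oldest_recoverable(plan, as_of))
```

Shortening the father or grandfather retention cuts the number of media sets to buy and ship off-site, and the printed restore window shows exactly how much recoverability that saves.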
Asynch Session Readings
Note: 2 are not on syllabus!
• http://www.sans.org/infosecFAQ/email/protection
• http://www.sans.org/infosecFAQ/malicious/hoaxes.htm
• http://www.sans.org/infosecFAQ/malicious/trojan_war.htm
• Little Black Book of Viruses (download from website)
Discussion: Malicious Software and Hoaxes