Presentation - robbins.UOPX.CMGT400.LECTURE.WEEK01.ppt

CMGT 400
Intro to Information Assurance & Security

Philip Robbins – February 5, 2013 (Week 1)
University of Phoenix Mililani Campus
Agenda: Week 1

• Introductions
• Course Syllabus
• Fundamental Aspects
   - Information
   - Information Assurance
   - Information Security Services
   - Risk Management, CND, and Incident Response
• Quiz #1
• Assignment
Concepts

• Information
   - What is it?
   - Why is it important?
   - How do we protect (secure) it?
Why is this important?

• Information is valuable.
therefore,
• Information Systems are valuable.
etc…


• Compromise of Information Security Services (C-I-A)
  has real consequences (loss)
   - Confidentiality: death, proprietary info, privacy, theft
   - Integrity: theft, loss of confidence, validity
   - Availability: lost productivity, disruption of C2,
     defense, emergency services
Concepts

• Information Systems
   Systems that store, transmit, and process information.
                   +
• Information Security
   The protection of information.
                   =
• Information Systems Security
   The protection of systems that store, transmit, and
   process information.
Fundamental Concepts
• What is Information Assurance (IA)?
  - Our assurance (confidence) in the protection of our
    information / Information Security Services.

• What are Information Security Services (ISS)?
  - Confidentiality: Making sure our information is
    protected from unauthorized disclosure.
  - Integrity: Making sure the information we process,
    transmit, and store has not been corrupted or
    adversely manipulated.
  - Availability: Making sure that the information is there
    when we need it and gets to those who need it.
Private vs. Military Requirements
• Which security model an organization uses depends on
  its goals and objectives.
    – Military is generally concerned with
      CONFIDENTIALITY
    – Private businesses are generally concerned with
      AVAILABILITY (ex. Netflix, eBay etc) OR INTEGRITY
      (ex. Banks).
    – Some private sector companies are concerned with
      CONFIDENTIALITY (ex. hospitals).

   • Which ISS do you believe is most important?
Fundamental Concepts

• Progression of Terminology
   - Computer Security (COMPUSEC): legacy term (no longer used).
   - Information Security (INFOSEC): legacy term (still used).
   - Information Assurance (IA): term widely accepted today, with a
     focus on Information Sharing.
   - Cyber Security: broad term quickly being adopted.
Fundamental Concepts
• What is Cyberspace?
  - Term adopted by the USG
  - The virtual environment of information and
    interactions between people.
  - Telecommunication Network infrastructures
  - Information Systems
  - The Internet
Review of Fundamental Concepts

• What is the Defense in Depth Strategy?
   - Using layers of defense as protection.
• People, Technology, and Operations.

   [Figure: Onion Model of Defense-in-Depth]

     Links in the Security Chain: Management, Operational, and Technical Controls

   Management and operational controls:
   - Risk assessment
   - Security planning, policies, procedures
   - Configuration management and control
   - Contingency planning
   - Incident response planning
   - Security awareness and training
   - Security in acquisitions
   - Physical security
   - Personnel security
   - Security assessments and authorization
   - Continuous monitoring

   Technical controls:
   - Access control mechanisms
   - Identification & authentication mechanisms (biometrics, tokens, passwords)
   - Audit mechanisms
   - Encryption mechanisms
   - Boundary and network protection devices (firewalls, guards, routers, gateways)
   - Intrusion protection/detection systems
   - Security configuration settings
   - Anti-viral, anti-spyware, anti-spam software
   - Smart cards

         Adversaries attack the weakest link…where is yours?
    Review of Fundamental Concepts

     Information Assurance Services (IAS)
     [Table: IAS mapped to services with check marks; row and column labels did not survive extraction]

Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Review of Fundamental Concepts
Challenges

• Fixed Resources
• Sustainable strategies reduce costs
Information Systems Security: Privacy

• Defined: the protection and proper handling of
  sensitive personal information
  - Requires proper technology for protection
  - Requires processes and controls for
   appropriate handling
Personally Identifiable Information (PII)

• Name
• SSN
• Phone number
• Driver's license number
• Credit card numbers
   - etc…
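The slide says privacy "requires proper technology for protection" and "processes and controls for appropriate handling". One concrete piece of that technology is redaction of PII before it lands in logs, tickets or shared reports. The following is an added example, not part of the lecture deck: it masks the SSN, phone-number and credit-card PII types listed above in a few constructed log lines. The sample lines, the regular expressions and the decision to keep only the last four card digits are the example's own assumptions; the card number in the sample is a Luhn-valid test value, not a real account.

```python
import re

# Constructed sample log lines (not from the slides). 4539 1488 0343 6467 is a Luhn-valid
# test number; the number on the third line differs in its last digit and is not.
SAMPLE_LOG = [
    "2013-02-05 09:14:02 enroll user=jdoe ssn=123-45-6789 phone=(808) 555-0142",
    "2013-02-05 09:15:11 payment user=jdoe card=4539 1488 0343 6467 amount=120.00",
    "2013-02-05 09:16:30 note ref=4539148803436468 is not a card number",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")            # 13-19 digits, optional single separators
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")  # US-style 10-digit numbers


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: separates real card numbers from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if luhn_ok(digits):
        return "*" * (len(digits) - 4) + digits[-4:]   # keep last four for troubleshooting
    return match.group(0)                              # not a card number; leave untouched


def redact(line: str) -> str:
    """Mask SSNs, Luhn-valid card numbers and phone numbers in one log line.
    Cards are handled before phones so no 10-digit window of a card is ever read as a phone."""
    line = SSN_RE.sub("***-**-****", line)
    line = CARD_RE.sub(_mask_card, line)
    line = PHONE_RE.sub("(***) ***-****", line)
    return line


def redact_log(lines):
    """Redact a whole log; returns the masked lines in order."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for masked in redact_log(SAMPLE_LOG):
        print(masked)
```

The Luhn check matters in practice: a 16-digit reference number that is not a card passes through untouched, so the redactor does not destroy the troubleshooting value of the log while still handling the PII the slide lists.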
 Concept 1: Info Security & Assurance
• You leave your job at ACME, Inc. to become the new Information
Systems Security Manager (ISSM) for University of University College
(UUC).

• The Chief Information Officer (CIO) of UUC drops by your office to let
you know that they have no ISS program at UUC!

• A meeting with the Board of Directors is
scheduled and you are asked by the CIO to
attend.

• The Board wants to hear your considerations
on how to start the new ISS program spanning
all national and international networks.
 Concept 1: Info Security & Assurance
- What would you tell the Board?

- As an ISSM, what would you consider first?

- What types of questions would you ask the Board and/or to the CIO?
 Concept 2: Physical & Logical ISS
• First day on the job and you find yourself already
meeting with the local Physical Security and IT
Services Managers at UUC.

• You introduce yourself as the new ISSM and both
managers eagerly ask you “what can we do to help?”
 Concept 2: Physical & Logical ISS
- What do you tell these Managers?

- What types of questions would you ask the Managers?

- As an ISSM, what are some IT, computer, and network security issues you
consider important to a new ISS program at UUC?

- What about your meeting with the Board of Directors earlier? How does it apply
here?
 Concept 3: Risk
• After a month on the job, as an ISSM, you decide to update
the CIO on the progress of the UUC ISS program via email
when all of a sudden the entire internal network goes down!

• Your Computer Network Defense Team is able to trace
the source of the disruption to an unknown vulnerability
that was exploited on a generic perimeter router.

• The CIO calls you into his office and tells you that he is
“concerned about the Risk to the networks at UUC” and
“wants a risk assessment conducted” ASAP.
 Concept 3: Risk
- What does the CIO mean by “Risk to the networks at UUC”?

- As an ISSM, how would you conduct a risk assessment for the CIO?

- What are some of the elements of risk?

- How is risk measured and why is it important?
Risk Management
• Information Systems Risk Management is the
  process of identifying, assessing, and mitigating
  (reducing) risks to an acceptable level.
- Why is this important?

• There is no such thing as
  100% security.
- Can risk ever be eliminated?
Risk Management

• Risks MUST be identified, classified and
  analyzed to assess potential damage (loss) to
  the company.

• Risk is difficult to measure and quantify,
  however, we must prioritize the risks and
  attempt to address them!
Risk Management

• Identify assets and their values
• Identify Vulnerabilities and Threats
• Quantify the probability of damage and cost of
  damage
• Implement cost effective countermeasures!
• ULTIMATE GOAL is to be cost effective. That is:
  ensure that your assets are safe, while not
  spending more to protect something than
  it’s worth.
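The four steps above (value the assets, identify vulnerabilities and threats, quantify probability and cost of damage, pick cost-effective countermeasures) can be carried through numerically. The following is an added example, not part of the lecture deck: expected annual loss is computed as probability of damage times cost of damage, risks are ranked by it, and a countermeasure is accepted only when the loss it avoids exceeds what it costs, which is the slide's "don't spend more to protect something than it's worth" rule. The assets, dollar values, probabilities and countermeasures are constructed for illustration (the router scenario echoes Concept 3).

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float      # dollar value of the asset (constructed)
    threat: str
    probability: float      # expected occurrences per year (constructed estimate)
    loss_fraction: float    # share of the asset's value lost per occurrence

    def expected_annual_loss(self) -> float:
        """Probability of damage x cost of damage, the two quantities the slide asks us to quantify."""
        return self.probability * self.asset_value * self.loss_fraction


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    residual_probability: float   # probability that remains once the control is in place


def prioritize(risks):
    """Rank risks by expected annual loss, highest first, so the scarce budget goes there first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided per year minus what the countermeasure costs per year."""
    residual = cm.residual_probability * risk.asset_value * risk.loss_fraction
    return (risk.expected_annual_loss() - residual) - cm.annual_cost


def is_cost_effective(risk: Risk, cm: Countermeasure) -> bool:
    """The slide's rule: never spend more to protect something than it's worth."""
    return net_benefit(risk, cm) > 0


# Constructed inventory for a fictional campus network (not from the slides).
RISKS = [
    Risk("campus web site", 50_000, "defacement", 1.0, 0.2),                               # 10,000/yr
    Risk("student records database", 2_000_000, "breach via unpatched server", 0.125, 0.5),  # 125,000/yr
    Risk("perimeter router", 40_000, "exploited unknown vulnerability, outage", 0.5, 1.0),  # 20,000/yr
]

PATCHING = Countermeasure("patch management program", 30_000, 0.025)
ROUTER_REPLACEMENT = Countermeasure("replace router + vendor support contract", 25_000, 0.125)


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.asset:28s} {r.threat:40s} EAL ${r.expected_annual_loss():>10,.0f}")
    for risk, cm in ((RISKS[1], PATCHING), (RISKS[2], ROUTER_REPLACEMENT)):
        verdict = "worth it" if is_cost_effective(risk, cm) else "not worth it"
        print(f"{cm.name}: net ${net_benefit(risk, cm):,.0f}/yr -> {verdict}")
```

The router control illustrates the slide's warning: it does reduce risk, but with a $20,000/yr exposure and a $25,000/yr price tag it fails the cost-effectiveness test, whereas the patching program against the records database returns far more than it costs.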
Who is ultimately responsible for
risk?
• MANAGEMENT!!!




• Management may delegate to data custodians
  or business units that shoulder some of the risk.
• However, it is senior management that is
  ultimately responsible for the company’s health;
  as such they are ultimately responsible for the
  risk.
Computer Network Defense
• Defending against unauthorized actions that
  would compromise or cripple information
  systems and networks.

• Protect, monitor, analyze, detect, and respond to
  network attacks, intrusions, or disruptions.
Incident Response
• Responding to a Security Breach
  - Incident Handling
  - Incident Management
  - Eradication & Recovery
  - Investigation (Forensics / Analysis)
  - Legal, Regulatory and Compliance Reporting
  - Documentation
Break

• Let’s take a break…
Chapter 1: Introduction and Security Trends

• The Morris Worm
  - Robert Morris
  - 1988
  - First large-scale attack on
   the Internet
  - No malicious payload (benign)
  - Replicated itself
  - Infected computer system could no longer run
       any other programs
Chapter 1: Introduction and Security Trends

• Kevin Mitnick
  - Famous Hacker
  - 1995
  - Wire and computer fraud
  - Intercepting wire communication
  - Stole software and email accounts
  - Jailed: 5 years.
Chapter 1: Introduction and Security Trends

• The Melissa Virus
  - David Smith
  - 1999
  - Infected 1 million computers
  - $80 million
  - Payload: “list.doc” with macro
  - Clogged networks with traffic generated by
   email servers sending “Important Messages”
   to the contacts in your address book
Chapter 1: Introduction and Security Trends

• The “I Love You” Virus
  - Melissa Variation
  - 2000
  - 45 million computers
  - $10 billion
  - Payload: .vbs (script)
  - Released by a student in the Philippines (not a
      crime there at the time)
Chapter 1: Introduction and Security Trends

• The “Code Red” Worm
  - 2001
  - 350 million computers
  - $2.5 billion
  - Payload: benign
  - Takes control of computers
  - DoS attacks: targeted “White House” website
Chapter 1: Introduction and Security Trends

• The “Conficker” Worm
  - 2008-2009
  - Payload: benign
  - Bot network
  - Very little damage
  - Blocks antivirus updates
Chapter 1: Introduction and Security Trends

• Stuxnet
  - 2010
  - First Cyber Weapon
  - Affected SCADA
   systems within IRAN’s
   Nuclear Enrichment
   Facilities
  - Uses 4 “Zero Day”
   Vulnerabilities
Chapter 1: Introduction and Security Trends

• What is Malware?
  - Malicious Software
  - Includes “Viruses” & “Worms”
  - Protect using anti-virus software & system
      patching
Chapter 1: Introduction and Security Trends

• Intruders, Hackers, and Threat Agents
Chapter 1: Introduction and Security Trends

• Network Interconnection
  - More connections
  - From large mainframes to smaller connected
   systems
  - Increased threats & vulnerabilities
  - Single point failures?
  - Critical Infrastructure
  - Information Value
  - Information Warfare
Chapter 1: Introduction and Security Trends

• Steps in an Attack
  - Ping Sweeps (ping/whois) – identify target
  - Port Scans (nmap) – exploit service
Chapter 1: Introduction and Security Trends

• Steps in an Attack
  - Bypass firewall
  - Bypass IDS & IPS: Avoid detection / logs
  - Infect system (either Network or Physical)
  - Pivot systems (launch client-side attacks)
Chapter 1: Introduction and Security Trends

• Types of Attacks
  - Denial of Service (DoS)
  - Distributed Denial of Service (DDoS)
  - Botnets (IRC)
  - Logic Bombs
  - SQL Injection
  - Scripting
  - Phishing Emails
  - HTTP session hijacking (Man in the Middle)
  - Buffer Overflows
Chapter 1: Introduction and Security Trends

• Types of Attacks: Botnets
Chapter 1: Introduction and Security Trends

• Types of Attacks: Redirection (Fake Sites)
Chapter 1: Introduction and Security Trends

• Redirection (Fake Sites)
Chapter 1: Introduction and Security Trends

• Types of Attacks: Fake Antivirus
 Chapter 1: Introduction and Security Trends

• Types of Attacks: Keyloggers (Remote Stealth
  Keystroke Dump)
Chapter 1: Introduction and Security Trends

• Types of Attacks: USB Keys (Autorun infection)




Found a bunch of USB keys in a parking lot?
Would you stick one of them into your PC?
Chapter 1: Introduction and Security Trends

• Types of Attacks: Spam Email (Storm Worms)
Chapter 1: Introduction and Security Trends

• Types of Attacks: Spear Phishing Emails
Chapter 1: Introduction and Security Trends

• Types of Attacks: SQL injection
Chapter 1 Review Questions
 Question #1
Which of the following is an attempt to find and
attack a site that has hardware or software that is
vulnerable to a specific exploit?

A.   Target of opportunity attack
B.   Targeted attack
C.   Vulnerability scan attack
D.   Information warfare attack
 Question #2
Which of the following threats has not grown
over the last decade as a result of increasing
numbers of Internet users?

A.   Viruses
B.   Hackers
C.   Denial-of-service attacks
D.   All of the above
 Question #3
The rise of which of the following has greatly
increased the number of individuals who probe
organizations looking for vulnerabilities to
exploit?

A.   Virus writers
B.   Script kiddies
C.   Hackers
D.   Elite Hackers
 Question #4
Which of the following is generally viewed as the
first Internet worm to have caused significant
damage and to have “brought the Internet
down”?

A.   Melissa
B.   I LOVE YOU
C.   Morris
D.   Code Red
 Question #5
The act of deliberately accessing computer
systems and networks without authorization is
generally known as?

A.   Computer intrusions
B.   Hacking
C.   Cracking
D.   Probing
 Question #6
Warfare conducted against the information and
information processing equipment used by an
adversary is known as?

A.   Hacking
B.   Cyber terrorism
C.   Information Warfare
D.   Network Warfare
 Question #7
Which of the following is not described as a
critical infrastructure?

A.   Electricity (Power)
B.   Banking (Finance)
C.   Telecommunications
D.   Retail Stores
 Question #8 (Last one)
Elite hackers don’t account for more than what
percentage of the total number of individuals
conducting intrusive activity on the Internet?

A.   1-2 percent
B.   3-5 percent
C.   7-10 percent
D.   15-20 percent
Break

• Let’s take a break…
Chapter 2: General Security Concepts

• Computer Security (COMPUSEC)
  - Ensure computer systems are secure

• Network Security
  - Protection of multiple connected (networked)
   computer systems

• Information Assurance (IA) & Security
  - Emphasis on the data; our assurance (confidence)
   in the protection of our information / Information
   Security Services.
Chapter 2: General Security Concepts

• CIA Triad (Information Security Services)
Chapter 2: General Security Concepts

• Operational Model of Computer Security

  Protection = Prevention + Detection + Response
Chapter 2: General Security Concepts

• Least Privilege (Need to Know)
  - Users should have only the necessary
   (minimum) rights, privileges, or information to
   perform their tasks (no additional permissions).

• Implicit Deny
  - “Deny all” authorization and access (blacklisted)
   unless specifically allowed (white list).
  - Default security rule for firewalls, routers, etc…
Chapter 2: General Security Concepts

• Separation of Duties
  - Ensures tasks are broken down so that completing
   them involves more than one individual.
  - Check & balance system.

• Job Rotation
  - Rotating individuals through jobs / tasks.
  - Organization does not become dependent on a
   single employee.
Chapter 2: General Security Concepts



  Be sure to understand the difference between:
         Least Privilege vs. Implicit Deny
                         &
      Separation of Duties vs. Job Rotation
Chapter 2: General Security Concepts

• Layered Security
  - Defense in Depth
  - Redundancy
  - No single point of
   failure
Chapter 2: General Security Concepts

• Layered Security
Chapter 2: General Security Concepts

• Security Through Obscurity
  - Approach of protecting something by hiding it.
  - Generally not a good idea.
  - Steganography
  - Reverse engineering.
Chapter 2: General Security Concepts




  Be sure to understand the difference between:
                Layered Security
                       vs.
           Security Through Obscurity
Chapter 2: General Security Concepts

• Access
  - Control what a subject can perform or what
   objects the subject can interact with.
  - e.g. Access Control Lists (ACLs)

• Authentication
  - Verify the identity of a subject. (Who You Are)
  - Involves identification
  - Passwords, cards, biometrics (fingerprints), digital
   certificates, etc.
Chapter 2: General Security Concepts

• Authorization
  - Verifies what a subject is authorized to do.



   Be sure to understand the difference between:
              Access vs. Identification
                        vs.
          Authentication vs. Authorization
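The distinction the slides ask you to keep straight (identification, authentication, authorization) and the Implicit Deny rule from the earlier slide both show up in a few lines of code. The following is an added example, not part of the lecture deck: a claimed username is the identification, the password check against a salted hash is the authentication, and the ACL lookup is the authorization. The ACL evaluator falls through to a default when no rule matches; with default "deny" it is implicit deny, and with default "allow" it is the weak configuration the slide warns against. The user names, passwords, ACL entries and object names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credentials (not real accounts). Plaintext exists here only to build the store;
# the store itself holds salted PBKDF2-HMAC-SHA256 hashes.
SAMPLE_CREDENTIALS = {"jdoe": "MiLiLaNi-Week01", "registrar": "ReGiStRaR-2013"}

# Constructed ACL. Every entry is an explicit allow; least privilege means jdoe gets read only.
ACL = [
    {"subject": "jdoe",      "object": "grades.db", "action": "read",  "effect": "allow"},
    {"subject": "registrar", "object": "grades.db", "action": "read",  "effect": "allow"},
    {"subject": "registrar", "object": "grades.db", "action": "write", "effect": "allow"},
]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(credentials: dict) -> dict:
    """username -> (salt, hash). A fresh random salt per user; plaintext never enters the store."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash(password, salt))
    return store


def authenticate(store: dict, username: str, password: str):
    """Identification is the claimed username; authentication proves the claim.
    Returns the verified subject, or None (same answer for unknown user and wrong password)."""
    entry = store.get(username)
    if entry is None:
        return None
    salt, expected = entry
    return username if hmac.compare_digest(_hash(password, salt), expected) else None


def authorize(acl: list, subject: str, obj: str, action: str, default: str = "deny") -> str:
    """Authorization: what the verified subject may do. First matching rule wins;
    anything unlisted gets `default`. default="deny" is implicit deny."""
    for rule in acl:
        if (rule["subject"], rule["object"], rule["action"]) == (subject, obj, action):
            return rule["effect"]
    return default


def request(store, acl, username, password, obj, action, default="deny") -> str:
    """The full path: identify -> authenticate -> authorize."""
    subject = authenticate(store, username, password)
    if subject is None:
        return "unauthenticated"
    return authorize(acl, subject, obj, action, default)


if __name__ == "__main__":
    store = make_user_store(SAMPLE_CREDENTIALS)
    print(request(store, ACL, "jdoe", "MiLiLaNi-Week01", "grades.db", "read"))    # allow
    print(request(store, ACL, "jdoe", "MiLiLaNi-Week01", "grades.db", "write"))   # deny: no rule, implicit deny
    print(request(store, ACL, "jdoe", "wrong-password", "grades.db", "read"))     # unauthenticated
```

Note that a valid password on its own earns nothing: jdoe is authenticated and is still denied the write, because authorization is a separate decision made against the ACL, and the ACL's silence is a "no".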
Chapter 2: General Security Concepts

• Social Engineering
  - Talking individuals into divulging information
   that they normally would never give out.
  - Used to gain information on identities, access,
   or authorization.
  - Data aggregation.
Chapter 2: General Security Concepts

• Policies
  – Constraints of behavior on systems and people
  – Specifies activities that are required, limited,
    and forbidden
• Example
  – Information systems should be configured to
    require good security practices in the selection
    and use of passwords
Chapter 2: General Security Concepts

• Requirements
  – Required characteristics of a system or
    process.
  – Often the same as or similar to the policy
  – Specifies what should be done, not how to
    do it.
• Example
  – Information systems must enforce password
    quality standards.
Chapter 2: General Security Concepts

• Guidelines define how to support a policy
  – Example: ‘As a guideline’ passwords should
    not be dictionary words, don’t write
    passwords down, etc…
Chapter 2: General Security Concepts

• Standards: what products, technical methods
  will be used to support policy.
• Example
  – All fiber optic cables must be ACME brand
  – Passwords must be at least 8 characters,
     contain 2 upper and lower case chars…
• Procedures: step by step instructions
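The chain on the last few slides runs policy (good password practices) to requirement (enforce password quality) to guideline (no dictionary words) to standard (at least 8 characters, upper and lower case) to procedure (the steps that actually check). The following is an added example, not part of the lecture deck, of what the procedure end of that chain looks like in code: it enforces the standard quoted on the slide, reading "2 upper and lower case chars" as at least two of each, and applies the dictionary-word guideline. The mini dictionary and the sample passwords are constructed for the example.

```python
import re

# Constructed stand-in for a real wordlist (assumption, not from the slides).
DICTIONARY = {"password", "campus", "summer", "welcome", "letmein", "university"}

# Standard from the slide: at least 8 characters, at least 2 upper-case and 2 lower-case characters.
MIN_LENGTH = 8
MIN_UPPER = 2
MIN_LOWER = 2


def check_password(password: str, dictionary=DICTIONARY) -> list:
    """Return every violation of the standard and the dictionary guideline; [] means acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        violations.append(f"fewer than {MIN_UPPER} upper-case characters")
    if sum(c.islower() for c in password) < MIN_LOWER:
        violations.append(f"fewer than {MIN_LOWER} lower-case characters")
    # Guideline: not a dictionary word. Strip digits and punctuation first so that
    # "Password2013!" is still recognised as the word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in dictionary:
        violations.append("based on a dictionary word")
    return violations


def is_acceptable(password: str) -> bool:
    """The enforcement point a system would call when a password is set or changed."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Password2013!", "Campus", "ABCDEFGH", "MiLiLaNi-Week01"):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Reporting every violation at once, rather than stopping at the first, is deliberate: it is the difference between a user fixing the password in one attempt and fighting the rule set one message at a time.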
Chapter 2: General Security Concepts

• Classification of Information
  - Sensitivity / Confidentiality

• Example
  – Unclassified (UNCLASS)
  – For Official Use Only (FOUO)
  – Confidential
  – Secret (S)
  – Secret Releasable (S//REL)
  – Top Secret (TS)
Chapter 2: General Security Concepts

• Acceptable Use Policy (AUP)
  - Outline of what the organization considers to be
  the appropriate / inappropriate use of
  company resources.
  - Do you have a right to privacy when using a
  company’s system / network resources?
Chapter 2: General Security Concepts

• Service Level Agreement (SLA)
  - Contractual agreements between entities that
  describe specified levels of service.

• Example
  – Bandwidth allocation
  – Download / Upload Speeds
  – Uptime
  – Support & Maintenance
  – Data Restoration / Backup
Chapter 2: General Security Concepts

• Bell-LaPadula Confidentiality Security Model
  - Principle 1: Simple Security (No Read Up) Rule
  No subject can read from an object with a security
  classification higher than possessed by the subject.


  - Principle 2: *-property (No Write Down) Rule
  Allows a subject to write to an object of equal or greater
   security classification.

  Why wouldn’t you be able to write down?
Chapter 2: General Security Concepts

• Biba Integrity Security Model
  - Policy 1: Low-Water-Mark
  Prevents unauthorized modification of data: subjects may
   not write to objects of a higher integrity label.


  - Policy 2: Ring
  Allows a subject to read any object without regard to the
  object’s level of integrity and without lowering the subject’s
  integrity level.
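The two models above are easiest to compare when their rules are written as functions. The following is an added example, not part of the lecture deck: Bell-LaPadula's Simple Security and *-property rules as clearance comparisons, and Biba's two policies from the slide, where the difference lies in what reading lower-integrity data does to the subject (low-water-mark lowers the subject's integrity, ring does not) while both forbid writing to higher-integrity objects. The classification and integrity label sets are assumptions chosen for the example, and the subject names are constructed.

```python
# Constructed label lattices (assumption, not from the slides): higher number = higher label.
CLASSIFICATION = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


# ---- Bell-LaPadula: confidentiality -----------------------------------------------
def blp_can_read(subject_level: str, object_level: str) -> bool:
    """Simple Security (no read up): the subject's clearance must be at least the object's classification."""
    return CLASSIFICATION[subject_level] >= CLASSIFICATION[object_level]


def blp_can_write(subject_level: str, object_level: str) -> bool:
    """*-property (no write down): writes only to equal or higher classification. This is why a SECRET
    subject cannot write down: it could copy SECRET data into an UNCLASSIFIED object and leak it."""
    return CLASSIFICATION[subject_level] <= CLASSIFICATION[object_level]


# ---- Biba: integrity ----------------------------------------------------------------
class BibaSubject:
    def __init__(self, name: str, integrity: str):
        self.name = name
        self.integrity = integrity

    def can_write(self, object_integrity: str) -> bool:
        """Both Biba policies on the slide forbid writing to objects of higher integrity (no write up)."""
        return INTEGRITY[self.integrity] >= INTEGRITY[object_integrity]

    def read(self, object_integrity: str, policy: str) -> bool:
        """Reads are permitted under both policies; they differ in the effect on the subject.
        low-water-mark: reading lower-integrity data drops the subject to that level (it is now
        'contaminated' and can no longer write high-integrity objects).
        ring: the subject keeps its integrity level regardless of what it reads."""
        if policy == "low-water-mark":
            if INTEGRITY[object_integrity] < INTEGRITY[self.integrity]:
                self.integrity = object_integrity
        elif policy != "ring":
            raise ValueError(f"unknown Biba policy: {policy}")
        return True


if __name__ == "__main__":
    print("SECRET reads CONFIDENTIAL:", blp_can_read("SECRET", "CONFIDENTIAL"))   # True
    print("SECRET reads TOP SECRET:  ", blp_can_read("SECRET", "TOP SECRET"))     # False (no read up)
    print("SECRET writes TOP SECRET: ", blp_can_write("SECRET", "TOP SECRET"))    # True
    print("SECRET writes CONFIDENTIAL:", blp_can_write("SECRET", "CONFIDENTIAL")) # False (no write down)

    job = BibaSubject("nightly import", "HIGH")
    job.read("LOW", "low-water-mark")
    print("after low-water-mark read of LOW data, integrity =", job.integrity,
          "; may write HIGH:", job.can_write("HIGH"))                             # LOW ; False
    job2 = BibaSubject("nightly import", "HIGH")
    job2.read("LOW", "ring")
    print("after ring read of LOW data, integrity =", job2.integrity,
          "; may write HIGH:", job2.can_write("HIGH"))                            # HIGH ; True
```

Put side by side, the two models are mirror images: Bell-LaPadula lets information flow only upward in classification, Biba lets it flow only downward in integrity.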
Chapter 2 Review Questions
 Question #1
What is the most common form of authentication
used?

A.   Smart Cards
B.   Tokens
C.   Username / Password
D.   Biometrics
 Question #2
The CIA of security includes:

A.   Confidentiality, integrity, authentication
B.   Confidentiality, integrity, availability
C.   Certificates, integrity, availability
D.   Confidentiality, inspection, authentication
 Question #3
The security principle used in the Bell-LaPadula
security model that states that no subject can
read from an object with a higher security
classification is the:

A.   Simple Security Rule
B.   Ring policy
C.   Mandatory access control
D.   *-property
 Question #4
Which of the following concepts requires users
and system processes to use the minimal
amount of permission necessary to function?

A.   Layer Defense
B.   Diversified Defense
C.   Simple Security Rule
D.   Least Privilege
 Question #5
Which of the following is an access control
method based on changes at preset intervals?

A.   Simple Security Rule
B.   Job Rotation
C.   Two-man rule
D.   Separation of Duties
 Question #6
The Bell-LaPadula security model is an example
of a security model that is based on:

A.   The integrity of the data
B.   The availability of the data
C.   The confidentiality of the data
D.   The authenticity of the data
 Question #7
The term used to describe the requirement that
different portions of a critical process must be
performed by different people is:

A.   Least privilege
B.   Defense in Depth
C.   Separation of Duties
D.   Job Rotation
 Question #8
Hiding information to prevent disclosure is an
example of:

A.   Security through obscurity
B.   Certificate-based security
C.   Discretionary data security
D.   Defense in depth
 Question #9 (Last one)
The concept of blocking an action unless it is
specifically authorized is:

A.   Implicit deny
B.   Least privilege
C.   Simple Security Rule
D.   Hierarchical defense model
 Quiz: Week 1

• 10-15 minutes
IDV Assignment due Week #2

• Paper No. 1

- Review fundamentals of information assurance.
- Pick a company.
- How is their information considered an asset?
- How is their information being protected?
- Which Information Security Service is most
  important to the company?
- Are there specific information security
  requirements (regulations, policy, standards,
  etc.) that the company needs to abide by?
