OOSAD Chapter 14 by liuqingzhan


Information Security

Introduction to Information Security
        Michael Whitman and
          Herbert Mattord

             Chapter Objectives
     After studying this chapter you should be able to:
      – Describe the NSTISSC security model
      – Compare the SDLC and SecSDLC phases
      – Describe security management and the security project team
      – Identify threats to information security
      – Design a security architecture
      – Describe the key security technologies
Chapter 14                                        14-2
NSTISSC Security Model p.15
The National Security Telecommunications and Information
Systems Security Committee (NSTISSC) presented the “National
Training Standard for Information Security Professionals,
NSTISSI No. 4011”, which:
– Defines information security as “the protection of
  information and the systems and hardware that use,
  store, and transmit that information.”
– Presents the NSTISSC security model (p.15)
– Calls for securing all five components of the information system (p.123)
           Compare SDLC and SecSDLC Phases p. 26
         The security SDLC (SecSDLC) has all the common steps of the
           traditional SDLC, plus steps unique to security. The
           security-specific activities in each phase are:
         – Phase 1: Investigation
                Management defines project processes and goals
                 and documents them in the program security policy
         – Phase 2: Analysis
              Analyze existing security policies and programs
              Analyze current threats and controls
              Examine legal issues
              Perform risk analysis
         – Phase 3: Logical Design
              Develop the security blueprint
              Plan incident response actions
              Plan the business response to disaster
              Determine feasibility of continuing and/or outsourcing the
         – Phase 4: Physical Design
              Select the technologies needed to support the security blueprint
              Develop a definition of a successful solution
              Design physical security measures to support technological
              Review and approve the project
         – Phase 5: Implementation
              Buy or develop security solutions
              At the end of the phase, present the tested package to
               management for approval
         – Phase 6: Maintenance
              Constantly monitor, test, modify, update, and repair
               to meet changing threats
       Security Management and Project Team p.31
      – Senior Management
           Chief Information Officer (CIO)
           Chief Information Security Officer (CISO)
             – Responsible for the assessment, management,
               and implementation of information security in
               the organization
             – May also be called the manager for security, the
               security administrator, or a similar title
             – Usually reports directly to the CIO
      – Security Project Team
               Champion
               Team leader
               Security policy developer
               Risk assessment specialists
               Security professionals
               Systems administrators
               End users
 Threats to Information Security   (David Kroenke, 2009)
      Design Security Architecture
     – Defense in depth
             Develop security in layers, so that the failure of any
              single control does not by itself expose the asset
     – Security Perimeter
             Defines the edge between the outer limit of an
              organization’s security and the beginning of the
              outside world.
             Is the first level of security that protects all internal
              systems from outside threats.
     – Key Security Technologies
      Security Technology p.275
     1. Firewall
     2. Dial-up Protection:
      – RADIUS (Remote Authentication Dial-In User Service)
         Centralizes authentication for remote users; the same
          protocol is used today for VPN and 802.1X wireless
          access as well, not only dial-up.
         Configuration: Figure 8-6 (p.285)
                 1. Remote worker dials the RAS (Remote Access Server)
                 2. RAS passes the username and password to the RADIUS server
                 3. RADIUS server approves or rejects the request and
                  returns the access authorization
                 4. RAS provides access to the authorized remote worker
         Teleworker --(1)--> RAS --(2)--> RADIUS server --(3)--> RAS --(4)--> Teleworker
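The four-step exchange above, as an added example that is not from the slides or the textbook: the RAS (called a NAS in the RADIUS RFC) and the RADIUS server are plain function calls instead of UDP peers, the shared secret, user name and password follow the worked example in RFC 2865 section 7.1, and the user database is a constructed dict. What the example adds to the figure is the part that makes step 3 trustworthy: the password is hidden with the shared secret (RFC 2865 section 5.2) and the reply carries a Response Authenticator that the RAS recomputes, so an Access-Accept forged by someone who does not know the secret is discarded rather than granted.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values (not from the page). Secret, user and password are the
# ones used in the worked example of RFC 2865 section 7.1.
SHARED_SECRET = b"xyzzy5461"        # configured on both the RAS (NAS) and the RADIUS server
USER_DB = {"nemo": b"arctangent"}   # the RADIUS server's credential store (a dict here)
NAS_IP = bytes([192, 168, 1, 16])

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute type codes


def xor_blocks(data, secret, request_auth, decrypt):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret || previous
    ciphertext block); the 'previous block' of the first block is the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res   # chain on the ciphertext in both directions
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_blocks(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    return xor_blocks(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


# Step 2: the RAS wraps the credentials it collected in step 1 in an Access-Request.
def nas_access_request(username, password, ident, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # fresh per request; stops replay of old replies
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, SHARED_SECRET, request_auth))
             + attribute(NAS_IP_ADDRESS, NAS_IP))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


# Step 3: the RADIUS server checks the credentials and authenticates its answer with the secret.
def radius_server(request):
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, request_auth)
    accepted = (code == ACCESS_REQUEST and user in USER_DB
                and hmac.compare_digest(USER_DB[user], password))
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + SHARED_SECRET).digest()
    return header + response_auth


# Step 4: the RAS only honours a reply whose authenticator proves knowledge of the secret.
def nas_check_reply(reply, request_auth, ident):
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + SHARED_SECRET).digest()
    if reply_ident != ident or not hmac.compare_digest(expected, reply[4:20]):
        return "discard"          # forged, replayed or mis-keyed reply: silently dropped
    return "grant" if code == ACCESS_ACCEPT else "deny"


def dial_in(username, password, ident=1):
    """Steps 1-4 end to end, with RAS and server as function calls instead of UDP port 1812."""
    request, request_auth = nas_access_request(username, password, ident)
    return nas_check_reply(radius_server(request), request_auth, ident)
```

`dial_in("nemo", b"arctangent")` returns `"grant"`, a wrong password returns `"deny"`, and a hand-built Access-Accept with a zero authenticator returns `"discard"`. The MD5-based hiding is what the protocol specifies, not a recommendation; it is why RADIUS traffic between the RAS and the server is normally confined to a management network or tunnelled.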
     3. Intrusion Detection Systems (IDSs)
      – Host-based IDS: resides on a host and monitors only
        activities on that host.
      – Network IDS: monitors network traffic, examines packets
        on the network and alerts administrators to unusual
        patterns.
      – Signature-based (knowledge-based) IDS: examines data
        traffic in search of something that matches signatures,
        which are preconfigured, predetermined attack patterns.
        It cannot recognize an attack for which no signature
        exists yet.
      – Statistical anomaly-based IDS: collects data from
        normal traffic and establishes a baseline, then
        periodically samples network activity, using statistical
        methods, and compares the samples to the baseline. When
        activity falls outside the baseline parameters, the IDS
        notifies the administrator. It can flag novel attacks but
        also legitimate changes in traffic, so it produces more
        false positives.
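Both detection styles side by side, as an added example that is not from the slides or the textbook. The access-log lines and the baseline request counts are constructed; the signature table, the three-sigma threshold and the URL decoding before matching are this example's choices, not anything the page prescribes. The signature detector catches only the two requests that match a known pattern; the anomaly detector catches the same source because it makes fourteen requests in a minute against a baseline of about four or five, without knowing what any of them contained.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (common log format), not from the page.
# 192.0.2.7 is an ordinary user; 198.51.100.23 probes aggressively within one minute.
LOG_LINES = [
    '192.0.2.7 - - [10/Oct/2009:13:55:36] "GET /index.html HTTP/1.1" 200',
    '192.0.2.7 - - [10/Oct/2009:13:55:41] "GET /about.html HTTP/1.1" 200',
    '198.51.100.23 - - [10/Oct/2009:13:56:02] "GET /../../etc/passwd HTTP/1.1" 404',
    '198.51.100.23 - - [10/Oct/2009:13:56:03] "GET /login?user=admin%27%20or%201%3D1-- HTTP/1.1" 200',
] + [
    f'198.51.100.23 - - [10/Oct/2009:13:56:{s:02d}] "GET /page{s}.html HTTP/1.1" 404'
    for s in range(10, 22)
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>[^\]]+):\d\d\] "(?P<method>\S+) (?P<path>\S+)')

# Knowledge base: preconfigured attack patterns (constructed, deliberately small).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "SQL injection probe": re.compile(r"(?i)'\s*or\s+1\s*=\s*1|union\s+select"),
    "Shellshock probe": re.compile(r"\(\)\s*\{\s*:;\s*\}"),
}

# Constructed baseline: per-source requests per minute observed during a quiet training period.
BASELINE_REQUESTS_PER_MINUTE = [4, 5, 3, 6, 4, 5, 4, 5, 3, 6, 5, 4]


def parse(lines):
    """Yield (ip, minute, method, decoded_path) for every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            # Decode %xx first, otherwise an encoded payload slips past a literal signature.
            yield m["ip"], m["minute"], m["method"], unquote(m["path"])


def signature_alerts(lines):
    """Signature-based: flag each request that matches a known attack pattern."""
    alerts = []
    for ip, minute, method, path in parse(lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, ip, path))
    return alerts


def anomaly_alerts(lines, baseline=BASELINE_REQUESTS_PER_MINUTE, z_threshold=3.0):
    """Statistical anomaly-based: compare each source's per-minute request count with the baseline."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    counts = Counter((ip, minute) for ip, minute, _, _ in parse(lines))
    alerts = []
    for (ip, minute), n in counts.items():
        z = (n - mean) / sd if sd else (float("inf") if n > mean else 0.0)
        if z > z_threshold:             # one-sided: only unusually high activity is interesting here
            alerts.append((ip, minute, n, round(z, 1)))
    return alerts
```

Running `signature_alerts(LOG_LINES)` reports the traversal and the SQL injection probe and nothing else; the twelve `/pageNN.html` requests are invisible to it. `anomaly_alerts(LOG_LINES)` reports `198.51.100.23` at 13:56 with 14 requests, and nothing for the normal user. The anomaly detector is only as good as its baseline: if the training period already contained the attacker's traffic, or if an attacker ramps up slowly enough to be absorbed into a rolling baseline, the threshold drifts upward.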
 4. Scanning and Analysis Tools
     – Port Scanners (p.292)
                 Probe a host for open ports (a port is a network
                  channel or connection endpoint) to learn which
                  services it exposes
     – Vulnerability Scanners
                 Scan networks for highly detailed information about
                  hosts and their known weaknesses
     – Packet Sniffers
          A network tool that collects copies of packets
           from the network and analyzes them.
 5. Content Filters
    Restrict accessible content from within a
    network, e.g. restriction of web sites with
    nonbusiness-related material, or restriction
    of spam e-mail from outside sources
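What a packet sniffer actually does with a captured packet, and how a port scanner looks on the wire, as an added example that is not from the slides or the textbook. The packets are constructed in the block itself (IPv4 and TCP headers with zero checksums, no payload, no link-layer frame), the addresses are documentation ranges, and the threshold of eight distinct ports is an arbitrary choice. The parser decodes the headers the way a sniffer would; the detector then spots the scanner because one source sends bare SYNs to many different ports, something a normal client never does.

```python
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed packet: 20-byte IPv4 header + 20-byte TCP header, no options, no payload.
    Checksums are left zero; a real sniffer reads them from the wire."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_header + tcp_header


def parse_ipv4_tcp(pkt):
    """The sniffer's job for each captured packet: decode the headers into named fields."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # IPv4 header length honours options
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None                                   # not IPv4/TCP, or truncated
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "sport": sport, "dport": dport, "flags": flags, "data_offset": (off >> 4) * 4}


def detect_syn_scan(packets, min_ports=8):
    """A port scanner announces itself: one source sends bare SYNs to many distinct ports."""
    targets = defaultdict(set)
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if p and (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:   # SYN without ACK = new connection attempt
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: sorted(port for _, port in ports)
            for src, ports in targets.items() if len(ports) >= min_ports}


# Constructed traffic: a normal client completing one handshake, then a scanner sweeping ten ports.
SERVER, CLIENT, SCANNER = "203.0.113.5", "192.0.2.7", "198.51.100.23"
TRAFFIC = [
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, TCP_SYN),
    build_ipv4_tcp(SERVER, CLIENT, 80, 51000, TCP_SYN | TCP_ACK),
    build_ipv4_tcp(CLIENT, SERVER, 51000, 80, TCP_ACK),
] + [
    build_ipv4_tcp(SCANNER, SERVER, 40000 + i, port, TCP_SYN)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])
]
```

`detect_syn_scan(TRAFFIC)` returns `{"198.51.100.23": [21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]}`; the server's SYN/ACK is ignored because it carries ACK, and the client's single SYN never reaches the threshold. A scan spread across days or across many source addresses would not trip this per-source counter, which is the usual trade-off between detection delay and false positives.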
 6. Cryptography and Encryption-based
     – Symmetric encryption (private key encryption)
             uses a single key for both encryption and decryption
     – Asymmetric encryption (public key encryption)
             uses two different keys, a public key and a private key
     – Digital Signature
     – PKI: Public Key Infrastructure
     – Digital certificate
            An electronic document, similar to a digital
             signature, attached to a file certifying that this
             file is from the organization it claims to be from
             and has not been modified from the original format
     – Certificate Authority (CA)
          An agency that manages the issuance of
           certificates and serves as the electronic notary
           public, vouching for their worth and integrity.
          E.g. when downloading software on the Internet, the
           browser checks the publisher's signature against a
           certificate issued by a CA and shows whether the files
           did in fact come from the purported publisher. A valid
           signature proves origin and integrity, not that the
           software itself is harmless.
     – Securing E-Mail
          S/MIME (Secure/Multipurpose Internet Mail Extensions)
          PEM (Privacy Enhanced Mail)
          PGP (Pretty Good Privacy)
     – Securing the Web (p.309)
          SET (Secure Electronic Transactions)
          S-HTTP (Secure HTTP): encrypts individual HTTP messages
          IPSec (IP Security): encrypts and authenticates at the
           IP layer, so it protects any application's traffic,
           not only web traffic
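The pieces of item 6 (symmetric encryption, asymmetric encryption, digital signatures, certificates and the CA's role) put together in one runnable chain, as an added example that is not from the slides or the textbook. It uses textbook RSA with tiny hand-checked primes so every number is inspectable; that is an illustration, not usable cryptography (real keys are 2048 bits or more and use OAEP or PSS padding). The CA, the software publisher, the impostor and the "installer" bytes are all constructed, and the symmetric part is a toy XOR stream built from SHA-256, chosen only because it runs without third-party libraries. The last function is the download check the CA passage describes: trusted CA, then the publisher's certificate, then the file's signature.

```python
import hashlib
import json


def rsa_keygen(p, q, e=17):
    """Textbook RSA with constructed small primes (not for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)               # (public key, private key)


def rsa_encrypt(public, m):
    n, e = public
    return pow(m, e, n)                 # anyone holding the public key can encrypt (m < n)


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)                 # only the private-key holder can decrypt


def digest_mod_n(data, n):
    """Sign the hash, not the message: SHA-256 reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest_mod_n(data, n), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_mod_n(data, n)


# A certificate is a statement "this name owns this public key", signed by the CA.
def issue_certificate(ca_private, subject, subject_public):
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {**body, "sig": sign(ca_private, json.dumps(body, sort_keys=True).encode())}


def verify_certificate(ca_public, cert):
    body = {k: cert[k] for k in ("subject", "n", "e")}
    return verify(ca_public, json.dumps(body, sort_keys=True).encode(), cert["sig"])


def verify_download(ca_public, cert, file_bytes, file_sig):
    """The check behind the browser's 'this file is from X' dialog: CA -> publisher key -> file."""
    if not verify_certificate(ca_public, cert):
        return "untrusted certificate"
    if not verify((cert["n"], cert["e"]), file_bytes, file_sig):
        return "file modified or not signed by certificate holder"
    return "ok: signed by " + cert["subject"]


def symmetric_xor(key, nonce, data):
    """Symmetric (private-key) encryption demo: the same key and call both encrypt and decrypt.
    Keystream = SHA-256(key || nonce || block counter). Toy construction, no integrity check."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


# Constructed actors: a CA, a publisher whose key the CA vouches for, and an impostor.
CA_PUBLIC, CA_PRIVATE = rsa_keygen(61, 53)                 # n = 3233, d = 2753
PUBLISHER_PUBLIC, PUBLISHER_PRIVATE = rsa_keygen(101, 113)
IMPOSTOR_PUBLIC, IMPOSTOR_PRIVATE = rsa_keygen(67, 71)
CERT = issue_certificate(CA_PRIVATE, "Example Software Ltd", PUBLISHER_PUBLIC)
# Same name, but self-issued: no CA signature, so the "notary" check fails.
IMPOSTOR_CERT = issue_certificate(IMPOSTOR_PRIVATE, "Example Software Ltd", IMPOSTOR_PUBLIC)
INSTALLER = b"setup.exe contents (constructed)"
INSTALLER_SIG = sign(PUBLISHER_PRIVATE, INSTALLER)
```

`verify_download(CA_PUBLIC, CERT, INSTALLER, INSTALLER_SIG)` returns `"ok: signed by Example Software Ltd"`; flipping a byte of the installer or presenting the impostor's self-issued certificate returns the matching failure string. Note what the success string does and does not say: the file is unmodified and was signed by the holder of a CA-certified key, which is exactly the certificate's promise and nothing more.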

     7. Access Control Devices
      – Authentication: are you who you claim to be? Verified
         by one or more of:
                 What you know: a password
                 What you have: dumb cards such as ID cards or
                  ATM cards
                 What you are: biometrics
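The first two factors checked together on a server, as an added example that is not from the slides or the textbook. "What you know" is a password stored as a salted PBKDF2 hash; "what you have" is a token (a hardware fob or phone app) that shares a seed with the server and computes one-time codes by HOTP (RFC 4226) and TOTP (RFC 6238). The seed is the RFC test-vector value so the codes can be checked against the RFC; the user record, the fixed clock values and the one-step clock-skew window are constructed for the example. Biometrics are not shown.

```python
import hashlib
import hmac
import os
import struct

# Constructed: the seed shared by the server and one user's token. This particular value
# is the RFC 4226 / RFC 6238 test-vector secret, so the codes below are checkable.
TOKEN_SEED = b"12345678901234567890"


def enroll_password(password, iterations=100_000):
    """'What you know': store a salted, deliberately slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])   # constant-time comparison


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from the clock. Possessing the seed is the factor."""
    return hotp(seed, int(unix_time) // step, digits)


def authenticate(record, seed, password, code, now, skew_steps=1):
    """Both factors must pass; a stolen password alone yields 'deny: token'."""
    if not check_password(record, password):
        return "deny: password"
    counter = int(now) // 30
    for c in range(counter - skew_steps, counter + skew_steps + 1):   # tolerate small clock drift
        if hmac.compare_digest(hotp(seed, c), code):
            return "grant"
    return "deny: token"
```

`totp(TOKEN_SEED, 59)` yields `"287082"` (the RFC 6238 SHA-1 vector for T = 59, six digits), and `authenticate(record, TOKEN_SEED, password, "287082", 59)` returns `"grant"` only when the password also matches. A production verifier additionally records the last counter accepted for each user so that a captured code cannot be replayed inside the skew window.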
