CS 620 Introduction to Information Security Dr. Karen
51 Slides807.00 KB
CS 620 Introduction to Information Security Dr. Karen Forcht Department of Computer Science James Madison University
Part I (Overview, Access, Control, Cryptography, Risk Analysis) Part II (Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)
Part III (Telecommunications Security, Organization Architecture, Legal Regulatory Investigation) Part IV (Investigation, Application program Security, Physical Security, Operations Security)
Part V (Information Ethics, Policy Development)
Computer Security Act of 1987 Requires: Sensitive systems and data must be identified Plans for ensuring security and control of such systems must be created Personnel training programs must be developed and in place
Development of Security Program Objectives Policies Connectivity, Corporate Structure, and Security Plans Responsibilities
Security Policy Goals Avoidance Deterrence Detection Correction
Risk Analysis Identify sensitivity of data Determine value of systems and information Assess threats and vulnerabilities (sabotage, environment, errors)
Purposes of Risk Analysis No significant intentional or accidental threat is overlooked Assure that cost-benefit analysis is reasonable
Contingency Plan Purpose: Protect, detect, recover Criticality: Formulated, communicated to ALL employees, tested regularly
Legal Issues Licenses Fraud/Misuse Privacy Copyright Trade Secrets Employee Agreements
Access Control Collection of mechanisms to restrain or prohibit use of information and systems Includes: Functions, implementation, good practices, environmental constraints
Considerations Ownership of Data Custodian of Data Accountability Reconciliation Rule of Least Privilege
User Authentication and Password Management Access Control Knowledge-Based Authentication Token-Based Authentication Characteristic-Based Authentication Password Management
Access Control Policies Procedures Standards Control
Cryptography Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage Considerations: -Complexity -Secrecy - Characteristics of key
Definition: Encryption: plaintext to ciphertext Decryption: From ciphertext to plaintext
Key Management Public vs. Private Selecting Key Management of the Keys Protection of Keys Testing of Keys Updating Keys Error Detection
Risk Management Includes ideas, models, methods, techniques to control risk Includes: -Assessment -Reduction -Protective measures -Risk Acceptance -Insurance
Considerations of Risk Assessment Annual Loss Expectancy(ALE) Asset Valuation/Inventory Types of Attacks/Threats Availability of Resources/Denial of Service Detection Exposure Passive Threats Perils Prevention Analysis/Assessment/Management of Risk Data Valuation
Classification of People/Assets Should Include: -People -Procedures -Data/Information -Software -Hardware
Threat and Exposure Assessment Density/Volume of Information Accessibility of Systems Complexity Electronic Vulnerability Media Vulnerability Human Factors
Safeguards and Counter Measures Prevent Exposures Detect Attempted Threats Correct the Causes of Threats
Business Continuity Planning (1) Planning and Analysis Methods Rates of Occurrence of Disabling Events Availability and Use of Planning Tools/Aids Identification of Business Success factors(BSF) and Critical capabilities(Critical or Key Success Factors (CSF/KSF)
Business Continuity Planning (2) Alternative Sources of Supply Legal and Regulatory Requirements
Backups and Procedures Importance for Recovery Data Value Manuals and Documentation Back Up Frequency On-Line Systems Equipment
The Three C’s -Catastrophe -Contingency -Continuation BE PREPARED!!!
Off-site Backups and Storage Two Control Points: 1. When backup material is being transferred to/from the site 2. When backup material is stored at the site (also consider in-house storage)
Data Classification Elements and Objectives of a Classification Scheme Criteria used to Classify Data Procedures to be Used Differences Between Government and Commercial Programs Limitations Program Implementation
To Be Included: Distinguish Between Classification and Sensitivity Classified vs. Sensitive Data Elements Handling of Data Identify Criteria Classification Schemes Rule of Users Managers Effect of Data Aggregation on Classification Techniques for Avoiding Disclosure
Security Awareness Include: Corporate Policies, Procedures, Intentions Areas Where Remedial Actions are Needed Assessment of Threats and Vulnerabilities Technology Trends Behaviors to be Encouraged User Motives Applicable Laws and Regulation Available/Applicable Communication Channels/Media
Administrative/Organizational Controls Policies Awareness Employee Non-Disclosure Considerations Employee Training Telecommuting Considerations Effects of Technological Changes/Updates
Personnel Considerations Human Motives for Criminal Action Employee Selection Professional Certificates Working Environment Technological Updates (Effect on Users) Employee Separation
Computer and System Security Professionals Should Understand: Computer Organizations, Architectures, Designs Source and Origin of Security Requirements Advantages/Disadvantages of Various Architectures Security Features/Functions of Various Components Choices to be Considered When Selecting Components
Common Flaws and Penetration Methods Operating Systems Flaws Penetration Techniques(Trojan Horses, Virus, Salami Attack, Deception)
Viruses Design Protection Recovery Prevention Counter Measures
Telecommunications Security Objectives hazards and Exposures Effects of Topology, Media, Protocols, Switching Hazards and Classes of Attack Defenses and Protective Measures
Methods Aborted Connection Active Wiretapping Between - The - Lines Entry Call Back Emanations Covert Channel Cross-Talk Eavesdropping Electronic Funds Transfer(EFT) Handshaking
Considerations Transmission Technologies Bandwidth Connectivity Potential Geographical Scope Noise Immunity Security Applications Relative Cost
System Security Officer Organizational Knowledge (Structural and Behavioral) Technical Knowledge Accounting/Audit Concepts Personnel Administration Matters Laws/Legislation Strategic/Tactical Planning Labor/Negotiation/Strategies/Tactics
Computer Security Incidence Response Goals Constituency Structure Management Support/Funding Charter Handbook of Operations Staffing
Legal/Regulatory Federal Laws/Regulations State Laws/Regulations International Issues Organizational/Agency Considerations Personal Behavior Remedies to Constituents Civil vs. Criminal Law Pending Legislation
Computer Crime Fraud Embezzlement Unauthorized Access “White Collar” Crime Theft of Hardware/Copying Software Physical Abuse Misuse of Information Privacy/Confidentiality Violations Intellectual Property Negligence License Agreements
Investigation Legal Requirements for Maintaining a Trail of Evidence Interrogation Techniques Legal Limits on Interrogation Methods Permitted
Application Program Security Distribution of Controls Between Application and System Controls Specific to Key, Common, or Industry Applications Criteria for Selection and Application Tests for Adequacy Standards for Good Practice
Software Controls Development Maintenance Assurance Specification and Verification Database Security Controls Accounting/Auditing
Physical Security Site/Building Location External characteristics/Appearance Location of Computer Centers Construction Standards Electrical Power(UPS) Water/Fire Considerations Traffic/Access Control Air Conditioning/Exhaust Entrances/Exits Furnishings Storage of Media/Supplies
Operations Security Resources to be Protected Privileges to be Restricted Available Control Mechanisms Potential for Abuse of Access Appropriateness of Controls Acceptable Norms of Good Practice
Information Ethics Doing the Right Thing!! Privacy/Confidentiality Common Good Professional Societies Professional Certifications
Policy Development Considerations: Have Longevity Be Jargon Free Be Independent of Jobs, Titles, or Positions Set Objectives Fix Responsibility Provide Resources Allocate Staff Be Implemented Using Standards and Guidelines
That’s All Folks (and not a minute too soon!!) I’m Looking Forward to working With You!!!!
