Network Professional Course Information & Network Security U Nyein Oo Director/COO Myanma Computer Co., Ltd
Information Security Basics Information security is defined as: measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities.
Information Security Basics Different Type of Security Physical Security Communication Security Network Security
Security is a Process Obviously, you cannot rely on just one of these types of security to protect your organization. Likewise, you cannot rely on a single security product (e.g. a firewall) to protect your computers and networks.
Security is a Process Kinds of Security Process Anti Virus Software Access Control Firewall Intrusion Detection Policy Management Vulnerability Scanning
Security is a Process Anti-Virus Software Anti-virus software is a necessary part of a good security program. If properly implemented and configured, it can greatly reduce the network's exposure to malicious programs. Anti-virus will not, however, protect the network from being misused through the exploitation of a legitimate program or service.
Security is a Process Access Controls Nearly all devices on a network have the ability to perform access control. If a system is properly implemented and configured, access to restricted or sensitive data becomes much more difficult. Access controls will not necessarily prevent someone from exploiting a system vulnerability to reach restricted data.
Security is a Process Firewalls Firewalls are designed to protect an internal network from external attacks. By their nature, they are border security devices, and protect the network at the border only. Properly configured, firewalls have become a network security necessity. However, a firewall cannot prevent a web server with a vulnerability from being compromised if access to that web server is permitted. Firewalls will also not protect the internal network from internal attacks.
Security is a Process Intrusion Detection An IDS has the ability to recognize attack signatures and, in some cases, act on what it identifies. An IDS generally only alerts someone of an attack attempt; in many cases it does not prevent the attack from succeeding. Newer technology in this arena (intrusion prevention systems) is promising in being able to detect an attack and block it on the fly.
Security is a Process Policy Management Policies and procedures are an important part of a good security program, and management of policies across computer systems is equally important. With policy management systems, an organization can be alerted when any system does not conform to a policy. However, policy management systems do not take into account vulnerabilities in systems or misconfiguration of applications. They also do not guarantee that users will not write down passwords or otherwise expose sensitive access data.
Security is a Process Vulnerability Scanning Scanning for vulnerabilities is another good part of a security program. Such scanning will help identify potential entry points for intruders. Vulnerability scanning does not by itself protect computers: security measures need to be implemented promptly after a vulnerability is identified. Vulnerability scanning will also not detect users who may already have illegitimate access to systems.
Types of Attack The following are the kinds of attack covered here: Access attacks (snooping, eavesdropping, interception); Modification attacks (changes to data, insertion of data, deletion of data); Denial of service attacks; Repudiation attacks.
Types of Attacks – Access Attacks An access attack is an attempt to gain access to information that the attacker is not authorized to see. This type of attack can occur wherever the information resides, or exists during transmission.
Types of Attacks – Access Attacks Snooping Snooping is looking through information files in the hopes of finding something interesting.  If the files are on a computer, the attacker will open file after file in an attempt to find valuable information.
Types of Attacks – Access Attacks Eavesdropping Eavesdropping is when an attacker listens in on a conversation they are not part of. To gain access to unauthorized information via eavesdropping, an attacker must position himself in a location where the information of interest is likely to pass. The introduction of wireless networks has made this much easier for attackers, since anyone in radio range can "listen in".
Types of Attacks – Access Attacks Interception Interception differs from eavesdropping in that it is an active attack: rather than merely listening, the attacker inserts himself into the communication path, so that the information passes through a system under his control. He can then capture it and decide whether or not to pass it on to the intended destination. This type of attack can be very complex, and works on nearly every type of network.
Types of Attacks – Modification Attacks A Modification attack is an attempt to modify information that an attacker is not authorized to modify. This attack can occur wherever the information resides.  It may also be attempted while information is in transit. This type of attack is an attack against the integrity of the information.
Types of Attacks – Modification Attacks Changes in Data Insertion of Data Deletion of Data Changes to databases, files and systems are hard to detect without proper countermeasures.
Types of Attacks – Denial of Service Denial-of-Service (DoS) attacks are attacks that deny the use of resources to legitimate users of the system. DoS attacks do not generally allow the attacker to change or access data; rather, they just prevent the use of the data. DoS attacks are little more than vandalism. Denial of Access to Information Denial of Access to Applications Denial of Access to Systems/Communications
Types of Attacks – Repudiation Attacks Repudiation is an attack against accountability of information.  In other words, repudiation is an attempt to give false information or deny that the real event or transaction should have occurred.
Network Security
Why Security? Security needs to be implemented at many levels. Among the most important security measures is network security. There are many potential risks to a network, and many preventive measures for it.
Networking Basics Before securing networks, we must understand the networks themselves. There are many different networking protocols; the one used on the Internet is TCP/IP (TCP and IP). TCP/IP is usually described in terms of the common networking reference model called OSI, although the TCP/IP stack has fewer layers than the seven-layer OSI model.
OSI and TCP/IP Stack
Packet A packet is built up layer by layer: each layer adds its own header to the data it receives from the layer directly above it (encapsulation). The unit produced at the IP layer is referred to as a datagram. The destination IP address is included in the packet by the network (IP) layer.
Packet Sniffing Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer is a piece of software or hardware that monitors all network traffic. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear text passwords and usernames or other sensitive material.
Use of Packet sniffer Searching for clear-text usernames and passwords from the network. Conversion of network traffic into human readable form. Network analysis to find bottlenecks. Network intrusion detection to monitor for attackers.
Use of Sniffer (cont) Sniffers are very powerful tools for capturing data on the network, such as passwords and other system-related data. As networks have become larger, switches have made it only slightly harder to sniff traffic. Switches are not security devices, and can be abused so that sniffing is possible.
Sniffing Methods There are three main sniffing methods. Some work only in non-switched networks, while others also work in switched networks: IP-based sniffing (non-switched network); MAC-based sniffing (hardware address match); ARP-based sniffing (man-in-the-middle attack, where the attacker poisons ARP caches so that traffic for another host is sent to his own MAC address).
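The slides above describe what a sniffer sees (clear-text credentials) and how ARP-based sniffing works, but not what the analysis looks like in practice. The following is an added example, not code from the original course: it decodes constructed Ethernet/IPv4/TCP and ARP frames (built in the script, not captured from a real network), pulls FTP USER/PASS commands out of the TCP payload, and flags the tell-tale sign of ARP-based man-in-the-middle sniffing, one IP address claimed by two different MAC addresses. The IP and MAC addresses, port numbers and credentials are all made up for the demonstration.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero: this is test data, not a live packet."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ipv4 + tcp


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP reply (opcode 2) claiming that sender_ip lives at sender_mac."""
    body = ARP_HDR.pack(1, 0x0800, 6, 4, 2, sender_mac, bytes(map(int, sender_ip.split("."))),
                        target_mac, bytes(map(int, target_ip.split("."))))
    return ETH_HDR.pack(target_mac, sender_mac, 0x0806) + body


def parse_frame(frame):
    """Decode one Ethernet frame into a dict describing the TCP segment or ARP reply it carries."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype == 0x0800:                              # IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        src_ip, dst_ip = ip(frame[26:30]), ip(frame[30:34])
        if proto != 6:
            return {"type": "ip", "src": src_ip, "dst": dst_ip, "proto": proto}
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        return {"type": "tcp", "src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
                "payload": frame[tcp_off + data_off:]}
    if ethertype == 0x0806:                              # ARP
        _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, 14)
        return {"type": "arp", "op": op, "sender_mac": mac(sha), "sender_ip": ip(spa)}
    return {"type": "other", "ethertype": ethertype}


def find_cleartext_logins(frames):
    """Return (src, dst, user, password) for FTP sessions whose USER/PASS commands crossed the wire unencrypted."""
    creds = {}
    for f in frames:
        p = parse_frame(f)
        if p["type"] != "tcp" or p["dport"] != 21:
            continue
        line = p["payload"].decode("ascii", "replace").strip()
        key = (p["src"], p["dst"])
        if line.upper().startswith("USER "):
            creds.setdefault(key, {})["user"] = line[5:]
        elif line.upper().startswith("PASS "):
            creds.setdefault(key, {})["password"] = line[5:]
    return [(s, d, v.get("user"), v.get("password")) for (s, d), v in creds.items()]


def find_arp_conflicts(frames):
    """Flag IP addresses claimed by more than one MAC in ARP replies: the signature of ARP-based MITM sniffing."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_frame(f)
        if p["type"] == "arp" and p["op"] == 2:
            seen[p["sender_ip"]].add(p["sender_mac"])
    return {addr: sorted(macs) for addr, macs in seen.items() if len(macs) > 1}


# Constructed sample capture: a clear-text FTP login, then a legitimate ARP reply
# from the gateway followed by a forged one from a rogue host for the same IP.
GATEWAY_MAC = b"\x00\x11\x22\x33\x44\x55"
ROGUE_MAC = b"\xde\xad\xbe\xef\x00\x01"
VICTIM_MAC = b"\x66\x77\x88\x99\xaa\xbb"
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS hunter2\r\n"),
    build_arp_reply(GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),
    build_arp_reply(ROGUE_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),
]

if __name__ == "__main__":
    print(find_cleartext_logins(SAMPLE_FRAMES))
    print(find_arp_conflicts(SAMPLE_FRAMES))
```

The same parsing applies to frames read from a real capture file or a raw socket; the point of the constructed data is to show that nothing in an unencrypted protocol hides the password from whoever holds the wire, and that ARP poisoning leaves a detectable trace (two MACs for one IP) that a monitoring host can alert on.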
Other network vulnerabilities Packet sniffing is one of the top threats on the Internet. The various protocols such as TCP, ICMP and other well-designed protocols still have design weaknesses that attackers take advantage of. IP spoofing is another of these threats.
IP Spoofing A technique used to gain unauthorized access to computers, whereby the intruder sends packets to a computer with a source IP address indicating that they come from a trusted host. To engage in IP spoofing, an attacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host. Newer routers and firewall arrangements can offer protection against IP spoofing by dropping packets whose source address could not legitimately have arrived on the interface they came in on (ingress filtering).
Firewall A firewall is a hardware or software solution to enforce security policies. In the physical security analogy, a firewall is equivalent to a door lock on a perimeter door or on a door to a room inside of the building - it permits only authorized users such as those with a key or access card to enter.  A firewall has built-in filters that can disallow unauthorized or potentially dangerous material from entering the system. It also logs attempted intrusions.
Firewalls Types of Firewalls Application Layer Firewalls: also called proxy firewalls; their rules allow specific types of traffic within a service to pass while other traffic on the same service is denied. Packet Filtering Firewalls: by far the most common; these firewalls allow packets to be blocked or permitted based on connection state, port, protocol, size and similar header fields. Proxy: a firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it.
Proxy (cont) A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
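To make the packet-filtering and anti-spoofing ideas from the last few slides concrete, here is an added example (not code from the original course or from any firewall product): a toy stateful packet filter in Python. It keeps a table of permitted flows so that replies to allowed connections pass without a rule, rejects TCP segments that do not belong to a known connection unless they open one with SYN, and applies ingress filtering against IP spoofing by dropping packets that arrive on the outside interface with an internal source address. The topology (an outside interface, an inside network 192.168.10.0/24, a web server on TCP/80) and the sample packets are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology (hypothetical): "outside" faces the Internet, "inside" faces
# 192.168.10.0/24, and a web server on the inside must be reachable on TCP/80.
INTERNAL_NETS = [ip_network("192.168.10.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "outside" or "inside"
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


# Rules are evaluated top to bottom: (interface, protocol, destination port, action).
# "*" matches anything. The last rule is the default deny.
RULES = [
    ("outside", "tcp", 80, "allow"),   # public web server
    ("inside", "*", "*", "allow"),     # anything initiated from inside
    ("*", "*", "*", "deny"),           # default deny
]


class StatefulFilter:
    def __init__(self):
        self.conns = set()  # (proto, src, sport, dst, dport) of flows already permitted

    def is_spoofed(self, pkt):
        """Ingress filtering: an internal source address can never legitimately arrive on the outside interface."""
        src = ip_address(pkt.src)
        return pkt.iface == "outside" and any(src in net for net in INTERNAL_NETS)

    def decide(self, pkt):
        if self.is_spoofed(pkt):
            return "deny: spoofed source"
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Replies belonging to a flow we already permitted pass without re-evaluating the rules.
        if reverse in self.conns:
            return "allow: established"
        # A TCP segment that neither opens a connection nor belongs to one is dropped.
        if pkt.proto == "tcp" and not pkt.syn and flow not in self.conns:
            return "deny: not part of an established connection"
        for iface, proto, dport, action in RULES:
            if iface in ("*", pkt.iface) and proto in ("*", pkt.proto) and dport in ("*", pkt.dport):
                if action == "allow":
                    self.conns.add(flow)
                return f"{action}: rule {iface}/{proto}/{dport}"
        return "deny: no rule"


def run_sample():
    """Push a constructed sequence of packets through the filter and return the verdicts in order."""
    fw = StatefulFilter()
    packets = [
        Packet("outside", "tcp", "203.0.113.7", 51000, "192.168.10.80", 80, syn=True),  # client opens web connection
        Packet("inside", "tcp", "192.168.10.80", 80, "203.0.113.7", 51000),             # server reply, established
        Packet("outside", "tcp", "203.0.113.7", 51001, "192.168.10.80", 22, syn=True),  # SSH from outside, no rule
        Packet("outside", "tcp", "203.0.113.7", 51002, "192.168.10.80", 80),            # ACK with no prior SYN
        Packet("outside", "udp", "192.168.10.9", 5353, "192.168.10.80", 53),            # internal source, outside iface
        Packet("inside", "udp", "192.168.10.9", 40000, "198.51.100.2", 53),             # outbound DNS
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Note what the filter cannot do, which is the point of the earlier slide: the web server on port 80 is reachable by design, so a vulnerability in that server is outside the firewall's control, and traffic between two inside hosts never crosses it at all.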
Security Policy
Why policy is important Policy provides the rules that govern how systems should be configured and how users interact with systems, as well as how to treat these systems in normal and unusual situations. Policy defines what security there should be within an organization. Policy puts everyone on the same page, so that everyone understands what is expected of them.
Policy defines what security should be Policy defines how security should be implemented. This includes proper configurations on computers and network devices. Policy also defines how users should perform certain security-related duties, such as administration. Policy should also define how an organization reacts when met with an unusual situation.
Putting everyone on the same page Rules are an important part of running a good security program. It is important to understand that the security of an organization requires an organization to work together. Everyone needs to be subject to the same policies, and nobody should ever be above such policies.
Types of Policies Information Policy Defines what information is sensitive and how that information is to be protected. Sensitive information should be identified and protected accordingly. Security Policy Defines the technical requirements for security on computer systems and network devices.  Defines configuration of the network with regard to security. Should define requirements to be implemented, but not specific configuration steps.
Types of Policies Computer Use Policy Defines the "law" when it comes to who may use the computer systems and how. Defines ownership of computers, ownership of information, acceptable use, and privacy. Internet Use Policy Connectivity to the Internet is provided for business purposes, so that employees can perform their jobs, and should not be used for personal purposes.
Types of Policies Email Policy Defines the use of Email for personal and business use, access to the system, and what information can be sent via email. User Management Policy Defines the process and requirements when: New employee Hire Transferred or Change in Responsibilities Employee Termination
Types of Policies System Administration Policy Defines how security and system administration will work together to secure the organization's systems. Made up of parts including: software upgrades and patching, vulnerability scans, auditing of systems, policy reviews. Backup Policy Frequency, storage, and what is backed up.
Types of Policies Incident Response Procedure Defines how the organization will react when a computer security incident occurs. Most Security incidents are different, and thus the policy needs to define who has authority, and what needs to be done, not necessarily HOW things should be done. Parts of this policy include Objectives Event Identification Escalation Information Control Response
Types of Policies Configuration Management Procedures Defines the steps that will be taken to modify the state of the organization's computer or network systems. The purpose is to communicate changes, document changes, and keep the recorded state of the organization current. Change control procedures are also a very important part of this process.
Types of Policies Other Policies you should consider Design Methodology How things are designed with security in mind Disaster Recovery Plans How to recover from a disaster
Creating Appropriate Policy What is Important Find which policies are right for your organization; policy templates are useful. Defining Acceptable Behavior Regardless of organization type, there are certain types of behavior that are unacceptable and need to be defined.
Creating Appropriate Policy Identify Stakeholders Policy created in a vacuum rarely succeeds. It is up to the Security professional to drive policy development with help from the stakeholders of the organization, and have the policy fit the way the organization runs.
Creating Appropriate Policy Policy Development Security should be the driving purpose for most policies, and completely for Security Policies.  This does not mean that Security should write the policies without stakeholder input, rather that Security should take ownership of the project, and see it gets done. Begin the process with your outline, and then expand on it with stakeholder involvement
Deploy Policy Gaining Buy-in Every department of the organization that is affected by the policy must buy into the concept behind it. The policy process needs to be supported by upper management. Allow input to the policy from the stakeholders and users.
Deploy Policy Education The importance of this step cannot be overstated. Education on the policy, its objectives and user responsibilities is necessary for good policy deployment. Education should be given by the security department. Security awareness training is a good time to educate users.
Deploy Policy Implementation Radical changes in the environment can have adverse effects on the organization.  Gradual, and well planned transitions are much better. Don’t completely sacrifice security for gradual transitions.
Using the Policy Policy can be used as a club, but is much better used as an education tool. New Systems and Projects As new projects begin, the new policy and procedures should be followed from the start. If a new project cannot meet the requirements, this allows time for the organization to understand the added risk and look into mechanisms to manage or mitigate it.
Using the Policy Existing Systems and Projects As new policies are approved, each existing project and system in place should be examined to see whether it is in compliance, and if not, whether it can be made to comply with the policy. Security should work with the system administrators to develop fixes or changes to help the project comply with the policies. Some delay in work can be expected as part of this process, and understanding of this issue is necessary.
Using the Policy Audits Security should begin a process of audits to verify compliance of devices and users with the policy.  Auditors need to understand the policy and its objective before they are asked to audit against it. Periodic auditing is a necessary part of enforcement
Using the Policy Policy Reviews Even good policy does not last forever.  Circumstances change, and changes to the policy will be necessary. Review of the policies should be on a regular basis.
Security Best Practices
Administrative Security Resources Resources must be assigned to implement proper security practices. There is no formula that can be used to define how many resources should be put into security program based on size alone.
Administrative Security Staff No matter how large or small an organization is, someone must be given the tasks associated with managing information security. Security staff should have the following skills: Security Administration – understanding the day-to-day administration of security devices. Policy Development – experience in the development and maintenance of security policies, procedures and plans. Architecture – an understanding of network and system architectures and the implementation of new systems. Research – the examination of new security technologies to see how they may affect the risk to the organization. Assessment – experience conducting risk assessments. Audit – experience in conducting audits of systems or procedures.
Administrative Security Budget The size of a security budget of an organization is dependent on the scope and timeframe of the security project rather than the size of the organization. The expectation of many organizations is that more automation in security tools will allow the decrease in security staff and expenditures.  Unfortunately this is rarely the case. Very little about security can be automated because of the constantly changing issues of security, and threats
Administrative Security Responsibility Some person in the organization MUST have the responsibility for managing information security risk. Generally, the larger the organization, the greater the need for a Chief Information Security Officer (CISO). Regardless of the title, this person needs to take point on the issues and problems surrounding security in their organization.
Administrative Security Education Education of employees is one of the most important parts of managing security risk. Preventative Measures Employees should be told why it is important to protect the information resources Provide details on how they can comply with policies Security Best Practices Education Latest Threats and Techniques of Miscreants Current Vulnerabilities and Patches
Administrative Security Security Project Plans Improvement Plans – Projects that provide more in-depth security to existing or new implementations Assessment Plans – Security needs to develop plans for assessing risk to the organization. Vulnerability Assessment – Security departments should perform vulnerability assessments and scan on a regular basis
Technical Security Network Connectivity Internet Connections Network connections to outside entities or Internet should be protected with a Firewall. Firewalls Separate the internet from the internal network.  This prevents damage from an unsecured network interacting directly with an internal network.
Technical Security Education Networks Are Unique Internal networks are hostile too. Labs, student machines and teacher machines can all be sources of internal problems. Segment information resources with firewalls to protect against internal attacks as well.
Technical Security Malicious Code Protection Malicious code is one of the most prevalent threats to an organizations information. Files shared between home and work computers Files downloaded from the internet Email attachments Inserted through vulnerabilities Instant messenger Manage the threat Anti-virus software needs to be installed on all computers Anti-virus on email systems is also a necessity
Technical Security Authentication The most popular form of authentication is the password. Authentication prevents unauthorized access to information. Issues that should be considered as part of password policy and procedure: Password length – should be a minimum of 8 characters. Change frequency – passwords should not be older than 60 days. Password history – previously used passwords should not be re-used. Password content – passwords should be made up of a complex mix of character types. (Note that more recent guidance, such as NIST SP 800-63B, favors longer passphrases and screening against lists of known-breached passwords over forced periodic rotation and composition rules.) Other authentication methods are available but generally have an added cost: one-time passwords, tokens, biometrics.
Technical Security Monitoring Monitoring systems for unexpected activity has become a required activity.  Generally we divide this activity into: Audit and Intrusion Detection Audit Auditing is a mechanism that records activity.  Logs are the main source of this data.  Log files contain information about: Logins/Logoffs, Failed Logins, Connection Attempts, Privileged access and functions, Sensitive File Access
Technical Security Intrusion Detection An IDS monitors the network for known types of attack and sends out an alarm when suspicious activity is noticed.
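The audit slide lists what log files record (logins, failed logins, privileged access, sensitive file access) and the IDS slide says suspicious activity should raise an alarm, but neither shows how the two connect. The following added example, not code from the original course, does the simplest useful version of that: it parses a few constructed lines in the style of a Linux sshd/sudo auth log (made up for this example, not a real capture), raises a brute-force alert when one source fails a threshold number of logins inside a time window, escalates when that burst is followed by a successful login, and flags privileged commands that touch a sensitive file. Host names, addresses and user names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical): a password-guessing burst that
# eventually succeeds, a normal user mistyping once, and a privileged file read.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  3 10:01:05 host sshd[2011]: Failed password for root from 198.51.100.23 port 50123 ssh2
Mar  3 10:01:07 host sshd[2011]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  3 10:01:09 host sshd[2011]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar  3 10:01:12 host sshd[2011]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  3 10:01:15 host sshd[2011]: Accepted password for root from 198.51.100.23 port 50127 ssh2
Mar  3 10:05:00 host sshd[2040]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  3 10:05:20 host sshd[2040]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
Mar  3 10:30:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the year is assumed here for the sample data."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse(text):
    """Turn raw log text into event dicts; lines matching neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "kind": m["result"].lower(),
                           "user": m["user"], "ip": m["ip"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "kind": "sudo", "user": m["user"],
                           "target": m["target"], "cmd": m["cmd"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source IP fails `threshold` logins within `window`; escalate if a success follows."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] not in ("failed", "accepted"):
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["kind"] == "failed":
            recent.append(ev["ts"])
            failures[ev["ip"]] = recent
            if len(recent) == threshold:          # alert once per burst, not on every extra failure
                alerts.append(("bruteforce", ev["ip"], ev["ts"]))
        elif len(recent) >= threshold:            # success right after a burst: likely a compromised account
            alerts.append(("bruteforce_success", ev["ip"], ev["user"], ev["ts"]))
    return alerts


def detect_sensitive_access(events, paths=("/etc/shadow",)):
    """Flag privileged commands whose command line references a sensitive file."""
    return [(ev["user"], ev["target"], ev["cmd"]) for ev in events
            if ev["kind"] == "sudo" and any(p in ev["cmd"] for p in paths)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_bruteforce(evs) + detect_sensitive_access(evs):
        print(alert)
```

Two design points worth noticing: the window is evaluated relative to each event rather than on fixed clock boundaries, so a burst straddling a minute mark is not missed, and the "success after burst" rule is the one that deserves a human response, since a bare burst of failures against a host on the Internet is background noise.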
Technical Security Patching Systems Vendors release patches to correct bugs and vulnerabilities in software. Patches that correct vulnerabilities are of high importance to security, because without them the systems remain vulnerable to attack. Testing patches before deployment is important. Checking for patches on the various platforms is a critical exercise that needs to be performed by security and system administrators.

More Related Content

Ne Course Part Two

  • 1. Network Professional Course Information & Network Security U Nyein Oo Director/COO Myanma Computer Co., Ltd
  • 2. Information Security Basics Define Information Security Defined as: Measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities.
  • 3. Information Security Basics Different Type of Security Physical Security Communication Security Network Security
  • 4. Security is a Process Obviously, you cannot rely on just one of the types of security to protect your organization. Likewise, you cannot rely on a single security product “ie. Firewall” to provide protection to your computers and networks.
  • 5. Security is a Process Kinds of Security Process Anti Virus Software Access Control Firewall Intrusion Detection Policy Management Vulnerability Scanning
  • 6. Security is a Process Anti-Virus Software Anti-Virus software is necessary as part of a good security program. If properly implemented and configured, it can greatly reduce the networks exposure to malicious programs Anti-Virus will not however protect the network from being misused through exploiting a legitimate program or service.
  • 7. Security is a Process Access Controls Nearly all devices on a network have the ability to perform Access Control. If a system is properly implemented and configured, access to restricted or sensitive data becomes much more difficult. Access Controls will not necessarily prevent someone from using a system vulnerability and restricted data.
  • 8. Security is a Process Firewalls Firewalls are designed to protect an internal network from external attacks. By their nature, they are border security devices, and protect the networks at the border only. Properly configured, firewalls have become a network security necessity. However, a firewall cannot prevent a webserver with a vulnerability from being compromised if access to that web server is permitted. Firewalls will also not protect the internal network from internal attacks.
  • 9. Security is a Process Intrusion Detection IDS has the ability to recognize attack signatures and in some cases act what they identify. IDS is a system that generally only alerts someone of an attack attempt. However, IDS in many cases never prevents the attack from being successful. New technology in this arena is promising in being able to detect an attack and block it on the fly.
  • 10. Security is a Process Policy Management Policies and procedures are and important part of a good security program, and management of policies across computer systems is equally important. With policy management systems, an organization can be alerted when any system does not conform to a policy. However, policy management systems do not take into account vulnerabilities in systems or mis-configuration of applications. It also doesn’t guarantee that users will not write down passwords, or other access sensitive data.
  • 11. Security is a Process Vulnerability Scanning Scanning for vulnerabilities is another good part to a security program. Such scanning will help identify potential entry points for intruders. Vulnerability scanning does not protect computers. Security measures need to be implemented immediately after a vulnerability is identified. Vulnerability scanning will also not detect users who may already have illegitimate access to systems.
  • 12. Type of Attack The Following are kinds of Attack Access Attack Spoofing Eavesdropping Interception Modification Attack Changes in Data Insertion of Data Deletion of Data Denial of Service Attack Repudiation Attack
  • 13. Types of Attacks – Access Attacks An access attack is an attempt to gain access to information that the attacker is not authorized to see. This type of attack can occur wherever the information resides, or exists during transmission.
  • 14. Types of Attacks – Access Attacks Snooping Snooping is looking through information files in the hopes of finding something interesting. If the files are on a computer, the attacker will open file after file in an attempt to find valuable information.
  • 15. Types of Attacks – Access Attacks Eavesdropping Eavesdropping is when an attacker listens in on a conversation they are not part of. To gain access to unauthorized information via eavesdropping, an attacker must position himself in a location where the information of interest is likely to pass. Introduction of wireless networks has made this process much easier for attackers and their ability to “listen in”.
  • 16. Types of Attacks – Access Attacks Interception Eavesdropping is when an attacker listens in on a conversation they are not part of. To gain access to unauthorized information via eavesdropping, an attacker must position himself in a location where the information of interest is likely to pass. Introduction of wireless networks has made this process much easier for attackers and their ability to “listen in”. This type of attack can be very complex, and work on nearly every type of network.
  • 17. Types of Attacks – Modification Attacks A Modification attack is an attempt to modify information that an attacker is not authorized to modify. This attack can occur wherever the information resides. It may also be attempted while information is in transit. This type of attack is an attack against the integrity of the information.
  • 18. Types of Attacks – Modification Attacks Changes in Data Insertion of Data Deletion of Data Changes to databases, files and systems is hard to detect without proper countermeasures.
  • 19. Types of Attacks – Denial of Service Denial-of-Service (DoS) attacks are attacks that deny the use of resources to legitimate users of the system. DoS Attacks do not generally allow the attacker to change or access data, rather just prevents the use of the data. DoS Attacks are little more than vandalism Denial of Access to Information Denial of Access to Applications Denial of Access to Systems/ Communications
  • 20. Types of Attacks – Repudiation Attacks Repudiation is an attack against accountability of information. In other words, repudiation is an attempt to give false information or deny that the real event or transaction should have occurred.
  • 22. Why Security? Security needs to be implemented at many levels. Most important security measures is network security. There are many potential risks and preventive measure to network.
  • 23. Networking Basics Before securing networks , we must understand about the networks. There are many different networking protocols. At the Internet Protocol TCP/IP ( TCP and IP ) The Internet Protocol is based on the common networking model called OSI.
  • 24. OSI and TCP/IP Stack
  • 25. Packet Packets are comprised of smaller chunks of data that each layer apends onto the packet data it receives from the layer directly above it. The smaller chunks of data are refered to as datagram. The destination address is included in the packet by the network(IP) layer.
  • 26. Packet Sniffing Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer is a piece of software or hardware that monitors all network traffic. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear text passwords and usernames or other sensitive material.
  • 27. Use of Packet sniffer Searching for clear-text usernames and passwords from the network. Conversion of network traffic into human readable form. Network analysis to find bottlenecks. Network intrusion detection to monitor for attackers.
  • 28. Use of Sniffer (cont) Sniffers are very powerful tools for capturing data on the network such as passwords, and other system related data. As network have become larger, switches have made it only slightly harder to sniff traffic. Switches are not security devices, and can be abused so that sniffing is possible.
  • 29. Sniffing Methods There are three types of sniffing methods. Some methods works in non-switched network while others work in switched networks. The three main methods. IP based sniffing ( non switched network) MAC-based sniffing( hardware address match) ARP based sniffing ( man in the middle attack)
  • 30. Other network vulnerabilities The packet sniffing is one of the top vulnerabilities at the internet. The various protocol such as TCP, ICMP, and other well designed protocols has still some design problem which attackers take advantage. IP Spoofing is one of others threat.
  • 31. IP Spoofing A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. Newer routers and firewall arrangements can offer protection against IP spoofing.
  • 32. Firewall A firewall is a hardware or software solution to enforce security policies. In the physical security analogy, a firewall is equivalent to a door lock on a perimeter door or on a door to a room inside of the building - it permits only authorized users such as those with a key or access card to enter. A firewall has built-in filters that can disallow unauthorized or potentially dangerous material from entering the system. It also logs attempted intrusions.
  • 33. Firewalls Types of Firewalls Application Layer Firewalls Also called Proxy Firewalls, the rules of the firewall allow specific types of traffic to pass while others on the same service are denied Packet Filtering Firewalls By far the most popular out there, these firewalls allow for the blocking of packets based on state, port, protocol, size, etc, etc. Proxy A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it.
  • 34. Proxy (cont) A software agent that acts on behalf of a user, typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
  • 36. Why policy is important Policy provides the rules that govern how systems should be configured, how users interact with systems. Also how to treat these systems in normal and unusual situations. Policy defines what security there should be within an organization Policy puts everyone on the same page so everyone understands that is expected of them.
  • 37. Policy defines what security should be Policy defines how security should be implemented. This includes proper configurations on computers and network devices. Policy also defines how users should perform certain security-related duties, such as administration. Policy also should define how an organization reacts when met with an unusual situation.
  • 38. Putting everyone on the same page Rules are an important part of running a good security program. It is important to understand that the security of an organization requires an organization to work together. Everyone needs to be subject to the same policies, and nobody should ever be above such policies.
  • 39. Types of Policies Information Policy Defines what information is sensitive and how that information is to be protected. Sensitive information should be identified and protected accordingly. Security Policy Defines the technical requirements for security on computer systems and network devices. Defines configuration of the network with regard to security. Should define requirements to be implemented, but not specific configuration steps.
  • 40. Types of Policies Computer Use Policy Defines the “Law” when it comes to who may use the computer systems and how. Defines Ownership of computers, Ownership of information, Acceptable Use, and Privacy. Internet Use Policy Connectivity to the internet is provided for business purposes so that employees can perform their jobs, and should not be used for personal use.
  • 41. Types of Policies Email Policy Defines the use of Email for personal and business use, access to the system, and what information can be sent via email. User Management Policy Defines the process and requirements when: New employee Hire Transferred or Change in Responsibilities Employee Termination
  • 42. Types of Policies System Administration Policy Defines how security and system administration will work together to secure the organization's systems. Made up of parts including: Software Upgrades, Patching, Vulnerability Scans, Auditing of Systems, Policy reviews. Backup Policy Frequency, Storage, What is backed up
  • 43. Types of Policies Incident Response Procedure Defines how the organization will react when a computer security incident occurs. Most Security incidents are different, and thus the policy needs to define who has authority, and what needs to be done, not necessarily HOW things should be done. Parts of this policy include Objectives Event Identification Escalation Information Control Response
  • 44. Types of Policies Configuration Management Procedures Defines the steps that will be taken to modify the state of the organization's computer or network systems. Purpose is to communicate changes, document changes, and update the state of the organization. Change control procedures are also a very important part of this process.
  • 45. Types of Policies Other Policies you should consider Design Methodology How things are designed with security in mind Disaster Recovery Plans How to recover from a disaster
  • 46. Creating Appropriate Policy What is Important Find which policies are right for your organization. Policy templates are useful. Defining Acceptable Behavior Regardless of organization type, there are certain types of behavior that are unacceptable and need to be defined.
  • 47. Creating Appropriate Policy Identify Stakeholders Policy created in a vacuum rarely succeeds. It is up to the Security professional to drive policy development with help from the stakeholders of the organization, and have the policy fit the way the organization runs.
  • 48. Creating Appropriate Policy Policy Development Security should be the driving purpose for most policies, and completely for Security Policies. This does not mean that Security should write the policies without stakeholder input, rather that Security should take ownership of the project and see that it gets done. Begin the process with your outline, and then expand on it with stakeholder involvement.
  • 49. Deploy Policy Gaining Buy-in Every department of the organization that is affected by the policy must buy into the concept behind it. The policy process needs to be supported by upper management. Allow input to the policy from the stakeholders and users.
  • 50. Deploy Policy Education The importance of this process cannot be overstated. Education on the policy, its objectives and user responsibilities is necessary for good policy deployment. Education should be given by the security department. Security Awareness training is a good time to educate users.
  • 51. Deploy Policy Implementation Radical changes in the environment can have adverse effects on the organization. Gradual, well-planned transitions are much better. Don’t completely sacrifice security for gradual transitions.
  • 52. Using the Policy Policy can be used as a CLUB, but is much better if used as an education tool. New Systems and Projects As new projects begin, the new policy and procedures should be followed from the start. If a new project cannot meet the requirements, this allows time for the organization to understand the added risk and look into mechanisms to manage or mitigate it.
  • 53. Using the Policy Existing Systems and Projects As new policies are approved, each existing project and system in place should be examined to see whether it is in compliance, and if not, whether it can be made to comply with the policy. Security should work with the system administrators to develop fixes or changes to help the project comply with the policies. Some delay in work can be expected as part of this process, and understanding of this issue is necessary.
  • 54. Using the Policy Audits Security should begin a process of audits to verify compliance of devices and users with the policy. Auditors need to understand the policy and its objective before they are asked to audit against it. Periodic auditing is a necessary part of enforcement
  • 55. Using the Policy Policy Reviews Even good policy does not last forever. Circumstances change, and changes to the policy will be necessary. Review of the policies should be on a regular basis.
  • 57. Administrative Security Resources Resources must be assigned to implement proper security practices. There is no formula that can be used to define how many resources should be put into a security program based on size alone.
  • 58. Administrative Security Staff No matter how large or small an organization is, someone must be given the tasks associated with managing information security. Security Staff should have the following skills: Security Administration – Understanding the day-to-day administration of security devices. Policy Development – Experience in development and maintenance of security policies, procedures and plans. Architecture – An understanding of network and system architectures and the implementation of new systems. Research – The examination of new security technologies to see how they may affect the risk to the organization. Assessment – Experience conducting risk assessments. Audit – Experience in conducting audits of systems or procedures.
  • 59. Administrative Security Budget The size of an organization's security budget is dependent on the scope and timeframe of the security project rather than the size of the organization. The expectation of many organizations is that more automation in security tools will allow a decrease in security staff and expenditures. Unfortunately this is rarely the case. Very little about security can be automated because of the constantly changing issues and threats in security.
  • 60. Administrative Security Responsibility Some person in the organization MUST have the responsibility for managing information security risk. Generally, the larger the organization, the higher the need for a Chief Information Security Officer (CISO). Regardless of the title, this person needs to take point on the issues and problems surrounding security in their organization.
  • 61. Administrative Security Education Education of employees is one of the most important parts of managing security risk. Preventative Measures: Employees should be told why it is important to protect the information resources. Provide details on how they can comply with policies. Security Best Practices Education: Latest Threats and Techniques of Miscreants, Current Vulnerabilities and Patches.
  • 62. Administrative Security Security Project Plans Improvement Plans – Projects that provide more in-depth security to existing or new implementations. Assessment Plans – Security needs to develop plans for assessing risk to the organization. Vulnerability Assessment – Security departments should perform vulnerability assessments and scans on a regular basis.
  • 63. Technical Security Network Connectivity Internet Connections Network connections to outside entities or the Internet should be protected with a Firewall. Firewalls separate the internet from the internal network. This prevents damage from an unsecured network interacting directly with an internal network.
  • 64. Technical Security Education Networks Are Unique Internal networks are hostile too. Labs, students, and teacher machines can cause internal problems. Segment information resources with firewalls to protect against internal attacks as well.
  • 65. Technical Security Malicious Code Protection Malicious code is one of the most prevalent threats to an organization's information. It arrives through: Files shared between home and work computers, Files downloaded from the internet, Email attachments, Insertion through vulnerabilities, Instant messenger. Manage the threat: Anti-virus software needs to be installed on all computers. Anti-virus on email systems is also a necessity.
  • 66. Technical Security Authentication The most popular form of authentication is passwords. Authentication prevents unauthorized access to information. Issues that should be considered as part of password policy and procedure: Password length – Should be a minimum of 8 characters. Change frequency – Should not be older than 60 days. Password History – Used passwords should not be re-used. Password Content – Should be made up of complex characters and content. Other authentication methods are available but generally have an added cost: One-time Passwords, Tokens, Biometrics.
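The four password policy points above (8-character minimum, 60-day maximum age, no reuse, complexity) as an added, runnable example that is not part of the course material. The history depth of 5, the three-of-four character-class rule and the use of PBKDF2 for the stored history are assumptions made for the example.

```python
import hashlib
import os
import string

# Policy parameters from the slide; HISTORY_SIZE is an assumed value.
MIN_LENGTH = 8
MAX_AGE_SECONDS = 60 * 86400   # 60 days
HISTORY_SIZE = 5


def _hash(password: str, salt: bytes) -> bytes:
    # Keep only salted PBKDF2 hashes of past passwords, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_ok(password: str) -> bool:
    """Assumed rule: at least three of lower, upper, digit, punctuation."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


class PasswordRecord:
    """Per-user state: recent password hashes and last change time (epoch seconds)."""

    def __init__(self):
        self.history = []        # list of (salt, hash), newest last
        self.changed_at = None

    def violations(self, candidate: str) -> list:
        """Return the policy rules a candidate password breaks (empty if none)."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("too_short")
        if not complexity_ok(candidate):
            problems.append("not_complex")
        if any(_hash(candidate, salt) == h for salt, h in self.history):
            problems.append("reused")
        return problems

    def set_password(self, candidate: str, now: float) -> bool:
        """Accept the password only if it passes policy; record it in the history."""
        if self.violations(candidate):
            return False
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(candidate, salt))])[-HISTORY_SIZE:]
        self.changed_at = now
        return True

    def expired(self, now: float) -> bool:
        """True when the password is older than the 60-day change frequency."""
        return self.changed_at is None or now - self.changed_at > MAX_AGE_SECONDS
```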
  • 67. Technical Security Monitoring Monitoring systems for unexpected activity has become a required activity. Generally we divide this activity into: Audit and Intrusion Detection Audit Auditing is a mechanism that records activity. Logs are the main source of this data. Log files contain information about: Logins/Logoffs, Failed Logins, Connection Attempts, Privileged access and functions, Sensitive File Access
  • 68. Technical Security Intrusion Detection An IDS monitors the network for known types of attacks and sends out an alarm when suspicious activity is noticed.
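Slides 67 and 68 list what audit logs record (logins, failed logins, privileged access, sensitive file access) and say an IDS alarms on suspicious activity. The following added example (not from the course) runs simple detection rules over a constructed audit log in an invented line format; the thresholds, the event names and the sensitive path prefix are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real system output), one event per line:
# "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2024-03-01T09:00:01 login_failed user=alice src=203.0.113.5
2024-03-01T09:00:04 login_failed user=alice src=203.0.113.5
2024-03-01T09:00:07 login_failed user=alice src=203.0.113.5
2024-03-01T09:00:09 login_failed user=alice src=203.0.113.5
2024-03-01T09:00:10 login_failed user=alice src=203.0.113.5
2024-03-01T09:00:20 login_ok user=alice src=203.0.113.5
2024-03-01T09:30:00 login_failed user=bob src=198.51.100.7
2024-03-01T10:00:00 privileged user=bob action=sudo target=root
2024-03-01T10:02:00 file_access user=bob path=/finance/payroll.xlsx
"""

FAILED_THRESHOLD = 5                   # assumed: 5 failures ...
FAILED_WINDOW = timedelta(minutes=1)   # ... within one minute raises an alarm
SENSITIVE_PREFIXES = ("/finance/",)    # assumed sensitive file location


def parse_line(line: str):
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def detect(log_text: str) -> list:
    """Return (alert_type, user, detail) tuples found in the log."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        key = (f.get("user"), f.get("src"))
        if event == "login_failed":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > FAILED_WINDOW:   # drop failures outside window
                q.popleft()
            if len(q) == FAILED_THRESHOLD:
                alerts.append(("repeated_failed_logins", key[0], key[1]))
        elif event == "login_ok" and failures.get(key):
            alerts.append(("success_after_failures", key[0], key[1]))
        elif event == "privileged":
            alerts.append(("privileged_access", f["user"], f.get("target", "")))
        elif event == "file_access" and f["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_file_access", f["user"], f["path"]))
    return alerts
```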
  • 69. Technical Security Patching Systems Vendors release patches to correct bugs and vulnerabilities on software. Patches that correct vulnerabilities are of high importance to security because without them, the systems become vulnerable to attack. Testing patches is important Checking for patches on the various platforms is a critical exercise needing to be performed by Security and System Administrators