1 Security Defense Strategy Basics Joseph E. Cannon, PhD Professor of Computer and Information Sciences Harrisburg University of Science and Technology
2 Only two things in the water after dark. Gators and gator food. Old Florida Saying
3 Information Security Defense Strategy Basics Abstract As more and more people become wired, an increasing number of people need to understand the basics of information security in a networked world. This presentation was developed with the information systems manager in mind and explains the concepts needed to understand Computer and Network Security. The presentation goes on to consider risk management, network threats, firewalls, and more special-purpose secure networking devices. This presentation is designed to make all managers aware of the full spectrum of threats and vulnerabilities in information systems. The participant will recognize that information security is more than just technical solutions but is a defense strategy that balances Technology, Policy, Practice, Awareness, and Training. Each participant will come to understand that information security is a complicated subject, which historically was only tackled by well-trained and experienced experts.
4 What is Security? The quality or state of being secure to be free from danger. What is Computer Security? Answer depends upon the perspective of the person you re asking. The Network Administrator has a different perspective than an end user or a security professional. A computer is secure if you can depend on it and its software to behave as you expect. [Garfinkel, Spafford]
5 What is Computer Security? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information. Principles of Information Security, 3 rd Edition
6 Security Vulnerabilities People are the weakest link. You can have the best technology: firewalls, intrusion-detection systems, biometric devices... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything. Kevin Mitnick Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity. Perfect security is impossible Lock computer in a safe and don t use it Or, accept some risk
7 Computer Security Basics 1 CIA Triad - Goals for implementing security practices. Information Security Availability
8 Confidentiality CIA Triad Confidential information should not be accessible to unauthorized users. Integrity Data may only be modified through an authorized mechanism. Availability Authorized users should be able to access data for legitimate purposes as necessary.
9 Computer Security Basics DAD Triad - Goals for defeating the security of an organization. Information Security Availability Denial
10 DAD Triad Disclosure Unauthorized individuals gain access to confidential information. Alteration Data is modified through some unauthorized mechanism. Denial Authorized users cannot gain access to a system for legitimate purposes. DAD activities may be malicious or accidental.
11 Threats to Security Hacker Anyone who attempts to penetrate the security of an information system, regardless of intent. Early definition included anyone very proficient in computer use. Malicious code object Virus, worm, Trojan horse A computer program that carries out malicious actions when run on a system. Malicious insider Someone from within the organization that attempts to go beyond the rights and permissions that they legitimately hold. Security professionals and system administrators are particularly dangerous.
12 Risk Analysis Actions involved in risk analysis: Determine which assets are most valuable Identify risks to assets Determine the likelihood of each risk occurring Take action to manage the risk First steps of risk analysis process: Identify the information assets in the organization hardware, software, and data Assign value to those assets using a valuation method Assigning value to assets is the foundation for decisions about cost/benefit tradeoffs
13 Risk Analysis Second step in risk analysis process: Two major classifications of risk assessment techniques Qualitative Quantitative Vulnerability An internal weakness in a system that may potentially be exploited Not having antivirus software is an example Threat A set of external circumstances that may allow a vulnerability to be exploited The existence of a particular virus for example Risk occurs when a threat and a corresponding vulnerability both exist
14 Identifying and Assessing Risk Qualitative Risk Assessment Focuses on analyzing intangible properties of an asset rather than monetary value. Prioritizes risks to aid in the assignment of security resources. Relatively easy to conduct
15 Identifying and Assessing Risk Quantitative Risk Assessment Assigns dollar values to each risk based on measures such as asset value, exposure factor, annualized rate of occurrence, single loss expectancy, and annualized loss expectancy. Uses potential loss amount to decide if it is worth implementing a security measure.
16 Managing Risks Risk Avoidance Used when a risk overwhelms the benefits gained from having a particular mechanism available. Avoid any possibility of risk by disabling the mechanism that is vulnerable. Disabling is an example of risk avoidance. Risk Mitigation Used when a threat poses a great risk to a system. Takes preventative measures to reduce the risk. A firewall is an example of risk mitigation.
17 Risk Acceptance Managing Risk Do nothing to prevent or avoid the risk. Useful when risk or potential damage is small. Risk Transference Ensure that someone else is liable if damage occurs. Buy insurance for example. Combinations of the above techniques are often used.
19 Considering Security Tradeoffs Security can be looked at as a tradeoff between risks and benefits. Cost of implementing the security mechanism and the amount of damage it may prevent. Tradeoff considerations are security, user convenience, business goals, and expenses.
20 Considering Security Tradeoffs An important tradeoff involves user convenience Between difficulty of use and willingness of users. If users won t use a system because of cumbersome security mechanisms, there is no benefit to having security. If users go out of their way to circumvent security, the system may be even more vulnerable.
21 Policy and Education Cornerstone of a security effort is to Implement proper policies Educate users about those policies Information security policies should be Flexible enough not to require frequent rewrites Comprehensive enough to ensure coverage of situations Available to all members of the organization Readable and understandable
22 Common Security Policies Separation of Privileges: No single person should have enough authority to cause a critical event to happen. Tradeoff between security gained and manpower required to achieve it. Least Privilege: An individual should have only the minimum level of access controls necessary to carry out job functions. A common violation of this principle occurs because of administrator inattention. Users are placed in groups that are too broad. Another common violation occurs because of privilege creep. Users are granted new privileges when they change roles without reviewing existing privileges.
23 Common Security Policies Defense in Depth Defenses should be layered. Layers begin with points of access to a network and continue with cascading security at bottleneck points. Security through Obscurity In early days of computing, administrators depended upon secrecy about the security that was in place. No longer very effective in most cases because so much information is freely available.
24 Defense in Depth 1
25 Security Policies Goal is to have clearly defined security objectives: Design specific controls Keep users informed of expected behavior A security policy should be a written document. Available to all users of an organizational information system. Security policies range from single documents to multiple documents for specialized use or for specific groups of users.
26 Acceptable Use Policy Defines allowable uses of an organization s information resources. Must be specific enough to guide user activity but flexible enough to cover unanticipated situations Should answer key questions What activities are acceptable? What activities are not acceptable? Where can users get more information as needed? What to do if violations are suspected or have occurred?
27 Confidentiality Policy Outlines procedures used to safeguard sensitive information. Should cover all means of information dissemination including telephone, print, verbal, and computer. Questions include What data is confidential and how should it be handled? How is confidential information released? What happens if information is released in violation of the policy? Employees may be asked to sign nondisclosure agreements.
28 Wireless Device Policy Includes mobile phones, PDAs, palm computers. Users often bring personal devices to the workplace. Policy should define Types of equipment that can be purchased by the organization. Type of personal equipment that may be brought into the facility. Permissible activities. Approval authorities for exceptions.
29 Education Includes education and training programs for affected employees. Users should be aware of their responsibilities with regard to policies. Two types of training Initial training is a one-time program early in an employee s tenure with company Refresher training should be done periodically to Remind employees of their responsibilities Provide employees with updates of policies and technologies that affect their responsibilities
30 Enforcement and Maintenance Policies should define responsibilities for Reporting violations. Procedures when violations occur. Policies should be strictly enforced. Policy changes occur as companies and technologies change. Policies should contain provisions for modification through maintenance procedures. Common to have periodic reviews mandated.
31 Personnel Security People are the weakest link in a security system. Perform background investigations Should include criminal record checks, reference evaluations. Monitor employee activity Can include monitoring Internet activity, surveillance cameras, telephone recording. Exit procedures for employees leaving the company. Remind employees of any nondisclosure agreements.
32 Authentication Authentication is validation of a client s identity. Four general ways in which authentication is carried out: What a client knows What a client has Who a client is What a client produces
33 Effectiveness of Biometrics Biometric technologies evaluated on three basic criteria: False reject rate False accept rate Crossover error rate (CER) Balance must be struck between how acceptable security system is to users and its effectiveness in maintaining security. Many biometric systems that are highly reliable and effective are considered intrusive. As a result, many information security professionals, in an effort to avoid confrontation and possible user boycott of biometric controls, don t implement them.
34 Principles of Information Security
35 Some Web Articles Flash on College Web Sites Why Can't Johnny Develop Secure Software? Wanted: Young cyber experts to defend Internet Fighting back against web attacks
36 10 Web Articles on Security AIRLINE SECURITY: THE TECHNICAL TASK OF CONNECTING DOTS As attacks increase, U.S. struggles to recruit computer security experts Carnegie Mellon Researcher Says Privacy Concerns Could Limit Benefits from Real-Time Data Analysis Cell phone Encryption Code Is Divulged How could Santa know if you ve been good or bad? HP researchers try to tell you who your friends are In Shift, U.S. Talks to Russia on Internet Security Motion-sensing phones that predict your every move Moving Video to "Captcha" Robot Hackers Securing the Information Highway
37 References 1. Principles of Information Security, 3rd Edition 2. Information Security Risk Assessment GAO Practices of Leading Organizations A Supplement to GAO s May 1998 Executive Guide on Information Security Management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction
Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
E-Commerce Security and Fraud Protection CHAPTER 9 LEARNING OBJECTIVES 1. Understand the importance and scope of security of information systems for EC. 2. Describe the major concepts and terminology of
Cybersecurity for the C-Level Director Glossary of Defined Cybersecurity Terms A Active Attack An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources,
Managing Information Resources and IT Security Management Information Code: 164292-02 Course: Management Information Period: Autumn 2013 Professor: Sync Sangwon Lee, Ph. D D. of Information & Electronic
Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding
National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.
IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly
CSCI 454/554 Computer and Network Security Instructor: Dr. Kun Sun About Instructor Dr. Kun Sun, Assistant Professor of Computer Science http://www.cs.wm.edu/~ksun/ Phone: (757) 221-3457 Email: firstname.lastname@example.org
Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...
BE SAFE ONLINE: Lesson Plan Overview Danger lurks online. Web access, social media, computers, tablets and smart phones expose users to the possibility of fraud and identity theft. Learn the steps to take
Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing
Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
Cyber Security: An Introduction Security is always a trade-off between convenience and protection. A good security policy is convenient enough to prevent users from rebelling, but still provides a reasonable
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL
POLICIES AND PROCEDURES NEW JERSEY EARLY INTERVENTION SYSTEM No: NJEIS-17 Subject: Computers & Electronic Records Effective Date: May 1, 2011 Responsible Party: Part C Coordinator I. Purpose To protect
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
E-BUSINESS THREATS AND SOLUTIONS E-BUSINESS THREATS AND SOLUTIONS E-business has forever revolutionized the way business is done. Retail has now a long way from the days of physical transactions that were
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com WHITE PAPER Malicious Code and Mobile Devices: Best Practices for Securing Mobile Environments Sponsored
VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance Valerie J.M. Watzlaf, PhD, RHIA, FAHIMA, Sohrab Moeini, MS, and Patti Firouzan, MS, RHIA Department of Health Information
HIPAA Training Part III Health Insurance Portability and Accountability Act POLICIES & PROCEDURES Goals Learn simple ways to protect information. Learn how to continually give training. Learn how to continually
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
Gerry Cochran, IT Specialist Jennifer Van Tassel, Associate Examiner Office of the State Comptroller Thomas P. DiNapoli State & Local Government Accountability Andrew A. SanFilippo Executive Deputy Comptroller
The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.
82-10-43 Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff Social engineering is the term that hackers use to describe attempts to obtain information about computer systems through
Electronic Fraud Awareness Advisory Indiana Bankers Association Fraud Awareness Task Force February, 2012 Electronic Fraud Awareness Advisory Purpose/Summary The Indiana Bankers Association (IBA) was involved
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,
10 Best Practices to Protect Your Network presented by Saalex Information Technology and Citadel Group Presented by: Michael Flavin and Stan Stahl Saalex Information Technology Overview Saalex Information
Chapter 10 Objectives Describe the major concepts and terminology of EC security. Understand phishing and its relationship to financial crimes. Describe the information assurance security principles. Identify
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,
Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
Small Business Security Issues (Research Project) Introduction Small companies have a gamete of security problems or issues in today s competitive market place including vulnerabilities, threats, and risks.
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Education Network Security Controls Information Technology Audit May 5, 2010 Report 10-17 FINANCIAL
WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and
The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
Introduction to Information Security Chapter 1 Information Security Basics Winter 2015/2016 Stefan Mangard, www.iaik.tugraz.at What is Information Security? 2 Security vs. Safety The German word Sicherheit
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY
Welcome to Valley Express (VE) Valley Express is Valley Health Plan s (VHP) Authorization and Referral data system. By signing this document, the individual signifies that the County s User Responsibility
61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
1 Austin Peay State University Identity Theft Operating Standards (APSUITOS) I. PROGRAM ADOPTION Austin Peay State University establishes Identity Theft Operating Standards pursuant to the Federal Trade
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
A WHITE PAPER SDX Technologies Today s Cybersecurity Technology: Is Your Business Getting Full Protection? 1 Today s Cybersecurity Technology EXECUTIVE SUMMARY Information technology has benefited virtually
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS