Security Concepts and Goals PDF
Document Details
STI
Summary
This document discusses security concepts and goals, with a focus on security tactics for people, processes, and technology. It emphasizes the importance of employee training, incident response planning, threat research, and asset prioritization in cybersecurity.
Full Transcript
IT1914
Security Concepts and Goals

Subjects and Objects of Security

Security Tactics for People, Processes, and Technology
As IT teams seek to create a layered security environment, they should consider the following tactics:

1. People – Employees can create some of the greatest risks to cybersecurity. When they are well informed, however, they can also be an asset and the first line of defense. Often, cybercriminals will specifically target employees as an attack vector because of their lack of knowledge of security practices. For example, cybercriminals might target employees with phishing e-mails to get them to click on a malicious link or divulge credentials. With this in mind, it is imperative that organizations conduct regular training sessions throughout the year to keep employees aware of potential scams and of how they can make their organization vulnerable. Training programs like these will create a strong culture of cybersecurity that can go a long way toward minimizing threats. A few of the cyber hygiene points IT teams will want to inform employees of include the following:
- Creating strong passwords that are unique to each account and not reused
- Ensuring personal and work passwords are separate
- Not opening or clicking links in suspicious e-mails or from unfamiliar senders
- Ensuring applications and operating systems are regularly updated as soon as patches are released
- Not installing any unknown outside software, as these can open security vulnerabilities in the network
- Immediately reporting any unusual behavior or anything strange happening on their computers

2. Processes – This layer of cybersecurity ensures that IT teams have strategies in place to proactively prevent cybersecurity incidents and to respond quickly and effectively when one occurs. IT security teams should have a cyber-incident response plan in place.
A good incident response plan will provide an organization with repeatable procedures and an operational approach to addressing cybersecurity incidents so that business processes can be recovered as quickly and efficiently as possible. Additionally, ensuring proper backups are in place and regularly testing these backups is imperative to minimize downtime and increase the chances of data recovery after a cyber-event. Next are the collection and analysis of threat research. Every security strategy and tool must be informed by current threat intelligence to detect and respond to threats effectively. For example, threat research might reveal that cybercriminals have been carrying out attacks through a specific vulnerability or targeting endpoints with a specific malware. Armed with this information, IT teams can then take proactive measures by making any necessary system updates and increasing monitoring to detect behavior indicative of one of these attacks. It is also important that IT teams consult both local and global threat data for the most comprehensive understanding of the threat landscape. Another important process for achieving effective cybersecurity is the prioritization of assets. While IT teams remain strained by a cybersecurity skills gap, networks have become increasingly sophisticated, making it impossible to monitor each area of the network manually at all times. Security teams can develop policies and deploy strategies to keep the most critical data more secure and minimize consequences. This might mean using network segmentation to add an extra level of security or creating access control policies based on who needs access to these specific sets of data.

02 Handout 1 *Property of STI [email protected] Page 1 of 6

3. Technology – There is a host of technologies that security teams can implement to layer their defenses.
It is important that IT teams do not implement isolated point solutions as they layer their defenses, but rather select tools based on their ability to be integrated and automated, creating a security fabric that can facilitate the rapid detection and mitigation of threats. Another tactic that IT teams should leverage is deception technology. Network complexity is an Achilles heel for adversaries. Deception technologies level the playing field by automating the creation of dynamic decoys that are dispersed throughout the IT environment, making it harder for the adversary to determine which assets are fake and which are real. When an adversary cannot make this distinction, cybercriminals are forced to waste time on fake assets and to exercise caution as they look for tripwires embedded in these fake environments.

Emerging Technologies in Cybersecurity

Hardware authentication – It is a well-known fact that the majority of users' passwords and usernames are weak. This makes it easy for hackers to gain access to information systems and compromise the sensitive data of a business entity or government agency. This has also put pressure on systems security experts to come up with more secure authentication methods. One of these is the development of user hardware authentication. Hardware authentication can be especially important for the Internet of Things (IoT), where the network of connected devices must ensure that any device seeking to connect has the rights to connect to that particular network.

Cloud technology – Cloud technology is set to have a significant impact on the transformation of systems security technology. More business enterprises and government agencies have embraced cloud technology to store the vast amounts of information they generate daily. More approaches to information systems security will be developed for use in the cloud, and techniques for on-premises data storage will be migrated to the cloud.
Components such as virtualized intrusion detection and prevention systems, virtualized firewalls, and virtualized systems security will now be used from the cloud as opposed to the traditional forms. Both private and public entities have doubled up their data center security by using Infrastructure as a Service (IaaS) offerings such as FireHost and Amazon.

Deep learning – Deep learning encompasses technologies like machine learning and artificial intelligence. There is a significant deal of interest in these technologies for systems security. Deep learning, just like behavior analytics, focuses on anomalous behavior. Whenever artificial intelligence and machine learning systems are fed the right data regarding potential systems security threats, they can make decisions on how to prevent hacks depending on their immediate environment, without human intervention. The system scrutinizes entities, rather than users, that have access to the information system. The most recent developments in machine learning technology and precise business analytics mean that we can now analyze the different entities found in the enterprise at both the macro and the micro level. Business organizations and government agencies can now stamp out persistent or advanced cyber threats using artificial intelligence and machine learning.

Five (5) Types of Cybersecurity (Security rendered in the network)

Critical Infrastructure Security
  Description: This consists of the cyber-physical systems that modern societies rely on.
  Example: Electricity grid, water purification, traffic lights, shopping centers, and hospitals

Application Security
  Description: Applications are more accessible over networks, which makes the adoption of security measures during the development phase an imperative phase of the project.
  Example: Antivirus programs, firewalls, and encryption

Network Security
  Description: This ensures that internal networks are secured by protecting the infrastructure and inhibiting access to it.
  Example: Extra logins, new passwords, and application security (firewalls, monitored Internet access, antispyware, antivirus)

Cloud Security
  Description: It is a software-based security tool that protects and monitors data in cloud resources. Cloud providers are constantly creating and implementing new security tools to help enterprise users better secure their data.
  Example: Software as a Service, Infrastructure as a Service, private, on-site cloud, and virtualization

Internet of Things (IoT) Security
  Description: IoT refers to a wide variety of critical and non-critical cyber-physical systems like appliances, sensors, televisions, Wi-Fi routers, printers, and security cameras.
  Example: Connected security systems, thermostats, cars, electronic appliances, and speaker systems

Security Objectives

Security Policy
A security policy is a set of rules that applies to activities involving the computer and communications resources that belong to an organization. These rules cover areas such as physical security, personnel security, administrative security, and network security. The security policy defines what an organization wants to protect and what it expects of its system users. It provides a basis for security planning when designing new applications or expanding the current network. It describes user responsibilities such as protecting confidential information and creating nontrivial passwords. The security policy should also describe how the effectiveness of security measures will be monitored. Such monitoring helps in determining whether someone is attempting to circumvent the safeguards. To develop a security policy, clearly define the security objectives. Afterward, take steps to put into effect the rules it contains. These steps should include training employees and adding the necessary software and hardware to enforce the rules.
When making changes in the computing environment, update the security policy as well.

Security Objectives
When creating and carrying out a security policy, one must have clear objectives. These objectives must fall into one (1) or more of the following categories:

Resource Protection – The resource protection scheme ensures that only authorized users can access objects on the system. The ability to secure all types of system resources is a system strength. As such, carefully define the different categories of users that can access the system. In addition, define what access authorization can be given to these groups of users as part of creating the security policy.

Authentication – This is the assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be. Solid authentication defends a system against the security risk of impersonation, in which a sender or receiver uses a false identity to access a system. Traditionally, systems used passwords and usernames for authentication. Now, digital certificates can provide a more secure method of authentication while offering other security benefits as well.

Authorization – This is the assurance that the person or computer at the other end of the session has permission to carry out the request. Authorization is the process of determining who or what can access system resources or perform certain activities on a system. Typically, authorization is performed in the context of an application.

Integrity – This is the assurance that the arriving information is the same as what was sent out. Understanding integrity requires understanding the concepts of data integrity and system integrity.
  o Data Integrity – Data is protected from unauthorized changes or tampering. Data integrity defends against the security risk of manipulation, the act of intercepting and changing information that one is not authorized to change.
  o System Integrity – The system provides consistent and expected results with expected performance.

Nonrepudiation – This is the proof that a transaction occurred, or that a user sent or received a message. The use of digital certificates and public key cryptography to sign transactions, messages, and documents supports nonrepudiation. Both the sender and the receiver agree that the exchange took place; the digital signature on the data provides the necessary proof.

Confidentiality – This is the assurance that sensitive information remains private and is not visible to an eavesdropper. Confidentiality is critical to total data security.

Auditing Security Activities – These monitor security-relevant events to provide a log of both successful and unsuccessful (denied) access. Successful access records tell who is doing what on the systems. Unsuccessful (denied) access records tell either that someone is attempting to break the security or that someone is having difficulty accessing the system.

IT Security Framework
Below are some key frameworks that are widely used in the industry.

1. National Institute of Standards and Technology (NIST) – NIST is a federal agency within the United States Department of Commerce. Its mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. It also establishes IT standards and guidelines for federal agencies. Its Cybersecurity Framework is completely optional, but it is designed to increase the resilience of an organization's defenses. The Cybersecurity Framework consists of three (3) main components:
- Framework core – It provides a set of desired cybersecurity activities and outcomes using a common language that is easy to understand.
- Framework implementation tiers – These assist organizations by providing context on how an organization views cybersecurity risk management.
- Framework profiles – These are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

2. ISO/IEC 27000 family – The International Organization for Standardization developed the ISO 27000 series. Because it is broad in scope, any type or size of organization can benefit from being familiar with it and adopting its recommendations, as appropriate to its industry and business type. ISO 27000 is a systematic approach to managing sensitive information securely, also known as an Information Security Management System (ISMS). It includes managing risk for people, processes, and IT systems. This family is divided into different sub-standards, some of which apply to specific industries, while others are specific to operational choices. ISO 27000 includes a six-part approach:
  I. Define a security policy.
  II. Define the scope of the ISMS.
  III. Conduct a risk assessment.
  IV. Manage identified risks.
  V. Select control objectives and controls to be implemented.
  VI. Prepare a statement of applicability.

3. Payment Card Industry Data Security Standard (PCI DSS) – It was initiated to ensure that businesses processing card payments do so securely and to help reduce card fraud. This payment standard has principal requirements, all of which are covered by these six (6) categories:
  I. Build and maintain a secure network.
  II. Protect card data.
  III. Maintain a vulnerability program.
  IV. Implement strong access control measures.
  V. Regularly monitor and test networks.
  VI. Maintain an information security policy.

Security Architecture
Security architecture is a unified security design that addresses the necessities and potential risks involved in a particular scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.
In security architecture, the design principles are clearly reported, and in-depth security control specifications are generally documented in independent documents. A system architecture can be considered a design that includes a structure and can address the connection between the components of that structure. The key attributes of security architecture are as follows:

Relationships and Dependencies – These signify the relationship between the various components inside the IT architecture and how they depend on each other.

Benefits – Security architecture's main advantage is its standardization, which makes it affordable. It is cost-effective due to the re-use of controls described in the architecture.

Form – Security architecture is associated with IT architecture; however, it may take a variety of forms. It includes a catalog of conventional controls in addition to relationship diagrams and principles.

Drivers – Security controls are determined based on these four (4) factors:
  o Risk management
  o Benchmarking and good practice
  o Financial
  o Legal and regulatory

The key phases in the security architecture process are as follows:

Architecture Risk Assessment – This evaluates the business influence of vital business assets and the odds and effects of vulnerabilities and security threats.

Security Architecture and Design – This is the design and architecture of security services, which facilitate business risk exposure objectives.

Implementation – Security services and processes are implemented, operated, and controlled. Assurance services are designed to ensure that the security policy and standards, security architecture decisions, and risk management are mirrored in the real runtime implementation.

Operations and Monitoring – These are the day-by-day processes, such as threat and vulnerability management and threat management.
Measures are taken to supervise and handle the operational state in addition to the depth and breadth of the systems security.
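As an added example that is not part of the handout, the following script ties three of the objectives above together: Resource Protection (categories of users and what each may access), Authorization (the per-request check) and Auditing Security Activities (a log of allowed and denied access reviewed as part of day-to-day Operations and Monitoring). The users, roles, resources, the DENY_THRESHOLD value and the logged session are all constructed for illustration.

```python
"""Added example (not from the STI handout): an authorization check that writes
an audit trail, followed by the review the handout describes. Successful records
show who did what; repeated denials flag someone who may be probing the
safeguards; a single denial is more likely a user having difficulty."""
from collections import Counter, defaultdict

# Resource protection: user categories (roles) and what each may do. Constructed.
ROLE_OF = {"alice": "analyst", "bob": "contractor", "carol": "admin"}
ACL = {
    "payroll.db": {"admin": {"read", "write"}, "analyst": {"read"}},
    "hr.docs":    {"admin": {"read", "write"}},
}
DENY_THRESHOLD = 3  # denials per user before the reviewer is alerted (assumed value)


def authorize(user, resource, action, audit):
    """Return True if the request is allowed; append an audit record either way."""
    role = ROLE_OF.get(user)
    allowed = action in ACL.get(resource, {}).get(role, set())
    audit.append({"user": user, "resource": resource, "action": action,
                  "outcome": "ALLOW" if allowed else "DENY"})
    return allowed


def review_audit(audit):
    """Summarise the trail: who did what, who was denied how often, who to look at."""
    did = defaultdict(set)
    denied = Counter()
    for rec in audit:
        if rec["outcome"] == "ALLOW":
            did[rec["user"]].add(f"{rec['action']}:{rec['resource']}")
        else:
            denied[rec["user"]] += 1
    suspects = sorted(u for u, n in denied.items() if n >= DENY_THRESHOLD)
    return {"activity": {u: sorted(v) for u, v in did.items()},
            "denied": dict(denied),
            "suspects": suspects}


def demo():
    """Constructed session: normal use, one mistaken request, one user probing."""
    audit = []
    authorize("alice", "payroll.db", "read", audit)    # allowed: analyst may read
    authorize("carol", "hr.docs", "write", audit)      # allowed: admin may write
    authorize("alice", "payroll.db", "write", audit)   # single denial: likely a mistake
    for res, act in [("hr.docs", "read"), ("payroll.db", "read"), ("payroll.db", "write")]:
        authorize("bob", res, act, audit)              # repeated denials: worth a look
    return review_audit(audit)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```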