CHAPTER 1 Information Systems Security
Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts
Learning Objective(s):
- Explain information systems security and its effect on people and businesses.
Key Concepts:
- Information systems security concepts
- Confidentiality, integrity, and availability (C-I-A)
- The seven domains of an IT infrastructure
- The weakest link in the security of an IT infrastructure
- IT security policy framework and data classification standard

Information Systems Security (1 of 3)
- Internet
  - A worldwide network with approximately 5 billion users
  - Includes governments, businesses, and organizations
  - Links communication networks to one another
- World Wide Web
  - A system that defines how documents and resources are related across a network of computers

Information Systems Security (2 of 3)
- First American Financial Corporation, 2019
  - Approximately 885 million records containing sensitive personal financial data were exposed
  - The data could be retrieved by unauthorized parties
  - Customers were at a higher risk of identity theft because personal financial data was breached
- FireEye, 2020
  - Its penetration testing (red team) tools were stolen
  - The tools could be used to maliciously hack into companies

(Figure slide) Cyberspace: The New Frontier

(Figure slide) TCP/IP Communications Are in Cleartext

Information Systems Security (3 of 3)
- Internet of Things (IoT) connects personal devices, home devices, and vehicles to the Internet
  - More data to steal
- Cybersecurity is the duty of every government that wants to ensure its national security
- Data security is the responsibility of every organization that needs to protect its information assets and sensitive data

(Figure slide) IoT

Risks, Threats, and Vulnerabilities
- Risk: The level of exposure to some event that has an effect on an asset
- Threat: Any action, either natural or human induced, that could damage an asset
- Vulnerability: A weakness that allows a threat to be realized or to have an effect on an asset

What Is Information Systems Security?
- Information system: Hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations
- Security: Being free from danger or risk
- Information systems security: The collection of activities that protect the information system and the data stored in it

(Figure slide) What Are We Securing?

(Figure slide) Compliance Laws and Regulations Drive the Need for Information Systems Security

(Figure slide) Tenets of Information Security

Confidentiality (1 of 2)
Confidential information includes:
- Private data of individuals
- Intellectual property of businesses
- National security information of countries and governments

Confidentiality (2 of 2)
- Cryptography: The practice of hiding data and keeping it away from unauthorized users
- Encryption: The process of transforming data from cleartext into ciphertext
- Ciphertext: The scrambled data that results from encrypting cleartext

(Figure slide) Encryption of Cleartext into Ciphertext

Integrity
- In the context of information security: maintain valid and accurate information

Availability
- The amount of time users can use a system, application, and data

Availability Time Measurements
- Uptime: time during which the system is in service
- Downtime: time during which it is not
- Availability: A = (Total Uptime) / (Total Uptime + Total Downtime)
- Mean time to failure (MTTF): average running time before a failure occurs
- Mean time to repair (MTTR): average time needed to restore service after a failure
- Mean time between failures (MTBF): for a repairable system, MTBF = MTTF + MTTR
- Recovery point objective (RPO): the maximum acceptable data loss, measured as the time since the last good copy
- Recovery time objective (RTO): the maximum acceptable time to restore service after a disruption

(Figure slide) Seven Domains of a Typical IT Infrastructure

User Domain
- Roles and tasks: Users can access systems, applications, and data depending upon their defined access rights
- Responsibilities: Employees are responsible for their use of IT assets
- Accountability: The human resources department is accountable for implementing proper employee background checks

Common Threats in the User Domain
- Unauthorized access
- Lack of user awareness
- User apathy toward policies
- Security policy violations
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
- User destroying systems, applications, and data
- Disgruntled employee attacking the organization or committing sabotage
- Employee romance gone bad
- Employee blackmail or extortion

Workstation Domain
- Roles and tasks: Configure hardware, harden systems, and verify that antivirus files are current
- Responsibilities: Ensure the integrity of user workstations and data
- Accountability: Ensure that the Workstation Domain conforms to policy

Common Threats in the Workstation Domain
- Unauthorized workstation access
- Unauthorized access to systems, applications, and data
- Desktop or laptop operating system and software vulnerabilities
- Desktop or laptop application software vulnerabilities and patches
- Viruses, malicious code, and other malware
- User inserting CD/DVD/USB with personal files
- User downloading photos, music, or videos
- Security risk due to user violation of the acceptable use policy (AUP)
- Bring Your Own Device (BYOD)

LAN Domain
- Roles and tasks: Includes both physical network components and the logical configuration of services for users
- Responsibilities: Physical components and logical elements
- Accountability: Maximize use and integrity of data within the local area network (LAN) Domain

Common Threats in the LAN Domain
- Unauthorized access to the LAN
- Unauthorized access to systems, applications, and data
- LAN server operating system software vulnerabilities
- LAN server application software vulnerabilities and software patch updates
- Unauthorized access by rogue users on wireless LANs (WLANs)
- Compromised confidentiality of data on WLANs
- LAN servers with different hardware, operating systems, and software, which makes them difficult to manage and troubleshoot

LAN-to-WAN Domain
- Roles and tasks: Includes both the physical pieces and the logical design of security appliances; the physical parts need to be managed to give easy access to the service
- Responsibilities: Physical components, logical elements, and applying the defined security controls
- Accountability: Ensure that LAN-to-Wide Area Network (WAN) Domain security policies, standards, procedures, and guidelines are used

Common Threats in the LAN-to-WAN Domain
- Unauthorized network probing and port scanning
- Unauthorized access through the LAN-to-WAN Domain
- Denial of service (DoS)/distributed denial of service (DDoS) attacks
- IP router, firewall, and network appliance operating system vulnerabilities
- IP router, firewall, and network appliance configuration file errors or weaknesses
- Remote user download of sensitive data
- Download of unknown file type attachments from unknown sources
- Unknown email attachments and embedded URL links received by local users
- Lost productivity due to local users surfing the web

WAN Domain
- Roles and tasks: Allow users the most access possible while making sure that what goes in and out is safe
- Responsibilities: Physical components and logical elements
- Accountability: Maintain, update, and provide technical support, and ensure that the company meets security policies, standards, procedures, and guidelines

Common Threats in the WAN Domain (Internet)
- Open, public, and accessible data
- Traffic sent as cleartext: the base TCP/IP protocols provide no encryption, so protection depends on a higher layer such as TLS or a VPN
- Vulnerable to eavesdropping
- Vulnerable to malicious attacks
- Vulnerable to DoS and DDoS attacks, TCP synchronize (SYN) flooding, and IP spoofing attacks
- Vulnerable to corruption of information/data
- Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
- Hackers, attackers, and perpetrators send Trojans, worms, and other malicious software by email

Common Threats in the WAN Domain (Connectivity)
- Commingling of WAN IP traffic on the same service provider router and infrastructure
- Maintaining high WAN service availability
- Maximizing WAN performance and throughput
- Malicious use of network management applications and protocols (ICMP, Telnet, SNMP, DNS, etc.)
- Need for SNMP alarms and 24/7/365 security monitoring

Remote Access Domain
- Roles and tasks: Connect mobile users to their IT systems through the public Internet
- Responsibilities: Maintain, update, and troubleshoot the hardware and the logical remote access connection
- Accountability: Ensure that the Remote Access Domain security plans, standards, methods, and guidelines are used

Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks
- Multiple logon retries and access control attacks
- Unauthorized remote access to IT systems, applications, and data
- Private or confidential data compromised remotely
- Data leakage in violation of data classification standards
- A mobile worker's laptop is stolen
- A mobile worker's token or other authenticator is stolen

System/Application Domain
- Roles and tasks: Includes hardware, operating system software, applications, and data, including their logical design; secure mission-critical applications and intellectual property assets both physically and logically
- Responsibilities: Server systems administration, database design and management, designing access rights to systems and applications, and more
- Accountability: Ensure that the System/Application Domain is in compliance with security policies, standards, procedures, and guidelines

Common Threats in the System/Application Domain
- Unauthorized access to data centers, computer rooms, and wiring closets
- Unauthorized access to systems
- Data breach where private data is compromised
- Corrupt or lost data
- Downtime of servers to perform maintenance
- Server operating system software vulnerabilities
- Loss of backed-up data as backup media are reused
- Insecure cloud computing virtual environments by default
- Recovery of critical business functions potentially too time-consuming to be useful
- Susceptibility of client-server and web applications
- Downtime of IT systems for an extended period after a disaster

Weakest Link in the Security of an IT Infrastructure
- Humans are the weakest link in security
- Strategies for reducing risk:
  - Check the background of job candidates carefully
  - Evaluate staff regularly
  - Rotate access to sensitive systems, applications, and data among staff positions
  - Test applications and software and review them for quality
  - Regularly review security plans
  - Perform annual security control audits

Ethics and the Internet
- Human behavior online is often less mature than in normal social settings
- Demand for systems security professionals is growing rapidly
- The U.S. government and the Internet Architecture Board (IAB) defined a policy regarding acceptable use of the Internet geared toward U.S. citizens
- The policy is neither a law nor mandated
- Systems security professionals are responsible for doing what is right and stopping what is wrong

IT Security Policy Framework
- Policy: A short written statement that defines a course of action that applies to the entire organization
- Standard: A detailed written definition of how software and hardware are to be used
- Procedures: Written instructions for how to carry out policies and standards
- Guidelines: A suggested course of action for applying a policy, standard, or procedure

(Figure slide) Hierarchical IT Security Policy Framework

Foundational IT Security Policies
- Acceptable use policy (AUP)
- Security awareness policy
- Asset classification policy
- Asset protection policy
- Asset management policy
- Vulnerability assessment/management policy
- Threat assessment and monitoring policy

Data Classification Standards (1 of 2)
- Private data: Data about people that must be kept private
- Confidential: Information or data owned by the organization
- Internal use only: Information or data shared internally by an organization
- Public domain data: Information or data shared with the public

Data Classification Standards (2 of 2)
U.S. federal government data classification standards:
- Top secret: Applies to information that the classifying authority finds would cause exceptionally grave damage to national security if it were disclosed
- Secret: Applies to information that the classifying authority finds would cause serious damage to national security if it were disclosed
- Confidential: Applies to information that the classifying authority finds would cause damage to national security if it were disclosed

Summary
- Information systems security concepts
- Confidentiality, integrity, and availability (C-I-A)
- The seven domains of a typical IT infrastructure
- The weakest link in the security of an IT infrastructure
- IT security policy framework and data classification standards