Summary

This document provides an overview of information security policies, standards, and practices. It covers various aspects such as policy development, types of security policies, access control lists, and the importance of effective security programs.

Full Transcript


Reviewer ITEC 85 Finals

WEEK 10: PLANNING FOR SECURITY

INFORMATION SECURITY POLICY, STANDARDS AND PRACTICES

Organization - A collection of people working together toward a common goal. Its members must have a clear understanding of the rules of acceptable behavior.
Policy - Conveys management's intentions to its employees.
Effective security program - The use of a formal plan to implement and manage security in the organization.

Policy: A set of guidelines or instructions that the organization's senior management implements; the idea.
Standards: More detailed descriptions of what must be done to comply with policy; the specifics and outline.
Procedures: How to accomplish the policies and standards.

EFFECTIVE POLICIES
- Dissemination - Distribution of the information.
- Review
- Comprehension
- Compliance
- Uniform enforcement

WHAT DRIVES POLICY DEVELOPMENT?
Mission of an organization - Written statement of the purpose of the organization; usually not modified.
Vision of an organization - Written statement of the organization's long-term goals; occasionally modified.
Strategic planning - The process of moving the organization toward its vision; constantly reworked to promote progress.
Security policy - The set of rules that protects an organization's assets.

TYPES OF INFORMATION SECURITY POLICIES
Information security policy - Set of rules for the protection of an organization's information assets.
- Enterprise information security policy (EISP) - General security policy.
- Issue-specific security policy (ISSP) - Specific technology policy.
- Systems-specific security policy (SysSP) - Configurations.

ISSUE-SPECIFIC SECURITY POLICY (ISSP)
- Addresses specific areas of technology.
- Requires frequent updates.
- Contains a statement of the organization's position on a specific issue.

SYSTEMS-SPECIFIC POLICY (SYSSP)
- Appears with the managerial guidance expected in a policy.
- Includes detailed technical specifications not usually found in other types of policy documents.
Managerial guidance SysSPs - Guide the implementation and configuration of a specific technology.
Technical specification SysSPs - General methods for implementing technical controls:
- Access control lists - A set of specifications that identifies a piece of technology's authorized users.
- Configuration rules - Specific instructions entered into a security system to regulate how it reacts to the data it receives.
- Rule-based policies - More specific to a system's operation than ACLs.

WHAT IS AN ACCESS CONTROL LIST (ACL)?
An Access Control List, often abbreviated as ACL, is a list that can be defined as a set of rules. On routers and firewalls the rules are evaluated from the top down, the first rule that matches a packet decides its fate, and a packet that matches no rule is dropped by the implicit deny at the end of the list, so the order of the entries matters.

5 TYPES OF ACCESS CONTROL LIST:
- Standard ACLs - Fundamental; they offer a simple form of packet filtering (matching on the source address only).
- Extended ACLs - Provide more granular control than standard ACLs (they can also match on destination address, protocol and port).
- Dynamic ACLs - Also known as lock-and-key ACLs; a temporary entry is added for a user only after that user authenticates to the device.
- Reflexive ACLs - Used to allow IP packets to return to the sender, i.e. return traffic for sessions that were initiated from the inside.
- Time-based ACLs - Allow administrators to limit access to a network or device based on the time of day and day of the week.

ISO 17799 / BS 7799 - Standard that details the requirements for setting up and implementing an Information Security Management System (ISMS). Both have since been renumbered: BS 7799-2 became ISO/IEC 27001 (ISMS requirements) and ISO 17799 became ISO/IEC 27002 (code of practice for security controls).
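The first-match, implicit-deny behaviour described above is easiest to see by running a small ACL evaluator. The following is an added example written for this reviewer, not Cisco code and not part of the original notes; the networks (10.0.0.0/8 as the internal network, 192.0.2.0/24 as a DMZ, 192.0.2.10 as a web server) and the packets are constructed for the demonstration. SampleACL() is an extended ACL; a standard ACL is the same structure with only a source prefix filled in.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action taken by a matching entry.
type Action int

const (
	Deny Action = iota
	Permit
)

func (a Action) String() string {
	if a == Permit {
		return "permit"
	}
	return "deny"
}

// Entry is one line of an extended ACL. A standard ACL entry is the special case
// that matches on the source prefix only (Proto "ip", no destination, no port).
type Entry struct {
	Action  Action
	Proto   string       // "tcp", "udp", "icmp", or "ip" for any protocol
	Src     netip.Prefix // zero value means "any"
	Dst     netip.Prefix // zero value means "any"
	DstPort int          // 0 means any port
}

// Packet holds the header fields the ACL looks at.
type Packet struct {
	Proto   string
	Src     netip.Addr
	Dst     netip.Addr
	DstPort int
}

func (e Entry) matches(p Packet) bool {
	if e.Proto != "ip" && e.Proto != p.Proto {
		return false
	}
	if e.Src.IsValid() && !e.Src.Contains(p.Src) {
		return false
	}
	if e.Dst.IsValid() && !e.Dst.Contains(p.Dst) {
		return false
	}
	return e.DstPort == 0 || e.DstPort == p.DstPort
}

// Evaluate walks the list top to bottom: the first matching entry decides, and a
// packet that matches nothing hits the implicit deny (reported as index -1).
func Evaluate(acl []Entry, p Packet) (Action, int) {
	for i, e := range acl {
		if e.matches(p) {
			return e.Action, i
		}
	}
	return Deny, -1
}

// SampleACL (constructed): let the internal network reach the DMZ web server on
// 443, block everything else it sends toward the DMZ, and permit its other traffic.
func SampleACL() []Entry {
	internal := netip.MustParsePrefix("10.0.0.0/8")
	dmz := netip.MustParsePrefix("192.0.2.0/24")
	web := netip.MustParsePrefix("192.0.2.10/32")
	return []Entry{
		{Action: Permit, Proto: "tcp", Src: internal, Dst: web, DstPort: 443},
		{Action: Deny, Proto: "ip", Src: internal, Dst: dmz},
		{Action: Permit, Proto: "ip"},
	}
}

// MisorderedACL puts the blanket permit first, which shadows the deny below it.
func MisorderedACL() []Entry {
	acl := SampleACL()
	return []Entry{acl[2], acl[0], acl[1]}
}

func main() {
	src := netip.MustParseAddr("10.1.2.3")
	packets := []Packet{
		{Proto: "tcp", Src: src, Dst: netip.MustParseAddr("192.0.2.10"), DstPort: 443},
		{Proto: "tcp", Src: src, Dst: netip.MustParseAddr("192.0.2.10"), DstPort: 22},
		{Proto: "udp", Src: src, Dst: netip.MustParseAddr("198.51.100.5"), DstPort: 53},
	}
	for _, p := range packets {
		a, i := Evaluate(SampleACL(), p)
		b, j := Evaluate(MisorderedACL(), p)
		fmt.Printf("%s %s -> %s:%d  ordered: %s (entry %d)  misordered: %s (entry %d)\n",
			p.Proto, p.Src, p.Dst, p.DstPort, a, i, b, j)
	}
}
```

The SSH packet to the web server is denied by entry 1 in the intended list but permitted by entry 0 in the misordered one: a single misplaced "permit any" silently disables every deny after it, which is why ACL changes should be tested against the packets they are meant to block, not only the ones they are meant to allow.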
WEEK 11: PLANNING FOR SECURITY P2

The Five Pillars of NIST (the five core functions of the NIST Cybersecurity Framework) are as follows:
- Identify - Utilize tools to inventory every IT asset running in your environment and its related cybersecurity vulnerabilities.
- Protect - Take the necessary security steps, like protecting logins with multi-factor authentication and training staff to recognize phishing attempts.
- Detect - Set up monitoring solutions such as SIEM and IDS and tie them to your organization's network and firewall.
- Respond - Implement automation that flags incidents worthy of human attention and directs ticket assignments accordingly.
- Recover - Comprehend how long it takes your organization to recover normal functionality after a cyber-attack or malware event, then understand how long it should take depending on
RFC 2196 - The Site Security Handbook; covers five basic areas of security with detailed discussions on development and implementation.
Security Area Working Group - Acts as an advisory board for protocols and areas developed and promoted by the Internet Society.

VISA INTERNATIONAL SECURITY MODEL
Visa International - Promotes strong security measures and publishes security guidelines.

NIST SP 800-26 - Management controls cover security processes designed by the strategic planners and performed by security administrators.

Defense in depth - The implementation of security in layers; requires that organizations establish sufficient security controls.
Security perimeter - The point at which an organization's security protection ends and the outside world begins.
Firewall - A device that selectively discriminates against information flowing into or out of the organization.
Demilitarized zone (DMZ) - A "no man's land" between the inside and outside networks where some organizations place their Web servers.
Intrusion Detection Systems (IDSs) - Detect unauthorized activity within the inner network or on individual machines.

WEEK 12: SECURITY TECHNOLOGY: INTRUSION DETECTION, ACCESS CONTROL AND OTHER SECURITY TOOLS

Intrusion - An attack on information in which a malicious perpetrator tries to break into or disrupt a system.
Intrusion detection - The procedures and systems created and operated to detect system intrusions.
Intrusion reaction - The actions an organization takes upon detecting an intrusion.
Intrusion correction activities - Restore normal operations.
Intrusion prevention - Actions that try to deter intrusions proactively.
Intrusion Detection System - Detects a configuration violation, sounds an alarm, and may notify an external security organization of the break-in.

IDS terminology:
- Alert, alarm
- False negative - The IDS fails to detect an actual attack.
- False positive - An attack alert is raised when no attack occurred.
- Confidence value - An estimate of the probability that an attack is occurring.
- Alarm filtering

Application-based IDS (AppIDS) - Looks at applications for abnormal events.
NIDS (network-based IDS) - Resides on a computer or appliance connected to a segment of an organization's network; looks for signs of attacks.
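False positives and false negatives are easiest to understand by scoring a detection rule against known outcomes. The following is an added example written for this reviewer, not code from the notes or from any IDS product: a threshold rule ("alert on a source with N or more failed logins") is run over a handful of SSH auth-log lines that were constructed for the demonstration, and the alerts are compared with an analyst's (also constructed) ground-truth labels. The addresses used are documentation ranges.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sshd log lines for this example (not real captures).
const sampleLog = `Jan 10 09:12:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Jan 10 09:12:02 host sshd[102]: Failed password for invalid user oracle from 203.0.113.7 port 50112 ssh2
Jan 10 09:12:03 host sshd[103]: Failed password for root from 203.0.113.7 port 50113 ssh2
Jan 10 09:12:04 host sshd[104]: Failed password for root from 203.0.113.7 port 50114 ssh2
Jan 10 09:12:05 host sshd[105]: Failed password for root from 203.0.113.7 port 50115 ssh2
Jan 10 09:30:10 host sshd[120]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Jan 10 09:30:15 host sshd[121]: Failed password for alice from 198.51.100.4 port 41001 ssh2
Jan 10 09:30:21 host sshd[122]: Failed password for alice from 198.51.100.4 port 41002 ssh2
Jan 10 09:30:40 host sshd[123]: Accepted password for alice from 198.51.100.4 port 41003 ssh2
Jan 10 11:02:00 host sshd[140]: Failed password for bob from 192.0.2.20 port 39000 ssh2
Jan 10 12:45:00 host sshd[141]: Failed password for carol from 192.0.2.20 port 39001 ssh2
Jan 10 14:10:00 host sshd[142]: Accepted password for dave from 192.0.2.20 port 39002 ssh2
Jan 10 15:00:00 host sshd[150]: Failed password for eve from 10.0.0.5 port 33000 ssh2
Jan 10 15:00:30 host sshd[151]: Accepted password for eve from 10.0.0.5 port 33001 ssh2`

// Ground truth for the sources above, as an analyst labelled them afterwards (constructed).
var groundTruth = map[string]bool{
	"203.0.113.7":  true,  // brute force against several accounts
	"198.51.100.4": false, // a user who mistyped her password three times
	"192.0.2.20":   true,  // slow credential stuffing, one guess per account
	"10.0.0.5":     false, // a single typo
}

var failedRe = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\S+) port`)

// CountFailures tallies failed logins per source address.
func CountFailures(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// Detect is the rule: alert on every source with at least threshold failed logins.
func Detect(log string, threshold int) map[string]bool {
	alerts := map[string]bool{}
	for src, n := range CountFailures(log) {
		if n >= threshold {
			alerts[src] = true
		}
	}
	return alerts
}

// Outcome holds the IDS terminology from the notes, counted per source.
type Outcome struct{ TruePos, FalsePos, FalseNeg, TrueNeg int }

// Score compares the rule's alerts with the ground truth.
func Score(alerts, truth map[string]bool) Outcome {
	var o Outcome
	for src, isAttack := range truth {
		switch alerted := alerts[src]; {
		case alerted && isAttack:
			o.TruePos++
		case alerted && !isAttack:
			o.FalsePos++ // alarm, but no attack occurred
		case !alerted && isAttack:
			o.FalseNeg++ // a real attack the rule failed to detect
		default:
			o.TrueNeg++
		}
	}
	return o
}

func main() {
	for _, threshold := range []int{3, 4} {
		fmt.Printf("threshold %d: %+v\n", threshold, Score(Detect(sampleLog, threshold), groundTruth))
	}
}
```

Raising the threshold from 3 to 4 removes the false positive (alice's typos) but does nothing for the false negative (192.0.2.20 never exceeds two failures), which is the usual trade-off: a count-based rule can be tuned for one error type, while a low-and-slow attack needs a different signal, such as the number of distinct usernames tried from one source.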
WEEK 13: CRYPTOGRAPHY

Cryptography - Secret writing; a type of secure communication understood by the sender and the intended recipient only.
Cryptology - The science of secure communications.
Cryptanalysis - The science of breaking encrypted messages to recover their meaning.
Cipher - A cryptographic algorithm.
Plaintext - An unencrypted message.
Encryption - Converts plaintext to ciphertext.
Decryption - Turns ciphertext back into plaintext.
Cryptographic hash function - A mathematical function used in cryptography.
Hash functions - Commonly used in computing systems for tasks such as checking the integrity of messages and authenticating information. Some hash functions are now considered weak and should not be relied on for these tasks.
Collision-free - No two different inputs should map to the same output hash.

Examples of uses of cryptographic hash functions:
- Password verification
- Signature generation and verification
- Verifying file and message integrity

Three general classes of NIST-approved cryptographic algorithms:
- Hash functions - A cryptographic hash function does not use keys for its basic operation.
- Symmetric-key algorithms - Also referred to as secret-key algorithms; they transform data to make it extremely difficult to view without possessing the secret key, which is used for both encrypting and decrypting.
- Asymmetric-key algorithms - Also referred to as public-key algorithms; they use paired keys (a public and a private key) in performing their function. The private key cannot feasibly be calculated from the public key even though the two are mathematically related.

AES - Based on the Rijndael algorithm, invented by Vincent Rijmen (previously Cryptomathic's chief cryptographer) together with his fellow researcher Joan Daemen.
3DES - A symmetric-key block cipher that applies the DES cipher algorithm three times to each data block. Its official name as used by NIST is the Triple Data Encryption Algorithm (TDEA). NIST has since deprecated it in favour of AES.
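Two of the hash-function uses listed above, message integrity and signature generation/verification, are shown together in the following added example. It is written for this reviewer and is not code from the notes: SHA-256 (a keyless NIST hash function) gives the integrity fingerprint, and the signature is that digest signed with an RSA private key using the RSA-PSS scheme, which is my choice of algorithm, not one the notes prescribe. The message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 fingerprint of a message as hex. No key is involved:
// anyone can recompute it, so on its own it proves integrity, not origin.
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// IntegrityOK recomputes the digest and compares it with the one recorded earlier.
func IntegrityOK(msg []byte, recorded string) bool {
	return Digest(msg) == recorded
}

// Sign hashes the message and signs the digest with the private key (RSA-PSS).
// Hashing first is what lets a fixed-size signature cover a message of any length.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify recomputes the digest and checks the signature with the public key. It fails
// if a single bit of the message changed or if a different key produced the signature.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample message
	tampered := []byte("transfer 900 to account 42")
	fmt.Println("sha256(msg):      ", Digest(msg))
	fmt.Println("sha256(tampered): ", Digest(tampered))

	priv, err := rsa.GenerateKey(rand.Reader, 2048) // signer's key pair
	if err != nil {
		panic(err)
	}
	sig, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&priv.PublicKey, msg, sig))
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered, sig))
}
```

Changing one digit of the message produces an unrelated digest and a failed verification. Note that the third listed use, password verification, should not reuse Digest() as written: a fast unsalted hash lets an attacker test guesses at full speed, so passwords need a salted, deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2) instead.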
WEEK 14: CRYPTOGRAPHY P2

Digital certificate - A file or electronic password that proves the authenticity of a device, server, or user through cryptography and the public key infrastructure (PKI). It is a file that verifies the identity of a device or user and enables encrypted connections.
Secure Sockets Layer (SSL) - An SSL digital certificate confirms the authenticity of a website to a web browser. (The SSL protocol itself has been superseded by TLS; "SSL certificate" survives as the everyday name for a TLS server certificate.)

There are three different types of public key certificates:
- TLS/SSL certificate - Sits on a server such as an application, mail, or web server to ensure that communication with its clients is private and encrypted. It comes in three forms:
  o Domain Validated (DV) - A quick validation method that is acceptable for any website; cheap to obtain.
  o Organization Validated (OV) - Provides light business authentication; ideal for organizations selling products online through e-commerce.
  o Extended Validation (EV) - Offers full business authentication, which is required by larger organizations or any business dealing with highly sensitive information.
- Code signing certificate - Used to confirm the authenticity of software or files downloaded through the internet.
- Client certificate - A digital ID that identifies an individual user to another user or machine, or one machine to another.

CA (Certificate Authority) - Responsible for managing domain control verification and for verifying that the public key attached to the certificate belongs to the user or organization that requested it.

Beneficial features of digital certificates:
- Security
- Scalability
- Authenticity
- Reliability
- Public trust

Digital signature - A hashing-based approach in which a numeric string, computed from the hash of the message with the signer's private key, provides authenticity and validates identity.
Hybrid cryptography - A mode of encryption that merges two or more encryption systems.
Hybrid encryption - A scheme that combines the ease of key distribution of an asymmetric encryption scheme with the efficiency of a symmetric encryption technique.

To encrypt a message, first generate a symmetric key and encrypt the data with it. The person to whom we wish to send the message shares her public key and keeps her private key secret. Then encrypt the symmetric key using the receiver's public key and send the encrypted symmetric key, together with the encrypted data, to the receiver; she unwraps the symmetric key with her private key and uses it to decrypt the data.

Advantages of hybrid encryption:
- Provides a high level of security.
- Transmission of data becomes secure.
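The procedure above (fresh symmetric key, encrypt the data, wrap the key with the receiver's public key, send both) is implemented end to end in the following added example, written for this reviewer rather than taken from the notes. The concrete algorithms are my choice: AES-256-GCM for the data and RSA-OAEP for wrapping the key; the Envelope type and the sample message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels to the receiver: the symmetric key wrapped with her
// public key, the GCM nonce, and the ciphertext (which carries its own auth tag).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt follows the notes' procedure: 1) generate a fresh 256-bit AES key,
// 2) encrypt the data with AES-GCM, 3) wrap the AES key with the receiver's RSA
// public key (OAEP). Only the receiver's private key can unwrap it.
func Encrypt(receiverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt reverses the steps with the receiver's private key. Any modification of
// the ciphertext in transit makes GCM's tag check fail, so tampering is detected
// rather than silently producing garbage.
func Decrypt(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	receiver, err := rsa.GenerateKey(rand.Reader, 2048) // she publishes receiver.PublicKey
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(&receiver.PublicKey, []byte("meet at the usual place at 09:00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, err := Decrypt(receiver, env)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Decrypt(receiver, env)
	fmt.Println("after tampering:", err)
}
```

The RSA operation only ever processes the 32-byte key, however large the message is, which is the efficiency argument for the hybrid scheme; the 2048-bit key produces a 256-byte wrapped key regardless of message size. Confidentiality here rests on the receiver's public key really being hers, which is exactly what the certificate and CA material above is for.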
WEEK 15: PHYSICAL SECURITY

Physical security - The protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution.

Major sources of physical loss:
- Extreme temperature: heat, cold
- Gases: war gases, commercial vapors, humid or dry air, suspended particles
- Liquids: water, chemicals
- Living organisms: viruses, bacteria, people, animals, insects
- Projectiles: tangible objects in motion, powered objects
- Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide
- Energy anomalies: electrical surge or failure, magnetism, static electricity, aging circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic

Security controls - Parameters implemented to protect the various forms of data and infrastructure important to an organization.

Types of security controls:
- Physical security controls - Include such things as data center perimeter fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras, and intrusion detection sensors.
- Digital security controls - Include such things as usernames and passwords, two-factor authentication, antivirus software, and firewalls.
- Cybersecurity controls - Include anything specifically designed to prevent attacks on data, including DDoS mitigation and intrusion prevention systems.
- Cloud security controls - Include the measures you take in cooperation with a cloud services provider to ensure the necessary protection for data and workloads.
Fire safety - Involves the prevention, detection and suppression of fires, through the use of various technologies and systems:
- Fire alarms
- Fire extinguishers
- Fire suppression systems
- Fire doors or fire exits
- Fire sprinkler systems
- Sand/water buckets

Security - Involves protecting people and assets from various threats:
- Access control systems
- Surveillance cameras
- Burglar alarms
- Security guards

Manual fire alarm system - Relies on individuals to activate the alarm by pulling a lever or pushing a button when a fire is detected.
Automatic fire alarm system - Uses sensors such as smoke detectors or heat detectors to trigger the alarm without the need for human intervention.

Data interception - A specific type of data theft, referring to information that is captured during transmission.
Data theft - Refers to any way in which sensitive information is compromised.

How to prevent data interception and theft:
- Create password policies.
- Identify and classify sensitive data - Information classification is a process in which organizations assess the data they hold and the level of protection it should be given.
- Train your staff to understand the importance of data security.
- Properly dispose of sensitive data - Paper records must be shredded when you no longer need them.
- Seed your data - Data seeding is the practice of planting synthetic details in a database.
Why is mobile device security so important? Over 50 percent of business PCs are mobile, and the increase in Internet of Things devices poses new challenges to network security.

Components of mobile device security:
- Endpoint security - Solutions that protect corporations by monitoring the files and processes of every mobile device that accesses a network.
- VPN - A virtual private network is an encrypted connection over the Internet from a device to a network.
- Secure web gateway - Provides powerful, overarching cloud security.
- Email security - Email is both the most important business communication tool and the leading attack vector for security breaches.
- Cloud access security broker (CASB) - Your network must secure where and how your employees work, including in the cloud; for that you will need a cloud access security broker.

WEEK 16: IMPLEMENTING INFORMATION SECURITY
