Security Architecture Principles
ISYS 0575
General Attack Process ("Kill Chain")
Stages, from threat agent to asset:
● Recon
● Weaponize
● Deliver
● Exploit
● Control
● Execute
● Maintain
Defender phases spanning the chain: Proactive Detection and Mitigation; Containment and Incident Response.
What is Architecture?
Architecture (Latin architectura, from the Greek ἀρχιτέκτων arkhitekton "architect," from ἀρχι- "chief" and τέκτων "builder") is both the process and the product of planning, designing and constructing buildings and other physical structures.
Architecture can mean different things to different people:
● A general term to describe buildings and other physical structures
● The art and science of designing buildings and (some) nonbuilding structures
● The style of design and method of construction of buildings and other physical structures
● Knowledge of art, science, technology, and humanity
● The practice of the architect, where architecture means offering or rendering professional services in connection with the design and construction of buildings, or built environments
Traditional Security Architecture Starts With the Perimeter
Network-centric versus data-centric
If work from home and BYOD didn’t kill the perimeter, Cloud certainly did.
Sherwood Applied Business Security Architecture
Other Architectures
Zachman
The Open Group Architecture Framework (TOGAF)
Modern Architectural View
Then Account for the Agile
Defense in Depth
Another Perspective
Horizontal defense in depth - Controls are placed at various points along the path of access to an asset.
Vertical defense in depth - Controls are placed at different system layers - hardware, OS, application, database.
Effective Defense in Depth
Planning and understanding of each control type's strengths and weaknesses, and of how the controls interact.
What vulnerabilities are addressed by each layer?
How does the layer mitigate the vulnerability?
How do controls interact with or depend on the other controls?
Security Controls
Information Flow Control or Firewalls
A system or systems that enforce a boundary between one or more networks.
General features:
● Block access to sites on the Internet
● Limit traffic on an organization's public service segment to specific ports and addresses
● Prevent users from accessing certain servers or services
● Monitor and record communications between internal and external networks
● Encrypt packets sent between different physical locations (VPN)
Types of Firewall
● Packet filtering
● Application firewall
● Stateful inspection
● Next generation
● Web application firewall
Isolation and Segmentation
Logging and Monitoring
What should we log?
● Time of event
● CRUD
● Startup / Shutdown
● Login / Logout (Failures)
● Errors / Violations
Challenges of Logs
● Too much data
● Difficulty searching
● Improper configuration
● Modification of logs (integrity)
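As an added example (not from the slides), a small Python audit logger that records the event types listed above with a timestamp and hash-chains each record to the previous one, so that the "modification of logs" challenge becomes detectable: verify() reports the first record whose content or link to its predecessor no longer matches. The event names, actors and sample events are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Event categories follow the slide's "what should we log" list;
# names are constructed for this example.
EVENT_TYPES = {"startup", "shutdown", "login", "logout",
               "create", "read", "update", "delete", "error", "violation"}
GENESIS = "0" * 64  # link value for the first record

def make_entry(prev_hash, event_type, actor, detail, success=True, ts=None):
    """Build one record whose hash covers the previous record's hash,
    so editing or removing any earlier record breaks the chain."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type}")
    entry = {"time": (ts or datetime.now(timezone.utc)).isoformat(),
             "event": event_type, "actor": actor, "success": success,
             "detail": detail, "prev": prev_hash}
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(payload).hexdigest()
    return entry

def append(log, event_type, actor, detail, success=True, ts=None):
    """Append a record linked to the current tail of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append(make_entry(prev, event_type, actor, detail, success, ts))
    return log

def verify(log):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or digest != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1

def demo():
    """Constructed sample events; returns verify() results before and after tampering."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    append(log, "startup", "system", "service start", ts=t0)
    append(log, "login", "alice", "password auth", success=False, ts=t0)
    append(log, "login", "alice", "password auth", ts=t0)
    append(log, "delete", "alice", "customer record 42", ts=t0)
    intact = verify(log)  # -1: untouched chain verifies cleanly
    log[1]["success"] = True  # tamper: hide the failed login attempt
    return intact, verify(log)  # → (-1, 1)
```

Chaining only makes tampering detectable; the chain head (or the whole log) still has to be shipped somewhere the log writer cannot alter, which is why the slides pair logging with access controls.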
Agenda
● Introductions
● Syllabus review
● Class format
● Intro to Information Security
Scott Eigenhuis
● Will respond to
○ Mr. Eigenhuis
○ Professor Eigenhuis
○ Professor Scott
● [email protected]
● Office
○ BUS 309
○ Monday 5:30 to 6:30
Career Path
Liberty University - BS in Journalism, minor in Linguistics
University of San Francisco - Masters in Information Systems
(Timeline figure: Education / Work)
Class Format
● Lecture / Discussion / Demonstrations
○ Credit for participation
● Quiz at end of class
○ Requires computer
○ Graded
○ Includes reading and lecture
● Two in class essays (TBD)
● One group project (TBD)
What I do
Information Security Officer
Manage the Information Security and Privacy team and programs for my company.
Work with auditors, engineers, privacy, and legal to evaluate and manage security and privacy risk. Implement, operate and monitor security controls. Detect and respond to security incidents.
Remaining a viable business requires that we protect our intellectual property, customer and employee data.
What? How? Why?
The Security Triad
Confidentiality Integrity
Availability
Different Aspects of Security
Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.
Cybersecurity is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.
Privacy is additionally concerned with the data subject's right to control information: notice, choice and consent, data subject access. The "creepiness factor." Often has a legal focus.
Security Compliance evaluates a company's stance against requirements.
Relationship of Security Domains
(Diagram of overlapping domains: Information Security, Application Security, Critical Infrastructure Protection, Network Security, Internet Security, Cybersecurity, Cybercrime, Cybersafety.)
Source: ISO/IEC 27032:2012
Security Jobs
● CISO
● CSO
● Compliance Analyst
● Application Security Engineer
● Information Security Architect
● Network Security Engineer
● Incident Responder
● Security Analyst
● Penetration Tester
● Auditor
● Privacy Officer / Analyst
● Forensics Specialist
● Cryptographer / Cryptanalyst
● Sales Engineer
● Security Researcher
Skills Gap in Information Security
Source: ISACA 2018 State of Cybersecurity Study
Information Security Governance
● Governance is the responsibility of the board and senior management
  ○ Strategic direction
  ○ Ensure objectives are achieved
  ○ Risk management
  ○ Use of resources
● Risk management is conducted throughout the organization through assessment and implementation of controls
● Compliance is demonstration of adherence to mandated laws and regulations
Protecting the Digital Assets
Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Source: NIST Cybersecurity Framework 1.1
Information Security Objectives
Confidentiality: the protection of information from unauthorized disclosure.
Integrity: the protection of information from unauthorized modification.
Availability: the timely and reliable access to and use of information and systems.
Nonrepudiation: ensures that a message or information is genuine.
CIA model and related impacts
Confidentiality
  Impact and consequence:
  ● Disclosure of information protected by law
  ● Loss of public confidence
  ● Loss of competitive advantage
  Methods of control:
  ● Access controls
  ● File permissions
  ● Encryption
Integrity
  Impact and consequence:
  ● Inaccuracy
  ● Erroneous decisions
  ● Fraud
  ● Loss of compliance
  Methods of control:
  ● Access controls
  ● Logging
  ● Hashes
  ● Backups
Availability
  Impact and consequence:
  ● Loss of productive time
  ● Loss of compliance
  ● Fines from regulators
  Methods of control:
  ● Highly available systems
  ● Business continuity and disaster recovery
Information Security Roles (top to bottom)
● Board of Directors
● Executive Management
● Senior Information Security Management
● Information Security Practitioners

Information Security Concepts
ISYS 0575
Objectives
● Review the CIA Triad
● Learn about risk, particularly security risk
● Understand the component parts that make up risk
● Learn about the interplay between the different components of
risk
● Discuss the various risk treatment options
● Learn about basic controls
● Understand the different types of attacks
The Security Triad
Confidentiality Integrity
Availability
Security Concepts and Relationships
(Diagram relating stakeholders, value, assets, threat agents, threats, vulnerabilities, risk and controls: stakeholders value assets and wish to minimize risk, so they impose controls to reduce it; threat agents give rise to threats that exploit vulnerabilities, leading to risk to the assets they wish to abuse and/or may damage.)
Source: ISO/IEC 27032:2012
Terms and Definitions
Risk — The combination of probability of an event and impact.
P x I = R
Threat — Anything that is capable of acting against an asset and causing harm.
Asset — Something of either tangible or intangible value that is worth protecting.
Vulnerability — A weakness that exposes the asset to adverse impact.
Inherent risk — The risk level without taking into account management actions to protect against the risk.
Residual Risk — The risk remaining after accounting for management risk response.
Security Concepts and Relationships (ISO/IEC 27032:2012 diagram, shown again)
Risk Frameworks
COBIT 5 for Risk
ISO 27005:2011 Information Security Risk Management
NIST 800-30 Guide for Conducting Risk Assessments
NIST 800-39 Managing Information Security Risk
Risk Identification (Risk Scenarios)
The development of risk scenarios from imagination or based on previous occurrences.
Top-down is based on business goals.
Bottom-up is based on specific security-related events.
Likelihood and Impact
Likelihood = Probability
The absence of a known vulnerability does not mean zero likelihood.
A vulnerability doesn’t mean there is a threat.
A vulnerability with no control and no management acceptance indicates a weakness in the overall program.
How do we quantify likelihood and impact?
Approaches to Risk
Subjective or objective?
Risk tolerance
Size and scope of the environment in question
How much data do you have available?
Risk versus issue
Approaches to Managing Security Risk
Ad hoc — implement controls with no particular criteria.
Compliance-based — Implement the controls regardless of need.
Risk-based — design the controls based on identified risk.
Risk Treatment
Avoidance means management decides not to engage in the activity that creates the risk.
Acceptance means management acknowledges the risk, but proceeds with the activity without taking any action.
Mitigation involves management implementing controls to reduce the risk.
Transference means that management lets another party take the risk.
Security Concepts and Relationships (ISO/IEC 27032:2012 diagram, shown again)
Threat Agents
The European Union Agency for Network and Information Security (ENISA) conducts ongoing evaluation of the threat landscape.
Common agents:
● Corporations
● Criminals
● Terrorists
● Nation States
● Insiders
● Hacktivists
● Script Kiddies
ENISA Threat Landscape
Security Concepts and Relationships (ISO/IEC 27032:2012 diagram, shown again)
Security Controls
Types of controls
Preventative, Detective, Responsive
Administrative, Technical, Physical
Security Policy
Policy hierarchy
Policy
Standards
Procedures
Guidelines
Attack Attributes
Risk is potential activity; an attack is the occurrence of a threat.
The asset is the attacker's target.
The path to the target is the attack vector.
Ingress is the focus of most attack analysis.
Egress, or data exfiltration, is the objective of some attackers.
An exploit is used to take advantage of a vulnerability.
General Attack Process ("Kill Chain", shown again): Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain, with Proactive Detection and Mitigation and Containment and Incident Response as the defender phases.
Nonadversarial Threat Events
● Mishandling of critical information
● Incorrect privilege
● Fire, flood, hurricane, earthquake
● Disk errors or other equipment failure
Malware
● Worm - Conficker - 9 million PCs
● Virus - I Love You
● Trojan Horse - Zeus
● Ransomware - WannaCry
● Rootkit - Sony BMG
Social Engineering
● Impersonation
● Phishing (and spear phishing)
Other Attacks
● Advanced Persistent Threat (APT)
● Web attacks