Security architecture principles isys 0575general att

1. Security Architecture Principles ISYS 0575 General Attack Process Recon Weaponize Deliver Exploit Control Execute AssetAgent Maintain Proactive Detection and Mitigation Containment and Incident Response “Kill Chain” What is Architecture? Architecture (Latin architectura, from the Greek ἀρχιτέκτων

2. arkhitekton "architect," from ἀρχι- "chief" and τέκτων "builder") is both the process and the product of planning, designing and constructing buildings and other physical structures. Architecture can mean: Different Things to Different People ● A general term to describe buildings and other physical structures ● The art and science of designing buildings and (some) nonbuilding structures ● The style of design and method of construction of buildings and other physical structures ● Knowledge of art, science, technology, and humanity ● The practice of the architect, where architecture means offering or rendering professional services in connection with the design and construction of buildings, or built environments Traditional Security Architecture Starts With the perimeter Network-centric Versus data-centric If work from home and BYOD didn’t kill the perimeter, Cloud

3. certainly did. Sherwood Applied Business Security Architecture Other Architectures Zachman The Open Group Architecture Framework (TOGAF) Modern Architectural View Then Account for the Agile Defense in Depth Another Perspective Horizontal defense in depth - Controls are placed in various places in the path of access for an asset Vertical defense in depth - Control sare placed at different system layers - hardware, OS, application, database

4. Effective Defense in Depth Planning and understanding of each control types strengths and weaknesses and how controls interact. What vulnerabilities are addressed by each layer? How does the layer mitigate the vulnerability? How do controls interact with or depend on the other controls? Security Controls Information Flow Control or Firewalls System or systems that enforce a boundary between one or more networks General features ● Block access to sites on Internet ● Limit traffic on an organization's public service segment to ports and addresses ● Prevent users from accessing certain servers or services ● Monitor and record communications between internal and external networks ● Encrypt packets sent between different physical locations (VPN)

5. Types of Firewall Packet filtering Application firewall Stateful inspection Next generation And web application firewall Isolation and Segmentation Logging and Monitoring What should we log? ● Time of event ● CRUD ● Startup / Shutdown ● Login / Logout (Failures) ● Errors / Violations Challenges of Logs ● Too much data ● Difficulty searching ● Improper configuration ● Modification of logs (integrity)

6. SIEM IDS / IPS Approaches ● Signature ● Statistical ● Neural Network Don’t forget HIPS/HIDS Antivirus / Antimalware Approaches ● Signature ● Heuristic ● Nextgen Security Controls Introduction to Information Security Management ISYS 0575

7. Agenda ● Introductions ● Syllabus review ● Class format ● Intro to Information Security Scott Eigenhuis ● Will respond to ○ Mr. Eigenhuis ○ Professor Eigenhuis ○ Professor Scott ● [email protected] ● Office ○ BUS 309 ○ Monday 5:30 to 6:30 Career Path Liberty University - BS in Journalism, minor in Linguistics University of San Francisco - Masters in Information Systems E

8. du ca tio n W or k ... Class Format ● Lecture / Discussion / Demonstrations ○ Credit for participation ● Quiz at end of class ○ Requires computer ○ Graded ○ Includes reading and lecture ● Two in class essays (TBD) ● One group project (TBD) What I do Information Security Officer Manage the Information Security and Privacy team and

9. programs for my company Work with auditors, engineers, privacy, and legal to evaluate and manage security and privacy risk. Implement, operate and monitor security controls. Detect and respond to security incidents. Remaining a viable business requires that we protect our intellectual property, customer and employee data. What? How? Why? The Security Triad Confidentiality Integrity Availability Different Aspects of Security Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications. Cybersecurity is concerned with protecting digital assets— everything from

10. networks to hardware and information that is processed, stored or transported by internetworked information systems. Privacy is additionally concerned with the data subject's right to control information. Notice, choice and consent, data subject access. The Creepiness Factor. Often has legal focus. Security Compliance evaluates a company's stance against requirements. Relationship of Security Domains Information Security Application Security Critical Infrastructure Protection Network Security Internet Security Cybersecurity Cybercrime Cybersafety Source: ISO/IEC 27032:2012

11. Security Jobs CISO Compliance Analyst Application Security Engineer Information Security Architect Network Security Engineer Incident Responder Security Analyst Penetration Tester Auditor Privacy Officer / Analyst Forensics Specialist Cryptographer / Cryptanalyst CSO Sales Engineer Security Researcher Skills Gap in Information Security Source: ISACA 2018 State of Cybersecurity Study

12. Situational Awareness stakeholders controls vulnerabilities assetsthreats threat agents risk value wish to minimize impose to reduce that may be reduced by that may possess leading to that increase to wish to abuse and/or may damage may be aware of give rise to

13. that exploit Source: ISO/IEC 27032:2012 Information Security Governance ● Governance is the responsibility of board and senior management ○ Strategic Direction ○ Ensure objectives are achieved ○ Risk management ○ Use of resources ● Risk management is conducted throughout the organization through assessment and implementation of controls ● Compliance is demonstration of the adherence to mandated laws and regulations Protecting the Digital Assets Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. Detect – Develop and implement appropriate activities to identify the occurrence

14. of a cybersecurity event. Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Source: NIST Cybersecurity Framework 1.1 Information Security Objectives Confidentiality the protection of information from unauthorized disclosure. Integrity the protection of information from unauthorized modification. Availability the timely and reliable access to and use of information and systems. Nonrepudiation ensures that a message or information is genuine. CIA model and related impacts Requirement Impact and Consequence Methods of Controls Confidentiality ● Disclosure of information protected by law

15. ● Loss of public confidence ● Loss of competitive advantage ● Access controls ● File permissions ● Encryption Integrity ● Inaccuracy ● Erroneous decisions ● Fraud ● Loss of compliance ● Access controls ● Logging ● Hashes ● Backups Availability ● Loss of productive time ● Loss of compliance ● Fines from regulators ● Highly available systems ● Business continuity and disaster recovery Information Security Roles Board of Directors Executive

16. Management Senior Information Security Management Information Security Practitioners Information Security Concepts ISYS 0575 Objectives ● Review the CIA Triad ● Learn about risk, particularly security risk ● Understand the component parts that make up risk ● Learn about the interplay between the different components of risk ● Discuss the various risk treatment options ● Learn about basic controls ● Understand the different types of attacks The Security Triad Confidentiality Integrity Availability

17. Security Concepts and Relationships stakeholders controls vulnerabilities assetsthreats threat agents risk value wish to minimize impose to reduce that may be reduced by that may possess leading to that increase to wish to abuse and/or may damage may be aware of

18. give rise to that exploit Source: ISO/IEC 27032:2012 Terms and Definitions Risk — The combination of probability of an event and impact. P x I = R Threat — Anything that is capable of acting against an asset and causing harm. Asset — Something of either tangible or intangible value that is worth protecting. Vulnerability — A weakness that exposes the asset to adverse impact. Inherent risk — The risk level without taking into account management actions to protect against the risk. Residual Risk — The risk remaining after accounting for management risk response. Security Concepts and Relationships stakeholders

19. controls vulnerabilities assetsthreats threat agents risk value wish to minimize impose to reduce that may be reduced by that may possess leading to that increase to wish to abuse and/or may damage may be aware of give rise to that exploit

20. Source: ISO/IEC 27032:2012 Risk Frameworks COBIT 5 for Risk ISO 27005:2011 Information Security Risk Management NIST 800-30 Guide for Conducting Risk Assessments NIST 800-39 Managing Information Security Risk Risk Identification (Risk Scenarios) The development of risk scenarios from imagination or based on previous occurrences Top-down is based on business goals Bottom-up is based on specific events that are security related Likelihood and Impact Likelihood = Probability Absence of a known vulnerability doesn’t = 0 likelihood A vulnerability doesn’t mean there is a threat A vulnerability with no control and no management acceptance indicates a

21. weakness in the overall program How do we quantify likelihood and impact? Approaches to Risk Subjective or objective? Risk tolerance Size and scope of the environment in question How much data do you have available? Risk versus issue Approaches to Managing Security Risk Ad hoc — implement controls with no particular criteria. Compliance-based — Implement the controls regardless of need. Risk-based — design the controls based on identified risk. Risk Treatment Avoidance means management decides not to engage in the activity that creates the risk. Acceptance means management acknowledges the risk, but proceeds with the activity without taking any action.

22. Mitigation involves management implementing controls to reduce the risk. Transference means that management lets another party take the risk. Security Concepts and Relationships stakeholders controls vulnerabilities assetsthreats threat agents risk value wish to minimize impose to reduce that may be reduced by that may possess leading to

23. that increase to wish to abuse and/or may damage may be aware of give rise to that exploit Source: ISO/IEC 27032:2012 Threat Agents European Union Agency for Network and Information Security (ENISA) conducts ongoing evaluation of the threat landscape. Common Agents: ● Corporations ● Criminals ● Terrorists ● Nation States ● Insiders ● Hactivists ● Script Kiddies ENISA Threat Landscape

24. Security Concepts and Relationships stakeholders controls vulnerabilities assetsthreats threat agents risk value wish to minimize impose to reduce that may be reduced by that may possess leading to that increase to wish to abuse and/or may damage may be aware of

25. give rise to that exploit Source: ISO/IEC 27032:2012 Security Controls Types of controls Preventative, Detective, Responsive Administrative, Technical, Physical Security Policy Policy hierarchy Policy Standards Procedures Guidelines Attack Attributes Risk is potential activity, an attack is the occurence of a threat. The asset is the attackers target.

26. Path to target is the attack vector. Ingress is the focus of most attack analysis. Egress or data exfiltration is the objective of some attackers. An exploit is used to take advantage of a vulnerability. General Attack Process Recon Weaponize Deliver Exploit Control Execute AssetAgent Maintain Proactive Detection and Mitigation Containment and Incident Response “Kill Chain”

27. Nonadversarial Threat Event Mishandling of critical information Incorrect privilege Fire, flood, hurricane, earthquake Disk errors or other equipment failure Malware Worm - Confiker - 9 Million PCs Virus - I Love You Trojan Horse - Zeus Ransomeware - WannaCry Root Kit - Sony BMG Social Engineering Impersonation Phishing (and spear phishing) Other Attacks Advanced Persistent Threat (APT) Web attacks

28. Brute force attacks DoS Attacks

Security architecture principles isys 0575general att

Security architecture principles isys 0575general att

Security architecture principles isys 0575general att

Recomendados

Más contenido relacionado

Was ist angesagt?

Was ist angesagt?(20)

Similar a Security architecture principles isys 0575general att

Similar a Security architecture principles isys 0575general att(20)

Más de SHIVA101531

Más de SHIVA101531(20)

Último

Último(20)

Security architecture principles isys 0575general att