Information Security Management
Security Solutions
By Yuliana Martirosyan
Based on Bel G. Raggad, Information Security Management: Concepts and Practice.

13. Security Solutions

13.1 Introduction
Information protection is not a goal in itself; the goal is to reduce the harm to the information's owner that would result from its compromise.
The American Bar Association reported a decade ago that hackers caused harm as high as $10 million.
The FBA reports that businesses lose $7.5 billion a year to attacks.
13.2 Security Solutions
Organization of security solutions

Security solutions fall into six classes, each with its own mechanisms:
• Cryptography: hash functions, symmetric cryptography, public-key cryptography, digital signatures (DS), VPN
• Access Control: passwords, authentication, biometrics, VPN
• Traffic Control: IP packet-filter firewalls, IP application-level firewalls, hybrid firewalls, cyberwalls, stateful inspection firewalls, VPN
• Physical Security: locks, disconnect, backup, higher availability, clusters
• Security Analysis: audit, penetration testing, security plan reviews, risk analysis, vulnerability assessment, intrusion detection
• Security Management
13.2.1 Security Management
13.2.1.1 Information Security Management
This is the most important class of security solutions. It concerns the organizational security of the company.
There are two main components:
1. Effectiveness in securing the system (ISO 27002)
2. The information security management system (ISO 27001)
13.2.1.2 Simple Network Management
The major components used in networking are routers, switches, firewalls and access servers (the network topology).
Routers draw a hierarchy of LANs and autonomous systems to find optimal paths to information resources worldwide.
Network management system tools for data centers: Unicenter from IBM, OpenView from HP, and Enterprise System Management (ESM).
13.2.2 Cryptographic Solutions
13.2.2.1 Cryptography
• Hash functions
• Symmetric cryptography
• Public-key cryptography
• Digital signatures
• Virtual private networks
13.2.2.2 The Main Cryptographic Mechanisms
• Symmetric cryptography: private (secret) key, e.g. AES
• Asymmetric cryptography: public key, e.g. RSA
13.2.2.3 Block and Stream Ciphers in Symmetric Cryptography
Symmetric ciphers are now usually implemented using:
• Block ciphers: a fixed-length block of plaintext is converted into ciphertext of the same length
• Stream ciphers: data is encrypted one bit or byte at a time
13.2.2.4 Digital Signatures
Used to demonstrate the authenticity of a digital message or document.
DS algorithms: RSA, DSS, elliptic curves
Cryptosystems that use them: PGP, S/MIME
13.2.2.5 Virtual Private Networks (VPN)
A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.
• Intranet VPN: several buildings may be connected to a data center (strong encryption)
• Remote access VPN: laptops that connect intermittently from different locations (authentication)
• Extranet VPN: access to corporate resources across various network architectures
13.2.2.5.1 Dial-Up VPN (PPTP VPN)
[Figure: dial-up (PPTP) VPN topology; labels shown: Firewall, Intranet]
PPP VPN implementation
[Figure: PPP VPN implementation; labels shown: Firewall, Firewall]
13.2.2.5.2 Layer Two Tunneling Protocol (L2TP)
Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F).
The main rival to PPTP for VPN tunneling was Cisco's L2F.
13.2.2.5.3 Internet Protocol Security (IPsec)
IPsec is a collection of protocols that provide low-level network security. IPsec operates at the network layer.
13.2.3 Access Control
Access control is a system that enables an authority to control access to areas and resources in a given physical facility or computer-based information system.
The three most widely recognized models are:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
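The three models differ in who decides and on what basis. The following added example (not the book's or the slide author's code) shows each as a small policy decision function: in DAC the object's owner edits the access list, in MAC fixed sensitivity labels drive the Bell-LaPadula read/write rules, and in RBAC permissions attach to roles rather than to users. All users, objects, labels and roles are constructed for the illustration.

```python
"""Toy policy decision points for DAC, MAC and RBAC.
Added illustration; every subject, object, label and role below is constructed."""
from typing import Dict, Set, Tuple

# --- Discretionary Access Control: the object's owner decides who may do what.
DAC_OWNER: Dict[str, str] = {"payroll.xlsx": "alice"}
# object -> subject -> permitted actions (constructed sample ACL)
DAC_ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
}

def dac_allowed(subject: str, obj: str, action: str) -> bool:
    if DAC_OWNER.get(obj) == subject:
        return True  # the owner keeps full discretion over the object
    return action in DAC_ACL.get(obj, {}).get(subject, set())

def dac_grant(granter: str, obj: str, subject: str, action: str) -> bool:
    """Only the owner may change the ACL; that discretion is what makes it DAC."""
    if DAC_OWNER.get(obj) != granter:
        return False
    DAC_ACL.setdefault(obj, {}).setdefault(subject, set()).add(action)
    return True

# --- Mandatory Access Control: labels are fixed by policy, not by owners.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
SUBJECT_CLEARANCE = {"alice": "confidential", "bob": "internal"}
OBJECT_LABEL = {"board-minutes.txt": "secret", "newsletter.txt": "public"}

def mac_allowed(subject: str, obj: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules: no read up, no write down."""
    s = LEVELS[SUBJECT_CLEARANCE[subject]]
    o = LEVELS[OBJECT_LABEL[obj]]
    if action == "read":
        return s >= o   # may only read at or below own clearance
    if action == "write":
        return s <= o   # may only write at or above own clearance
    return False

# --- Role-Based Access Control: permissions attach to roles, users to roles.
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "hr_clerk": {("payroll.xlsx", "read")},
    "hr_manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"hr_manager"}, "bob": {"hr_clerk"}, "carol": set()}

def rbac_allowed(user: str, obj: str, action: str) -> bool:
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```

The MAC branch is the one that surprises newcomers: under Bell-LaPadula a low-clearance subject may write into a higher-classified object (write up), because the rule protects confidentiality, not integrity.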
Access control technologies:
• Passwords, tokens, smart cards, encrypted keys
• Authentication
• Biometrics
• VPN
Authentication
Cryptography can be used for more than hiding data from prying eyes. Tripwire, for example, is a cryptographic integrity-checking tool: it builds a database of cryptographic checksums for selected files, and unauthorized changes to those files are detected when the stored checksums no longer match the current ones.
Biometrics
Fingerprints, facial recognition, hand geometry, DNA
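The mechanism behind Tripwire is small enough to show end to end. The following added example (not Tripwire's code, and not from the book) builds a baseline of SHA-256 checksums for a directory tree, reports modified, added and removed files on a later pass, and seals the baseline with an HMAC so that tampering with the checksum database itself is also detected. The directory, file contents and key are constructed for the illustration.

```python
"""Tripwire-style file integrity monitoring.
Added illustration; the tree, file contents and key are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> Dict[str, str]:
    """Checksum every regular file below root, keyed by its POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against the baseline and report the drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def seal_baseline(baseline: Dict[str, str], key: bytes) -> str:
    """Serialize the baseline and append an HMAC tag, so edits to the database are detectable."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + tag

def open_sealed_baseline(sealed: str, key: bytes) -> Optional[Dict[str, str]]:
    """Return the baseline only if its HMAC verifies; None signals a tampered database."""
    body, _, tag = sealed.rpartition("\n")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then modify one, add one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")
        key = b"constructed-example-key"   # in practice kept off the monitored host
        sealed = seal_baseline(build_baseline(root), key)

        (root / "etc" / "passwd").write_text("root:x:0:0\nnewuser:x:1001:1001\n")  # modified
        (root / "etc" / "shadow.bak").write_text("leftover\n")                       # added
        (root / "bin" / "ls").unlink()                                                # removed

        baseline = open_sealed_baseline(sealed, key)
        if baseline is None:
            raise RuntimeError("baseline database failed integrity check")
        return check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Sealing the baseline matters because an intruder who can alter a monitored file can usually alter an unprotected checksum database too; the HMAC key, or the sealed database itself, belongs on write-protected or offline media, as the forensic checklist later in this deck also recommends.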
13.2.4 Data Traffic Control
Security rules:
Rule 1: Trust inside
Rule 2: Least privilege (deny everything that is not explicitly permitted)
Rule 3: Selective blocking, the opposite of Rule 2 (permit everything that is not explicitly blocked)
Firewalls:
• Network firewalls
• Application firewalls
• Stateful inspection firewalls
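The difference between Rule 2 and Rule 3 is the default action of the rule set, and stateful inspection is what lets a default-deny policy still admit replies to connections the inside opened. The following added example (not the book's code) evaluates both policy styles over the same packets and adds a minimal flow table for stateful inspection. The networks, hosts and ports are constructed for the illustration.

```python
"""Packet-filter policy evaluation: least privilege vs. selective blocking,
plus a minimal stateful-inspection flow table.
Added illustration; all addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source port
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

Policy = Tuple[List[Rule], str]  # ordered rules plus the default action

def decide(policy: Policy, p: Packet) -> str:
    """First matching rule wins; the default action decides everything else."""
    rules, default = policy
    for r in rules:
        if r.matches(p):
            return r.action
    return default

INSIDE = "10.0.0.0/8"   # constructed internal network
ANY = "0.0.0.0/0"

# Rule 2, least privilege: nothing passes unless a rule allows it.
LEAST_PRIVILEGE: Policy = ([
    Rule("allow", INSIDE, INSIDE),            # Rule 1: trust inside
    Rule("allow", ANY, "10.0.1.10/32", 443),  # only the public web server is reachable
    Rule("allow", INSIDE, ANY, 443),          # inside hosts may open HTTPS outbound
], "deny")

# Rule 3, selective blocking: everything passes except what is named.
SELECTIVE_BLOCKING: Policy = ([
    Rule("deny", ANY, INSIDE, 23),    # block telnet
    Rule("deny", ANY, INSIDE, 445),   # block SMB
], "allow")

class StatefulFirewall:
    """Remembers allowed outbound flows so that their replies are admitted
    without an inbound rule; unsolicited inbound traffic still meets the static policy."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.flows: Set[Tuple[str, str, int, int]] = set()  # (src, dst, sport, dport)

    def outbound(self, p: Packet) -> str:
        verdict = decide(self.policy, p)
        if verdict == "allow":
            self.flows.add((p.src, p.dst, p.sport, p.dport))
        return verdict

    def inbound(self, p: Packet) -> str:
        # A reply reverses the addresses and ports of a remembered flow.
        if (p.dst, p.src, p.dport, p.sport) in self.flows:
            return "allow"
        return decide(self.policy, p)
```

Under the least-privilege policy an HTTPS reply from the Internet is dropped by the static rules alone, because no rule admits traffic from outside to an inside client; the stateful table fixes that without opening inbound ports.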
13.2.5 Security Analysis
Security testing: penetration testing
• External-source penetration test
• Internal-source penetration test
• Target-system penetration test
Vulnerability assessment
The process of identifying and quantifying weaknesses of the system and determining their effect.
Analyze the threats that could potentially cause compromise, spoofing, or denial of service.
Security review
• System, network and topology evaluation
• Administration checklist
• File servers and workstations
• Individual accountability
• Disaster recovery
• Connectivity
• E-mail controls
• Policy review
• Logical security
• Managerial security
• Physical security
Forensic investigation
• Use of sterile media
• Hardware investigation
• Original data
• Write-protected media
• Deleted, hidden or recovered files
• File revision documentation
• Data manipulation
• Files' organization
• Potential evidence
• Report generation
Security audit
• Planning the audit
• Auditing
• Report and post-mortem
• Action
13.3 The NIST Security Solution Taxonomy
Security control classes, families and identifiers

Management class
Class        Family                                                  Identifier
Management   Risk Assessment                                         RA
Management   Planning                                                PL
Management   System and Services Acquisition                         SA
Management   Certification, Accreditation, and Security Assessment   CA

Operational class
Class        Family                                                  Identifier
Operational  Personnel Security                                      PS
Operational  Physical and Environmental Protection                   PE
Operational  Contingency Planning                                    CP
Operational  Configuration Management                                CM
Operational  Maintenance                                             MA
Operational  System and Information Integrity                        SI
Operational  Media Protection                                        MP
Operational  Incident Response                                       IR
Operational  Awareness and Training                                  AT

Technical class
Class        Family                                                  Identifier
Technical    Identification and Authentication                       IA
Technical    Access Control                                          AC
Technical    Audit and Accountability                                AU
Technical    System and Communications Protection                    SC
13.4 The ISO Security Taxonomy
1 Risk Assessment and Treatment
2 Security Policy
3 Organization of Information Security
4 Asset Management
5 Human Resources Security
6 Physical Security
7 Communications and Operations Management
8 Access Control
9 Information Systems Acquisition, Development and Maintenance
10 Information Security Incident Management
11 Business Continuity
12 Compliance
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Information Security Management. Security solutions copy

  • 6. 13.2.2 Cryptographic Solutions
     13.2.2.1 Cryptography: Hash Functions; Symmetric Cryptography; Public-Key Cryptography; Digital Signatures; Virtual Private Networks
     13.2.2.1 The Main Cryptographic Mechanisms
     Symmetric Cryptography: Private Key (AES)
     Asymmetric Cryptography: Public Key (RSA)
  • 7. 13.2.2.3 Block and Stream Ciphers in Symmetric Cryptography
     Symmetric ciphers are now usually implemented using:
     • Block ciphers: a fixed-length block of plaintext is converted into ciphertext of the same length
     • Stream ciphers: data is encrypted one bit or byte at a time
     13.2.2.4 Digital Signatures
     Used for demonstrating the authenticity of a digital message or document.
     DS algorithms: RSA, DSS, Elliptic Curves
     Crypto-systems: PGP, S/MIME
  • 8. 13.2.2.5 Virtual Private Networks (VPN)
     A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.
     Intranet VPN: several buildings may be connected to a data center (strong encryption)
     Remote Access VPN: laptops that connect intermittently from different locations (authentication)
     Extranet VPN: access to corporate resources across various network architectures
  • 9. 13.2.2.5.1 Dial-Up VPN (PPTP VPN) [diagram: Firewall, Intranet]
  • 10. 13.2.2 Cryptographic Solutions: PPP VPN implementation [diagram: Firewall, Firewall]
  • 11. 13.2.2.5.2 Layer Two Tunnel Protocol (L2TP)
     Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding. The main rival to PPTP for VPN tunneling was Cisco's L2F.
     13.2.2.5.1 Internet Protocol Security (IPSEC)
     IPsec is a collection of protocols that provide low-level network security. IPsec exists at the network layer.
  • 12. 13.2.3 Access Control
     Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. The three most widely recognized models are:
     • Discretionary Access Control (DAC)
     • Mandatory Access Control (MAC)
     • Role Based Access Control (RBAC)
  • 13. 13.2.3 Access Control Technologies:
     • Passwords, tokens, smart cards, encrypted keys
     • Authentication
     • Biometrics
     • VPN
  • 14. 13.2.3 Access Control
     Authentication: Encryption can be used not only to hide data from prying eyes. An example is the cryptographic method used by Tripwire, which builds a database of cryptographic checksums for selected files; attempts at unauthorized access to the data will be detected by Tripwire.
     Biometrics: Fingerprints, Facial Recognition, Hand geometry, DNA
  • 15. 13.2.4 Data Traffic Control
     Security Rules:
     Rule 1: Trust Inside
     Rule 2: Least privilege
     Rule 3: Selective blocking (the opposite of Rule 2)
     Firewalls: Network firewalls; Application firewalls; Stateful inspection firewalls
  • 16. 13.2.5 Security Analysis
     Security Testing: Penetration testing: External source penetration test; Internal source penetration test; Target system penetration test
     Vulnerability Assessment: The process of identifying and quantifying weaknesses of the system and determining their effect. Analyze threats that can potentially cause compromise, spoofing, or denial of service.
  • 17. 13.2.5 Security Analysis: Security Review
     • System, Network and Topology evaluation
     • Administration checklist
     • File servers and workstations
     • Individual accountability
     • Disaster recovery
     • Connectivity
     • E-mail Controls
     • Policy Review
     • Logical Security
     • Managerial security
     • Physical Security
  • 18. 13.2.5 Security Analysis: Forensic Investigation
     • Use of sterile media
     • Hardware investigation
     • Original data
     • Write protected media
     • Deleted, hidden or recovered files
     • File revision documentation
     • Data manipulation
     • Files' organization
     • Potential evidence
     • Report generation
  • 19. 13.2.5 Security Analysis: Security Audit
     • Planning the audit
     • Auditing
     • Report and post-mortem
     • Action
  • 20. 13.3 The NIST Security Solution Taxonomy
     Security Control Management Class, Family and Identifier
     Class        Family                                                  Identifier
     Management   Risk Assessment                                         RA
     Management   Planning                                                PL
     Management   System and Services Acquisition                         SA
     Management   Certification, Accreditation, and Security Assessment   CA
  • 21. 13.3 The NIST Security Solution Taxonomy
     Security Control Technical Class, Family and Identifier
     Class        Family                                                  Identifier
     Operational  Personnel Security                                      PS
     Operational  Physical and Environmental Protection                   PE
     Operational  Contingency Planning                                    CP
     Operational  Configuration Management                                CM
     Operational  Maintenance                                             MA
     Operational  System and Information Integrity                        SI
     Operational  Media Protection                                        MP
     Operational  Incident Response                                       IR
     Operational  Awareness and Training                                  AT
  • 22. 13.3 The NIST Security Solution Taxonomy
     Security Control Technical Class, Family and Identifier
     Class        Family                                                  Identifier
     Operational  Identification and Authentication                       IA
     Operational  Access Control                                          AC
     Operational  Audit and Accountability                                AU
     Operational  System and Communications Protection                    SC
  • 23. 13.4 The ISO Security Taxonomy
     1 Risk Assessment and Treatment
     2 Security Policy
     3 Organization of Information Security
     4 Asset Management
     5 Human Resources Security
     6 Physical Security
     7 Communications and Ops Management
     8 Access Control
     9 Information Systems Acquisition, Development, Maintenance
     10 Information Security Incident management
     11 Business Continuity
     12 Compliance
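Slide 14 describes the Tripwire method: a database of cryptographic checksums for selected files, rechecked later to detect unauthorized changes. The following is an added example written for this page (not Tripwire's own code) of that method in a few functions; the directory layout, file contents and HMAC key are constructed for the demo, and the HMAC over the baseline is an addition that stops an intruder from quietly re-baselining the files they changed (the key must be kept where the monitored host cannot reach it).

```python
# Added example (not Tripwire's code): baseline, seal, re-check.
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def seal(baseline: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the baseline."""
    canon = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def verify(root: str, baseline: dict, tag: str, key: bytes) -> dict:
    """Re-hash root and report what changed; refuse a baseline whose HMAC does not match."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline database has been tampered with")
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, add one and delete one."""
    key = b"constructed-demo-key"          # in practice stored off-host, never on the monitored system
    root = tempfile.mkdtemp()
    files = {"etc/passwd": b"root:x:0:0\n", "bin/ls": b"ELF...", "etc/hosts": b"127.0.0.1 localhost\n"}
    for name, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    baseline = build_baseline(root)
    tag = seal(baseline, key)
    with open(os.path.join(root, "etc/passwd"), "ab") as fh:   # unauthorized change
        fh.write(b"eve:x:0:0\n")
    with open(os.path.join(root, "bin/extra"), "wb") as fh:    # file that was not in the baseline
        fh.write(b"...")
    os.remove(os.path.join(root, "etc/hosts"))                  # file removed
    return verify(root, baseline, tag, key)

if __name__ == "__main__":
    print(demo())
```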

Editor's notes

  1. We organize information security solutions into six classes: security management, cryptography, access control, data traffic control, security analysis, and physical security.
  2. Sophisticated computer management systems, called system controllers, have been around for decades. These units were hooked up to mainframes in data centers. OpenView has the IP network management standard Simple Network Management Protocol (SNMP) built in. ESM: the fuzziness in the area separating networks from computers comes from the development of client-server technology, which moved data from data centers out to an internetworking topology.
  3. The main parts of a symmetric algorithm are:
     • Plaintext
     • Encryption Algorithm
     • Secret Key – the main secret
     • Cipher Text
     • Decryption
  4. Modern symmetric block encryption algorithms are mainly based on the Feistel block cipher structure. Feistel proposed the use of a cipher that alternates substitutions and permutations. In fact, this is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions. Diffusion: each ciphertext digit is affected by many plaintext digits. Confusion: the relationship between the statistics of the ciphertext and the value of the encryption key is made as complex as possible. Block ciphers include DES, IDEA, SAFER, Blowfish… I would also like to mention Skipjack, the algorithm used in the US National Security Agency (NSA) Clipper chip for the U.S. government's Escrowed Encryption Standard (EES), which is a block cipher.
  5. Intranet VPN: This is considered a "client transparent" VPN. It is usually implemented for networks within a common network infrastructure but across various physical locations. For instance, several buildings may be connected to a data center that they can access securely through private lines. Those VPNs need to be especially secure, with strong encryption, and must meet strict performance and bandwidth requirements. Remote Access VPN: Here the VPN is "client initiated". It is intended for remote users that need to connect to their corporate LAN from various points of connection: telecommuters and salesmen equipped with laptops that connect intermittently from different locations (homes, hotels, conference halls...). The key factor here is flexibility, as performance and bandwidth are usually minimal and less of an issue. More than encryption, authentication will be the main security concern. Extranet VPN: In this case the VPN uses the Internet as its main backbone. It usually addresses a wider scale of users and locations, enabling users to access corporate resources across various network architectures. These VPNs rely on VPN standards to ensure maximum compatibility while trying not to overly compromise security.
  6. Computers can use the PPTP protocol to securely connect to a private network as a remote access client by using a public data network such as the Internet. In other words, PPTP enables on-demand, virtual private networks over the Internet or other public TCP/IP-based data networks. PPTP can also be used by computers connected to a LAN to create a virtual private network across the LAN. PPTP is configured by adding virtual devices referred to as virtual private networks (VPNs) to the RAS and Dial-Up Networking. Most PPTP sessions are started by a client dialing up an ISP network access server.
  7. The Point-to-Point Protocol (PPP) is a data link layer protocol which encapsulates other network layer protocols for transmission on synchronous and asynchronous communication lines. Two precise definitions of "point-to-point" in the context of data communications follow: a network configuration in which a connection is established between two, and only two, points (the connection may include switching facilities); and a circuit connecting two points without the use of any intermediate terminal or computer. The PPP protocol is used to create the dial-up connection between the client and the network access server and performs the following three functions: Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers. Authenticates users. PPTP clients are authenticated by using the PPP protocol; clear text, encrypted, or Microsoft encrypted authentication can be used by the PPP protocol. Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets. PPP creates datagrams which contain one or more encrypted TCP/IP, IPX, or NetBEUI data packets. Because the network packets are encrypted, all traffic between a PPP client and a network access server is secure.
  8. Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco® Systems, Inc. Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the IETF mandated that the two technologies be combined into a single tunneling protocol that represents the best features of PPTP and L2F. L2TP is documented in RFC 2661.
  9. Access control techniques Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary. (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions.
  10. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary. Network firewalls protect the perimeter of a network by watching traffic that enters and leaves. An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. Stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
  11. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. External testing (black box) refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, that is, from the Internet or Extranet. An internal (white box) penetration test evaluates the efficacy of a network's internal protection. Network configurations, source code and the occasional password are provided in the white box penetration test.
  12. Security controls in the security control catalog (NIST SP 800-53, Appendix F) have a well-defined organization and structure. The security controls are organized into classes and families for ease of use in the control selection and specification process. There are three general classes of security controls (i.e., management, operational, and technical). Each family contains security controls related to the security function of the family. A standardized, two-character identifier is assigned to uniquely identify each control family. The table summarizes the classes and families in the security control catalog and the associated family identifiers.
  13. An agency has the flexibility to tailor the security control baseline in accordance with the terms and conditions set forth in the standard. Tailoring activities include: (i) the application of scoping guidance; (ii) the specification of compensating controls; (iii) the specification of agency-defined parameters in the security controls, where allowed. The system security plan should document all tailoring activities.
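Note 4 above describes the Feistel structure and Shannon's confusion/diffusion idea in words. The following is an added example (not from the slides or the book) of a toy 64-bit Feistel cipher that makes the two claims concrete: the S-box supplies confusion, the bit rotation supplies diffusion, and decryption is the very same network run with the subkeys in reverse order. The S-box, key schedule and round count are constructed for illustration only; this is not a cipher to use.

```python
# Added example: toy Feistel network (constructed parameters, illustration only).

ROUNDS = 16
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
# Constructed 4-bit bijective S-box (the "confusion" component).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def round_keys(key: int) -> list:
    """Toy key schedule: rotate the 64-bit key and fold it to one 32-bit subkey per round."""
    keys = []
    k = key & MASK64
    for _ in range(ROUNDS):
        k = ((k << 5) | (k >> 59)) & MASK64
        keys.append((k ^ (k >> 32)) & MASK32)
    return keys

def f(half: int, subkey: int) -> int:
    """Round function: key mixing, nibble-wise substitution, then a rotation that
    spreads each S-box output across neighbouring nibbles (the "diffusion" step)."""
    x = half ^ subkey
    out = 0
    for nib in range(8):
        out |= SBOX[(x >> (4 * nib)) & 0xF] << (4 * nib)
    return ((out << 11) | (out >> 21)) & MASK32

def feistel(block: int, keys: list) -> int:
    """One pass through the network. The final swap makes the network its own inverse
    when the subkeys are applied in reverse order."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left

def encrypt(block: int, key: int) -> int:
    return feistel(block & MASK64, round_keys(key))

def decrypt(block: int, key: int) -> int:
    return feistel(block & MASK64, list(reversed(round_keys(key))))

def avalanche(block: int, key: int) -> int:
    """Diffusion check: how many of the 64 ciphertext bits change when one plaintext bit flips."""
    c1 = encrypt(block, key)
    c2 = encrypt(block ^ 1, key)
    return bin(c1 ^ c2).count("1")

if __name__ == "__main__":
    key, pt = 0x0123456789ABCDEF, 0xDEADBEEF00C0FFEE     # constructed values
    ct = encrypt(pt, key)
    print(hex(ct), decrypt(ct, key) == pt, avalanche(pt, key))
```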
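Note 9 above contrasts DAC, MAC and RBAC by who decides access. The following is an added example (not from the slides or the book) that puts the three decision rules side by side as small policy functions over constructed users, objects and roles. For MAC it assumes the Bell-LaPadula reading of "clearance versus label" (no read up, no write down), which the note does not spell out.

```python
# Added example: DAC, MAC and RBAC decision logic over constructed data.
from enum import IntEnum

# ---------- DAC: the owner of the object maintains its ACL ----------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}      # owner starts with full rights

    def grant(self, granter: str, user: str, perm: str) -> None:
        """Only the owner may hand out rights; the system does not decide."""
        if granter != self.owner:
            raise PermissionError("only the owner can change the ACL")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())

# ---------- MAC: the system compares clearance with the object's label ----------
class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def mac_allows(clearance: Level, label: Level, op: str) -> bool:
    """Bell-LaPadula simple rule (no read up) and *-property (no write down); assumption."""
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    return False

# ---------- RBAC: permissions attach to roles, users hold roles ----------
ROLE_PERMS = {                                    # constructed role definitions
    "cashier": {"order:create", "order:read"},
    "manager": {"order:create", "order:read", "order:refund"},
    "auditor": {"order:read", "ledger:read"},
}
USER_ROLES = {"ann": {"cashier"}, "bob": {"manager"}, "cy": {"auditor", "cashier"}}

def rbac_allows(user: str, perm: str) -> bool:
    """A user may perform an operation if any of their roles carries that permission;
    neither the user nor the object owner can change the role definitions."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

if __name__ == "__main__":
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print(doc.allows("bob", "read"), mac_allows(Level.SECRET, Level.TOP_SECRET, "read"),
          rbac_allows("cy", "ledger:read"))
```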
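Note 10 above defines a stateful inspection firewall as one that admits only packets matching a known connection state, and slide 15 lists the rules "trust inside" and "least privilege". The following is an added example (not from the slides or the book) of a toy stateful filter that combines them: connections started from the trusted inside are tracked and their replies admitted, inbound traffic is denied by default except one explicit service, and everything else is logged and dropped. Addresses, ports and the allow list are constructed.

```python
# Added example: toy stateful packet filter with default deny (constructed data).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False        # True for a packet that opens a new TCP connection

INSIDE_PREFIX = "10.0.0."             # constructed trusted network (Rule 1: trust inside)
WEB_SERVER = "10.0.0.80"              # constructed host that may be reached from outside
ALLOW_INBOUND = {("tcp", 443)}        # the only exception to default deny (Rule 2)

class StatefulFirewall:
    def __init__(self):
        # Connection table keyed from the inside host's point of view:
        # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.state = set()
        self.log = []

    @staticmethod
    def _inside(ip: str) -> bool:
        return ip.startswith(INSIDE_PREFIX)

    def filter(self, p: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        as_outbound = (p.src, p.sport, p.dst, p.dport, p.proto)
        as_inbound = (p.dst, p.dport, p.src, p.sport, p.proto)
        if self._inside(p.src) and not self._inside(p.dst):
            self.state.add(as_outbound)            # inside-initiated: remember it
            return True
        if as_inbound in self.state:               # reply to a tracked connection
            return True
        if (p.proto, p.dport) in ALLOW_INBOUND and p.dst == WEB_SERVER and p.syn:
            self.state.add(as_inbound)             # explicitly allowed new inbound connection
            return True
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return False                               # default deny

def run_scenario():
    """Constructed packet sequence; returns the per-packet verdicts and the drop log."""
    fw = StatefulFirewall()
    verdicts = [
        fw.filter(Packet("10.0.0.5", 51000, "93.184.216.34", 443, "tcp", syn=True)),  # outbound, tracked
        fw.filter(Packet("93.184.216.34", 443, "10.0.0.5", 51000, "tcp")),            # matching reply
        fw.filter(Packet("93.184.216.34", 443, "10.0.0.5", 51001, "tcp")),            # unsolicited, no state
        fw.filter(Packet("198.51.100.9", 40000, WEB_SERVER, 443, "tcp", syn=True)),   # allowed service
        fw.filter(Packet("198.51.100.9", 40000, WEB_SERVER, 443, "tcp")),             # follow-up, now tracked
        fw.filter(Packet("198.51.100.9", 40001, WEB_SERVER, 22, "tcp", syn=True)),    # not on allow list
        fw.filter(Packet("198.51.100.9", 40002, WEB_SERVER, 443, "tcp")),             # no SYN, no state
    ]
    return verdicts, fw.log

if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```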