Management Information Security

profileAbhignya92
merkow_ppt_02f.ppt

Information Security
Principles and Practices, 2nd Edition

Dr. Cindi Nadelman

New England College

Chapter 2: Information Security Principles of Success

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Objectives

  • Build an awareness of 12 basic principles of information security
  • Distinguish among the three main security goals
  • Learn how to design and apply the principle of “Defense in Depth”
  • Comprehend human vulnerabilities are security systems

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Objectives (cont.)

  • Explain the difference between functional and assurance requirements
  • Comprehend the fallacy of security through obscurity
  • Comprehend the importance of risk analysis and risk management tools and techniques
  • Determine which side of open disclosure debate you would take

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Introduction

  • Best security specialists combine practical knowledge and technical skills with understanding of human nature
  • No two systems or situations are identical, and there are no cookbooks to consult on how to solve security problems

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Given enough time, tools, skills, and inclination, a hacker can break through any security measure
  • Security testing can buy additional time so the attackers are caught in the act

Principle 1:There Is No Such Thing as Absolute Security

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • All information security measures try to address at least one of the three goals:
  • Confidentiality
  • Integrity
  • Availability
  • The three security goals form the CIA triad

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Protect the confidentiality of data
  • Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
  • Preserve the integrity of data
  • Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes
  • Promote the availability of data for authorized use
  • Availability models keep data and resources available for authorized use during denial-of-service attacks, natural disasters, and equipment failures

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability (cont.)

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Defense in depth
  • Involves implemented security in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
  • The weaknesses of one security layer are offset by the strengths of two or more layers

Principles 3: Defense in Depth as Strategy

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
  • Many people are easily convinced to double-click the attachment or links inside emails

Subject: Here you have, ;o)

Message body: Hi: Check This!

Attachment: AnnaKournikova.jpg.vbs

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Functional requirements
  • Describe what a system should do
  • Assurance requirements
  • Describe how functional requirements should be implemented and tested

Does the system do the right things in the right way?

  • Verification: The process of confirming that one or more predetermined requirements or specifications are met
  • Validation: A determination of the correctness or quality of the mechanisms used in meeting the needs

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Many people believe that if hackers don’t know how software is secured, security is better
  • Although this seems logical, it’s actually untrue
  • Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all

Principle 6: Security Through Obscurity Is Not an Answer

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
  • Spending more on security than the cost of an asset is a waste of resources
  • Risk assessment and risk analysis are used to place an economic value on assets to best determine appropriate countermeasures that protect them from losses

Principle 7: Security = Risk Management

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Principle 7: Security = Risk Management cont.

  • Two factors to determine risk
  • What is the consequence of a loss?
  • What is the likelihood the loss will occur?
  • Consequences/likelihood matrix

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Likelihood Consequences
1. Insignificant 2. Minor 3. Moderate 4. Major 5. Catastrophic
A (almost certain) High High Extreme Extreme Extreme
B (likely) Moderate High High Extreme Extreme
C (moderate) Low Moderate High Extreme Extreme
D (unlikely) Low Low Moderate High Extreme
E (rare) Low Low Moderate High High

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Vulnerability
  • A known problem within a system or program
  • Exploit
  • A program or a “cookbook” on how to take advantage of a specific vulnerability
  • Attacker
  • The link between a vulnerability and an exploit

Principle 7: Security = Risk Management

cont.

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • The more complex a system gets, the harder it is to secure

Principle 9: Complexity Is the Enemy of Security

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Information security managers must justify all investments in security using techniques of the trade
  • When spending resources can be justified with good, solid business rationale, security requests are rarely denied

Principle 10: Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • People controls
  • Dual control and separation of duties
  • Process controls
  • Different people can perform the same operation the same way every time
  • Technology alone without people and process controls can fail
  • People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography

Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

  • Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security
  • The need to know trumps the need to keep secrets to give users the right to protect themselves

Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects.

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

Summary

  • Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security
  • These principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects.

*