Relationships Among Components of Systems Reliability
-Info security (base) is the foundation of systems reliability; it holds up Confidentiality, Privacy, Processing integrity, and Availability (4 columns), which maintain SYSTEMS RELIABILITY (roof).
Access to the system and its data is controlled/restricted to legitimate users
-Foundation of systems reliability
-Security is a mgmt issue, not an IT issue
Sensitive organizational info is protected from unauthorized disclosure
personal info about customers is used in compliance with internal policies and external regs
data is processed accurately, completely, in a timely manner, and only with proper authorization
system and its info are available to meet operational and contractual obligations
Trust Services Framework Essential Criteria (4)
1. Developing and documenting policies
2. Effectively communicating policies to all authorized users
3. Designing/employing appropriate control procedures to implement policies
4. Monitoring the system and taking corrective action to maintain compliance with policies.
Time-Based Model of Security
Any preventive (P) control can be circumvented, so detection (D) and correction (C) must be timely, because once the preventive controls are breached it takes little time to compromise the org's economic and info resources.
-P = time it takes an attacker to break through the org's preventive controls
-D = time it takes to detect an attack
-C = time to respond to the attack
-If P > (D + C), then the org's security procedures are effective. Otherwise, security is ineffective.
Employ multiple layers of ctrls in order to avoid having a single point of failure.
-Redundancy increases effectiveness
-Physical and information security controls - must have multiple layers
-Uses combo of firewalls, passwords, border routers, and other preventive procedures to restrict access
7 Types of Preventive Controls
1. Authentication ctrls
2. Authorization ctrls
4. Physical access ctrls
5. Remote access ctrls
6. Hardening procedures (firewall, antivirus software)
-Verifying identity of person/device attempting to access the system. Obj = ensure only legitimate users can access
-Passwords or PINs, Smart Cards/ID Badges, and Biometric Identifier (using body for identification)
-Problems: Invasive and can't change if someone steals it
-Restricts access of authenticated users to specific portions of the system and specifies what action they are permitted to perform
-Access Control Matrix - table specifying which portions of the system users are permitted to access and what actions they may perform. The compatibility test matches the user credentials against the matrix to see if they are allowed access
-Must update these for promotions, hiring, and firing.
All employees should be taught why the measures are important. Effectiveness of control procedures depends on training
-Must also show how to use safe computing practices
-Most important security measure
-Need to train IS pros as well for new developments - continuing ed
Physical Access Controls
-Begin with entry points to the bldg. There should be one regular unlocked entry point during office hours, with a receptionist to greet visitors
-Rooms inside the bldg may also be restricted. Multiple failed access attempts should trigger an alarm
-always lock laptops to an immovable object and only store sensitive data on external drives, not internal hard drive
-Must be cost-effective
connects an org's IS to the internet
Behind the border router
either a special-purpose hardware device or software running on a general-purpose computer
-act as a filter to control which info is allowed to enter and leave the system
Demilitarized Zone (DMZ)
separate network that permits controlled access from the internet to selected resources
Remote Access Control
firewall, border router, and IPS (intrusion prevention system)
-Process of transferring normal text (plaintext) into unreadable gibberish (ciphertext).
process that takes plaintext of any length and transforms it into a short code called hash
-Always produces a fixed, short-length hash no matter how long the original plaintext is. Encrypted output has the same length as the plaintext
-Encryption is reversible, while hashing is not
-Destroys data, which cannot be recovered.
An authorized attempt by either an internal audit team or an external security consulting firm to break into the org's IS.
set of instructions for taking advantage of a vulnerability
Code released by software developers that fixes a particular vulnerability
-Modifications to already complex software
Symantec Security Responses
-Turn off and remove unneeded services
-Disable/block access to services with threats
-always keep patch levels up-to-date
-enforce password policy - very complex
-block/remove email that contains file attachments. NEVER open .vbs, .bat, .exe, .scr and .pif
-isolate infected computers quickly
-train employees to not open attachments that are odd
Info provided to mgmt should be... (7)
-Efficient (relevant and timely)
-Confidential (sensitive info must be protected from unauthorized disclosure)
-have integrity (accurate, complete, and valid)
-availability (whenever needed)
-compliance (internal policies and external regs)
-reliability (appropriate info needed to conduct daily activities)
Basic Mgmt Activities (Domains) - 4
1. Plan and Organize.
2. Acquire and Implement.
3. Deliver and Support
4. Monitor and Evaluate.
-Mgmt needs to develop a set of security policies before implementing ctrl procedures.
-Once the org's IS resources have been identified, they need to be valued in order to select the most cost-effective control procedures
Preventive Controls Examples
-authentication (passwords, tokens, biometrics, MAC addresses)
-authorization (access ctrl matrixes and compatibility tests)
-training, physical and remote access controls,
-host and app hardening procedures - firewalls, antivirus, disabling of unnecessary features, user account mgmt
Detective Controls Examples
-log analysis, intrusion detection systems, managerial reports, security testing (vulnerability scanners, penetration tests, and war dialing)
Corrective Control Examples
-computer emergency response team
Social Engineering attacks
use deception to obtain unauthorized access to info resources
When data is transmitted over the internet in packets.
-Go from point A to B, doesn't matter method of transportation. Take message and split up the contents into packets.
-Very difficult to intercept and reassemble packets.
-Message is whole at only Points A & B
Stateful Packet Filtering
Examines header of each packet in isolation