COMPUTER & NETWORK SECURITY

Unit 1 Objectives
1. Recognize the growing importance of information security specialists to the information technology (IT) infrastructure. 2. Comprehend information security in the context of the mission of a business. 3. Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations.

Unit 1 Objectives cont

4. Distinguish between the three main security goals. 5. Learn how to design and apply the principle of "Defense in Depth." 6. Comprehend human vulnerabilities in security systems to better design solutions to counter them.

Unit 1 Objectives cont

7. Explain the difference between functional and assurance requirements. 8. Comprehend the fallacy of security through obscurity to avoid using it as a measure of security. 9. Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business. 10. Determine which side of the open disclosure debate you would take.

Unit 1 Objectives cont

11. Analyze the Certified Information Systems Security Professional (CISSP) certificate program as the gold standard in information technology (IT) security certification. 12. Define and describe the role of the International Information Systems Security Certifications Consortium. 13. Distinguish the contents of the 10 domains of the Common Body of Knowledge. 14. Distinguish the CISSP from other security certification programs in the industry.

What is Network Security

Network Security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.

What is Information Security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Discussion What would computing be like today if no standards had been adopted?
Why are standards so important to the computing Industry?

Importance of I.S. to the Business

To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists.

How is this acheived

To support business operations a number of common positions and career opportunities are needed.
Network Administrator Network Engineer Security Engineer Programmer and Application Tester Chief Security Officer

Importance of I.S. to the Business

Implement Security Practices Perform Risk Analysis

Configure Rights and Permission

Implement Access Controls and Changes

Secure Network Data

Importance cont
Recognize Attack Vectors Understand Life Cycles Conduct Security Audit and Testing Develop BCP, BIA and DRP

Comprehend Laws and Regulations

 An organizations security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge.

12 basic principles of information security.

Principle 1: There Is No Such Thing as Absolute Security Explains that no information system can ever be totally secure, but can be configured to minimize risks.

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

C.I.A.
Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. Integrity means that data cannot be modified undetectably For any information system to serve its purpose, the information must be available when it is needed.

Principle 3
Principle 3: Defense in Depth as Strategy Explains the importance of creating a layered defense around any information system.

Principle 3 cont
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.

Principle 4
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

Principle 4: Discussion
What are the need for security minded professionals in any organization where people use the information system.

Principle 5
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

Verify and Validate

Verification and validation of products, processes, and systems to ensure they function correctly.

Principle 6
Principle 6: Security Through Obscurity Is Not an Answer Dispels the myth that hiding details about security mechanisms enhances security.

Principle 6: Arguments
Arguments for: Security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.

Principle 6: Arguments
Arguments against: In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy.

Principle 7
Principle 7: Security = Risk Management Explains simple methods for evaluating the risk level of any information system.

Principle 8
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

Principle 8 cont
Prevention: Detection: Responsive:

Principle 9
Principle 9: Complexity Is the Enemy of Security Explains the need for simplicity in designing and maintaining an information system.

Principle 10
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security

Principle 10 - Discussion
Why is it better to taking a business-centric approach (as opposed to scare tactics) when convincing management to make security investment

Principle 11
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

Principle 11 - Discussions
What role does people, processes, and technology play in information security, and how they interact to enhance security.

Principle 12
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

Principle 12 Discussions How does open communications among IT professionals and users can improve security

Vendor Neutral Certifications

Certified Information Systems Auditor (CISA) and Certified Information Security Manager CISM) - To assure that information security manager has the required knowledge and ability to provide effective security management and consulting Global Information Assurance Certifications (GIAC) Intended primarily for practitioners or hands-on personnel such as system administrators and network engineers CompTIA Security+ Certification Tests the security knowledge mastery of an individual with two years onthe-job networking security experience

Vendor Neutral Certifications

(ISC)2 - Certified Information Systems Security Professional (CISSP) (ISC)2 - System Security Certified Practitioner (SSCP)

Vendor-Specific Certification Programs

Check Point Certified Security Principles Associate Cisco Security Certifications* INFOSEC Professional Microsoft Certified Information Technology Specialist RSA Certified Systems Engineer Sun Certified Security Administrator for the Solaris Operating System Symantec Technology Architect Tivoli Certified Consultant

CISSP
Provides Employers with the confidence Industry assurance First certification accredited by ANSI ISO/IEC Standard 17024:2003 Globally recognized

10 Domains CBK
Access Control Application Development Security Business Continuity and Disaster Recovery Planning Cryptography Information Security Governance and Risk Management Legal, Regulations, Investigations and Compliance Operations Security Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security

How to become a CISSP

1. Criteria
5 years experience or 4 years with a BSc.

2. Examination
Pass the CISSP examination with a scaled score of 700 points or greater

3. Endorsement
All candidate must be endorsed by a active CISSP in good standing

4. Audit
Candidates may be randomly selected for audit

Maintaining a CISSP
All CISSP must recertify every 3 years: This is primarily accomplished through continuing professional education [CPE], 120 credits of which are required every three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle. CISSPs must also pay an annual maintenance fee of $85 per year.