Data security introduction

DATA SECURITY

Upload: leo-mark-villar

Post on 17-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: Data security introduction

DATA SECURITY

Page 2:

INFORMATION SECURITY

• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
• Protecting data from attackers invading networks, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states

Page 3:

INFORMATION SECURITY

• In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do lose them, and establish levels of protection that are reasonable for their value.
• The cost of the security we put in place should never outstrip the value of what it is protecting.

Page 4:

WHEN ARE WE SECURE?

Even if our systems are properly patched, there will always be new attacks to which we are vulnerable.

Page 5:

WHEN ARE WE INSECURE?

• Not patching our systems
• Using weak passwords
• Downloading programs from the internet
• Opening email attachments from unknown senders
• Using wireless networks without encryption

Page 6:

• The good thing is that once we can point out the areas of the environment that make it insecure, we can take steps to mitigate those issues.
• This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again.
• Although we may never reach a state that we can definitively call "secure", we can take steps in the right direction.

Page 7:

MODELS FOR DISCUSSING SECURITY ISSUES

• The Confidentiality, Integrity and Availability (CIA) triad

[Diagram: Confidentiality, Integrity and Availability drawn as the three corners of a triangle]

Page 8:

CONFIDENTIALITY

• Refers to the ability to protect data from those who are not authorized to view it.
• Examples of breaches / compromised confidentiality:
  • Loss of a laptop containing data
  • A person looking over our shoulder while we type our password
  • An email attachment sent to the wrong person
  • An attacker penetrating our systems

Page 9:

INTEGRITY

• Refers to the ability to prevent data from being changed in an unauthorized or undesirable manner.
• Requires the means to prevent unauthorized changes to the data
• Also requires the means to reverse authorized changes that need to be undone
• Example: undo, rollback

Page 10:

AVAILABILITY

• Refers to the ability to access our data when we need it.
• Examples of loss of availability:
  • Power loss
  • Operating system or application problems
  • Network attacks
  • Compromise of a system
  • Denial of service attack


Page 12:

THE PARKERIAN HEXAD

• Named after Donn Parker
• The three attributes of the CIA triad plus three more: Confidentiality, Integrity, Availability, Possession or Control, Authenticity, Utility

Page 13:

CONFIDENTIALITY

• Refers to the ability to protect data from those who are not authorized to view it (as in the CIA triad above).


Page 14:

INTEGRITY

• In the hexad, integrity refers to the state of the data itself, in the sense of completeness: the data is whole and has not been altered.

Page 15:

AVAILABILITY

• Refers to the ability to access our data when we need it (as in the CIA triad above).


Page 16:

POSSESSION OR CONTROL

• Refers to the physical disposition of the media on which the data is stored.
• Distinct from confidentiality: if a laptop with an encrypted disk is stolen, we have lost possession of the data even though its confidentiality has not been breached.

Page 17:

AUTHENTICITY

• Proper attribution as to the owner or creator of the data in question.

Page 18:

UTILITY

• Refers to how useful the data is to us.
• Data we still possess but can no longer use (for example, an encrypted file whose key has been lost) has lost its utility.

Page 19:

ATTACKS

• What makes up an attack?
  • The type of attack it represents
  • The risk the attack represents
  • The controls to use when mitigating the attack

Page 20:

TYPES OF ATTACKS

Each attack type mapped to the CIA attribute it affects:

  Confidentiality: Interception
  Integrity: Interruption, Modification, Fabrication
  Availability: Interruption, Modification, Fabrication

Page 21:

INTERCEPTION

• Attacks that allow unauthorized users to access data, applications or environments.
• Examples:
  • Unauthorized file viewing or copying
  • Eavesdropping on phone conversations
  • Reading emails that are not yours

Page 22:

INTERRUPTION

• Attacks that cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis.
• Example: Denial of Service attack

Page 23:

MODIFICATION

• Attacks that involve tampering with our assets.

Page 24:

FABRICATION

• Attacks that involve generating forged data, processes, communications, or other similar activity within a system.
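The integrity slide (Page 9) and the modification and fabrication attack types above can be tried out in code. The following is an added example, not part of the original slides: a receiver checks each message with a keyed tag (HMAC-SHA256), and we replay a genuine message, a modified one, and a fabricated one against it. The key, the messages and the "attacker-guess" key are all constructed for the demo. The last case shows why a plain, unkeyed hash is not enough against a deliberate attacker: the attacker simply recomputes it over the forged message.

```python
import hashlib
import hmac

# Constructed shared secret for the demo (not from the slides). A real deployment
# would generate it with secrets.token_bytes(32) and share it out of band.
KEY = bytes.fromhex("0f" * 32)


def tag_message(key: bytes, msg: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): only a holder of `key` can produce a valid tag for `msg`."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_message(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so timing does not leak
    how many bytes of a guessed tag were correct."""
    return hmac.compare_digest(tag_message(key, msg), tag)


def unkeyed_digest(msg: bytes) -> bytes:
    """A plain hash. Anyone can recompute it, so it only catches accidental
    corruption; it is not an authenticity control against an attacker."""
    return hashlib.sha256(msg).digest()


def verify_unkeyed(msg: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(unkeyed_digest(msg), digest)


def demo() -> dict:
    """Run the genuine, modified and fabricated cases against both checks."""
    original = b"transfer 100 to acct 4471"   # constructed sample message
    tag = tag_message(KEY, original)
    results = {"genuine_accepted": verify_message(KEY, original, tag)}

    # Modification: the attacker changes the amount in transit but cannot
    # produce a matching tag without the key, so the receiver rejects it.
    modified = original.replace(b"100", b"900")
    results["modification_detected"] = not verify_message(KEY, modified, tag)

    # Fabrication: the attacker invents a whole message and tags it with a
    # guessed key. The receiver's check with the real key fails.
    forged = b"transfer 5000 to acct 1337"
    forged_tag = tag_message(b"attacker-guess", forged)
    results["fabrication_rejected"] = not verify_message(KEY, forged, forged_tag)

    # The same fabrication against the unkeyed hash: the attacker recomputes
    # the digest over the forged message and the check passes.
    results["unkeyed_hash_fooled"] = verify_unkeyed(forged, unkeyed_digest(forged))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The tag covers integrity (modification) and authenticity (fabrication) but not confidentiality: the message still travels in the clear, so interception needs encryption on top of it.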

Page 25:

THREATS

• Things that have the potential to cause harm to our assets
• Identifying a threat means identifying the possibility of something happening that can cause a security breach or network outage
• Examples:
  • Natural threats
  • Intentional threats

Page 26:

VULNERABILITIES

• Weaknesses that can be used to harm the asset
• Holes that can be exploited by threats to cause harm
• Examples:
  • Poor coding in installed software
  • OS vulnerabilities
  • Problems in the hardware or physical structure of the machines

Page 27:

RISK

• The likelihood that something bad will happen
• The best strategy is to spend our time mitigating the most likely attacks.

Page 28:

RISK MANAGEMENT

• Evaluating threats against the cost of protecting against them

Page 29:

IMPACT

• The harm an attack can cause, taking into account the value of the asset being threatened.
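Pages 3 and 27 to 29 together give a decision rule: rank risks by likelihood and impact, and never spend more on a control than the asset is worth or than the loss it prevents. The following added example (not from the slides) carries that through as code, using the standard expected-loss arithmetic (loss per incident times incidents per year). The three scenarios and all their numbers are constructed for illustration; the field names are mine.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float          # cost of replacing the asset (Page 3)
    exposure: float             # fraction of the asset's value lost per incident, 0..1
    likelihood: float           # expected incidents per year without the control
    control_cost: float         # yearly cost of the proposed control
    residual_likelihood: float  # expected incidents per year with the control in place


def single_loss(s: Scenario) -> float:
    """Impact of one incident: asset value times the fraction that is lost."""
    return s.asset_value * s.exposure


def annual_loss(s: Scenario, likelihood: float) -> float:
    """Risk as expected yearly loss: impact times likelihood."""
    return single_loss(s) * likelihood


def control_is_worth_it(s: Scenario) -> bool:
    """Deploy the control only if the loss it prevents exceeds what it costs,
    and it never costs more than the asset it protects (the Page 3 rule)."""
    prevented = annual_loss(s, s.likelihood) - annual_loss(s, s.residual_likelihood)
    return prevented > s.control_cost and s.control_cost < s.asset_value


def rank_by_risk(scenarios):
    """Largest expected loss first, so mitigation effort goes there (Page 27)."""
    return sorted(scenarios, key=lambda s: annual_loss(s, s.likelihood), reverse=True)


# Constructed scenarios; every figure is invented for the demo.
SCENARIOS = [
    Scenario("laptop theft, disk unencrypted", 50_000, 1.0, 0.2, 500, 0.02),
    Scenario("web server defacement", 20_000, 0.25, 1.0, 8_000, 0.2),
    Scenario("office fire", 300_000, 0.5, 0.01, 1_000, 0.002),
]


def demo():
    """Return (name, expected yearly loss, deploy the control?) in priority order."""
    return [
        (s.name, annual_loss(s, s.likelihood), control_is_worth_it(s))
        for s in rank_by_risk(SCENARIOS)
    ]


if __name__ == "__main__":
    for name, loss, deploy in demo():
        print(f"{name:32s} expected loss/yr {loss:9.0f}  deploy control: {deploy}")
```

Note the web server case: it is the second-largest risk, yet the proposed control is rejected because it costs more per year than the loss it would prevent. A cheaper control for the same risk would change that answer, which is exactly the trade-off risk management is meant to surface.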

Page 30:

CONTROL

• Measures put in place to help ensure that a given threat is accounted for.
• Categories:
  • Physical
  • Logical
  • Administrative

Page 31:

PHYSICAL CONTROL

• Controls that protect the physical environment in which the system sits or where the data is stored
• Examples: fences, gates, locks, guards, cameras, air conditioning systems, backup power generators

Page 32:

LOGICAL CONTROL

• Also called technical controls
• Controls that protect the systems, networks, and environments that process, transmit, and store data
• Examples: passwords, encryption, logical access controls, firewalls
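Passwords are the first logical control listed, and the weak setting for them is storing an unsalted, fast hash (or worse, the plaintext). The following added example (not from the slides) puts the weak setting beside the corrected one: a per-user random salt and an iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library), with a constant-time comparison on verify. The iteration count, record format and sample passwords are my choices for the demo, not values from the slides.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor. Tune it so one derivation costs tens of milliseconds on your own
# hardware; 100k is a demo value, not a recommendation.
ITERATIONS = 100_000


def weak_store(password: str) -> str:
    """The weak setting: a single unsalted fast hash. Identical passwords give
    identical records, and a precomputed table cracks the whole database at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened: random 16-byte salt per user plus a slow, iterated derivation.
    The record carries algorithm, iterations and salt so it can be verified later
    and the work factor can be raised over time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Two users who happen to pick the same (constructed) password.
    alice = store_password("correct horse")
    bob = store_password("correct horse")
    return {
        "weak_records_collide": weak_store("correct horse") == weak_store("correct horse"),
        "salted_records_differ": alice != bob,
        "right_password_accepted": verify_password("correct horse", alice),
        "wrong_password_rejected": not verify_password("correct horsE", alice),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The "Password Hashing" item at the host layer of the defense-in-depth slide is this same control; it limits the damage when the data layer (the credential store) is breached, which is the point of layering.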

Page 33:

ADMINISTRATIVE CONTROL

• Controls based on rules, policies, laws, procedures, guidelines, and other items that are "paper" in nature.
• Set out the rules for how users in the environment are expected to behave.
• These controls must actually be enforced; a policy nobody enforces gives no compliance.
• Examples:
  • Changing passwords every 90 days
  • Differing levels of authority

Page 34:

DEFENSE IN DEPTH

• A strategy that builds a multi-layered defense, so that we can still mount a successful defense should one or more defensive measures fail.

[Diagram: concentric layers, from the outside in: external network, network perimeter, internal network, host, application, data]

Page 35:

DEFENSE IN DEPTH

EXTERNAL NETWORK
• DMZ
• VPN
• Logging
• Auditing
• Penetration testing
• Vulnerability analysis

NETWORK PERIMETER
• Firewalls
• Proxy
• Logging
• Stateful packet inspection
• Auditing
• Penetration testing
• Vulnerability analysis

INTERNAL NETWORK
• IDS
• IPS
• Logging
• Auditing
• Penetration testing
• Vulnerability analysis

HOST
• Authentication
• Antivirus
• IDS
• IPS
• Password hashing
• Logging
• Auditing
• Penetration testing
• Vulnerability analysis

APPLICATION
• SSO
• Content filtering
• Data validation
• Auditing
• Penetration testing
• Vulnerability analysis

DATA
• Encryption
• Access controls
• Backup
• Penetration testing
• Vulnerability analysis
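Logging and IDS appear at almost every layer above, and the simplest host-level intrusion detection is a rule run over the authentication log. The following added example (not from the slides) parses sshd-style log lines and raises an alert when one source address produces a burst of failed logins, which is the password-guessing attack the "weak passwords" slide warns about. The log lines are constructed for the demo, and the threshold of five failures within one minute is a tuning choice of mine, not a value from the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style lines; not captured from a real host.
SAMPLE_LOG = """\
Jan 17 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51012 ssh2
Jan 17 10:00:03 host1 sshd[2203]: Failed password for root from 203.0.113.9 port 51014 ssh2
Jan 17 10:00:04 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 51016 ssh2
Jan 17 10:00:06 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51018 ssh2
Jan 17 10:00:09 host1 sshd[2209]: Failed password for root from 203.0.113.9 port 51020 ssh2
Jan 17 10:00:10 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.20 port 40022 ssh2
Jan 17 10:05:00 host1 sshd[2213]: Failed password for bob from 192.0.2.20 port 40024 ssh2
Jan 17 10:30:00 host1 sshd[2215]: Failed password for bob from 192.0.2.20 port 40026 ssh2
"""

# Syslog has no year, so the parser takes one as a parameter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line: str, year: int = 2017):
    """Return (timestamp, outcome, user, source_ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Alert on any source IP with at least `threshold` failed logins inside a
    sliding `window`. Successful logins and unparseable lines are ignored."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "Failed":
            continue
        ts, _, _, src = rec
        recent = failures[src]
        recent.append(ts)
        # Forget failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold and src not in alerts:
            alerts.append(src)
    return alerts


if __name__ == "__main__":
    for src in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: password guessing from {src}")
```

In the sample, 203.0.113.9 trips the rule with five failures in eight seconds, while 192.0.2.20's two failures twenty-five minutes apart do not. Raising the threshold or shrinking the window trades missed attacks for fewer false alarms; the right setting depends on how the hosts are normally used, which is why the slide pairs IDS with auditing.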