Week - 1 MIS5214 – Security Architecture
Posted 22-Aug-2020 (57 slides)

TRANSCRIPT

Page 1: Week - 2 - Temple MIS… · Course Web Site 4. Syllabus 5. Textbook and Readings, Course Pack 6. Grading 7. ... supervising the construction of business systems, usually business

Week - 1 MIS5214 – Security Architecture


Agenda

1. Welcome and Introductions
2. Course Goals
3. Course Web Site
4. Syllabus
5. Textbook and Readings, Course Pack
6. Grading
7. Weekly Cycle
8. Semester Schedule
9. Security Architecture and Enterprise Architecture
10. Next Week…


Course Goals – Security Architecture

Learn about how organizations

• Align their IT security capabilities with their business goals and strategy
• Plan, design and develop enterprise security architecture
• Assess IT system security architectures and capabilities

Objectives

1. Learn key Enterprise Security Architecture concepts
2. Develop an understanding of the contextual, conceptual, logical, physical and component levels of security architectures and how they relate to one another
3. Learn how security architectures are planned, designed and documented
4. Gain an overview of how security architectures are evaluated and assessed
5. Gain experience working as part of a team, developing and delivering a professional presentation


Course Web Site

Section 001: http://community.mis.temple.edu/mis5214sec001sp2018/

Section 701: http://community.mis.temple.edu/mis5214sp2018online/


Instructor


Syllabus

http://community.mis.temple.edu/mis5214sp2018online/files/2018/01/MIS5214_Syllabus_Fall2018_Final_701-2.pdf

http://community.mis.temple.edu/mis5214sec001sp2018/files/2018/01/MIS5214_Syllabus_Fall2018_Final_001.pdf


Textbook and Readings


Harvard Business Publishing Course Pack

• Readings
• Case Studies


Class Schedule


Assignments


Grading


Assignments

1. One Key Point Taken from Each Assigned Reading

Post one or two sentences of thoughtful analysis about one key point you took from each assigned reading by midnight Sunday the week they are due

2. One Question You Would Ask Your Fellow Students to Facilitate Discussion

3. Problem Solving Assignments


Participation

1. Comment on your classmates’ discussion questions and/or key points they wrote about taking away from the readings

Contribute at least three (3) substantive posts that include your thoughtful answers to their discussion questions and/or comments on the key points made by your classmates about the readings. Your posting of your three comments is due Tuesday by noon.

2. Post an “In the News” article (link and brief summary)

Be prepared to discuss in class an article you found about a current event in the Information Security arena. An ideal article would be tied thematically to the topic of the week. However, any article you find interesting and would like to share is welcome. The deadline for posting is Tuesday by noon.


Case Studies

Case study analysis

1. Individual preparation

2. Group discussion

3. Class discussion


Team Projects

By class 4, students will be organized into teams that work together on case studies and on the Team Project

Each team will be responsible for researching, developing and presenting a system security plan (SSP) for a cloud based enterprise information system

SSP will include technical specifications and diagrams illustrating the security architecture of an information system

Teams will develop and deliver a 15-minute presentation on the system’s security architecture, followed by questioning by the other project teams


Exams


Grading


Weekly Cycle


Security Architecture

A comprehensive and rigorous method to plan, design and describe current and desired future structure and behavior of an organization's:

• Business sub-units

• Processes and Personnel

• Information security systems

…so they align with the organization's core goals and strategic direction

Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture


Security Goals - Terminology

“Information security” is protection of…

• Confidentiality, integrity, and availability (“CIA”) of data and information
• Data, information and information systems from unauthorized…
  • Access, use, disclosure = Confidentiality
  • Modification = Integrity
  • Disruption or destruction = Availability


Security Goals

• Confidentiality

Confidentiality means that people who are not authorized cannot read sensitive information, either while it is on a computer or while it is traveling across a network


Security Goals

• Integrity

Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network

Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data
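The fallback the slide describes, that the receiver can at least detect a change, is exactly what a message authentication code provides. The Python below is an added example for this page, not code from the lecture or from the Sherwood text; the key, the transfer message and the attacker's edit are constructed for the illustration. It contrasts an unkeyed SHA-256 checksum, which an attacker who can rewrite the data on the wire can simply recompute, with an HMAC over the same data, whose tag cannot be recomputed without the shared key.

```python
"""Integrity detection with a keyed MAC versus an unkeyed hash.

Added example (not from the lecture). The key, message and the
attacker's modification are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def send_with_hash(message: bytes):
    """Unkeyed checksum: anyone who can change the data can recompute it."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def send_with_hmac(key: bytes, message: bytes):
    """Keyed MAC: producing a valid tag requires the shared secret key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # constant-time comparison so a forger learns nothing from timing
    return hmac.compare_digest(expected, tag)


def tamper(message: bytes) -> bytes:
    """Attacker on the network path changes the payee of a transfer."""
    return message.replace(b"payee=alice", b"payee=mallory")


def demo():
    """Return (hash_detected, hmac_detected) for the same tampering."""
    key = secrets.token_bytes(32)  # agreed in advance by sender and receiver
    original = b"transfer: amount=100 payee=alice"

    # 1. Plain hash: the attacker rewrites message and checksum together,
    #    so the receiver's check passes and the change goes unnoticed.
    msg, _digest = send_with_hash(original)
    forged = tamper(msg)
    forged_digest = hashlib.sha256(forged).hexdigest()
    hash_detected = not verify_hash(forged, forged_digest)

    # 2. HMAC: the attacker can change the message but, lacking the key,
    #    cannot produce a tag that matches it, so verification fails.
    msg, tag = send_with_hmac(key, original)
    forged = tamper(msg)
    hmac_detected = not verify_hmac(key, forged, tag)

    return hash_detected, hmac_detected


if __name__ == "__main__":
    print("plain hash detected tampering:", demo()[0])
    print("HMAC detected tampering:      ", demo()[1])
```

Two caveats worth keeping in mind. A MAC detects modification of a message the receiver actually gets; it does not by itself detect that a message was deleted or that an old, validly tagged message was replayed, so protocols add sequence numbers or timestamps for those cases, and the slide's "restore destroyed data" is a backup and redundancy matter rather than a cryptographic one. And the key has to reach the receiver over a path the attacker cannot read, which is the confidentiality problem of the previous slide.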


Security Goals

• Availability

Availability means that people who are authorized to use information are not prevented from doing so


Compromises

• Successful attacks
• Also called incidents
• Also called breaches (not breeches)


Countermeasures

• Tools used to thwart attacks
• Also called safeguards, protections, and controls
• Types of countermeasures
  • Preventative
  • Detective
  • Corrective


Back to “Security Architecture”

“…the art and science of designing and supervising the construction of business systems, usually business information systems, which are:

• Free from danger, damage, etc.
• Free from fear, care, etc.
• In safe custody
• Not likely to fail
• Able to be relied upon
• Safe from attack”

Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach


Security Architecture

Thinking about security architecture enables understanding enterprise information systems the way attackers do – as large, diverse attack surfaces

https://graquantum.com/blog/cyber-basics-cyber-attack-surface/


Enterprise Information and Security Architecture

Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19

Huxham, H. (2006) “Own view of Enterprise Information Security Architecture (EISA) Framework”

Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach


Information Systems - definitions

An enterprise information system is an information system that enables an organization to integrate and improve its business functions

Information systems are software and hardware systems that support data-intensive applications

Programs = Algorithms + Data Structures

An algorithm in a software program is a step-by-step procedure for solving a problem or accomplishing some end, especially by a computer

A data structure in a software program is a particular way of organizing data in a computer so that it can be manipulated by an algorithm

Software is the set of programs used to direct the operation of a computer

Hardware is the tangible physical parts of a computer system and IT network

Firmware is software embedded in a piece of hardware


What is meant by the term “abstraction”?

• A fundamental human capability that enables us to deal with complexity
• Its purpose is to limit the universe so we can do things
• Selective examination of certain aspects of a problem
• Its goal is the purposeful isolation of important aspects and suppression of unimportant aspects (i.e. omitting details)
• Purpose determines what is and what is not important
• All abstractions are incomplete and inaccurate – but this is their power and does not limit their usefulness
• Many different abstractions of the same thing are possible
• Depending on the purpose for which they are made – the problem-solving context explains the source of their intent


What is a conceptual model?

• Abstractions of things for the purpose of understanding them
• Enable dealing with systems that are too complex to understand directly
• Omit nonessential details, making them easier to manipulate than the original entities
• The human mind can cope with only a limited amount of information at one time
• Models reduce complexity by separating out a small number of important things to deal with at a time
• Aid understanding of complex systems by enabling visualization and communication of different aspects expressed as individual models (“views”) using precise notations
• Communicate an understanding of the content, organization and function of a system
• Useful for verifying that the system meets requirements
• To be relied on, models must be validated by comparison to the implemented system to assure they accurately represent and document the implemented system
• Serve several purposes
  • Testing a physical entity before building it
  • Communicating a shared understanding of the system with stakeholders, users, developers, information system auditors and testers


Models of Information Systems

Content & Structure

Function & Use



Examples of models of IT Design and Development…

Database design

Information System Development


Models Help Understand Enterprise Information Systems and their Security

The Open Group Architecture Framework (TOGAF) Version 9.1

https://www.opengroup.org/architecture/togaf91/downloads.htm

Sherwood Applied Business Security Architecture

http://www.sabsa.org/white_paper

Horatio Huxham’s BITS

https://en.wikipedia.org/wiki/Enterprise_information_security_architecture

Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19

Consists of:
• Business Architecture
• Information Architecture
• Security Architecture


Business Architecture


Information Architecture

The Open Group Architecture Framework (TOGAF) Version 9.1

Application Architecture

Data Architecture


Information Architecture – Models of Information Flows

“Enterprise applications automate processes that span multiple business functions and organizational levels and may extend outside the organization”

Laudon, K.C. and Traver, C.G. (2011), Management Information Systems, Prentice Hall



Enterprise Information System Architecture

Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19

Consists of:
• Business Architecture
• Information Architecture
• Security Architecture


Defense in Depth

• Also known as:
  • Layered Security
  • Castle Approach to Security


Defense in Depth

Why is it needed?


Threat landscape

5/20/2015

Anatomy of an Attack

1. Attacker sends spear-phishing e-mail
2. Victim opens attachment
   • Custom malware is installed
3. Custom malware communicates to its command-and-control web site
   • Pulls down additional malware
4. Attacker establishes multiple backdoors
5. Attacker accesses system
   • Dumps account names and passwords from domain controller
6. Attacker cracks passwords
   • Has legitimate user accounts to continue attack undetected
7. Attacker reconnaissance
   • Identifies and gathers data
8. Data collected on staging server
9. Data exfiltrated
10. Attacker covers tracks
   • Deletes files
   • Can return any time

(MANDIANT, 2015)

Advanced persistent threats (APT) usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent)

(Holcomb & Stapf, 2014)
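Step 3 of the chain above, the implanted malware checking in with its control site, is where a detective control in a layered design gets its first chance, and the months-long dwell time quoted from Holcomb & Stapf is what such a control is meant to shorten. The Python below is an added example for this page, not code from the lecture, from Mandiant or from Holcomb & Stapf; the proxy-log format, the IP addresses, host names and timings, and the thresholds are all constructed for the illustration. It scores each (source, destination) pair by how regular the gaps between its connections are, since scheduled check-ins produce near-constant intervals while human browsing does not.

```python
"""Beacon detection over constructed web-proxy log lines.

Added example (not from the lecture). Log layout, addresses, host names,
timings and thresholds are assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip dst_host bytes". Host 10.1.2.34
# contacts the same site every ~5 minutes (a beacon); 10.1.2.99 browses at
# irregular intervals. One line is out of order and one is malformed on
# purpose, because real logs are neither sorted nor clean.
SAMPLE_LOG = """\
2015-05-20T09:00:02 10.1.2.34 update-cdn.example.net 812
2015-05-20T09:00:41 10.1.2.99 news.example.org 48211
2015-05-20T09:05:03 10.1.2.34 update-cdn.example.net 815
2015-05-20T09:07:15 10.1.2.99 news.example.org 30410
2015-05-20T09:10:01 10.1.2.34 update-cdn.example.net 811
2015-05-20T09:12:50 10.1.2.99 mail.example.org 10233
2015-05-20T09:15:04 10.1.2.34 update-cdn.example.net 814
2015-05-20T09:31:09 10.1.2.99 news.example.org 45112
2015-05-20T09:20:02 10.1.2.34 update-cdn.example.net 813
2015-05-20T09:25:03 10.1.2.34 update-cdn.example.net 812
2015-05-20T09:26:10 10.1.2.99 mail.example.org 9880
2015-05-20T09:33:00 10.1.2.99 corrupted
2015-05-20T09:30:01 10.1.2.34 update-cdn.example.net 816
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose connection intervals are
    suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps between consecutive connections. A pair needs at least
    min_hits connections before it is judged, so a single coincidence
    cannot trigger an alert.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in parse_log(text):
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log order is not guaranteed
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = {"count": len(stamps),
                          "mean_gap_s": round(avg, 1),
                          "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

This is a signal, not a verdict: real implants add jitter to their sleep interval, so the `max_cv` threshold has to be tuned against the environment's own traffic, and both legitimate software updaters and malware hosted on legitimate services will show up, which is why the result feeds an analyst or a second-stage control rather than an automatic block.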


Information System Security Architecture Model of What is Needed

Sherwood Applied Business Security Architecture (SABSA)


Viewpoints

• Contextual – Business requirements
• Conceptual – Fundamental concepts that guide the way the business requirements will be met
• Logical – The major security elements, flow of control and relationships among these security elements to protect the information systems
• Physical – Detailed design of the security system components and mechanisms
• Component – The specific security products, tools and standards used to build the physical design
• Service Management – Operations and management of the security system


Readings listed under SCHEDULE

Section 001: http://community.mis.temple.edu/mis5214sec001sp2018/

Section 701: http://community.mis.temple.edu/mis5214sp2018online/


Readings listed under SCHEDULE

Section 001: http://community.mis.temple.edu/mis5214sec001sp2018/welcome-to-security-architecture/

Section 701: http://community.mis.temple.edu/mis5214sp2018online/welcome-to-security-architecture/


Readings for next week…


Organization of textbook


Orientation of textbook


What is NIST?

• Non-regulatory agency of the United States Department of Commerce

• Measurement standards laboratory

Mission: Promote innovation and industrial competitiveness

NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets (excluding national security systems)


Agenda

1. Welcome and Introductions
2. Course Goals
3. Course Web Site
4. Syllabus
5. Textbook and Readings, Course Pack
6. Grading
7. Weekly Cycle
8. Semester Schedule
9. Security Architecture and Enterprise Architecture
10. Next Week…


Questions?


Week - 2 MIS5214 – Security Architecture