Information System Security. Nguyen Ho Minh Duc, M.Sc

Similar documents
A (sample) computerized system for publishing the daily currency exchange rates

Chapter 4. Network Security. Part I

Industrial Control System Security white paper

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Wireless LAN Security (RM12/2002)

Cyber Criminal Methods & Prevention Techniques. By

SECURITY PRACTICES OVERVIEW

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Checklist: Credit Union Information Security and Privacy Policies

Security Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

The Honest Advantage

Locking down a Hitachi ID Suite server

Lab #3 Defining the Scope and Structure for an IT

4 Information Security

How can I use ISA/IEC (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Wireless Attacks and Countermeasures

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

Lab #3 Defining an Information Systems Security Policy Framework for an IT Infrastructure

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

2. INTRUDER DETECTION SYSTEMS

Annual Report on the Status of the Information Security Program

Chapter 11: Networks

K12 Cybersecurity Roadmap

Network Security Assessment

Cyber security tips and self-assessment for business

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

Chapter 11: It s a Network. Introduction to Networking

PrecisionAccess Trusted Access Control

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

CompTIA Network+ Study Guide Table of Contents

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

IoT & SCADA Cyber Security Services

Securing Access to Network Devices

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Automating the Top 20 CIS Critical Security Controls

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Xceedium Xio Framework: Securing Remote Out-of-band Access

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Pass Microsoft Exam

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

VIVOTEK. Security Hardening Guide

MEETING ISO STANDARDS

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Effective Strategies for Managing Cybersecurity Risks

Writer Corporation. Data Protection Policy

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

CYBERSECURITY RISK LOWERING CHECKLIST

A network is two or more computers, or other electronic devices, connected together so that they can exchange data.

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Bank Infrastructure - Video - 1

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Secure Network Design Document

Education Network Security

IS Today: Managing in a Digital World 9/17/12

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Identify the features of network and client operating systems (Windows, NetWare, Linux, Mac OS)

ClearPath OS 2200 System LAN Security Overview. White paper

Area Covered is small Area covered is large. Data transfer rate is high Data transfer rate is low

Perspectives on Threat

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Best Practices With IP Security.

Information Security Management Criteria for Our Business Partners

PCI DSS Compliance. White Paper Parallels Remote Application Server

Network Security and Cryptography. 2 September Marking Scheme

Security Assessment Checklist

Chapter 24 Wireless Network Security

Identity-Based Cyber Defense. March 2017

7.16 INFORMATION TECHNOLOGY SECURITY

CTS2134 Introduction to Networking. Module 08: Network Security

Information Technology General Control Review

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

NEN The Education Network

Define information security Define security as process, not point product.

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Information Technology Cyber Security Policy. Convergint Technologies, LLC

Chapter Topics Part 1. Network Definitions. Behind the Scenes: Networking and Security

CCNA R&S: Introduction to Networks. Chapter 11: It s a Network

Intelligent and Secure Network

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

epldt Web Builder Security March 2017

Transcription:

Information System Security Nguyen Ho Minh Duc, M.Sc

Contact 2 Nguyen Ho Minh Duc Phone: 0935 662211 E-mail: duc.nhm@gmail.com Web:http://nhmduc.wordpress.com

3 Lecture 01 INTRODUCTION

Topics 4 What information system security is What the tenets of information systems security are What the seven domains of an IT infrastructure are What the weakest link in an IT infrastructure is How an IT security policy framework can reduce risks How a data classification standard affects an IT infrastructure's security needs

Goals Relate how availability, integrity and confidentiality requirements affect the seven domains of a typical IT infrastructure Descibe the threats and vulnerabilities commonly found within the seven domains Identify a layered security approach throughout the seven domains Develop an IT security policy framework to help reduce risk 5

What is Enterprise Security Basics of communication One to one One to many Many to one Many to many WWW Cyberspace 6

7

Why Enterprise Security 8 Because you can t wait for thing to go bad because when they do, they go bad in a BIG way

The Web Connects Wed sites, Web pages, digital content Cyberspace is the collection of Web Users Networks Applications that can communicate ecommerce 9

Cyber security Cyberspace are not automatically secure The heart of problem is the lack of security in TCP/IP communications protocol Protocol? IT is in great need of proper security controls 10

Definitions Risks probability that something bad could happen to an asset Threat actions that poses potential damage or data compromise Virus software designed to cause damage to system, application or data Malware (malicious code) code that causes specific action Vulnerability - Any weakness that allow a threat to occur (or be realized) 11

Defining Information Systems Security An information system consists of the hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations. Information systems security is the collection of activities that protect the information system and the data stored in it 12

Three tenets of Information Systems Security 13

Three tenets of Information Systems Security Availability Information must be available to authorized users when available Uptime, downtime, availability, mean time to failure, mean time to repair,... Integrity Only authorized users can access and change information Confidentiality Only authorized users can see sensitive information 14

Three tenets of Information Systems Security 15 Data integrity

Seven Domains of a Typical IT Infrastructure 16

Seven Domains of a Typical IT Infrastructure User Domain - defines the people who access an organization s information system Workstation Domain - is where most users connect to the IT infrastructure. It can be a desktop computer, or any device that connects to your network. LAN Domain - is a collection of computers connected to one another or to a common connection medium. Network connection mediums can include wires, fiber optic cables, or radio waves. 17

18 LAN to WAN Domain - is where the IT infrastructure links to a wide area network and the Internet. WAN Domain - connects remote locations. WAN services can include dedicated Internet access and managed services for customer s routers and firewalls. Remote Access Domain - connect remote users to the organization s IT infrastructure. The scope of this domain is limited to remote access via the Internet and IP communications.

19 System Application Domain - holds all the mission-critical systems, applications, and data.

Seven Domains of a Typical IT Infrastructure For each domain Roles and tasks Responsibilities Accountability 20

Common Threats in the User Domain Lack of user awareness User apathy toward policies User violating security policy User inserting CD/DVD/USB with personal files User access to media with questionable lineage (inserting, copying) 21

Common Threats in the User Domain User downloading photos, music, or videos User destructing systems, applications, and data Disgruntled employee attacking organization or committing sabotage Employee blackmail or extortion 22

Common Threats in the Workstation Domain Unauthorized workstation access Unauthorized access to systems, applications, and data Desktop or laptop operating system vulnerabilities Desktop or laptop application software vulnerabilities or patches 23

Common Threats in the Workstation Domain Viruses, malicious code, and other malware User inserting CD/DVD/USB into organization computer User downloading photos, music, or videos via Internet 24

Common Threats in the LAN Domain Unauthorized physical access to LAN Unauthorized access to systems, applications, and data LAN server operating system vulnerabilities LAN server application software vulnerabilities and software patch updates 25

Common Threats in the LAN Domain Rogue users on WLANs Confidentiality of data on WLANs LAN servers have different hardware, OS and softwares, making it difficult to manage and troubleshoot 26

Common Threats in the LAN to WAN Domain Unauthorized probing and port scanning Unauthorized access Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability IP router, firewall, and network appliance configuration file errors or weakness Remote users can access the organization's infrastructure and download sensitive data Local users downloading unknown file types from unknown sources (surfing) WAN Accessing malicious web sites 27

Common threats in WAN domain Open, public, easily accessible to anyone that wants to connect Most Internet traffc is sent in cleartext. Vulnerable to eavesdropping Vulnerable to malicious attacks Vulnerable to denial of service (DoS), distributed denial of service (DDoS), TCP SYN fooding, and IP spoofng attacks Vulnerable to corruption of information and data TCP/IP applications are inherently insecure (HTTP, FTP, TFTP, etc.). 28

Threats in Remote Access Domain Brute-force user ID and password attacks Multiple logon retries and access control attacks Unauthorized remote access to IT systems, applications, and data Private data or confdential data is compromised remotely. Data leakage in violation of existing data classifcation standards Mobile worker laptop is stolen Mobile worker token or other authentication are stolen 29

Threats in System/Application Domain Unauthorized access to data centers, computer rooms, and wiring closets Servers must sometimes be shutdown to perform maintenance. Cloud computing virtual environments are by default not secure. Client-server and Web applications are susceptible to attack. Unauthorized accessed to systems. Private data is compromised. 30

Threats in System/Application Domain Data is corrupted or lost. Backed-up data may be lost as backup media is reused. Recovering critical business functions may take too long to be useful. IT systems may be down for an extended period after a disaster. 31

IT Security Policy Framework An IT security policy framework contains four main components: Policy Standard Procedures Guidelines 32

IT Security Policy Framework Policy A policy is a short written statement that the people in charge of an organization have set as a course of action or direction. A policy comes from upper management and applies to the entire organization. Standard A standard is a detailed written defnition for hardware and software and how it is to be used. Standards ensure that consistent security controls are used throughout the IT system. 33

IT Security Policy Framework Procedures These are written instructions for how to use policies and standards. They may include a plan of action, installation, testing, and auditing of security controls. Guidelines A guideline is a suggested course of action for using the policy, standards, or procedures. Guidelines can be specifc or fexible regarding use. 34

Data Classifcation Standards The goal and objective of a data classifcation standard is to provide a consistent defnition for how an organization should handle and secure different types of data Typically include the following major categories: Private data Confidential Internal used only Public domain data 35

Summary Introducing information systems security and the system security profession A common definition of a typical IT infrastucture Risks, threats and vulnerabilities within the seven domains. Each of these domains requires the use of strategies to reduce risks, threats and vulnerabilities IT security framework Data classification standards provide organization with a roadmap for how to handle different types of data 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback