Pintu R Shah
In this unit:
- Various security attacks
- Methods of defense
- Design principles
- Security policies
- Types of security policies
Threat
Threat: an object, person, or other entity that represents a
the organization
By examining each threat category, management effectively
transmissions to:
Impersonation
Phishing
"Reproduced with permission. Please visit www.SecurityCartoon.com for more material." Pintu R Shah MPSTME SVKM's NMIMS 12
Spoofing
Web spoofing
Web spoofing
Email Spoofing
Malware
Pest on your PC
Other examples
- Botnet
- DoS
- Net threats
Methods of Defense
Five basic approaches to defense of computing systems:
- Prevent attack: block the attack / close the vulnerability
- Deter attack: make the attack harder (you can't make it impossible)
- Deflect attack: make another target more attractive than this target
- Separation of Privileges Principle
- Least Privilege Principle
- Defense in Depth Principle
- Security through Obscurity
- Fail-safe defaults
- Economy of mechanism
- Complete mediation
- Psychological acceptability
... event to happen
- Many examples from outside of computing, e.g., two keys needed to launch a missile
- Tradeoff between security gained and manpower required to achieve it
- CIO should not have access to all systems
- DBA should not have access to the encryption key
- Example: an accountant with the privilege to write checks as well as balance the business's account is a potential for abuse
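The accountant example above, as an added worked example (it is not from the slides): a toy check-issuing workflow in which the same person may not hold both the "write check" and "reconcile" duties, and a check is only issued once a second, different principal has approved it, the two-keys-for-one-event idea. The role labels, names and the two-person rule are constructed for illustration.

```python
"""Separation of privilege as a two-person rule (added example, not from the slides).

A toy check-issuing workflow: the same person may not both write a check and
reconcile the account, and a check is only issued after a second, different
principal has approved it. Names and role labels are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed duty pairs that one principal must never hold together.
CONFLICTING_DUTIES = {frozenset({"write_check", "reconcile"})}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass
class CheckRequest:
    amount: int
    requester: Principal
    approver: Optional[Principal] = None


def conflicting_duties(p: Principal) -> Set[FrozenSet[str]]:
    """Duty pairs this principal holds together; a non-empty result is a violation."""
    return {pair for pair in CONFLICTING_DUTIES if pair <= p.roles}


def request_check(requester: Principal, amount: int) -> CheckRequest:
    """Only a check writer may start the workflow: this is the first 'key'."""
    if "write_check" not in requester.roles:
        raise PermissionError(f"{requester.name} may not write checks")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return CheckRequest(amount=amount, requester=requester)


def approve(req: CheckRequest, approver: Principal) -> CheckRequest:
    """The second 'key': a different principal who holds the approval role."""
    if approver.name == req.requester.name:
        raise PermissionError("approver must be a different person than the requester")
    if "approve_check" not in approver.roles:
        raise PermissionError(f"{approver.name} may not approve checks")
    req.approver = approver
    return req


def issue_check(req: CheckRequest) -> str:
    """Both keys must be present before the sensitive event happens."""
    if req.approver is None:
        raise PermissionError("second approval required before issuing")
    return f"CHECK {req.amount} requested by {req.requester.name}, approved by {req.approver.name}"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"write_check"}))
    bob = Principal("bob", frozenset({"approve_check"}))
    carol = Principal("carol", frozenset({"write_check", "reconcile"}))
    print("carol holds conflicting duties:", conflicting_duties(carol))
    print(issue_check(approve(request_check(alice, 500), bob)))
```

The manpower tradeoff the slide mentions is visible here: every check now costs a second person's time, which is the price of making a single compromised or dishonest account insufficient to move money.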
... access controls necessary to carry out job functions
- A common violation of this principle occurs because of administrator inattention: users are placed in groups that are too broad
- Another common violation occurs because of privilege creep: users are granted new privileges when they change roles without reviewing existing privileges
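The two violations just named, over-broad groups and privilege creep, as an added example (not from the slides; roles, permissions and user names are constructed): a role change that merely adds privileges is contrasted with one that resets them to what the new role needs, and a review function reports what each user holds beyond their current job function.

```python
"""Least privilege review: catching over-broad groups and privilege creep.

Added example, not from the slides; the roles, permissions and user names
are constructed for illustration.
"""
from typing import Dict, Iterable, Set

# Constructed role model: what each job function actually needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"db_read", "db_write", "db_backup"},
    "finance_clerk": {"ledger_read", "ledger_write"},
}


class User:
    def __init__(self, name: str, role: str):
        self.name = name
        self.role = role
        self.permissions: Set[str] = set(ROLE_PERMISSIONS[role])


def change_role_unreviewed(user: User, new_role: str) -> None:
    """The common violation: new privileges are added, old ones are never removed."""
    user.role = new_role
    user.permissions |= ROLE_PERMISSIONS[new_role]


def change_role_reviewed(user: User, new_role: str) -> None:
    """Least privilege: after the change the user holds exactly what the new role needs."""
    user.role = new_role
    user.permissions = set(ROLE_PERMISSIONS[new_role])


def excess_privileges(user: User) -> Set[str]:
    """Permissions held beyond the current job function (privilege creep)."""
    return user.permissions - ROLE_PERMISSIONS[user.role]


def audit_creep(users: Iterable[User]) -> Dict[str, Set[str]]:
    """Periodic review: every user whose privileges exceed their role."""
    report = {}
    for u in users:
        excess = excess_privileges(u)
        if excess:
            report[u.name] = excess
    return report


def group_excess(group_permissions: Set[str], members: Iterable[User]) -> Set[str]:
    """Over-broad group: permissions the group grants that no member's role needs."""
    needed: Set[str] = set()
    for m in members:
        needed |= ROLE_PERMISSIONS[m.role]
    return group_permissions - needed


if __name__ == "__main__":
    dana = User("dana", "helpdesk")
    change_role_unreviewed(dana, "dba")
    print("creep after unreviewed role change:", audit_creep([dana]))
    change_role_reviewed(dana, "dba")
    print("creep after reviewed role change:", audit_creep([dana]))
```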
Defenses should be layered. Layers begin with points of access to a network and continue
Defense in Depth
... secrecy about the security that was in place. No longer very effective in most cases because so much information is freely available.
Economy of mechanism
Economy of mechanism states that security mechanism
Complete mediation
Complete mediation requires that all accesses to objects be
Psychological acceptability
Psychological acceptability states that security mechanisms should not make resources more difficult to access than they would be if the security mechanisms were not present.
... benefits
- Cost of implementing the security mechanism and the amount of damage it may prevent
- Tradeoff considerations are security, user convenience,
The cornerstone of a security effort is to:
- Implement proper policies
- Educate users about those policies
Information security policies should be:
- Flexible enough not to require frequent rewrites
- Comprehensive enough to ensure coverage of situations
- Available to all members of the organization
- Readable and understandable
A Standard
A mandatory action or rule designed to support and conform to a policy. A standard should make a policy more meaningful and effective. A standard must include one or more accepted specifications for hardware, software, or behavior.
A Guideline
General statements, recommendations, or administrative instructions designed to achieve the policy's objectives by providing a framework within which to implement procedures. A guideline can change frequently based on the environment and should be reviewed more frequently than standards and policies. A guideline is not mandatory, but rather a suggestion of a best practice. Hence "guideline" and "best practice" are interchangeable.
Policies Standards
Guideline
Policy Analogy
Think of a company that builds cabinets and has a hammer policy.
Policy
All boards must be nailed together using company-issued
Standard
Eleven-inch fiberglass hammers will be used. Only hardened-steel nails will be used with the hammers. Automatic hammers are to be used for repetitive jobs that are longer than 1 hour.
Guideline
To avoid splitting the wood, a pilot hole should be drilled first.
Procedure
1. Position the nail in the upright position on the board.
2. Strike the nail with a full swing of the hammer.
3. Repeat until the nail is flush with the board.
If the thumb is caught between the nail and board, see Nail
... frameworks (ISO 27002)
- Documented: written and maintained with clear ownership and version history.
- Updated: periodically reviewed for updates based on the latest risks.
- Communicated: policies are read and understood by all people in the organization.
... security program.
Issue-specific policies address specific issues of concern to the organization.
System-specific policies focus on decisions taken by management to
Program-Level Policies
- Establish a security program
- Assign program management responsibilities
Coverage may include: facilities, lines of business, employees or departments, technology, processes.
Responsibilities for the implementation and management of the policy are assigned in this section; organizational units or individuals are potential assignment candidates.
Compliance provides for the policy's enforcement: describe oversight activities and disciplinary considerations clearly. But the contents of this section are meaningless unless an effective awareness program is in place.
Examples
- Business continuity planning (BCP) framework
- Physical security requirements framework for
Example (cont)
- System business requirements
- Design
- Design exceptions
- Input validation
- Control of internal processing
- Message authentication
- Output validation
- Application auditing / logging
- Application review
- Acceptance testing criteria
- User acceptance testing
- Post-implementation review
- Protection of system test data
- Application testing
- Email policy
- Backup policy
- Wireless device policy
- Use of telecommunication policy
Issue-Specific Policies
Basic components:
- Issue statement: defines a security issue, along with any relevant terms, distinctions, and conditions
- Statement of the organization's position: clearly states the organization's position on the issue
- Applicability: clearly states where, how, when, to whom, and to what a particular policy applies
- Roles and responsibilities: assigns roles and responsibilities related to the issue
- Compliance: gives descriptions of the infractions and states the corresponding penalties
- Points of contact and supplementary information: lists the names of the appropriate individuals to contact for further information and lists any applicable standards or guidelines
- What activities are acceptable?
- What activities are not acceptable?
- Where can users get more information as needed?
- What to do if violations are suspected or have occurred?
Backup Policy
Data backups protect against corruption and loss of data, supporting the integrity and availability goals of security. A backup policy should answer key questions:
- What data should be backed up, and how?
- Where should backups be stored?
- Who should have access?
- How long should backups be retained?
- How often can backup media be reused?
Confidentiality Policy
Outlines procedures used to safeguard sensitive information. Should cover all means of information dissemination, including
- What data is confidential, and how should it be handled?
- What happens if information is released in violation of the policy?
System-Specific Policies
- State the security objectives of a specific system
- Define how the system should be operated to achieve those objectives
- Specify how the protections and features of the technology are used to support or enforce the security objectives
Examples: ACL
- Who is allowed to read or modify data in the system?
- Under what conditions can data be read or modified?
- Are users allowed to dial into the computer system from home or while on travel?
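The three ACL questions above, written out as an added example (not from the slides) that also illustrates the complete mediation principle from earlier in the unit: an ACL answers who may read or modify each object, a policy condition answers under what circumstances (here, a constructed rule that modification is not allowed over a remote dial-in session), and a reference monitor consults the ACL on every access. A second monitor that caches an earlier "allow" shows the failure mode complete mediation exists to prevent: a revoked user keeps access. The object name, user names and the remote-session condition are constructed.

```python
"""A system-specific policy written as an ACL and enforced with complete mediation.

Added example, not from the slides; the ACL, users, object name and the
"no modification over a remote (dial-in) session" condition are constructed.
"""
import copy
from dataclasses import dataclass
from typing import Dict, Set

Acl = Dict[str, Dict[str, Set[str]]]   # object -> user -> allowed operations


@dataclass(frozen=True)
class Request:
    user: str
    op: str        # "read" or "modify"
    obj: str
    remote: bool   # dialled in from home or while on travel?


def sample_acl() -> Acl:
    """Fresh copy of the constructed ACL so callers can revoke without side effects."""
    return copy.deepcopy({
        "payroll.db": {"alice": {"read", "modify"}, "bob": {"read"}},
    })


def condition_holds(req: Request) -> bool:
    """Policy condition: data may be modified only from an on-site session."""
    return not (req.remote and req.op == "modify")


def check_access(acl: Acl, req: Request) -> bool:
    """Who may read or modify, and under what conditions, decided in one place."""
    allowed_ops = acl.get(req.obj, {}).get(req.user, set())
    return req.op in allowed_ops and condition_holds(req)


def revoke(acl: Acl, obj: str, user: str) -> None:
    """Remove a user's entry for an object; takes effect on the next mediated access."""
    acl.get(obj, {}).pop(user, None)


class ReferenceMonitor:
    """Complete mediation: every access is checked against the current ACL."""

    def __init__(self, acl: Acl):
        self.acl = acl

    def access(self, req: Request) -> str:
        if not check_access(self.acl, req):
            raise PermissionError(f"{req.user} may not {req.op} {req.obj}")
        return f"{req.user} {req.op} {req.obj}"   # stands in for the real operation


class CachingMonitor(ReferenceMonitor):
    """What complete mediation forbids: remembering an earlier 'allow' decision."""

    def __init__(self, acl: Acl):
        super().__init__(acl)
        self._decisions: Dict[Request, bool] = {}

    def access(self, req: Request) -> str:
        if req not in self._decisions:
            self._decisions[req] = check_access(self.acl, req)
        if not self._decisions[req]:
            raise PermissionError(f"{req.user} may not {req.op} {req.obj}")
        return f"{req.user} {req.op} {req.obj}"


def stale_after_revoke(monitor_cls) -> bool:
    """True if the monitor still lets alice modify after her ACL entry is revoked."""
    acl = sample_acl()
    monitor = monitor_cls(acl)
    req = Request("alice", "modify", "payroll.db", remote=False)
    monitor.access(req)                     # allowed before revocation
    revoke(acl, "payroll.db", "alice")
    try:
        monitor.access(req)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("reference monitor stale after revoke:", stale_after_revoke(ReferenceMonitor))
    print("caching monitor stale after revoke:", stale_after_revoke(CachingMonitor))
```

Keeping the decision in one function (check_access) is also what makes the policy auditable: the answers to "who", "what" and "under what conditions" can be read from the ACL and the condition rather than reconstructed from scattered checks.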
Exercise