Network Security, Change Control, Outsourcing
Information System 365/765, Lecture 12
Network Security, Change Control, Outsourcing

Today’s Chocolate Bar
Snickers – AGAIN!
• In 1930, the Mars family introduced its second product, Snickers, named after one of their favorite horses
• Snickers is the best selling chocolate bar of all time and has annual global sales of US$2 billion

Nutty Cisco Video
• Watch video
• Think about what you would do to protect your server area, using your knowledge gained so far in the class
• Split into groups of four, come up with a mini presentation
• Talk to class for 3 minutes

Network Security
• Why didn’t we talk about this on day one?
• Bringing it all together
• Protect the network and the network-accessible resources from unauthorized access, with consistent and continuous monitoring and measurement of the effectiveness of that protection

Network Security vs. Computer Security
• Securing network infrastructure is like securing the possible entry points of attacks on a country by deploying appropriate defenses.
• Computer security is more like providing the means to protect a single PC against outside intrusion.

Network Security
• Prevents users from ever being exposed to attacks
• Protection of all entry points and shared resources
• Printers, network attached storage (NAS), iPhones, etc.
• Attacks stop at entry points, BEFORE they spread

Computer Security
• Focused on an individual host
• A computer’s security is vulnerable to people who have higher access privileges than the protection mechanism.
• While this is also true of network security, it is less likely.

Attributes Of A Secure Network
• Authentication
• Authorization
• Firewall
• Intrusion Prevention System
• Antivirus
• Honeypots
• Monitoring

Authentication
• Providing proof that you are who you claim to be
Authorization
• Determining the level of access that a given individual should have
• Authorization is done after authentication
Firewall
• An integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Intrusion Prevention System
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.
Antivirus and Anti-Malware
• Scans and cleanses data in storage and as it travels across the network, so end users are not exposed to this type of threat
Honeypots
• Essentially decoy network-accessible resources that can be deployed in a network as surveillance and early-warning tools.

Security Management
• Depends on environment
• Small, medium and large businesses, educational institutions, government.

Small Business
• A basic firewall.
• For Windows users, basic antivirus and anti-spyware/anti-malware software.
• When using a wireless connection, use a robust password.
• Use the strongest security supported by your wireless devices, such as WPA or WPA2.

Medium Business
• A strong firewall.
• Strong antivirus software and Internet security software.
• For authentication, use strong passwords and change them on a monthly basis.
• When using a wireless connection, use a robust password.
• Raise awareness about physical security among employees.
• Use an optional network analyzer or network monitor.

Large Business
• A strong firewall and proxy to keep unwanted people out.
• A strong antivirus software package and Internet security software package.
• For authentication, use strong passwords and change them on a weekly/bi-weekly basis.
• When using a wireless connection, use a robust password.
• Exercise physical security precautions with employees.

Large Business
• Prepare a network analyzer or network monitor and use it when needed.
• Implement physical security management like closed circuit television for entry areas and restricted zones.
• Security fencing to mark the company's perimeter.
• Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
• Security guards can help to maximize security.

Educational Institutions
• An adjustable firewall.
• Strong antivirus software and Internet security software packages.
• Wireless connections that lead to firewalls.
• Children's Internet Protection Act compliance.
• Supervision of the network to guarantee updates and changes based on popular site usage.
• Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks by both internet and sneakernet sources.

Federal Government
• A strong firewall and proxy to keep unwanted people out.
• Strong antivirus software and Internet security software suites.
• Strong encryption, usually with a 256 bit key.
• Whitelist authorized wireless connections, block all else.
• All network hardware is in secure zones.
• All hosts should be on a private network that is invisible from the outside.
• Put all servers in a DMZ, i.e. firewalled from both the outside and the inside.
• Security fencing to mark the perimeter, and set the wireless range to this.

Change Control
• A general term describing the procedures used to ensure that changes (normally, but not necessarily, to IT systems) are introduced in a controlled and coordinated manner
Goals of Change Management
• Minimal disruption to services
• Reduction in back-out activities
• Economic utilization of resources involved in implementing change
• Ensure that a product, service or process is only modified in line with the identified necessary change

Why Is Change Control Important In IS Security?
• It is particularly relevant to software development because of the danger of unnecessary changes being introduced without forethought, introducing faults (bugs) into the system or undoing changes made by other users of the software. It later became a fundamental process in quality control.

The Change Control Process
• Record / Classify
• Assess
• Plan
• Build / Test
• Implement
• Close / Gain Acceptance

Record and Classify
• A formal request is received for something to be changed, known as the "Change Initiation".
• Someone then records and classifies or categorizes that request. Part of the classification would be to assign a Category to the change, i.e. whether the change is a "major business change", "normal business change" or "minor business change".

Assigning a Priority
• Emergency
• Expedited
• Normal

Assessment
• The impact assessor makes their risk analysis, typically by answering a set of questions concerning risk, both to the business and to the IT estate, and follows this by making a judgment on who should carry out the change.

Build and Test
• Plan the change in detail, and also construct a regression plan in case it all goes wrong
• The plan should be checked out by an independent reviewer
• Build the solution, which will then be tested
• Seek approval and maybe a review, and request a time and date to carry out the implementation phase.

Implementation
• The Change Manager approves the change with an “Authority to Implement” flag
• The change can then be implemented, but only at the time and date agreed
• Following implementation, it is usual to carry out a “Post Implementation Review”
• When the client agrees all is OK, the change can be closed.

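As an added illustration (not from the lecture), the six-step process from the slides above encoded as a small Python state machine with its gates enforced: steps cannot be skipped, the plan needs a reviewer other than its author, implementation requires the Change Manager's "Authority to Implement" flag and the agreed time, and closure requires client acceptance. The method names and the sample change request in the comments are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum

# The six steps of the change control process, in the order the slides give them.
Stage = Enum("Stage", "RECORDED ASSESSED PLANNED BUILT IMPLEMENTED CLOSED")


@dataclass
class ChangeRequest:
    title: str
    category: str                  # "major", "normal" or "minor" business change
    priority: str                  # "Emergency", "Expedited" or "Normal"
    stage: Stage = Stage.RECORDED
    authority_to_implement: bool = False
    agreed_time: datetime = None   # implementation slot requested after Build/Test
    history: list = field(default_factory=list)

    def _advance(self, to: Stage, note: str) -> None:
        # Steps are taken strictly in order; none may be skipped or repeated.
        if to.value != self.stage.value + 1:
            raise ValueError(f"cannot go from {self.stage.name} to {to.name}")
        self.stage = to
        self.history.append((to.name, note))

    def assess(self, assessor: str) -> None:
        self._advance(Stage.ASSESSED, f"risk assessed by {assessor}")

    def plan(self, regression_plan: str, author: str, reviewer: str) -> None:
        # The plan and its back-out (regression) plan need an independent reviewer.
        if reviewer == author:
            raise ValueError("plan must be checked by an independent reviewer")
        self._advance(Stage.PLANNED, f"reviewed by {reviewer}; back-out: {regression_plan}")

    def build_and_test(self, tests_passed: bool, agreed_time: datetime) -> None:
        if not tests_passed:
            raise ValueError("build did not pass testing")
        self.agreed_time = agreed_time
        self._advance(Stage.BUILT, f"slot requested for {agreed_time:%Y-%m-%d %H:%M}")

    def authorize(self, change_manager: str) -> None:
        # The Change Manager's "Authority to Implement" flag is a gate, not a step.
        self.authority_to_implement = True
        self.history.append(("AUTHORITY_TO_IMPLEMENT", change_manager))

    def implement(self, now: datetime) -> None:
        if not self.authority_to_implement:
            raise PermissionError("no Authority to Implement flag")
        if now < self.agreed_time:
            raise PermissionError("not yet the agreed date and time")
        self._advance(Stage.IMPLEMENTED, f"implemented at {now:%Y-%m-%d %H:%M}")

    def close(self, client_accepts: bool) -> None:
        if not client_accepts:
            raise ValueError("Post Implementation Review: client has not accepted")
        self._advance(Stage.CLOSED, "client accepted")
```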
Outsourcing Related Security Issues
• Two main issues with collaborative design (outsourcing) revolve around TRUST:
– Confidentiality (of product design data in storage or in transit)
– Access Control (read, write, delete privileges)
• Suppliers can be competitors, or have close relationships with competitors

Potential Threats of Outsourcing
• Theft of trade secrets, or intellectual property
• Introduction of viruses/malware to the network
• Lack of understanding of corporate systems could result in damage or data loss
• Loss of control over sharing of sensitive data
Potential Threats of Outsourcing
• Spoofing: A competitor uses a manager’s or outsourcer’s ID to gain access to valuable product data to use in their own designs
• Tampering: Changing the product information in the database to ruin the final product design. Changing access controls, allowing competing companies access to each other’s information
• Repudiation: A user goes in and performs a malicious act (submits false product data) and then denies having done it

Countermeasures
• Electronic Vault
• Engineering Change Control
• Release-Management Process
• Flexible Access Control
• Data Set Access Control
• Scheduled Access Control

Electronic Vault
• Keeps files in native form while still encrypting files
• End-to-end security
– Encryption
– Access Control
• Creates tamper-evident audit trails (any and all access to a document is logged)

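An added example, not part of the lecture: a minimal hash-chained audit trail of the kind the vault's tamper-evident logging implies, built with SHA-256 from the Python standard library. Each entry commits to the previous entry's hash, so a later edit or deletion in the log is detected on verification; the access events are constructed sample data.

```python
import hashlib
import json


class AuditTrail:
    """Append-only access log in which every entry commits to the one before it,
    so editing, deleting or reordering any earlier entry is detected on verification."""

    GENESIS = "0" * 64   # stands in for the "previous hash" of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def log_access(self, user: str, document: str, action: str, at: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record = {"seq": len(self.entries), "user": user, "doc": document,
                  "action": action, "at": at, "prev": prev}
        record["hash"] = self._digest(record)   # covers all fields, including prev
        self.entries.append(record)
        return record

    def verify(self) -> tuple:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1


def demo() -> tuple:
    # Constructed sample events: a supplier and a designer touching one vaulted document.
    trail = AuditTrail()
    trail.log_access("supplier-a", "bracket-v3.cad", "read", "2024-05-04T09:00Z")
    trail.log_access("supplier-a", "bracket-v3.cad", "write", "2024-05-04T09:12Z")
    trail.log_access("designer-1", "bracket-v3.cad", "read", "2024-05-04T10:30Z")
    intact = trail.verify()[0]
    # Someone with direct database access rewrites entry 1 to hide the write.
    trail.entries[1]["action"] = "read"
    ok, first_bad = trail.verify()
    return intact, ok, first_bad   # (True, False, 1)
```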
Electronic Vault Advantages
• Document accuracy – Maintains print streams in native format
• Document quality – Streams are compressed in the electronic vault without loss of resolution
• Flexibility – Easy to enhance, modify, combine, engineer streams

Electronic Vault Advantages (cont.)
• Speed – Loaded into the vault with almost no disruption of operations
• Long-term viability – Since native format is allowed, the electronic vault can be used in the future

Engineering Change Control
• Defines and controls the process of reviewing and approving changes to the product data
• Prevents tampering through accountability
• A new version of the data is released in the database, allowing reversal if necessary

Release-Management Process
• Data released when approved
• Access based on project, password, and other controls that the user defines
• Allows for auditing and tracking of information
• Creates relationships among product data
• Prevents leaking of information about competing suppliers' actions

Flexible Access Control
• Role-based
• Allows for a project to have users change groups and roles
• Enables distributed design data access and sharing

Scheduled Access Control
• Schedule for suppliers to work on certain resources
• Privileges granted at certain periods when they are needed in the design process
• Revoked when not needed
Data Set Access Control
• Data are assigned roles
• Different views of data based on how organizations and individuals behave in a task
• Least Privilege Security Principle

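An added example (not from the lecture) combining the three access-control countermeasures above: role-based grants (Flexible Access Control), data sets with their own permitted roles (Data Set Access Control), and a scheduled window outside which a supplier's privilege does not exist (Scheduled Access Control). The class, users, data set names and dates are constructed for the illustration.

```python
from datetime import datetime


class DesignVaultACL:
    """Role-based access to product design data sets, where every grant to a supplier
    is also bounded by a scheduled window of the design process."""

    def __init__(self):
        self.user_roles = {}   # user -> set of roles (users can change roles per project)
        self.data_roles = {}   # data set -> {role: set of permitted actions}
        self.windows = {}      # (user, data set) -> (start, end) of the scheduled period

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def define_dataset(self, dataset: str, role_actions: dict) -> None:
        # Data are assigned roles: only the listed roles get a view of this data set.
        self.data_roles[dataset] = {r: set(a) for r, a in role_actions.items()}

    def grant_window(self, user: str, dataset: str, start: datetime, end: datetime) -> None:
        # Scheduled access control: the privilege exists only inside [start, end).
        self.windows[(user, dataset)] = (start, end)

    def revoke(self, user: str, dataset: str) -> None:
        self.windows.pop((user, dataset), None)

    def allowed(self, user: str, dataset: str, action: str, now: datetime) -> bool:
        window = self.windows.get((user, dataset))
        if window is None or not (window[0] <= now < window[1]):
            return False   # never granted, revoked, or outside the scheduled period
        permitted = self.data_roles.get(dataset, {})
        # Least privilege: the action must be explicitly permitted for one of the user's roles.
        return any(action in permitted.get(role, ()) for role in self.user_roles.get(user, ()))


def demo() -> list:
    # Constructed example: supplier-a works on the bracket during May 1-14 only and
    # must never see the housing data set that a competing supplier works on.
    acl = DesignVaultACL()
    acl.assign_role("supplier-a", "supplier")
    acl.assign_role("reviewer-1", "reviewer")
    acl.define_dataset("bracket-v3.cad", {"supplier": ["read", "write"], "reviewer": ["read"]})
    acl.define_dataset("housing-v2.cad", {"supplier": ["read", "write"], "reviewer": ["read"]})
    acl.grant_window("supplier-a", "bracket-v3.cad", datetime(2024, 5, 1), datetime(2024, 5, 15))
    acl.grant_window("reviewer-1", "housing-v2.cad", datetime(2024, 5, 1), datetime(2024, 6, 1))
    checks = [
        acl.allowed("supplier-a", "bracket-v3.cad", "write", datetime(2024, 5, 4)),   # True
        acl.allowed("supplier-a", "bracket-v3.cad", "write", datetime(2024, 5, 20)),  # False: window ended
        acl.allowed("supplier-a", "housing-v2.cad", "read", datetime(2024, 5, 4)),    # False: no grant
        acl.allowed("reviewer-1", "housing-v2.cad", "write", datetime(2024, 5, 4)),   # False: read-only role
    ]
    acl.revoke("supplier-a", "bracket-v3.cad")
    checks.append(acl.allowed("supplier-a", "bracket-v3.cad", "read", datetime(2024, 5, 4)))  # False
    return checks
```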
Access Control Diagram
Security Principles Applied
• Practice defense in depth
– Role based access control, data based access control, electronic vault, release management
• Follow the principle of least privilege
– Access controls only allow privileges to those who need it

Security Principles Applied (cont.)
• Compartmentalize
– Various versions of data. Information split up based on the part of the design for users who will need access to it
• Promote privacy
– Accountability, so users will want to keep passwords and information secret
• Be reluctant to trust
– The system is based on least privilege and does not disclose information until necessary