Web Security for Network and System Administrators, Chapter 1: Introduction to Information Security
Chapter 1
Introduction to Information Security
Objectives
In this chapter, you will:
• Define basic security concepts
• Begin to assess security risks
• Outline a security policy
• Locate information security resources
Basic Security Concepts
• Confidentiality – only authorized individuals can access data
• Integrity – data changes are tracked and properly controlled
• Availability – systems are accessible for business needs
Basic Security Concepts
• Physical security – protect people, equipment, and facilities
• Privacy – critical data is not released to the wrong people
• Marketplace perception – the way the company is perceived by customers, partners, and competitors
Assessing Risk
• Check existing security policies and processes
• Analyze, prioritize, and categorize resources by determining: total cost of ownership, internal value, and external value.
  – TCO refers to the total monetary and labor costs calculated over a specific time period
  – Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
  – External value refers to the money or another commodity that the asset brings to the company from external sources
Assessing Risk
• Consider business concerns through the annualized loss expectancy (ALE = SLE * ARO)
  – Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
    • Asset value = TCO + internal value + external value
    • EF is the percentage of asset loss that is expected from a particular threat
  – Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
Assessing Risk
• Evaluate existing security controls to determine what controls are deployed and effective
• Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls
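The ALE formula above, carried through for one asset and several threats and then used to weigh a proposed control. This is an added example, not part of the original slides; the asset, the threats, every figure, and the `control_net_benefit` decision rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total monetary and labor cost over the period
    internal_value: float  # worth to the company's internal workings
    external_value: float  # money the asset brings in from outside

    @property
    def value(self) -> float:
        # Asset value = TCO + internal value + external value
        return self.tco + self.internal_value + self.external_value

@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of the asset lost per incident (0..1)
    aro: float  # annualized rate of occurrence; 0.1 means once in ten years

def sle(asset: Asset, threat: Threat) -> float:
    if not 0.0 <= threat.ef <= 1.0:
        raise ValueError(f"{threat.name}: EF must be a fraction between 0 and 1")
    return asset.value * threat.ef

def ale(asset: Asset, threat: Threat) -> float:
    if threat.aro < 0:
        raise ValueError(f"{threat.name}: ARO cannot be negative")
    return sle(asset, threat) * threat.aro

def rank_threats(asset: Asset, threats: list[Threat]) -> list[tuple[str, float]]:
    """Threats ordered by ALE, largest expected yearly loss first."""
    return sorted(((t.name, ale(asset, t)) for t in threats),
                  key=lambda row: row[1], reverse=True)

def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    # Assumed decision rule, not from the slides: yearly loss avoided minus
    # what the control costs per year. Negative argues against the control.
    return ale_before - ale_after - annual_cost

# Constructed sample data: every figure below is illustrative.
WEB_SERVER = Asset("public web server", tco=40_000, internal_value=60_000,
                   external_value=100_000)
THREATS = [Threat("disk failure", ef=0.25, aro=0.5),
           Threat("site defacement", ef=0.10, aro=2.0),
           Threat("data-center fire", ef=1.00, aro=0.02)]

if __name__ == "__main__":
    for name, loss in rank_threats(WEB_SERVER, THREATS):
        print(f"{name:18s} ALE = {loss:>10,.2f}")
```

A frequent low-impact threat can outrank a rare total loss, which is why ARO is estimated per threat rather than per asset.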
Building a Security Policy
• A security policy has the following three important benefits:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats
Building a Security Policy
An organization’s security policy should cover the following:
• Foreword: Purpose, scope, responsibilities, and penalties for noncompliance
• Physical security: Controls to protect the people, equipment, facilities, and computer assets
• User ID and rights management: Only authorized individuals have access to the necessary systems and network devices
Building a Security Policy
An organization’s security policy should cover the following:
• Network security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance
Building a Security Policy: Foreword
• Purpose: Why is this policy being established?
• Scope: What people, systems, software, information, and facilities are covered?
• Responsibilities: Who is responsible for the various computing roles in a company?
• Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?
Building a Security Policy: Physical Security
• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines
• Equipment failure: computer system damage and network device failure
Building a Security Policy: User ID and Rights Management
• User Account Creation, Deletion, and Validation – manage user accounts
• Password Policies – manage password parameters
• Access Controls – determine who gets what access to what
Building a Security Policy: Network Security
• Specific timeframes for changing passwords on the network devices
• Use of secure network protocols
• Firewalls at specific chokepoints in a network architecture
• Use of authentication servers to access network devices
Building a Security Policy: System Security
• The systems section is used to outline the specific settings required to secure a particular operating system or application
  – For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS
  – For a particular UNIX flavor, shadow password files may be required to hide user IDs and passwords from general users
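A compliance check for the shadow password requirement above, written as an added example that is not part of the original slides. It assumes the conventional seven-field passwd layout, where `x` in the second field means the hash lives in the shadow file; the sample entries and the hash string are constructed.

```python
import os
import stat

def audit_passwd(passwd_text: str) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for entries that are not shadowed."""
    findings = []
    for lineno, raw in enumerate(passwd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:home:shell
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "x" or pw.startswith(("*", "!")):
            continue  # shadowed ("x") or password login disabled
        if pw == "":
            findings.append((user, "empty password field"))
        else:
            findings.append((user, "password hash stored in passwd"))
    return findings

def readable_by_others(path: str) -> bool:
    """True if the file's mode grants read access to all users."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed sample; the hash string is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$constructedsalt$CONSTRUCTEDHASHVALUE:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
broken:x:1002
"""

if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
    if os.path.exists("/etc/shadow") and readable_by_others("/etc/shadow"):
        print("/etc/shadow is readable by all users")
```

Shadowing only hides hashes from general users if the shadow file itself is not world-readable, which is what `readable_by_others` checks.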
Building a Security Policy: Testing and Auditing
• Specify requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
• Specify corporate auditing requirements, frequencies, and organizations
Security Resources: Security Certifications
• CISSP
• SSCP
• GIAC
• CISA
• CIW Security Professional
Security Resources: Web Resources
Summary
• The CIA triad categorizes aspects of information that must be protected from attacks: confidentiality, integrity, and availability.
• The PPP triad depicts security, privacy, and marketplace perception as three additional abstract concepts that should drive security efforts.
Summary
• The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
  – Check for existing security policies and processes
  – Analyze, prioritize, and categorize resources
  – Consider business concerns
  – Evaluate existing security controls
  – Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO.
• A security policy has three major benefits. It:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats
Summary
• An effective security policy includes security requirements in the following areas:
  – Physical security
  – User ID and rights management
  – Systems
  – Network
  – Security tools
  – Auditing
• There are a number of security-related certifications to help security professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest threats through Web resources, mailing lists, and printed materials.