SlideShare a Scribd company logo

CISSP - Chapter 1 - Security Concepts

Download as PPTX, PDF
K
Karthikeyan Dhayalan

This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.

Education
1 of 26
Downloaded 959 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Most read
21
22
23
24
Most read
25
Most read
26
Security Fundamentals Predict – Preempt – Protect Karthikeyan Dhayalan
CIA - Triade
Confidentiality - Anything that needs to be protected - Safeguard against unauthorized access, notice, use - Protecting data at each stage (storage, processing, transit) Threats • Capturing network traffic • Unauthorized access to network • Password dump stealing • Dumpster diving • Social engineering • Port scanning • Eavesdropping Countermeasures • Encryption • Authentication to systems • Access control • Network traffic padding • Data classification • End-user training
Confidentiality Concepts • Sensitivity • Quality of information that could cause harm or damage if released • Nuclear facility • Discretion • Showing prudence or self-restraint when dealing with data of interest • Public release of military operations • Criticality • The level to which the information is critical • HIGH Critical • Concealment • Act of hiding or preventing disclosure • Steganography • Secrecy • Act of keeping information confidential • Coke formula • Privacy • Keeping information about a person under safe custody • PII/PHI • Seclusion • Storing something in an out-of-the way location • Storage Vault • Isolation • Act of keeping something separated from the rest • DMZ, ODC
Integrity • The capability to maintain the veracity and be intentionally modified only by authorized individuals • Enforces Accuracy • Provides Assurance • Prevent unauthorized modifications • Prevent unauthorized modifications by authorized users • Maintain internal and external consistency of objects Threats • Virus • Logic bombs • Errors • Malicious modifications • Intentional replacement • System back door Countermeasures • Activity logging • Access control • Authentication • Hashing • Encryption • Intrusion detection systems Integrity is dependent on Confidentiality
Availability Threats • Device failure • Software error • Natural calamity • Power • Human error • oversight Countermeasures • RAID • Redundant systems • Clustering • Access control • BCP/DR • Fault tolerance • Provisioning un-interrupted and timely access to authorized subjects • Offers high level of assurance that data shall be available to authorized subjects • It includes • Usability • Accessibility • Timeliness Availability is dependent on both Integrity and confidentiality
Security concepts Identification  Subject professes identity  First step in AAA process  Username, smart card, speaking a phrase, biometric, user ID  Without identity there can be no authentication Authentication  Verification of the claimed Identity  Verifies identity by comparing against one or more factors stored in the database  Identification and authentication are always together Authorization  Comparing the subject, object and the intended activity to authorize actions  Identification/ Authentication are all or nothing model, while Authorization can have wide range of options Auditing  Means by which subjects actions as well as system operations are logged and monitored  Helps detect un- authorized or abnormal activities Accountability  Capability to prove a subject’s identity and track their activities.  Established by linking a human to the activities of an online identity  Ultimately dependent on the strength of Authentication factor Nonrepudiation  Ensures the subject of an activity cannot deny the action  Can be established via digital certs, session identifiers, transaction logs
Security Control Concepts  Also known as defense in depth  Multiple controls are applied in series  Layering should be applied in series and not parallel Layering  Putting similar elements in groups, classes or roles that are assigned security controls  Used for efficiency  Includes definition of object and subject Abstraction  Preventing data from being discovered  Some forms include – restricting visibility to high critical application from low level subjects Data Hiding  Hiding the meaning or intent of a communication  It is an important element in security controls Encryption
Security Management Plan • SMP should use a top-down approach • Senior management is responsible for initiating and defining policies; • Middle management is responsible for releasing standards, baselines, guidelines in relation to the policy • Operations management/IT teams implement the controls defined above • End-users must comply with all the functions of the organization • SMP should have Approval from Senior Management before we start to engage.
Security Management Plan Types SMP Type Description Strategic Plan Long term plan Defines the organization’s security posture Useful for at least 5 years. Reviewed annually Helps understand security function and align it with business Should include Risk Assessment Tactical Plan Mid-term plan developed to provide more detailed goal Usually for an year or two More technology oriented Eg: Project plans, acquisition plan, budget plan, hiring plan Operational Plan Short-term plan Highly-detailed plan Must be updated often (monthly, quarterly) Spell-out how to accomplish various goals Eg: resource allotment, budgetary allocation, training plans
Change Management • Goal – Ensure any change does not lead to compromised or reduced security • Purpose – Make all changes subject to detailed documentation, auditing, review and scrutiny by management • Helps • Implement changes in a controlled and orderly manner • Formalized testing process • Back out or roll back procedures • Users are informed before the change • Effects of change are systematically analysed • Negative impact is minimized • Changes are reviewed and approved by CAB
Data Classification - It is the process of organizing items, objects, subjects into groups, categories or collections with similarities - Primary means for data protection - Used to determine how much effort, money and resources are allocated to protect the data and control access to it Benefits • Benefits • Demonstrates organization’s commitment to protecting assets • Assists in identifying assets that are critical for the organization • Lends credence to the selection of protection mechanisms • Required for regulatory compliance • Helps define access levels • Helps with data life-cycle management Criteria • Usefulness • Timeliness • Value • Maturity or age of data • Life time of the data • Association with personal • Disclosure damage assessment • Modification damage • National security • Authorized access to data • Restriction from the data • Maintenance and monitoring • Storage
7 Step Classification scheme Identify owner and define Responsibility Specify evaluation criteria Classify and label each resource Document any exceptions to the classification policy Select the security controls that will be applicable Specify declassification procedures Create awareness program
Classification Scheme •Top Secret •Secret •Confidential •Sensitive •Unclassified Confidential/Private Sensitive Public Government/Military Commercial/Business In Military, Classified is used to denote any data that is ranked above the unclassified level
Security roles •Ultimately responsible for security •Must signoff all policy issues •All activities must be approved •Will be held responsible for overall security success/failure •Responsible for due care and due diligence Senior Management •Responsible for following the directives mandated by SM •Has the functional responsibility for security •They are not decision makers Security Professional •Responsible for classifying information • Ultimately responsible for the data they own •Typically high level management representative Data Owner •Responsible for tasks of implementing the prescribed protection defined by Data owner •Responsibilities include, preforming/testing backups, validating data integrity, deploying security solutions and managing data storage based on classification Data Custodian •Has access to the secure system •Responsible for understanding and upholding the security policyUser •Responsible for reviewing and verifying the security policy implementation •Produces compliance and effectiveness reportsAuditor
Due Care and Due Diligence Due Care • Taking reasonable care in protecting the organization • It’s a legal term – it pertains to the legal duty of the organization • Lack of due care is considered negligence Due Diligence • Practicing the activities that maintain the due care effort • Pertains to best practices that a company should follow • It might not be legally liable
Security Policy - Strategic plan for implementing security - Defines the scope of security needed for the organization - Defines the main security objectives and outlines the security framework - Identifies major functional areas of data processing - Broadly outlines the security goals and practices that should be employed - Its is used to assign responsibilities, define roles, specify audit requirements, outline enforcement process, indicate compliance requirements, and define acceptable risk levels It’s a compulsory document Types Organizational Security policy – focuses on issues relevant to every aspect of the organization Issue-specific policy – focuses on specific service, department, function that is distinct from the organization as a whole System-specific policy – Focuses on individual systems
Security Categories Regulatory • Required whenever industry or legal standards are applicable to your organization Advisory • Discusses behaviors and activities are acceptable and defines consequences of violation Informative • Designed to provide information or knowledge about a specific subject • Not enforceable
Standard/Baseline/Guideline/Procedure Standard • Define compulsory requirements • Provides a course of action for uniform deployment of technology • Tactical documents Baseline • Defines minimum level of security that every system must meet • System-specific • Establishes common secure state Guideline • Offers recommendations on implementation • Servers as an operating guide • Flexible – can be customized for each unique system Procedure • Final element of the formalized security policy structure • Detailed step-by- step document describes actions necessary to implement security mandates • System and software specific • Purpose is to ensure integrity of business process
Threat Modelling - A process where potential threats are identified, categorized, and analysed - Can be performed both pro-actively as well as reactively - Two goals of threat modelling - Reduce the number of security related coding and design defects - Reduce the severity of remaining defects Proactive Approach - Also known as defensive approach - Takes place during early stages of systems development - Based on predicting threats and design specific counter measures during the coding and crafting process Reactive Approach - Also known as adversarial approach - Takes place after a product has been created and deployed - This is the core concept behind ethical hacking, PT, source code review and Fuzz testing
Threat Modelling Steps Identifying Threats Determining and Diagramming Potential attacks Performing Reduction Analysis Prioritization and Response
Identifying Threats – STRIDE approach Microsoft Threat categorization scheme SPOOFING TAMPERING REPUDIATION INFORMAITON DISCLOSURE DENIAL OF SERICE ELEVATION OF PRIVILEGES
Determining and Diagramming Potential Attacks • Post identifying threats, the next step is to determine the potential attack concepts that could materialize • Often accomplished by data flow diagrams, privilege boundaries, and elements involved • Once diagram has been crafted, identify all the technologies involved. • Identify attacks that could be targeted at each element of the diagram • Attacks should include all forms – logical, physical, social
Perform Reduction Analysis • Involves decomposing the application, system or environment • Purpose of this process is to get a greater understanding on the purpose of the product and its interactions with external entities • Each element should be evaluated to understand inputs, processing, security, data management, storage and output • 5 key concepts to be aware of • Trust Boundaries – location where the level of trust changes • Data flow paths – movement of data between locations • Input points – locations where external input is received • Privilege Operations – Activity that requires greater privileges • Security stance and approach – Declaration of the security policy, security foundation and security assumptions
Prioritization and Response • Document the threat – define the means, target and consequences of a threat • After documentation, rank or rate the threats • DREAD Rating System • Damage potential • Reproducibility • Exploitability • Affected Users • Discoverability
Karthikeyan Dhayalan

More Related Content

PPTX
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
PPTX
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
PPTX
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
PPTX
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
PPTX
Cissp Training PPT
ADEPT TECHNOLOGY
 
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
Cissp Training PPT
ADEPT TECHNOLOGY
 

What's hot (20)

PDF
Introduction: CISSP Certification
Sam Bowne
 
PPTX
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
PDF
Information security management system (isms) overview
Julia Urbina-Pineda
 
PPTX
Iso 27001 awareness
Ãsħâr Ãâlâm
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
27001.pptx
AvniJain836319
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PPSX
8 Access Control
Alfred Ouyang
 
PPTX
Information Security Governance and Strategy
Dam Frank
 
PPT
Security policy
Dhani Ahmad
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PPTX
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
PPT
IT Security management and risk assessment
CAS
 
PDF
1. Security and Risk Management
Sam Bowne
 
PDF
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PPTX
Introduction to PCI DSS
Saumya Vishnoi
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PPT
isms-presentation.ppt
HasnolAhmad2
 
PPTX
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Introduction: CISSP Certification
Sam Bowne
 
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Information security management system (isms) overview
Julia Urbina-Pineda
 
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
27001.pptx
AvniJain836319
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
8 Access Control
Alfred Ouyang
 
Information Security Governance and Strategy
Dam Frank
 
Security policy
Dhani Ahmad
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
IT Security management and risk assessment
CAS
 
1. Security and Risk Management
Sam Bowne
 
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Introduction to PCI DSS
Saumya Vishnoi
 
27001 awareness Training
Dr Madhu Aman Sharma
 
isms-presentation.ppt
HasnolAhmad2
 
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Ad

Viewers also liked (6)

PPTX
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
PPTX
Chapter 1 Personal security
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
Chapter 1 Personal security
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
Ad

Similar to CISSP - Chapter 1 - Security Concepts (20)

PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
PDF
1. Security and Risk Management
Sam Bowne
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
PPTX
Security & Risk Mgmt_WK1.pptx
Technocracy2
 
PPTX
Security & Risk Mgmt_WK1.pptx
dotco
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
PPTX
IT Security Bachelor in information technology.pptx
MahmadKasimAnsari
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPTX
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
PPTX
Dancyrityshy 1foundatioieh
Anne Starr
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
PPTX
crisc_wk_2a.pptx
dotco
 
PPTX
GDPR | Cyber security process resilience
Rishi Kant
 
PPTX
Introduction to information security
KATHEESKUMAR S
 
PPTX
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
PDF
How can the ISO 27701 help to design, implement, operate and improve a privac...
Hernan Huwyler, MBA CPA
 
PPT
Module - 6 - Data and Information Management.ppt
AvinashAvuthu2
 
PPTX
insider threat research
Asma Al-maskaria
 
PPT
Information security
Praveen Minz
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
1. Security and Risk Management
Sam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
Security & Risk Mgmt_WK1.pptx
Technocracy2
 
Security & Risk Mgmt_WK1.pptx
dotco
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
IT Security Bachelor in information technology.pptx
MahmadKasimAnsari
 
Introduction to Information security ppt
krishkiran2408
 
Introduction to Information security ppt
krishkiran2408
 
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
Dancyrityshy 1foundatioieh
Anne Starr
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
crisc_wk_2a.pptx
dotco
 
GDPR | Cyber security process resilience
Rishi Kant
 
Introduction to information security
KATHEESKUMAR S
 
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
Hernan Huwyler, MBA CPA
 
Module - 6 - Data and Information Management.ppt
AvinashAvuthu2
 
insider threat research
Asma Al-maskaria
 
Information security
Praveen Minz
 

Recently uploaded (20)

PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Open Quiz Monsoon Mind Game Prelims.pptx
Sourav Kr Podder
 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
PPTX
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Open Quiz Monsoon Mind Game Prelims.pptx
Sourav Kr Podder
 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 

CISSP - Chapter 1 - Security Concepts

  • 1. Security Fundamentals Predict – Preempt – Protect Karthikeyan Dhayalan
  • 3. Confidentiality - Anything that needs to be protected - Safeguard against unauthorized access, notice, use - Protecting data at each stage (storage, processing, transit) Threats • Capturing network traffic • Unauthorized access to network • Password dump stealing • Dumpster diving • Social engineering • Port scanning • Eavesdropping Countermeasures • Encryption • Authentication to systems • Access control • Network traffic padding • Data classification • End-user training
  • 4. Confidentiality Concepts • Sensitivity • Quality of information that could cause harm or damage if released • Nuclear facility • Discretion • Showing prudence or self-restraint when dealing with data of interest • Public release of military operations • Criticality • The level to which the information is critical • HIGH Critical • Concealment • Act of hiding or preventing disclosure • Steganography • Secrecy • Act of keeping information confidential • Coke formula • Privacy • Keeping information about a person under safe custody • PII/PHI • Seclusion • Storing something in an out-of-the way location • Storage Vault • Isolation • Act of keeping something separated from the rest • DMZ, ODC
  • 5. Integrity • The capability to maintain the veracity and be intentionally modified only by authorized individuals • Enforces Accuracy • Provides Assurance • Prevent unauthorized modifications • Prevent unauthorized modifications by authorized users • Maintain internal and external consistency of objects Threats • Virus • Logic bombs • Errors • Malicious modifications • Intentional replacement • System back door Countermeasures • Activity logging • Access control • Authentication • Hashing • Encryption • Intrusion detection systems Integrity is dependent on Confidentiality
  • 6. Availability Threats • Device failure • Software error • Natural calamity • Power • Human error • oversight Countermeasures • RAID • Redundant systems • Clustering • Access control • BCP/DR • Fault tolerance • Provisioning un-interrupted and timely access to authorized subjects • Offers high level of assurance that data shall be available to authorized subjects • It includes • Usability • Accessibility • Timeliness Availability is dependent on both Integrity and confidentiality
  • 7. Security concepts Identification  Subject professes identity  First step in AAA process  Username, smart card, speaking a phrase, biometric, user ID  Without identity there can be no authentication Authentication  Verification of the claimed Identity  Verifies identity by comparing against one or more factors stored in the database  Identification and authentication are always together Authorization  Comparing the subject, object and the intended activity to authorize actions  Identification/ Authentication are all or nothing model, while Authorization can have wide range of options Auditing  Means by which subjects actions as well as system operations are logged and monitored  Helps detect un- authorized or abnormal activities Accountability  Capability to prove a subject’s identity and track their activities.  Established by linking a human to the activities of an online identity  Ultimately dependent on the strength of Authentication factor Nonrepudiation  Ensures the subject of an activity cannot deny the action  Can be established via digital certs, session identifiers, transaction logs
  • 8. Security Control Concepts  Also known as defense in depth  Multiple controls are applied in series  Layering should be applied in series and not parallel Layering  Putting similar elements in groups, classes or roles that are assigned security controls  Used for efficiency  Includes definition of object and subject Abstraction  Preventing data from being discovered  Some forms include – restricting visibility to high critical application from low level subjects Data Hiding  Hiding the meaning or intent of a communication  It is an important element in security controls Encryption
  • 9. Security Management Plan • SMP should use a top-down approach • Senior management is responsible for initiating and defining policies; • Middle management is responsible for releasing standards, baselines, guidelines in relation to the policy • Operations management/IT teams implement the controls defined above • End-users must comply with all the functions of the organization • SMP should have Approval from Senior Management before we start to engage.
  • 10. Security Management Plan Types SMP Type Description Strategic Plan Long term plan Defines the organization’s security posture Useful for at least 5 years. Reviewed annually Helps understand security function and align it with business Should include Risk Assessment Tactical Plan Mid-term plan developed to provide more detailed goal Usually for an year or two More technology oriented Eg: Project plans, acquisition plan, budget plan, hiring plan Operational Plan Short-term plan Highly-detailed plan Must be updated often (monthly, quarterly) Spell-out how to accomplish various goals Eg: resource allotment, budgetary allocation, training plans
  • 11. Change Management • Goal – Ensure any change does not lead to compromised or reduced security • Purpose – Make all changes subject to detailed documentation, auditing, review and scrutiny by management • Helps • Implement changes in a controlled and orderly manner • Formalized testing process • Back out or roll back procedures • Users are informed before the change • Effects of change are systematically analysed • Negative impact is minimized • Changes are reviewed and approved by CAB
  • 12. Data Classification - It is the process of organizing items, objects, subjects into groups, categories or collections with similarities - Primary means for data protection - Used to determine how much effort, money and resources are allocated to protect the data and control access to it Benefits • Benefits • Demonstrates organization’s commitment to protecting assets • Assists in identifying assets that are critical for the organization • Lends credence to the selection of protection mechanisms • Required for regulatory compliance • Helps define access levels • Helps with data life-cycle management Criteria • Usefulness • Timeliness • Value • Maturity or age of data • Life time of the data • Association with personal • Disclosure damage assessment • Modification damage • National security • Authorized access to data • Restriction from the data • Maintenance and monitoring • Storage
  • 13. 7 Step Classification scheme Identify owner and define Responsibility Specify evaluation criteria Classify and label each resource Document any exceptions to the classification policy Select the security controls that will be applicable Specify declassification procedures Create awareness program
  • 15. Security roles •Ultimately responsible for security •Must signoff all policy issues •All activities must be approved •Will be held responsible for overall security success/failure •Responsible for due care and due diligence Senior Management •Responsible for following the directives mandated by SM •Has the functional responsibility for security •They are not decision makers Security Professional •Responsible for classifying information • Ultimately responsible for the data they own •Typically high level management representative Data Owner •Responsible for tasks of implementing the prescribed protection defined by Data owner •Responsibilities include, preforming/testing backups, validating data integrity, deploying security solutions and managing data storage based on classification Data Custodian •Has access to the secure system •Responsible for understanding and upholding the security policyUser •Responsible for reviewing and verifying the security policy implementation •Produces compliance and effectiveness reportsAuditor
  • 16. Due Care and Due Diligence Due Care • Taking reasonable care in protecting the organization • It’s a legal term – it pertains to the legal duty of the organization • Lack of due care is considered negligence Due Diligence • Practicing the activities that maintain the due care effort • Pertains to best practices that a company should follow • It might not be legally liable
  • 17. Security Policy - Strategic plan for implementing security - Defines the scope of security needed for the organization - Defines the main security objectives and outlines the security framework - Identifies major functional areas of data processing - Broadly outlines the security goals and practices that should be employed - Its is used to assign responsibilities, define roles, specify audit requirements, outline enforcement process, indicate compliance requirements, and define acceptable risk levels It’s a compulsory document Types Organizational Security policy – focuses on issues relevant to every aspect of the organization Issue-specific policy – focuses on specific service, department, function that is distinct from the organization as a whole System-specific policy – Focuses on individual systems
  • 18. Security Categories Regulatory • Required whenever industry or legal standards are applicable to your organization Advisory • Discusses behaviors and activities are acceptable and defines consequences of violation Informative • Designed to provide information or knowledge about a specific subject • Not enforceable
  • 19. Standard/Baseline/Guideline/Procedure Standard • Define compulsory requirements • Provides a course of action for uniform deployment of technology • Tactical documents Baseline • Defines minimum level of security that every system must meet • System-specific • Establishes common secure state Guideline • Offers recommendations on implementation • Servers as an operating guide • Flexible – can be customized for each unique system Procedure • Final element of the formalized security policy structure • Detailed step-by- step document describes actions necessary to implement security mandates • System and software specific • Purpose is to ensure integrity of business process
  • 20. Threat Modelling - A process where potential threats are identified, categorized, and analysed - Can be performed both pro-actively as well as reactively - Two goals of threat modelling - Reduce the number of security related coding and design defects - Reduce the severity of remaining defects Proactive Approach - Also known as defensive approach - Takes place during early stages of systems development - Based on predicting threats and design specific counter measures during the coding and crafting process Reactive Approach - Also known as adversarial approach - Takes place after a product has been created and deployed - This is the core concept behind ethical hacking, PT, source code review and Fuzz testing
  • 21. Threat Modelling Steps Identifying Threats Determining and Diagramming Potential attacks Performing Reduction Analysis Prioritization and Response
  • 22. Identifying Threats – STRIDE approach Microsoft Threat categorization scheme SPOOFING TAMPERING REPUDIATION INFORMAITON DISCLOSURE DENIAL OF SERICE ELEVATION OF PRIVILEGES
  • 23. Determining and Diagramming Potential Attacks • Post identifying threats, the next step is to determine the potential attack concepts that could materialize • Often accomplished by data flow diagrams, privilege boundaries, and elements involved • Once diagram has been crafted, identify all the technologies involved. • Identify attacks that could be targeted at each element of the diagram • Attacks should include all forms – logical, physical, social
  • 24. Perform Reduction Analysis • Involves decomposing the application, system or environment • Purpose of this process is to get a greater understanding on the purpose of the product and its interactions with external entities • Each element should be evaluated to understand inputs, processing, security, data management, storage and output • 5 key concepts to be aware of • Trust Boundaries – location where the level of trust changes • Data flow paths – movement of data between locations • Input points – locations where external input is received • Privilege Operations – Activity that requires greater privileges • Security stance and approach – Declaration of the security policy, security foundation and security assumptions
  • 25. Prioritization and Response • Document the threat – define the means, target and consequences of a threat • After documentation, rank or rate the threats • DREAD Rating System • Damage potential • Reproducibility • Exploitability • Affected Users • Discoverability