Security Architecture Principles
ISYS 0575
General Attack Process (“Kill Chain”)
Agent → Asset
● Recon
● Weaponize
● Deliver
● Exploit
● Control
● Execute
● Maintain
Defensive phases: Proactive Detection and Mitigation; Containment and Incident Response
What is Architecture?
Architecture (Latin architectura, from the Greek ἀρχιτέκτων arkhitekton "architect," from ἀρχι- "chief" and τέκτων "builder") is both the process and the product of planning, designing and constructing buildings and other physical structures.
Architecture can mean different things to different people:
● A general term to describe buildings and other physical structures
● The art and science of designing buildings and (some) nonbuilding structures
● The style of design and method of construction of buildings and other physical structures
● Knowledge of art, science, technology, and humanity
● The practice of the architect, where architecture means offering or rendering professional services in connection with the design and construction of buildings, or built environments
Traditional Security Architecture Starts With the Perimeter
Network-centric versus data-centric
If work from home and BYOD didn’t kill the perimeter, Cloud certainly did.
Sherwood Applied Business Security Architecture (SABSA)
Other Architectures
Zachman
The Open Group Architecture Framework (TOGAF)
Modern Architectural View
Then Account for the Agile
Defense in Depth
Another Perspective
Horizontal defense in depth - Controls are placed in various places in the path of access for an asset
Vertical defense in depth - Controls are placed at different system layers - hardware, OS, application, database
Effective Defense in Depth
Planning and understanding of each control type's strengths and weaknesses, and of how the controls interact.
What vulnerabilities are addressed by each layer?
How does the layer mitigate the vulnerability?
How do controls interact with or depend on the other controls?
Security Controls
Information Flow Control or Firewalls
System or systems that enforce a boundary between one or more networks
General features
● Block access to sites on the Internet
● Limit traffic on an organization's public service segment to specific ports and addresses
● Prevent users from accessing certain servers or services
● Monitor and record communications between internal and external networks
● Encrypt packets sent between different physical locations (VPN)
Types of Firewall
Packet filtering
Application firewall
Stateful inspection
Next generation
And web application firewall
Isolation and Segmentation
Logging and Monitoring
What should we log?
● Time of event
● CRUD
● Startup / Shutdown
● Login / Logout (Failures)
● Errors / Violations
Challenges of Logs
● Too much data
● Difficulty searching
● Improper configuration
● Modification of logs (integrity)
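The last challenge above, modification of logs, is one that hashes and logging (listed later as integrity controls) can address together. As an added example that is not part of the slides, the Python below writes each record with the fields the slide asks for (time, actor, CRUD action, login outcome, errors/violations) plus the SHA-256 of the previous record, so editing, deleting or truncating an entry breaks the chain; the field names and sample events are constructed for illustration.

```python
import hashlib
import json

# Sentinel "previous hash" for the first record of a fresh log (constructed).
GENESIS = "0" * 64


def _digest(body):
    """Canonical JSON so identical fields always hash to the same value."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, time, actor, action, target, outcome):
    """Append one record whose hash covers its fields and the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"time": time, "actor": actor, "action": action,
            "target": target, "outcome": outcome, "prev": prev}
    body["hash"] = _digest(body)  # hash computed before the hash field exists
    log.append(body)
    return body["hash"]


def verify(log, expected_head=None):
    """Walk the chain from GENESIS.

    Returns (True, -1) if every record matches its stored hash and link,
    else (False, i) for the first bad record. expected_head is the last
    hash previously copied off-box (e.g. forwarded to a SIEM); with it,
    a silently truncated tail is reported as (False, len(log)).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, -1


def build_sample_log():
    """Constructed events covering the slide's categories."""
    log = []
    append(log, "2024-03-01T08:00:00Z", "system", "STARTUP", "app-server-1", "ok")
    append(log, "2024-03-01T08:05:12Z", "alice", "LOGIN", "app-server-1", "failure")
    append(log, "2024-03-01T08:05:40Z", "alice", "LOGIN", "app-server-1", "success")
    append(log, "2024-03-01T08:07:03Z", "alice", "UPDATE", "customers/42", "ok")
    append(log, "2024-03-01T08:09:15Z", "bob", "DELETE", "customers/42", "violation")
    return log


def tamper_edit():
    """An insider rewrites the failed login to look successful."""
    log = build_sample_log()
    log[1]["outcome"] = "success"
    return verify(log)  # first bad record is index 1


def tamper_delete():
    """A record is removed from the middle; the next record's link breaks."""
    log = build_sample_log()
    del log[3]
    return verify(log)  # old record 4 now sits at index 3 with a stale prev


def tamper_truncate():
    """Dropping the tail is invisible to the chain alone; the off-box head
    hash is what catches it."""
    log = build_sample_log()
    head = log[-1]["hash"]
    log.pop()
    return verify(log), verify(log, expected_head=head)


if __name__ == "__main__":
    print(verify(build_sample_log()), tamper_edit(), tamper_delete(), tamper_truncate())
```

The truncation case is the practical caveat: a hash chain proves order and content only back to a point the attacker could not rewrite, so the head hash (or the records themselves) must be shipped to a system the log writer cannot modify.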
SIEM
IDS / IPS
Approaches
● Signature
● Statistical
● Neural Network
Don’t forget HIPS/HIDS
Antivirus / Antimalware
Approaches
● Signature
● Heuristic
● Nextgen
Security Controls
Introduction to Information Security Management
ISYS 0575
Agenda
● Introductions
● Syllabus review
● Class format
● Intro to Information Security
Scott Eigenhuis
● Will respond to
○ Mr. Eigenhuis
○ Professor Eigenhuis
○ Professor Scott
● [email protected]
● Office
○ BUS 309
○ Monday 5:30 to 6:30
Career Path
Education
● Liberty University - BS in Journalism, minor in Linguistics
● University of San Francisco - Masters in Information Systems
Work
...
Class Format
● Lecture / Discussion / Demonstrations
○ Credit for participation
● Quiz at end of class
○ Requires computer
○ Graded
○ Includes reading and lecture
● Two in class essays (TBD)
● One group project (TBD)
What I do
Information Security Officer
Manage the Information Security and Privacy team and programs for my company.
Work with auditors, engineers, privacy, and legal to evaluate and manage security and privacy risk. Implement, operate and monitor security controls. Detect and respond to security incidents.
Remaining a viable business requires that we protect our intellectual property, customer and employee data.
What? How? Why?
The Security Triad
Confidentiality Integrity
Availability
Different Aspects of Security
Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.
Cybersecurity is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.
Privacy is additionally concerned with the data subject's right to control information: notice, choice and consent, data subject access. The “creepiness factor.” Often has a legal focus.
Security Compliance evaluates a company's stance against requirements.
Relationship of Security Domains
Figure: overlapping domains shown in the source diagram
● Information Security
● Application Security
● Network Security
● Internet Security
● Cybersecurity
● Critical Infrastructure Protection
● Cybercrime
● Cybersafety
Source: ISO/IEC 27032:2012
Security Jobs
● CISO
● CSO
● Compliance Analyst
● Application Security Engineer
● Information Security Architect
● Network Security Engineer
● Incident Responder
● Security Analyst
● Penetration Tester
● Auditor
● Privacy Officer / Analyst
● Forensics Specialist
● Cryptographer / Cryptanalyst
● Sales Engineer
● Security Researcher
Skills Gap in Information Security
Source: ISACA 2018 State of Cybersecurity Study
Situational Awareness
Figure: ISO/IEC 27032:2012 relationship diagram linking stakeholders, value, assets, threats, threat agents, vulnerabilities, risk and controls (stakeholders value assets and wish to minimize risk; controls reduce risk; threat agents give rise to threats that exploit vulnerabilities and may damage assets)
Source: ISO/IEC 27032:2012
Information Security Governance
● Governance is the responsibility of the board and senior management
○ Strategic direction
○ Ensure objectives are achieved
○ Risk management
○ Use of resources
● Risk management is conducted throughout the organization through assessment and implementation of controls
● Compliance is demonstration of adherence to mandated laws and regulations
Protecting the Digital Assets
Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Source: NIST Cybersecurity Framework 1.1
Information Security Objectives
Confidentiality - the protection of information from unauthorized disclosure.
Integrity - the protection of information from unauthorized modification.
Availability - the timely and reliable access to and use of information and systems.
Nonrepudiation - ensures that a message or information is genuine.
CIA model and related impacts
Requirement: Confidentiality
Impact and Consequence:
● Disclosure of information protected by law
● Loss of public confidence
● Loss of competitive advantage
Methods of Control:
● Access controls
● File permissions
● Encryption
Requirement: Integrity
Impact and Consequence:
● Inaccuracy
● Erroneous decisions
● Fraud
● Loss of compliance
Methods of Control:
● Access controls
● Logging
● Hashes
● Backups
Requirement: Availability
Impact and Consequence:
● Loss of productive time
● Loss of compliance
● Fines from regulators
Methods of Control:
● Highly available systems
● Business continuity and disaster recovery
Information Security Roles (hierarchy)
● Board of Directors
● Executive Management
● Senior Information Security Management
● Information Security Practitioners
Information Security Concepts
ISYS 0575
Objectives
● Review the CIA Triad
● Learn about risk, particularly security risk
● Understand the component parts that make up risk
● Learn about the interplay between the different components of risk
● Discuss the various risk treatment options
● Learn about basic controls
● Understand the different types of attacks
The Security Triad
Confidentiality Integrity
Availability
Security Concepts and Relationships
Figure: ISO/IEC 27032:2012 relationship diagram (stakeholders, value, assets, threats, threat agents, vulnerabilities, risk, controls)
Source: ISO/IEC 27032:2012
Terms and Definitions
Risk — The combination of the probability of an event and its impact. P x I = R
Threat — Anything that is capable of acting against an asset and causing harm.
Asset — Something of either tangible or intangible value that is worth protecting.
Vulnerability — A weakness that exposes the asset to adverse impact.
Inherent risk — The risk level without taking into account management actions to protect against the risk.
Residual risk — The risk remaining after accounting for the management risk response.
Security Concepts and Relationships
Figure: ISO/IEC 27032:2012 relationship diagram (stakeholders, value, assets, threats, threat agents, vulnerabilities, risk, controls)
Source: ISO/IEC 27032:2012
Risk Frameworks
COBIT 5 for Risk
ISO 27005:2011 Information Security Risk Management
NIST 800-30 Guide for Conducting Risk Assessments
NIST 800-39 Managing Information Security Risk
Risk Identification (Risk Scenarios)
The development of risk scenarios from imagination or based on previous occurrences
Top-down is based on business goals
Bottom-up is based on specific events that are security related
Likelihood and Impact
Likelihood = Probability
The absence of a known vulnerability does not mean the likelihood is zero
A vulnerability does not by itself mean there is a threat
A vulnerability with no control and no management acceptance indicates a weakness in the overall program
How do we quantify likelihood and impact?
Approaches to Risk
Subjective or objective?
Risk tolerance
Size and scope of the environment in question
How much data do you have available?
Risk versus issue
Approaches to Managing Security Risk
Ad hoc — Implement controls with no particular criteria.
Compliance-based — Implement the controls regardless of need.
Risk-based — Design the controls based on identified risk.
Risk Treatment
Avoidance means management decides not to engage in the activity that creates the risk.
Acceptance means management acknowledges the risk, but proceeds with the activity without taking any action.
Mitigation involves management implementing controls to reduce the risk.
Transference means that management lets another party take the risk.
Security Concepts and Relationships
Figure: ISO/IEC 27032:2012 relationship diagram (stakeholders, value, assets, threats, threat agents, vulnerabilities, risk, controls)
Source: ISO/IEC 27032:2012
Threat Agents
The European Union Agency for Network and Information Security (ENISA) conducts an ongoing evaluation of the threat landscape.
Common Agents:
● Corporations
● Criminals
● Terrorists
● Nation States
● Insiders
● Hacktivists
● Script Kiddies
ENISA Threat Landscape
Security Concepts and Relationships
Figure: ISO/IEC 27032:2012 relationship diagram (stakeholders, value, assets, threats, threat agents, vulnerabilities, risk, controls)
Source: ISO/IEC 27032:2012
Security Controls
Types of controls
Preventative, Detective, Responsive
Administrative, Technical, Physical
Security Policy
Policy hierarchy
Policy
Standards
Procedures
Guidelines
Attack Attributes
Risk is potential activity; an attack is the occurrence of a threat.
The asset is the attacker's target.
The path to the target is the attack vector.
Ingress is the focus of most attack analysis.
Egress, or data exfiltration, is the objective of some attackers.
An exploit is used to take advantage of a vulnerability.
General Attack Process (“Kill Chain”)
Agent → Asset
● Recon
● Weaponize
● Deliver
● Exploit
● Control
● Execute
● Maintain
Defensive phases: Proactive Detection and Mitigation; Containment and Incident Response
Nonadversarial Threat Events
Mishandling of critical information
Incorrect privilege
Fire, flood, hurricane, earthquake
Disk errors or other equipment failure
Malware
Worm - Conficker - 9 Million PCs
Virus - I Love You
Trojan Horse - Zeus
Ransomware - WannaCry
Rootkit - Sony BMG
Social Engineering
Impersonation
Phishing (and spear phishing)
Other Attacks
Advanced Persistent Threat (APT)
Web attacks
Brute force attacks
DoS Attacks