
Chapter 1
Introduction to Information Security
Web Security for Network and System Administrators
1
Objectives
In this chapter, you will:
• Define basic security concepts
• Begin to assess security risks
• Outline a security policy
• Locate information security resources
Basic Security Concepts
• Confidentiality – only authorized individuals can access data
• Integrity – data changes are tracked and properly controlled
• Availability – systems are accessible for business needs

Basic Security Concepts
• Physical security – protect people, equipment, and facilities
• Privacy – critical data is not released to the wrong people
• Marketplace perception – the way the company is perceived by customers, partners, and competitors

Assessing Risk
• Check existing security policies and processes
• Analyze, prioritize, and categorize resources by determining total cost of ownership, internal value, and external value
  – TCO refers to the total monetary and labor costs calculated over a specific time period
  – Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
  – External value refers to the money or another commodity that the asset brings to the company from external sources

Assessing Risk
• Consider business concerns through the annualized loss expectancy (ALE = SLE * ARO)
  – Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
    • Asset value = TCO + internal value + external value
    • EF is the percentage of asset loss that is expected from a particular threat
  – Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year

Assessing Risk
• Evaluate existing security controls to determine what controls are deployed and effective
• Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls

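The risk-assessment slides above give the ALE formula (asset value = TCO + internal value + external value, SLE = asset value * EF, ALE = SLE * ARO) and then ask for a business case for or against a new control, and the Summary repeats the same formula. The following Python script is an added example, not part of the course material, that carries the arithmetic through end to end: it computes SLE and ALE for a constructed asset and two constructed threats, then compares the ALE before and after a proposed control against that control's yearly cost. The asset figures, exposure factors, rates of occurrence and control costs are all assumed sample values chosen to make the arithmetic easy to follow.

```python
"""Annualized loss expectancy (ALE) worked example.

Formulas as stated on the slides:
    asset value = TCO + internal value + external value
    SLE = asset value * EF
    ALE = SLE * ARO
All monetary and probability figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # monetary importance to the company's internal working
    external_value: float  # money or other commodity it brings in from outside

    @property
    def value(self) -> float:
        """Asset value = TCO + internal value + external value."""
        return self.tco + self.internal_value + self.external_value


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset's value lost per occurrence, 0.0..1.0
    aro: float              # annualized rate of occurrence (expected events per year)

    def __post_init__(self) -> None:
        # An EF outside 0..1 or a negative ARO is a data-entry error, not a risk figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.exposure_factor}")
        if self.aro < 0:
            raise ValueError(f"ARO cannot be negative, got {self.aro}")


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE: expected loss from one occurrence of the threat against the asset."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE: expected loss per year = SLE * ARO."""
    return single_loss_expectancy(asset, threat) * threat.aro


def control_business_case(asset: Asset, threat: Threat, annual_control_cost: float,
                          residual_ef: Optional[float] = None,
                          residual_aro: Optional[float] = None) -> dict:
    """Compare ALE with and without a proposed control.

    The control is described by the EF and/or ARO that would remain once it is in
    place (a patching program mostly lowers ARO; a backup regime mostly lowers EF).
    The control is worth funding when the ALE it removes exceeds its yearly cost.
    """
    residual = replace(
        threat,
        exposure_factor=threat.exposure_factor if residual_ef is None else residual_ef,
        aro=threat.aro if residual_aro is None else residual_aro,
    )
    before = annualized_loss_expectancy(asset, threat)
    after = annualized_loss_expectancy(asset, residual)
    net_benefit = (before - after) - annual_control_cost
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_control_cost": annual_control_cost,
        "net_benefit": net_benefit,
        "recommend": net_benefit > 0,
    }


# Constructed sample data (hypothetical figures, not from the course).
WEB_SERVER = Asset("public web server", tco=40_000, internal_value=60_000, external_value=100_000)
DEFACEMENT = Threat("web application compromise", exposure_factor=0.25, aro=2.0)
FIRE = Threat("server-room fire", exposure_factor=1.0, aro=0.01)


if __name__ == "__main__":
    for threat in (DEFACEMENT, FIRE):
        print(f"{threat.name}: SLE={single_loss_expectancy(WEB_SERVER, threat):,.0f} "
              f"ALE={annualized_loss_expectancy(WEB_SERVER, threat):,.0f}")
    # A patching program that cuts the ARO of compromise from 2/yr to 0.5/yr for 30,000/yr.
    print(control_business_case(WEB_SERVER, DEFACEMENT, 30_000, residual_aro=0.5))
    # Fire suppression that cuts EF from 1.0 to 0.2 for 5,000/yr.
    print(control_business_case(WEB_SERVER, FIRE, 5_000, residual_ef=0.2))
```

With these sample numbers the patching program removes 75,000 of ALE for 30,000 a year and is worth funding, while the fire-suppression control removes only 1,600 of ALE for 5,000 a year and is not, which is exactly the "for, or against" case the slide asks the administrator to make.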
Building a Security Policy
• A security policy has the following three important benefits:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats

Building a Security Policy
An organization’s security policy should cover the following:
• Foreword: Purpose, scope, responsibilities, and penalties for noncompliance
• Physical security: Controls to protect the people, equipment, facilities, and computer assets
• User ID and rights management: Only authorized individuals have access to the necessary systems and network devices

Building a Security Policy
An organization’s security policy should cover the following:
• Network security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance

Building a Security Policy
Foreword
• Purpose: Why is this policy being established?
• Scope: What people, systems, software, information, and facilities are covered?
• Responsibilities: Who is responsible for the various computing roles in a company?
• Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?

Building a Security Policy
Physical Security
• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines
• Equipment failure: computer system damage and network device failure

Building a Security Policy
User ID and Rights Management
• User Account Creation, Deletion, and Validation – manage user accounts
• Password Policies – manage password parameters
• Access Controls – determine who gets what access to what

Building a Security Policy
Network Security
• Specific timeframes for changing passwords on the network devices
• Use of secure network protocols
• Firewalls at specific chokepoints in a network architecture
• Use of authentication servers to access network devices

Building a Security Policy
System Security
• The systems section is used to outline the specific settings required to secure a particular operating system or application
  – For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS
  – For a particular UNIX flavor, shadow password files may be required to hide user IDs and passwords from general users

Building a Security Policy
Testing and Auditing
• Specify requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
• Specify corporate auditing requirements, frequencies, and organizations

Security Resources
Security Certifications
• CISSP
• SSCP
• GIAC
• CISA
• CIW Security Professional

Security Resources
Web Resources
Summary
• The CIA triad categorizes aspects of information that must be protected from attacks: confidentiality, integrity, and availability.
• The PPP triad depicts physical security, privacy, and marketplace perception as three additional abstract concepts that should drive security efforts.

Summary
• The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
  – Check for existing security policies and processes
  – Analyze, prioritize, and categorize resources
  – Consider business concerns
  – Evaluate existing security controls
  – Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO.
• A security policy has three major benefits. It:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats

Summary
• An effective security policy includes security requirements in the following areas:
  – Physical security
  – User ID and rights management
  – Systems
  – Network
  – Security tools
  – Auditing
• There are a number of security-related certifications to help security professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest threats through Web resources, mailing lists, and printed materials.