Chapter 1
Introduction to Information Security

Web Security for Network and System Administrators

Objectives

In this chapter, you will:
• Define basic security concepts
• Begin to assess security risks
• Outline a security policy
• Locate information security resources

Basic Security Concepts

• Confidentiality – only authorized individuals can access data
• Integrity – data changes are tracked and properly controlled
• Availability – systems are accessible for business needs
• Physical security – protect people, equipment, and facilities
• Privacy – critical data is not released to the wrong people
• Marketplace perception – the way the company is perceived by customers, partners, and competitors

Assessing Risk

• Check existing security policies and processes
• Analyze, prioritize, and categorize resources by determining: total cost of ownership, internal value, and external value.
  – TCO refers to the total monetary and labor costs calculated over a specific time period
  – Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
  – External value refers to the money or another commodity that the asset brings to the company from external sources
• Consider business concerns through the annualized loss expectancy (ALE = SLE * ARO)
  – Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
    • Asset value = TCO + internal value + external value
    • EF is the percentage of asset loss that is expected from a particular threat
  – Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
• Evaluate existing security controls to determine what controls are deployed and effective
• Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls

Building a Security Policy

• A security policy has the following three important benefits:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats

An organization’s security policy should cover the following:
• Foreword: Purpose, scope, responsibilities, and penalties for noncompliance
• Physical security: Controls to protect the people, equipment, facilities, and computer assets
• User ID and rights management: Only authorized individuals have access to the necessary systems and network devices
• Network security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance

Building a Security Policy: Foreword

• Purpose: Why is this policy being established?
• Scope: What people, systems, software, information, and facilities are covered?
• Responsibilities: Who is responsible for the various computing roles in a company?
• Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?

Building a Security Policy: Physical Security

• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines
• Equipment failure: computer system damage and network device failure

Building a Security Policy: User ID and Rights Management

• User Account Creation, Deletion, and Validation – manage user accounts
• Password Policies – manage password parameters
• Access Controls – determine who gets what access to what

Building a Security Policy: Network Security

• Specific timeframes for changing passwords on the network devices
• Use of secure network protocols
• Firewalls at specific chokepoints in a network architecture
• Use of authentication servers to access network devices

Building a Security Policy: System Security

• The systems section is used to outline the specific settings required to secure a particular operating system or application
  – For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS
  – For a particular UNIX flavor, shadow password files may be required to hide user IDs and passwords from general users

Building a Security Policy: Testing and Auditing

• Specify requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
• Specify corporate auditing requirements, frequencies, and organizations

Security Resources: Security Certifications

• CISSP
• SSCP
• GIAC
• CISA
• CIW Security Professional

Security Resources: Web Resources

Summary

• The CIA triad categorizes aspects of information that must be protected from attacks: confidentiality, integrity, and availability.
• The PPP triad depicts security, privacy, and marketplace perception as three additional abstract concepts that should drive security efforts.
• The first step in creating an effective security policy is to perform a risk assessment within the environment.
• A risk assessment consists of five steps:
  – Check for existing security policies and processes
  – Analyze, prioritize, and categorize resources
  – Consider business concerns
  – Evaluate existing security controls
  – Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO.
• A security policy has three major benefits. It:
  – Communicates a common vision for security throughout a company
  – Represents a single easy-to-use source of security requirements
  – Exists as a flexible document that should be updated at least annually to address new security threats
• An effective security policy includes security requirements in the following areas:
  – Physical security
  – User ID and rights management
  – Systems
  – Network
  – Security tools
  – Auditing
• There are a number of security-related certifications to help security professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest threats through Web resources, mailing lists, and printed materials.
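
Added example (not part of the original slides): the calculation from the Assessing Risk slides, ALE = SLE * ARO with SLE = asset value * EF and asset value = TCO + internal value + external value, applied to a small risk register and ranked by annualized loss. The asset names, dollar figures, EF and ARO values are constructed, and the class and function names are illustrative; EF is entered as a fraction, so a percentage typed as a whole number is rejected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # importance to the company's internal workings
    external_value: float  # money the asset brings in from external sources

    @property
    def value(self) -> float:  # asset value = TCO + internal + external value
        return self.tco + self.internal_value + self.external_value

@dataclass(frozen=True)
class Threat:
    asset: Asset
    name: str
    exposure_factor: float  # EF as a fraction: 0.25 means 25% of the asset is lost
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    @property
    def sle(self) -> float:  # single loss expectancy
        return self.asset.value * self.exposure_factor

    @property
    def ale(self) -> float:  # annualized loss expectancy
        return self.sle * self.aro

def rank_by_ale(threats):  # highest annualized loss first
    return sorted(threats, key=lambda t: t.ale, reverse=True)

# Constructed sample figures, not taken from the slides.
web = Asset("public web server", tco=20_000, internal_value=10_000, external_value=70_000)
db = Asset("customer database", tco=50_000, internal_value=150_000, external_value=300_000)
REGISTER = [
    Threat(web, "defacement", exposure_factor=0.25, aro=2),     # twice a year
    Threat(web, "power loss", exposure_factor=0.05, aro=4),
    Threat(db, "disk failure", exposure_factor=0.10, aro=0.5),  # once in two years
    Threat(db, "data theft", exposure_factor=0.60, aro=0.1),    # once in ten years
]

for t in rank_by_ale(REGISTER):
    print(f"{t.asset.name:18} {t.name:13} SLE={t.sle:>10,.0f} ALE={t.ale:>10,.0f}")
```

The ranking shows why SLE alone is a poor priority signal: the data theft entry has the largest single loss, yet the frequent defacement entry carries the highest annualized loss.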