![Page 1: An Enterprise Perspective Information Systems Securitycybersd.com/5321Fa09/Lectures/IntroNew3.pdf · 2009-09-17 · 3 UH Security Specialization Enterprise assessment and evaluation](https://reader033.vdocuments.us/reader033/viewer/2022050422/5f91653f4b433d3d83771b8a/html5/thumbnails/1.jpg)
1
An Enterprise Perspective
Information Systems Security
Ed Crowley ITEC 5321
Fall ‘09
Security Qualifications
NSA Information Security (INFOSEC) Certifications: Assessment Methodology (IAM), Evaluation Methodology (IEM)
Designed the NSA/NTISSI Certified (4011, 4014) Security Specialization at UH, College of Technology.
Dozen+ earned certificates from the usual suspects: ISC2, Cisco, Microsoft, Novell, CompTIA…
Former IS Director, Network Administrator, Heathkit/Zenith Educational Media Designer…
US Army, Military Police Academy Graduate (’70); former security clearance holder; German Shepherd Sentry Dog Handler
UH Security Specialization
Enterprise assessment and evaluation focus. Houston’s only NSA/NTISSI certified program.
4011 -- Information Systems Security Professionals
4014 -- Information Systems Security Officers
4016 -- Information Assurance Risk Management
UH recognized by the NSA and DHS as a Center of Excellence in Information Assurance Education (June 09)
Topics
Introduction: Philosophy; Background; Tools; Course Content
Security Models: Boyd’s OODA Model; Integrated Approach; MOM; DID
Trends
Attacks, Attackers, and Defenders
Risk Primitives: Vulnerabilities, Threats, and Risk; Attacks and Attackers; Threat Vulnerability Pairs; Qualitative Risk Analysis
Threats: Social Engineering; Passwords; Buffer Overflow; System Flaws; Exploits
Risk and Risk Management; Assessment and evaluation
Boyd’s OODA Loop
• Decisions are based on observations of an evolving situation, tempered with implicit filtering of the problem being addressed.
• Observations are the raw information on which decisions and actions are based.
• Prior to making a decision, observed information must first be processed to orient it.
Boyd has said:
The second O, orientation – as the repository of our genetic heritage, cultural tradition, and previous experiences – is the most important part of the O-O-D-A loop since it shapes the way we observe, the way we decide, the way we act.
-- from “Organic Design for Command and Control”
Orientation
• The only action that Boyd himself defined.
• Can be thought of as the focus of the OODA Loop.
• In many ways, the purpose of our class is to facilitate your ability to orientate, i.e.:
– Previous Experience
– New Information
– Analysis and Synthesis
Now, let’s look at some of my previous security experiences.
US Army, ‘69-’71
German Shepherd Sentry Dog Handler
Sentry Dog Team Rules of Engagement
Mission: detection and warning.
– Walk the perimeter
– Anyone within a five foot radius goes down.
Be polite and professional. Have a plan to kill everyone you meet.
– Always have a back-up plan.
Optimize situational awareness
– Utilize darkness, knowledge of terrain, and your dog's senses...
When warranted, radio for a back-up team. Your radio won’t work every night; have a back-up plan.
Sentry Dog Tools
German Shepherd Dog
Colt 45 Automatic
M-16 (Optional)
Ammo, Flashlight, Poncho, Compression Bandages
Program Goals
Our Specialization prepares graduates for success in each of three career paths:
1. Practitioners with enterprise operations responsibilities
2. Technical enterprise security managers or planners
3. Auditors/Investigators with responsibilities for investigating computer incidents or for maintaining regulatory compliance
Cyber Security Tools
Insecure.org -- from the online security tools survey
In our active learning modules, we will use many of the top rated security tools.
Now, let’s look at the separate class modules.
Opportunity Theft Model
Sometimes described as Desire, Skill, Opportunity.
Information Assurance: An Integrated Approach*
*V Maconachy, S Schou, D Ragsdale, D Welch
PPT Model
Layered Defense
AKA DID
Trends Identified in a National Strategy to Secure Cyberspace*
Over time, cyber incidents are increasing in: number, sophistication, severity, cost.
The nation’s economy is increasingly dependent on cyberspace. Unknown interdependencies and single points of failure. A digital disaster strikes some enterprise every day.
Infrastructure disruptions have cascading impacts, multiplying their cyber and physical effects.
*www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf
Required Knowledge Trend
[Chart: Sophistication of Attacker Tools versus Required Knowledge of Attackers (axis: high / low), timeline 1980, 1985, 1990, 1995. Tools placed along the timeline: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Backdoors, Hijacking Sessions, Sweepers, Sniffers, Stealth Diagnostics, Packet Spoofing, Tools with GUI, Attack Scripts, etc.]
Attackers Require Less Knowledge as Tool Sophistication Increases
Attackers?
Adrian Lamo, Kevin Mitnick, Kevin Poulsen, Mafia Boy, Alexey Ivanov, Vasiliy Gorshkov, John Walker
Defenders? Spring 05 Security Seminar
Terms
Vulnerability: A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security ...
Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
Risk: The probability that a particular threat will exploit a particular vulnerability ...
From NCSC-TG-004 (Aqua Book). See also RFC 2828.
Vulnerabilities?
Vulnerabilities can be found in:
People: lack of situational awareness; social engineering; insiders (bribes and incompetence)
Processes: online financial transactions; conventional financial transactions; credit, debit, and ATM cards
Technology: computer and communications systems; point of sale terminals; VA databases, etc…
Vulnerabilities are dynamic.
Technology Alone is Not Enough
Technical Solutions
If you think technology can solve your security problems, then:
1. You don’t understand the problems and
2. You don’t understand the technology.
B. Schneier
Why Hack?
That’s where the money is! Online, I can attack my opponent without exposing myself! Online, I can express my political views! Because Law Enforcement is weak. Because I can!
For example, Kevin Mitnick claims to have never directly made money on any of his attacks. He did, however, use other people’s services.
Why Hack the Internet?
The Cyber Economy is the Economy! -- Condoleezza Rice
On the Internet it is difficult to tell where my country’s borders stop. No one country can police the Internet. International LE agencies will forge agreements, but it will take time.
Any system directly connected to the Internet is exposed to about a half billion other users and systems.
Internet Threat Attributes, one
Automation: automated infections (worms and Trojan Horses). Morris Worm, 1988. Honey Pot Project record (17 seconds).
Speed of exploit propagation: negates the traditional commerce reaction response.
Distance doesn’t matter: no international borders on the Internet; legal jurisdiction scope.
Threat Characteristics, two
Blue color represents Slammer, 30 minutes after release.
In the first minute, the infected population doubled in size every 8.5 (±1) seconds.
After approximately three minutes, the worm achieved its max scanning rate (over 55 million scans per second).
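The doubling figure on the slide is enough to model why "speed of exploit propagation negates traditional reaction response". The following Python is an added example, not part of the lecture: it fits a random-scanning worm to the logistic growth curve used in worm-propagation analyses (exponential while few hosts are infected, saturating once most scans hit already-infected hosts) and derives how long a defender has between the worm becoming noticeable and its saturation. Only the 8.5-second doubling time comes from the slide; the susceptible population size (75,000 hosts) and the single seed host are assumptions chosen for illustration.

```python
"""Random-scanning worm growth model (added example, not from the lecture).

The slide gives one measurement: in its first minute Slammer doubled the
infected population every 8.5 seconds. A random-scanning worm follows a
logistic curve: exponential while few hosts are infected, then saturating as
scans increasingly hit hosts that are already infected. Only the doubling time
comes from the slide; population size and seed count are assumptions.
"""
import math

SLAMMER_DOUBLING_SECONDS = 8.5      # from the slide: doubling every 8.5 (+/-1) s
ASSUMED_SUSCEPTIBLE_HOSTS = 75_000  # assumption for illustration, not from the slide


def growth_rate(doubling_seconds: float) -> float:
    """Per-second exponential growth rate K for the given early-phase doubling time."""
    return math.log(2.0) / doubling_seconds


def infected_fraction(t: float, doubling_seconds: float, initial_fraction: float) -> float:
    """Fraction of the susceptible population infected at time t (seconds).

    Logistic solution a(t) = a0 e^{Kt} / (1 - a0 + a0 e^{Kt}); while a(t) is
    small this reduces to a0 * 2^{t / doubling_seconds}.
    """
    grown = initial_fraction * math.exp(growth_rate(doubling_seconds) * t)
    return grown / (1.0 - initial_fraction + grown)


def time_to_fraction(target: float, doubling_seconds: float, initial_fraction: float) -> float:
    """Seconds until the infected fraction reaches target: inverse of infected_fraction."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    odds_now = initial_fraction / (1.0 - initial_fraction)
    odds_target = target / (1.0 - target)
    return math.log(odds_target / odds_now) / growth_rate(doubling_seconds)


def response_window(detect_fraction: float, contain_fraction: float,
                    doubling_seconds: float, initial_fraction: float) -> float:
    """Seconds between the worm becoming detectable (detect_fraction infected) and
    reaching contain_fraction: any reaction must have taken effect within this window."""
    return (time_to_fraction(contain_fraction, doubling_seconds, initial_fraction)
            - time_to_fraction(detect_fraction, doubling_seconds, initial_fraction))


def slammer_timeline(hosts: int = ASSUMED_SUSCEPTIBLE_HOSTS,
                     doubling: float = SLAMMER_DOUBLING_SECONDS) -> dict:
    """Summarise the model for a single seed host in a population of `hosts`."""
    a0 = 1.0 / hosts
    return {
        "infected_after_60s": infected_fraction(60.0, doubling, a0) * hosts,
        "seconds_to_90pct": time_to_fraction(0.9, doubling, a0),
        "window_1pct_to_90pct": response_window(0.01, 0.9, doubling, a0),
    }


if __name__ == "__main__":
    for key, value in slammer_timeline().items():
        print(f"{key}: {value:.1f}")
```

With these assumptions the model goes from 1% to 90% of the population in under a minute and a half, which is the practical content of the slide's point: a signature pushed out by a human after the alert fires arrives after the event is over, so containment for this class of threat has to be in place beforehand (patching, ingress/egress filtering, rate limiting) rather than triggered by it.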
Worms and Viruses
Robert Morris Internet Worm, 1988. First conviction under the 1987 Computer Security Act.
Father was the chief scientist at NSA’s National Computer Security Center (NCSC).
Malicious Software
Trojans
Email: a virus posing as a photo of Russian tennis player Anna Kournikova. Spread twice as fast as I Love You. Polymorphic; Encrypted.
DDOS (Distributed Denial of Service Attack): Mafia Boy and Tribal Flood knocked down Yahoo and eBay.
Spyware
Potential Attackers
Common criminals: financial gain
Industrial spies: competitive advantage
Hackers: people skilled beyond their maturity
National intelligence organizations; malicious insiders; Internet businesses (spyware)
Threat Attributes
Attackers may have different: objectives, skill levels, risk tolerance.
The appropriate incident response depends, in part, on the threat attributes found in that particular situation.
Exploits
Tools that automate the process of breaking into systems
Readily available on the Internet
Malicious Insiders
Not necessarily employees: consultants, contractors.
Not necessarily in the same country as you.
Many security measures (firewalls, intrusion detection systems, etc.) deal with external threats. Insiders aren’t impacted by perimeter security.
Certain technologies (VPNs for example) may screen an insider’s activities from your ID systems.
INFOWar
A military adversary who tries to undermine his target’s ability to wage war by attacking the information or network infrastructure.
Short term focus of affecting his target’s ability to wage war.
Objectives: military advantage, chaos.
Asymmetrical Warfare
Security Principles and Models
Security is a process. It needs to be based upon a model.
Some helpful data points: Generally Accepted Security Principles (GASSP) (OECD and NIST 800-14); Layered Security Model (aka DID); NSA Security Model; Risk Management (NIST 800-30); ISC2 Ten Domains
Systems and Security
Effective security has to be thought of as a system within larger systems
Real world issues include design tradeoffs, unseen variables, and imperfect implementations.
Not a product but a process. Dynamic
Layered Security Model
Security is a Process
Each layer adds security over existing layers. Theoretically, it is not possible to penetrate multiple layers simultaneously.
Like a chain, security is only as secure as the weakest link.
Security is not a product; it can’t be bought.
Like the context that it exists within, information system security is dynamic.
Systems Theory
In order to understand the security of a system, you need to look at the entire system and its context.
Viewing any component in isolation is flawed.
Security should not depend on any particular technology.
Information Assurance: An Integrated Approach
Developed and modified over time. Primary author, Vic Maconachy
Other Models
PPT ISC2 Ten Domains NSA IAM/IEM NIST SP 800-30
Nine Risk Assessment Steps (NIST)
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Note
Steps 2, 3, 4, 5, and 6 may be conducted in parallel.
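The Terms slide defines risk as the probability that a particular threat exploits a particular vulnerability, and the nine NIST steps turn that definition into a procedure over threat-vulnerability pairs. The Python below is an added example, not part of the lecture, that carries steps 2 through 9 through for a handful of pairs. The likelihood and impact weights and the risk-level matrix follow NIST SP 800-30 (the 2002 edition: likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk High above 50, Medium above 10 up to 50, Low up to 10); the pairs, their ratings and the recommendation wording are constructed for illustration.

```python
"""Qualitative risk determination over threat-vulnerability pairs.

Added example, not from the lecture. Scales and matrix follow NIST SP 800-30
(2002); the sample pairs, their ratings and the recommendation wording are
constructed for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # SP 800-30 likelihood scale
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}         # SP 800-30 impact scale


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    threat: str             # step 2: threat source and action
    vulnerability: str      # step 3: weakness the threat could exploit
    existing_controls: str  # step 4: controls already in place
    likelihood: str         # step 5: High / Medium / Low, rated with existing controls considered
    impact: str             # step 6: High / Medium / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact weight."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Step 8 guidance per level (paraphrased, constructed wording).
RECOMMENDED_ACTION = {
    "High": "corrective measures required as soon as possible; do not operate as-is",
    "Medium": "corrective measures required within a reasonable period",
    "Low": "authorizing official decides whether to correct or accept the risk",
}

# Constructed sample pairs; the threat names echo the lecture's threat list.
SAMPLE_PAIRS = [
    ThreatVulnerabilityPair("self-replicating worm", "unpatched known vulnerability on an Internet-facing host",
                            "perimeter firewall only", "High", "High"),
    ThreatVulnerabilityPair("social engineering", "staff lack situational awareness",
                            "no awareness training", "High", "Medium"),
    ThreatVulnerabilityPair("password guessing", "weak password policy",
                            "account lockout", "Medium", "High"),
    ThreatVulnerabilityPair("malicious insider over VPN", "VPN traffic not visible to IDS",
                            "background checks", "Low", "High"),
]


def assess(pairs=SAMPLE_PAIRS) -> list:
    """Steps 7-9: score every pair, attach a recommendation, and return the results
    documentation sorted highest risk first (stable sort, so equal scores keep input order)."""
    results = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        level = risk_level(score)
        results.append({
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "existing_controls": p.existing_controls,
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": score,
            "risk_level": level,
            "recommendation": RECOMMENDED_ACTION[level],
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in assess():
        print(f'{r["risk_level"]:6} {r["score"]:5.1f}  {r["threat"]} / {r["vulnerability"]}')
```

The point the lecture makes about threat-vulnerability pairs shows up in the output: the same vulnerability rated against a different threat, or the same threat against a different vulnerability, lands in a different row, and the likelihood column is rated after the step 4 control analysis, so adding a control changes the score rather than the pair.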
Proactive Solutions
The notion of fixing a security flaw after it becomes a problem won’t work on the Internet.
Education and Training are critical components of any security plan.
Questions?
References, One
Kevin Mitnick: http://www.defensivethinking.com/
Kevin Lee Poulsen: http://www.well.com/user/fine/journalism/jail.html
Adrian Lamo: http://online.securityfocus.com/news/595 ; http://online.securityfocus.com/news/358
Alexey Ivanov and Vasiliy Gorshkov: http://www.fbi.gov/page2/seattle.htm ; http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=384
References, Two
Rome Labs: http://www.spirit.com/Network/net0598.txt ; http://www.fas.org/irp/congress/1996_hr/s960605b.htm
Love Bug: http://www.chguy.net/news/may00/hack.html ; http://www.lloydsoflondon.com/america/library/atlloyds14.10.htm ; http://exn.ca/Stories/2000/05/09/03.asp
Forrester Research: http://www.glreach.com/eng/ed/art/2004.ecommerce.php3
GASSP: http://web.mit.edu/security/www/gassp1.html
I Love You: http://home.planet.nl/~faase009/iloveyou.html
ISC2: http://www.isc2.org/
Questions?
Operation Red Hat