Chapter 2 Information Security Overview The Executive Guide to Information Security manual

Upload: samantha-maxwell

Post on 11-Jan-2016


Page 1: Chapter 2 Information Security Overview The Executive Guide to Information Security manual


Page 2:

Introduction
• Information Security programs require solutions from three areas:
  – People
  – Process
  – Technology
• People administer security programs and processes to ensure information is protected.
• Using technology, layered security (defense in depth) can be built to protect information assets.

Page 3:

Overview

• Information Security principles & the components of an Info Sec program for enterprises

• Review of major security technologies & best practices

• Foundation for a more in-depth security review in subsequent classes.

Page 4:

3 Major Components of an Info. Sec. Program

• People play a critical role in Information Security.

• Processes provide guidelines for securing information assets.

• Technology enables security programs to be executed.

• What is the weakest link in Info Sec.?

Page 5:

People

• Having the right people in key positions is paramount to a successful security program.

WHY?
• Skills
• Change management
• SOD (segregation of duties)
• Many other reasons

Page 6:

Process
• Provides a framework/standards for people to execute security operations
• What are some of the processes?
  – Policies
  – Procedures
  – Guidelines
  – Work aids
  – Training
  – Risk & security assessments
  – Access based on the principle of least privilege (need-to-know)
  – Others
• Process serves as the "glue" between People & Technology to ensure security programs operate effectively

Page 7:

Technology
• The most vast and complicated component of the security program.

Why is Technology the most complicated component?

• Variety of products currently on the market

• Products don't all interoperate with each other

• Special knowledge is needed to run each security application

• Constant upgrades/maintenance are required to keep each product operating optimally

Page 8:

Defense-in-Depth
• Layer security for
  – Gateway – the entry point between one part of the environment and another (e.g., Internet to internal network)
  – Server – systems that perform shared functions (ERP such as SAP or PeopleSoft)
  – Client – desktops, laptops, PDAs and other devices that employees use daily
• 4 major zones for defense
  1. External (Internet)
  2. Extranet
  3. Intranet
  4. Mission-critical systems

Page 9:

Example of Layering Security

Page 10:

Today's Security Technology

• Authentication, Authorization & Accounting (AAA)
• Firewalls / Virtual Private Network (VPN)
• Anti-virus software
• Intrusion Detection / Intrusion Prevention (IDS/IPS)
• Content filtering
• Encryption

Page 11:

Authentication, Authorization & Accounting (AAA)

What are some examples of security tools?
• Access Control List (ACL)
• RSA tokens
• Smart cards
• Biometrics

What is two-factor authentication? Authentication that requires two different factor types, e.g.:
• Something you know (password, PIN)
• Something you have (token, smart card)
(A third factor type, something you are, is a biometric; "two-factor" means two of these, not the same factor twice.)

Page 12:

Privileged Access

• What is privileged access?
  – Admin, super user, sys admin, utility accounts, etc.
• How should privileged access be controlled?
  – Limit access; daily/weekly/monthly monitoring; mandatory change control for access changes, etc.
• What is Single Sign-On (SSO) & how should it be controlled?
  – Access based on the concept of least privilege
  – Monitor accounts & remove access in a timely manner when not used for 30 days
  – Periodic password change
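The monitoring and 30-day removal rule above, as an added example that is not part of the original manual: a review script that takes an export of privileged-action log lines and the list of accounts holding privileged rights, reports accounts idle longer than the limit (or never used at all) for removal, and also surfaces accounts that performed privileged actions without being on the approved list. The log format, the account names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export, one privileged action per line:
# "<ISO-8601 UTC timestamp> <account> <action>"
SAMPLE_LOG = """\
2016-01-11T08:15:02Z alice sudo
2015-11-20T17:40:11Z bob su
2016-01-09T22:01:45Z alice sudo
2015-12-30T09:00:00Z carol admin-login
2016-01-10T13:22:09Z mallory sudo
"""

# Constructed list of accounts approved for privileged rights (from the access-control system).
PRIVILEGED_ACCOUNTS: Set[str] = {"alice", "bob", "carol", "dave"}

IDLE_LIMIT = timedelta(days=30)


def parse_log(text: str) -> Dict[str, datetime]:
    """Return the most recent privileged action per account."""
    last_seen: Dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, _action = line.split(maxsplit=2)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if account not in last_seen or when > last_seen[account]:
            last_seen[account] = when
    return last_seen


def review_privileged_access(
    log_text: str, privileged: Set[str], now: datetime, idle_limit: timedelta = IDLE_LIMIT
) -> Tuple[Dict[str, Optional[int]], List[str]]:
    """Two findings for the reviewer:
    stale      -> approved privileged accounts idle longer than idle_limit
                  (value = idle days, or None if the account never appears)
    unexpected -> accounts that used privilege but are not on the approved list
    """
    last_seen = parse_log(log_text)
    stale: Dict[str, Optional[int]] = {}
    for account in sorted(privileged):
        when = last_seen.get(account)
        if when is None:
            stale[account] = None
        elif now - when > idle_limit:
            stale[account] = (now - when).days
    unexpected = sorted(set(last_seen) - privileged)
    return stale, unexpected


if __name__ == "__main__":
    review_time = datetime(2016, 1, 11, 12, 0, 0, tzinfo=timezone.utc)   # constructed
    stale, unexpected = review_privileged_access(SAMPLE_LOG, PRIVILEGED_ACCOUNTS, review_time)
    for account, days in stale.items():
        print(f"REMOVE {account}: " + ("never used" if days is None else f"idle {days} days"))
    for account in unexpected:
        print(f"INVESTIGATE {account}: privileged action by non-approved account")
```

Accounts that never appear in the log are reported separately from idle ones because they are the more common finding in practice (rights granted for a project and never exercised), and the "unexpected" list is what turns a hygiene report into a detection.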

Page 13:

Firewalls

• What is a firewall?
  – Filters network traffic to allow only certain types of information to flow into the company's network
• What are the 3 types of firewalls?
  – Packet filtering – inspects only the packet header (addresses, ports); it is stateless, so it cannot tell a genuine reply from an unsolicited packet that merely looks like one
  – Stateful inspection – verifies that an inbound packet matches an outbound request it has already seen (identifies the legitimacy of the source, like checking the addresses on a letter)
  – Proxy firewall – terminates the connection, reads each message and re-originates it, so only valid application-layer messages pass to the network. More secure, at a slower speed.
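The difference between the first two firewall types, shown as an added example (not from the original manual). A stateless packet filter that wants to let web replies back in can only key on header fields, so it must admit any inbound packet with source port 80 or 443; a stateful firewall instead records the flows the LAN initiated and admits only packets that reverse one of them. The LAN range, the rule set and the three packets are constructed, using the documentation IP ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


INTERNAL = ip_network("10.0.0.0/8")   # constructed: the company LAN behind the firewall
Flow = Tuple[str, int, str, int, str]


def flow(p: Packet) -> Flow:
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)


def reverse_flow(p: Packet) -> Flow:
    """The flow a reply to p would belong to: source and destination swapped."""
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)


def packet_filter(p: Packet) -> bool:
    """Stateless packet filter: decides on header fields alone.
    Rule 1: anything from the LAN may leave.
    Rule 2: to let web replies back in, admit inbound packets whose source port is
            80 or 443, because the filter has no memory of which requests went out."""
    if ip_address(p.src_ip) in INTERNAL:
        return True
    return p.src_port in (80, 443)


class StatefulFirewall:
    """Stateful inspection: remembers outbound flows and admits an inbound packet
    only when it is the reverse of a flow the LAN initiated."""

    def __init__(self) -> None:
        self.table: Set[Flow] = set()

    def process(self, p: Packet) -> bool:
        if ip_address(p.src_ip) in INTERNAL:
            self.table.add(flow(p))
            return True
        return reverse_flow(p) in self.table


# Constructed traffic: a real HTTPS request and its reply, then an attacker who sets
# source port 443 on a probe aimed at the host's SSH port.
OUTBOUND_REQUEST = Packet("10.1.2.3", 51000, "198.51.100.7", 443)
LEGIT_REPLY = Packet("198.51.100.7", 443, "10.1.2.3", 51000)
SPOOFED_PROBE = Packet("203.0.113.5", 443, "10.1.2.3", 22)


def compare() -> Dict[str, Dict[str, bool]]:
    """Run the same three packets, in order, through both firewalls."""
    stateful = StatefulFirewall()
    verdicts: Dict[str, Dict[str, bool]] = {}
    for name, p in (("request", OUTBOUND_REQUEST), ("reply", LEGIT_REPLY), ("probe", SPOOFED_PROBE)):
        verdicts[name] = {"packet_filter": packet_filter(p), "stateful": stateful.process(p)}
    return verdicts


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:8s} packet filter: {'ALLOW' if verdict['packet_filter'] else 'DROP':5s} "
              f"stateful: {'ALLOW' if verdict['stateful'] else 'DROP'}")
```

Both firewalls pass the request and the genuine reply; only the stateful one drops the probe, because no LAN host opened a flow to 203.0.113.5. A proxy firewall goes one step further than this table and inspects the application messages inside the flow, which is where its extra cost comes from.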

Page 14:

Virtual Private Networks (VPN)

• What is a VPN?
  – A tool that enables a secure connection to the company network over a public network (the Internet)
  – Uses encryption to protect data in transit (the "tunnel")
  – Uses a combination of hardware & software to secure access

Page 15:

Anti-Virus Software

• Why should you install updated anti-virus?
  – To prevent PC infection by viruses, worms, Trojan horses and malware in general
  – Virus vs. worm – what is the difference? (A virus attaches itself to a host file or program and spreads when that file is run or shared; a worm is self-contained and propagates across the network on its own.)
• Signature vs. heuristic detection
  – Signature detection relies on known patterns of already-identified malware
  – Heuristic detection looks for traits or behaviour that suggest potential malware; it can catch new variants but produces more false positives
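The signature-versus-heuristic trade-off on this slide, as an added example that is not part of the original manual. The signature scanner matches exact byte patterns (the one entry is the industry-standard EICAR test string); the heuristic scanner scores weighted indicators, here a few Windows API names associated with process injection or downloading plus high byte entropy as a sign of packing. The weights, threshold and all four sample "files" are constructed; in particular the "new variant" is missed by the signature and caught by the heuristic, while the benign installer trips the heuristic, which is the false-positive case the slide warns about.

```python
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Signature database: exact byte patterns of known samples.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Heuristic indicators with constructed weights.
SUSPICIOUS_STRINGS: Dict[bytes, int] = {
    b"CreateRemoteThread": 3,   # the classic process-injection trio
    b"VirtualAllocEx": 3,
    b"WriteProcessMemory": 3,
    b"URLDownloadToFile": 2,    # downloader behaviour
    b"cmd.exe /c": 2,           # spawning a shell
    b"RegSetValueEx": 1,        # persistence, but every installer does this too
}
HIGH_ENTROPY = 7.0           # bits per byte; packed or encrypted payloads sit near 8.0
ENTROPY_WEIGHT = 2
HEURISTIC_THRESHOLD = 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes) -> Optional[str]:
    """Exact match against known patterns: no false positives, but no new variants either."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Score suspicious traits; return the score and the reasons behind it."""
    score, reasons = 0, []
    for needle, weight in SUSPICIOUS_STRINGS.items():
        if needle in data:
            score += weight
            reasons.append(needle.decode())
    ent = shannon_entropy(data)
    if ent >= HIGH_ENTROPY:
        score += ENTROPY_WEIGHT
        reasons.append(f"entropy={ent:.2f}")
    return score, reasons


def classify(data: bytes) -> str:
    """Signature first (certain), heuristic second (probabilistic)."""
    sig = signature_scan(data)
    if sig is not None:
        return f"signature:{sig}"
    score, _ = heuristic_scan(data)
    return "heuristic" if score >= HEURISTIC_THRESHOLD else "clean"


# Constructed samples.
KNOWN_SAMPLE = SIGNATURES["EICAR-Test-File"]
# "Packed" body (uniform bytes) followed by injection imports: no signature exists for it yet.
NEW_VARIANT = bytes(range(256)) * 4 + b"VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0"
# A legitimate installer that writes a registry key, fetches a file and opens a readme.
BENIGN_INSTALLER = b"FooApp Setup 1.2\nRegSetValueEx\nURLDownloadToFile\ncmd.exe /c start readme.txt\n"
PLAIN_DOCUMENT = b"Quarterly information security report. Nothing to see here.\n"


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", NEW_VARIANT),
                        ("installer", BENIGN_INSTALLER), ("document", PLAIN_DOCUMENT)):
        print(f"{label:9s} -> {classify(blob):26s} reasons={heuristic_scan(blob)[1]}")
```

The installer verdict is the operational cost of heuristics: the reasons list is what an analyst uses to whitelist it, and raising the threshold to avoid it would also let the new variant through unless its entropy score still carries it over the line.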

Page 16:

Vulnerability Management

• Network based & host based
  – Network based scanners probe systems over the network to identify known vulnerabilities in exposed services
  – Host based scanners run on the device itself (e.g., servers) and check installed software, patch levels and configuration
• Patch management
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Content filtering
• Encryption (symmetric & asymmetric)

Page 17:

Summary Key Points

• An effective info sec program uses a combination of People, Process & Technology

• People are the weakest link; therefore they are the most important aspect of the program

• Process is the glue that binds People & Technology to effectively protect information assets

• Technology can be used to layer security in a Defense-in-Depth approach to protect information assets.
