unit1-network security
COMPUTER & NETWORK SECURITY
Unit 1 Objectives
1. Recognize the growing importance of information security specialists to the information technology (IT) infrastructure.
2. Comprehend information security in the context of the mission of a business.
3. Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations.
Unit 1 Objectives cont…
4. Distinguish between the three main security goals.
5. Learn how to design and apply the principle of "Defense in Depth."
6. Comprehend human vulnerabilities in security systems to better design solutions to counter them.
Unit 1 Objectives cont…
7. Explain the difference between functional and assurance requirements.
8. Comprehend the fallacy of security through obscurity to avoid using it as a measure of security.
9. Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business.
10. Determine which side of the open disclosure debate you would take.
Unit 1 Objectives cont…
11. Analyze the Certified Information Systems Security Professional (CISSP) certificate program as the gold standard in information technology (IT) security certification.
12. Define and describe the role of the International Information Systems Security Certifications Consortium.
13. Distinguish the contents of the 10 domains of the Common Body of Knowledge.
14. Distinguish the CISSP from other security certification programs in the industry.
What is Network Security
Network Security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
What is Information Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Discussion
What would computing be like today if no standards had been adopted?
Why are standards so important to the computing industry?
Importance of I.S. to the Business
“To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists.”
How is this achieved
• To support business operations a number of common positions and career opportunities are needed.
– Network Administrator
– Network Engineer
– Security Engineer
– Programmer and Application Tester
– Chief Security Officer
Importance of I.S. to the Business
• Implement Security Practices
• Perform Risk Analysis
• Configure Rights and Permissions
• Implement Access Controls and Changes
• Secure Network Data
Importance cont…
• Recognize Attack Vectors
• Understand Life Cycles
• Conduct Security Audit and Testing
• Develop BCP, BIA and DRP
• Comprehend Laws and Regulations
• An organization’s security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge.
12 basic principles of information security.
Principle 1: There Is No Such Thing as Absolute Security
Explains that no information system can ever be totally secure, but can be configured to minimize risks.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
C.I.A.
Confidentiality is the term for preventing the disclosure of information to unauthorized individuals or systems.
Integrity means that data cannot be modified undetectably.
For any information system to serve its purpose, the information must be available when it is needed.
Principle 3
Principle 3: Defense in Depth as Strategy
Explains the importance of creating a layered defense around any information system.
Principle 3 cont…
• Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited. The layers can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle.
Principle 4
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
Principle 4: Discussion
What is the need for security-minded professionals in any organization where people use the information system?
Principle 5
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
Verify and Validate
Verification and validation of products, processes, and systems to ensure they function correctly.
Principle 6
Principle 6: Security Through Obscurity Is Not an Answer
Dispels the myth that hiding details about security mechanisms enhances security.
Principle 6: Arguments
Arguments for: Security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.
Arguments against: In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that the design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy.
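The contrast behind Kerckhoffs' principle, combined with the integrity goal from the C.I.A. slide, as an added example that is not part of the original slides. `obscure_tag` is a hypothetical unkeyed scheme whose only protection is a hidden design; `keyed_tag` uses the public HMAC-SHA256 construction with a secret key, and the messages are constructed samples.

```python
import hashlib
import hmac
import secrets


def obscure_tag(message: bytes) -> bytes:
    """Hypothetical 'secret design': SHA-256 digest with its bytes reversed, no key."""
    return hashlib.sha256(message).digest()[::-1]


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Public design (HMAC-SHA256); the key is the only secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_obscure(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    original = b"pay 100 to account 42"  # constructed sample message
    altered = b"pay 900 to account 42"   # constructed modification
    key = secrets.token_bytes(32)        # held only by the legitimate parties
    outsider_key = secrets.token_bytes(32)  # someone who knows the design, not the key
    new_key = secrets.token_bytes(32)    # replacement key after a suspected leak
    return {
        # Integrity: a tag made for the original does not validate the altered text.
        "keyed_detects_change": not verify_keyed(key, altered, keyed_tag(key, original)),
        # Knowing the public design is not enough to produce an accepted tag.
        "keyed_outsider_tag_accepted": verify_keyed(
            key, altered, keyed_tag(outsider_key, altered)),
        # Once the hidden design is known, anyone can produce an accepted tag,
        # and there is no key to rotate: the whole scheme must be replaced.
        "obscure_outsider_tag_accepted": verify_obscure(altered, obscure_tag(altered)),
        # Recovery: after key rotation, tags made with the old key are rejected.
        "old_key_tag_accepted_after_rotation": verify_keyed(
            new_key, altered, keyed_tag(key, altered)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed design stays sound when its details are published and recovers from a leak by changing one key, which is the property the principle asks for.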
Principle 7
Principle 7: Security = Risk Management
Explains simple methods for evaluating the risk level of any information system.
Principle 8
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
Principle 8 cont…
Prevention:
Detection:
Responsive:
Principle 9
Principle 9: Complexity Is the Enemy of Security
Explains the need for simplicity in designing and maintaining an information system.
Principle 10
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
Principle 10 - Discussion
Why is it better to take a business-centric approach (as opposed to scare tactics) when convincing management to make security investments?
Principle 11
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
Principle 11 - Discussions
What roles do people, processes, and technology play in information security, and how do they interact to enhance security?
Principle 12
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
Principle 12 – Discussions
How can open communication among IT professionals and users improve security?
Vendor Neutral Certifications
Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) - To assure that an information security manager has the required knowledge and ability to provide effective security management and consulting
Global Information Assurance Certifications (GIAC) - Intended primarily for practitioners or hands-on personnel such as system administrators and network engineers
CompTIA Security+ Certification – Tests the security knowledge mastery of an individual with two years on-the-job networking security experience
Vendor Neutral Certifications
(ISC)2 - Certified Information Systems Security Professional (CISSP)
(ISC)2 - System Security Certified Practitioner (SSCP)
Vendor-Specific Certification Programs
• Check Point Certified Security Principles Associate
• Cisco Security Certifications
– INFOSEC Professional
• Microsoft Certified Information Technology Specialist
• RSA Certified Systems Engineer
• Sun Certified Security Administrator for the Solaris Operating System
• Symantec Technology Architect
• Tivoli Certified Consultant
CISSP
• Provides employers with the confidence
• Industry assurance
• First certification accredited by ANSI ISO/IEC Standard 17024:2003
• Globally recognized
10 Domains – CBK
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigations and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
How to become a CISSP
1. Criteria
– 5 years experience or 4 years with a BSc.
2. Examination
– Pass the CISSP examination with a scaled score of 700 points or greater
3. Endorsement
– All candidates must be endorsed by an active CISSP in good standing
4. Audit
– Candidates may be randomly selected for audit
Maintaining a CISSP
All CISSPs must recertify every 3 years. This is primarily accomplished through continuing professional education [CPE], 120 credits of which are required every three years. A minimum of 20 CPEs must be posted during each year of the three-year certification cycle.
CISSPs must also pay an annual maintenance fee of $85.