Network Security
Network Security - prevention of unauthorized access
3 key principles of Network Security (C-I-A)
- Confidentiality - concerned with preventing the unauthorized disclosure of sensitive information
- Integrity - 3 goals
- Prevention of the modification of information by unauthorized users
- Prevention of the unauthorized or unintentional modification of information by authorized users
- Preservation of the internal and external consistency.
- Availability
Other C-I-A related terms
- Identification -- Log-in
- Authentication - password
- Accountability - the person who is responsible for the whole account
- Authorization
3 Critical Elements of Security according to IATO
- People
- Development of information assurance policies and procedures
- Assignment of role and responsibility
- Training of critical personnel
- Enforcement of personal accountability
- Commitment of Resources
- Establishment of physical security control
- Establishment of personnel security controls
- Penalties Associated with Unauthorized behavior
- Technology
- Security Policy
- System-level information assurance architecture
- Information assurance principles
- Specification criteria for the required information assurance products
- Acquisition of reliable, 3rd party validated products
- Configuration recommendations
- Risk Assessment process for the integrated system
- Operations
- Visible and up-to-date security policies
- Enforcement of the information security policy
- Certification and accreditation
- Information Security posture management
- Key management Services
- Readiness Assessment
- Protection of the infrastructure
- Performing system security assessment
- Monitoring and reacting to threats
- Attack sensing, warning, and response (ASW&R)
- Recovery and reconstitution
The System Development Life Cycle
- Initiation
- documentation
- involves sensitivity assessment
- Development / Acquisition
- security requirements
- level of awareness
- Implementation
- installation, testing, security testing and accreditation
- Operation / Maintenance
- operational assurance
- identify the measure
- back-up, training process
- Disposal
- involves disk sanitization, archiving files, moving equipment.
Risk Management
- According to NIST, risk management comprises three processes
- risk assessment
- identification and evaluation of risks
- identification and evaluation of risk impacts
- recommendation of risk-reducing measures
- risk mitigation
- prioritizing appropriate risk-reducing measures recommended from the risk assessment process.
- implementing appropriate risk-reducing measures recommended from the risk assessment
- maintaining the appropriate risk-reducing measures recommendation from the risk assessment.
- evaluation and assessment
- continuous process to ensure that the residual risk in the system is acceptable
- implement additional security controls for accreditation of the IT system
Security Vs Privacy
Security - is needed by an organization to protect against intruders
Privacy - is wanted by an organization to protect the rights of an individual
3 Aspects of Information Security
- Security Attack - an action that compromises the information
- Security Mechanism
- Security Service
- enhance the security measures
- counter security attacks
Four General Categories of Attack
- Interruption - attack on availability
- Interception - attack on confidentiality
- Fabrication - attack on authentication
- Modification - attack on integrity
3 Classes of Intruders
- Masquerader
- Misfeasor
- Clandestine User
Reasons Behind an Attack
- Skill
- General Skill Level
- Custom Skill Level
- Motivation
- Satisfaction - struggle
- Tenacity - patience
- Ego - pride
- Opportunity
- Parsimony
- Justifiability - other people can still access
- Completeness
- Awareness
- Robustness - limitation
Security Policies and Security Awareness
Senior Management Policy Statement
↓
Organizational Policy
↓
Functional Policy
↓
Standards
Guidelines ← Baselines
↓
Procedures
Advisory Policies
- strong recommendations
- recommend courses of action / approaches but allow for independent judgement in the event of a special case
- intended to ensure that an organization implements the standard procedures and best practices of its industry
Informative Policies
- provide information and generally require no action by the affected individual
- inform the user of the prohibited activities and resultant consequences of practicing these activities
Standards, Guidelines, Procedures and Baselines
Standards - are compulsory and usually refer to specific hardware and / or software
Guidelines - are suggestions to the personnel of an organization on how to effectively secure their network and computers
Procedures - are compulsory, detailed steps to be followed in order to accomplish tasks
Baselines - are similar to standards and represent a level of implementation of security controls that provides protection comparable to other similar reference entities.
Security Awareness
- Refers to the collective consciousness of an organization's employees relative to security controls and their application to the protection of the organization's critical and sensitive information
Training
- is a tool that can increase employee security awareness and capabilities in identifying, reporting and handling compromises of the confidentiality, integrity and availability of information systems.
Types of Internet Security Training
| Training Type | Target |
| --- | --- |
| Awareness | Personnel in security-sensitive positions |
| Security-related job training | Operators and other designated users |
| High-level security training | Senior managers, functional managers and business unit managers |
| Technical security training | IT support and system administrators |
| Advanced information security training | Security practitioners and information systems auditors |
| Specific security software and hardware product training | Operators; IT personnel; system administrators; security practitioners and selected users |
Physical Security
- is concerned with the protection of personnel, sensitive information, facilities, and equipment through the use of physical controls.
Controls in physical security can be partitioned into physical, technical and administrative types.
Possible threats to Physical Security
- Murderers
- Rapists
- Terrorists
- Carjackers
- Spies
- Fire
- Disease
- Theft of items
- Inside jobs
- Bombs
- Natural calamities and disasters
- Vandalism
- Sabotage
- Loss of electrical power
- Strikes
- Environmental conditions
- Water damage
- Smoke particles
- Hackers
- Extreme temperature and humidity
- Employee abuse of power
Physical Controls
- Security Guards
- K9 dogs / units
- Lock with chain
- Safe / Vault
- Location of equipment
- Temperature Monitoring
- Warning Signs
- Security Cage / Fencing
- Disabling USB Ports
- Paper Shredder
- Man trap
- Lighting
- CCTV
- Intrusion detectors
- Dry Contact Switches
Administrative Controls
- Hiring and monitoring security experts
- Designing and implementing safety measures
- Training of critical personnel
- Installation of safety devices
- Regular health monitoring
- Security policy
- Performing security assessment
Technical Controls
- Fire
- Fire extinguishers
- sprinklers
- smoke detectors
- thermal security camera
- Bomb
- radar
- Hackers
- Antivirus software
- System Firewalls
- System Restrictions
- Natural Calamities
- Sensor
- Cameras
- Satellites