Controls for Information Security, Chapter 8 (Copyright © Pearson Education Limited 2015)
Learning Objectives
• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization's information system.
Trust Services Framework
• Security
  ▫ Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
  ▫ Sensitive organizational data is protected.
• Privacy
  ▫ Personal information about trading partners, investors, and employees is protected.
• Processing integrity
  ▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
  ▫ System and information are available.
Security Life Cycle
Security is a management issue. See pages 256-257 for details.
Security Approaches
• Defense-in-depth
  ▫ Multiple layers of control (preventive and detective) to avoid a single point of failure.
• Time-based model: security is effective if
  ▫ P > D + C, where
    P is the time it takes an attacker to break through preventive controls,
    D is the time it takes to detect that an attack is in progress, and
    C is the time it takes to respond to the attack and take corrective action.
Steps criminals use to attack an organization's information systems
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks
How to Mitigate Risk of Attack (Table 8-1)
Preventive Controls
• People
• Process
• IT solutions
• Physical security
• Change controls and change management
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Preventive: People
• Culture of security
  ▫ Tone set at the top with management
• Training
  ▫ Follow safe computing practices
    Never open unsolicited e-mail attachments
    Use only approved software
    Do not share passwords
    Physically protect laptops/cellphones
  ▫ Protect against social engineering
Preventive: Process
• Authentication: verifies who the person is
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. A combination of two or all three of the above (multifactor authentication)
  Focus 8-1 on the effectiveness of passwords
• Authorization: determines what a person can access
  ▫ Access control matrix
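As an added example (not from the textbook or these slides), the two controls on this slide chained together: multifactor authentication using something known (a salted PBKDF2 password hash) plus something possessed (an RFC 6238 time-based one-time password), followed by authorization through an access control matrix whose lookup is the compatibility test. The user store, the matrix, the resource names and the PBKDF2 iteration count are constructed assumptions; the TOTP secret is the RFC 6238 reference secret so the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # kept modest for the example; production should use more


def hash_password(password, salt=None):
    """Factor 1 (something known): store a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored_digest)  # constant-time comparison


def totp(secret, unix_time, digits=6, step=30):
    """Factor 2 (something possessed): RFC 6238 TOTP, HMAC-SHA1 with dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, submitted, unix_time, step=30, drift_steps=1):
    """Accept the current step plus or minus drift_steps to tolerate token clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step=step), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


# Constructed user store. A fixed salt is used here only so the example is reproducible.
SALT, DIGEST = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "jsmith": {"salt": SALT, "digest": DIGEST, "totp_secret": b"12345678901234567890"},
}


def authenticate(user, password, code, unix_time):
    """Multifactor authentication: both factors must pass for a known user."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return (verify_password(password, rec["salt"], rec["digest"])
            and verify_totp(rec["totp_secret"], code, unix_time))


# Access control matrix (constructed): user -> resource -> permitted actions.
ACCESS_CONTROL_MATRIX = {
    "jsmith": {"payroll": {"read"}, "general_ledger": {"read", "write"}},
    "aclerk": {"general_ledger": {"read"}},
}


def compatibility_test(user, resource, action):
    """Authorization: is the requested action on this resource compatible with the
    user's row in the matrix? Anything not explicitly granted is denied."""
    return action in ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, set())


def request_access(user, password, code, unix_time, resource, action):
    """Authenticate first, then authorize. Returns (granted, reason)."""
    if not authenticate(user, password, code, unix_time):
        return False, "authentication failed"
    if not compatibility_test(user, resource, action):
        return False, "not authorized"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; jsmith's token shows 287082 at this instant
    print(request_access("jsmith", "correct horse battery staple", "287082", now, "general_ledger", "write"))
    print(request_access("jsmith", "correct horse battery staple", "287082", now, "payroll", "write"))
```

The order matters: authorization is only meaningful once identity is established, which is why the matrix lookup is never reached on an authentication failure. The matrix is deny-by-default, so a user or resource that simply has no entry fails the compatibility test rather than raising an error.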
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Other
• Physical security access controls
  ▫ Limit entry to the building
  ▫ Restrict access to network and data
• Change controls and change management
  ▫ Formal processes in place regarding changes made to hardware, software, or processes
Corrective
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing