Information Technology Security Management EEC10507
2/27/2020 IT Security Management 1

Aim
The primary aim of this course is to give the student a full awareness of the value of information technology security management as practised in business enterprises. It also introduces the student to the various frameworks and methods in use and critically examines their suitability for addressing current business security needs.
Credit hours: 4 (3 hrs theory, 1 hr tutorial)

Teaching/Learning Strategy
The methods of teaching will depend on computer-based tools along with video lectures and guest lectures for efficient module delivery to students. Students will be given coursework/assignments and self-learning tasks which focus on the latest practices in industry. Students will collaborate in groups to discuss current and future challenges in IT security management.
Transferable Skills: By completing this course students will develop skills to plan, conduct and critically appraise research and develop new approaches to problem-solving. They will also improve their communication and leadership skills.

Assessment format
Course work - 60% (Individual Assignment - 40%, Presentation - 20%)
Final Exam - 40% (Unseen Written Examination of 3 hours duration)
Pass Requirement: 50%

Learning Outcomes
On completion of this module students will be able to:
1. Demonstrate an understanding of the key concepts and essentials of information technology security management.
2. Apply IT security management concepts for designing solutions to manage security risks effectively.
3. Describe the mutual relations between the various elements of information security management and their role in protecting business enterprises and organizations.
4. Describe the impact of new technological developments on information technology security management.
5. Demonstrate an understanding of the current legal and social contexts in which enterprises impinge on IT security management.
6. Design an emergency plan for a given IT environment.

Syllabus
The main course topics to be covered are:
Introduction to Information Security: Understand the importance of information security through awareness of the 12 generally accepted basic principles of information security; distinguish between the three main goals of security: confidentiality, availability and integrity. Introduction to certification programs and the Common Body of Knowledge.
Governance and Risk Management: Introduction to security policies; understand the four types of policies.
Business Continuity Planning and Disaster Recovery Planning: Overview of the Business Continuity Plan and Disaster Recovery; creating the Business Impact Analysis; Disaster Recovery Planning.
Access Control Systems and Methodology: Introduction, terms and concepts, identification, authentication, least privilege, information owner, discretionary access control, access control lists, user provisioning, mandatory access control, role-based access control.
Law, Investigations, and Ethics: Introduction, types of computer crime, how cybercriminals commit crimes, the computer and the law, legislative branch of the legal system, administrative branch of the legal system, judicial branch of the legal system, intellectual property law.

CHAPTER 1
Introduction to Information Security: Understand the importance of information security through awareness of the 12 generally accepted basic principles of information security; distinguish between the three main goals of security: confidentiality, availability and integrity. Introduction to certification programs and the Common Body of Knowledge.

12 generally accepted basic principles of information security
Principle 1: There Is No Such Thing As Absolute Security.
• Given enough time, tools, skills, and inclination, a malicious person can break through any security measure. E.g. in 2003, the art collection of the Whitworth Gallery in Manchester, England.
• Four common classes of safe ratings are B-Rate, C-Rate, UL TL-15, and UL TL-30.
• Resisting attacks long enough provides the opportunity to catch the attacker in the act and to quickly recover from the incident.

12 generally accepted basic principles of information security cont.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
• All information security measures try to address at least one of three goals:
• Protect the confidentiality of data
• Preserve the integrity of data
• Promote the availability of data for authorized use
Integrity Models
• Protect system data from intentional or accidental changes. Integrity models have three goals:
• Prevent unauthorized users from making modifications to data or programs
• Prevent authorized users from making improper or unauthorized modifications
• Maintain internal and external consistency of data and programs

12 generally accepted basic principles of information security cont.
• Availability models keep data and resources available for authorized use.
• Three common challenges to availability:
• DoS due to intentional attacks or because of undiscovered flaws in implementation (for example, a program crash due to unexpected input)
• Loss of information system capabilities because of natural disasters or human actions (bombs or strikes)
• Equipment failures during normal use
Some activities that preserve CIA are:
(i) granting access only to authorized personnel,
(ii) applying encryption to information that will be sent over the Internet or stored on digital media,
(iii) periodically testing computer system security to uncover new vulnerabilities,
(iv) building software defensively,
(v) developing a disaster recovery plan to ensure business continuity.

12 generally accepted basic principles of information security cont.
Principle 3: Defense in Depth as Strategy
• A bank would never leave its assets inside an unguarded safe alone.
• Layered security is known as defense in depth.
• It is implemented in overlapping layers that provide prevention, detection, and response to attacks on systems.
• In the IS world, defense requires layering security devices in a series that protects, detects, and responds to attacks on systems. E.g. routers, firewalls and IDS to protect the network from intruders; traffic analyzers and real-time human monitors to watch for anomalies; automated mechanisms to turn off access or remove the system from the network in response to the detection of an intruder.
• Phishing for Dollars

12 generally accepted basic principles of information security cont.
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
• The primary reason identity theft, viruses, worms, and stolen passwords are so common is that people are easily duped into giving up the secrets technologies use to secure systems.
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
• Functional requirements describe what a system should do.
• Assurance requirements describe how functional requirements should be implemented and tested.
• Both sets of requirements are needed to answer the questions of verification and validation.

12 generally accepted basic principles of information security cont.
Principle 6: Security Through Obscurity Is Not an Answer
• Hiding the details of the security mechanisms is not sufficient to secure the system.
• Make sure no one mechanism is responsible for the security of the entire system.
Principle 7: Security = Risk Management
• Risk analysis and risk management are central themes in securing information systems.
• When risks are well understood, it is easier to mitigate them, acquire insurance, and manage the consequences.
• Determine the degree of a risk and, based on the risk rating, take appropriate actions.
• Vulnerability: a known problem within a system or program. E.g. buffer overflow or overrun.
• Exploit: a program or "cookbook" on how to take advantage of a specific vulnerability.
• Attacker: the link between a vulnerability and an exploit.
• The IS practitioner must anticipate who might want to attack the system, how capable they might be, how available the exploits for a vulnerability are, and which systems have the vulnerability.

12 generally accepted basic principles of information security cont.
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
• Controls and countermeasures (like firewalls) must be implemented. E.g. bank safe.
Principle 9: Complexity Is the Enemy of Security
• The more complex a system gets, the harder it is to secure. With too many "moving parts" or interfaces between programs and other systems, the system or interfaces become difficult to secure while still permitting them to operate as intended.
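As an added illustration of Principle 7 (this is not code from the slides or the course), the following is a small risk register that rates each system/vulnerability pair from the attacker-side questions the slide lists (attacker motivation and capability, exploit availability, which system carries the flaw and what it is worth) and maps the rating to the three responses named: mitigate, insure or accept. The 1-5 scales, the likelihood x impact formula and the thresholds are assumptions made for the example, not a standard the slides prescribe.

```python
"""Added example: a risk register in the spirit of Principle 7 (Security = Risk
Management). Scales, weights and thresholds are assumptions, not from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    system: str
    vulnerability: str          # a known problem, e.g. "buffer overflow"
    exploit_available: int      # 1 = theoretical only .. 5 = public exploit kit
    attacker_capability: int    # 1 = opportunistic .. 5 = well resourced
    attacker_motivation: int    # 1 = unlikely to be targeted .. 5 = prime target
    asset_value: int            # 1 = negligible impact .. 5 = business critical


def likelihood(r: Risk) -> int:
    """An attack needs a vulnerability, an available exploit, and an attacker with
    the will and skill to use it; average the three attacker-side factors (assumed)."""
    total = r.exploit_available + r.attacker_capability + r.attacker_motivation
    return round(total / 3)


def rating(r: Risk) -> int:
    """Risk rating = likelihood x impact, giving a 1..25 score (assumed formula)."""
    return likelihood(r) * r.asset_value


def action(r: Risk) -> str:
    """Map the rating to the responses the slide lists (thresholds assumed)."""
    score = rating(r)
    if score >= 15:
        return "mitigate"     # add or fix controls before anything else
    if score >= 8:
        return "insure"       # transfer the residual consequence
    return "accept"           # document, monitor, and manage consequences


def prioritised(register: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Highest-rated risks first, so the treatment order is explicit."""
    rows = [(r.system, r.vulnerability, rating(r), action(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: illustrative values, not real findings.
REGISTER = [
    Risk("internet-facing web server", "buffer overflow in request parser", 5, 4, 5, 5),
    Risk("internal wiki", "outdated plugin", 3, 2, 2, 2),
    Risk("payroll database", "weak admin password", 2, 3, 3, 4),
]

if __name__ == "__main__":
    for system, vuln, score, act in prioritised(REGISTER):
        print(f"{score:>2}  {act:<8} {system}: {vuln}")
```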
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
• At one time, "scaring" management into spending resources on security to avoid the unthinkable was effective. The tactic of fear, uncertainty, and doubt (FUD) no longer works: information security and IT management are too mature.

12 generally accepted basic principles of information security cont.
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
• Implement process controls, like the US Army's dual control protocol.
• Establish procedures, document them and verify them.
• People, process, and technology are the 3 pillars of IS.
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
• Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects.

Basic Components of Security: Confidentiality, Integrity, Availability (CIA)
• Confidentiality: Who is authorized to use data?
• Integrity: Is the data "good"?
• Availability: Can data be accessed whenever it is needed?
CIA or CIAAAN... (other security components added to CIA): Authentication, Authorization, Non-repudiation, ...

CIA
• Confidentiality means hiding the information from unauthorized access. It is most commonly enforced through encryption.
• Integrity means that data is protected from unauthorized changes: protection of information and systems from being modified by unauthorized entities and unauthorized mechanisms.
• Availability means that authorized users have access to the systems and the resources they need.

Need to Balance CIA
Example 1: C vs. I+A
Disconnect a computer from the Internet to increase confidentiality: availability suffers, and integrity suffers due to lost updates.
Example 2: I vs. C+A
Have extensive data checks by different people/systems to increase integrity: confidentiality suffers as more people see the data, and availability suffers due to locks on data under verification.

Confidentiality
• "Need to know" basis for data access.
• How do we know who needs what data? Approach: access control specifies who can access what.
• How do we know a user is the person he/she claims to be? We need his/her identity and need to verify this identity. Approach: identification and authentication.
• Confidentiality is:
• Difficult to ensure
• Easiest to assess in terms of success (binary in nature: Yes / No)

Integrity
• Integrity vs. Confidentiality: integrity is concerned with unauthorized modification of assets (= resources); confidentiality is concerned with access to assets.
• Integrity is more difficult to measure than confidentiality: it is not binary, there are degrees of integrity.
• Context-dependent: it means different things in different contexts. Could mean any subset of these asset properties: { precision / accuracy / currency / consistency / meaningfulness / usefulness ... }

Availability
• Not understood very well yet. "Full implementation of availability is security's next challenge." E.g. full implementation of availability for Internet users (while ensuring security).
• Complex and context-dependent. Could mean any subset of these asset (data or service) properties: { usefulness / sufficient capacity / completed in an acceptable period of time / ... }
• We can say that an asset (resource) is available if it provides:
• Timely request response
• Fair allocation of resources (no starvation!)
• Fault tolerance (no total breakdown)
• Ease of use in the intended way
• Controlled concurrency (concurrency control, deadlock control, ...)

Introduction to Certification Programs and the Common Body of Knowledge
• The more prominent information security certifications are:
• Certified Information Systems Security Professional (CISSP): an IS certification granted by the International Information System Security Certification Consortium, also known as IISSCC or (ISC)², for people in managerial positions or senior people.
• CISSPs define the architecture, design, management and/or controls that ensure the security of business environments.
• Systems Security Certified Practitioner (SSCP): for people who specialize in areas of security operations.
• Both CISSP and SSCP are based on the Common Body of Knowledge (CBK).
• CBK: a collection of relevant topics for IS security professionals worldwide.

10 different areas covered in the CISSP exam
• Access control systems and methodology
• Systems and application security development
• Cryptography
• Disaster recovery and business continuity plans
• Investigation, laws and ethics
• Security models and architectures
• Physical security
• Best management practices
• Networking and telecommunications security
• Operations security
Rigorous examination (6 hrs, 250 questions). Only 94,000 professionals hold the CISSP certification worldwide (149 countries).

Certification and IS
Benefits of certifications to employers:
• Global recognition: provides increased credibility while working with contractors and vendors.
• Common language: circumvents ambiguity with industry-accepted terms and standards.
• Experience: professionals have years of experience and a prescribed educational standard.
• Continuing professional education.
• Certification mandate: certified staff are most wanted by organizations, subcontractors and service providers.
Benefits of Certifications to Professionals
• Higher salary and promotions
• Verifiable proof of efficiency
• Entry into one of the largest communities of recognized IS professionals in the world
• Access to global resources, peer networking, mentoring and wide IS opportunities

(ISC)²
• Global, non-profit consortium. Its goals are:
• Maintaining a common body of knowledge for IS
• Certifying industry professionals and practitioners according to the international IS standard
• Administering training and certification examinations
• Ensuring that credentials are maintained through continuing education
• Thousands of IS professionals in 149 countries have obtained certifications in CISSP or SSCP.
• Credentials indicate that individuals have demonstrated experience in IS, passed a rigorous examination, subscribed to a code of ethics and will maintain certification with continuing education requirements (3 years).
• ISO approved CISSP in 2004, the 1st accredited IT certificate (ISO/IEC 17024).

The IS CBK
• Is a compilation and distillation of all security information collected internationally that is relevant to IS professionals.
• (ISC)² ensures that CISSP-certified IS professionals have a working knowledge of all 10 domains of the CBK.
The 10 domains of the CBK are:
1. IS governance and risk management: focuses on the importance of security plans for protecting data and how it is administered.
2. Security architecture and design: concepts, principles, structures and standards used to design, implement, monitor and secure OSs, equipment, networks, applications and other controls to enforce various levels of CIA.
3. Business continuity and disaster recovery planning: focuses on BCP along with Business Impact Assessment and the DRP.

CBK Domains cont.
4. Legal regulations, investigations, and compliance: covers the different targets of computer crimes, and the laws and regulations that apply to computer security.
5. Physical (environmental) security: focuses on securing the physical site using policies and procedures with alarms, IDS, IMS and so on.
6. Operations security: includes defining controls over media, H/W and operators with special system privileges.
7. Access control: who may access the system and what may they do? Understanding I, A, A and logging and monitoring techniques and technologies.

CBK Domains cont.
8. Cryptography: the InfoSec specialist should understand the function of cryptography; use cryptography to maintain network security, using digital signatures, understanding PKI, identifying non-repudiation.
9. Telecommunications and network security
10. Software development security

Other Programs
• Certified IS Auditor
• Certified Information Security Manager
• Certified in Risk and Information Systems Control
• Global Information Assurance Certification
• (ISC)² specialization certifications
• Certified Cyber Forensic Professional
• HealthCare Information Security and Privacy Practitioner
• CCNP
• Certificate of Cloud Security Knowledge
• Certified Ethical Hacker

Tutorial