About the Course
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu

Course overview (topics covered in this module): Objectives, INFOSEC, CISSP CBK, Pedagogy, DHS EBK, IST 515

Objectives
This module will familiarize you with the following:
• Current trends in computer crime and security.
• Why information security is not just a technical problem.
• The common body of knowledge (CBK) in information security proposed by (ISC)2.
• The essential body of knowledge (EBK) in security suggested by the Department of Homeland Security.
• The purposes, coverage and policies of the course.
• The concept of "defense in depth (DID)" in security.

Reading List
• SANS 2008 Salary and Certification Survey. http://www.sans.org/resources/salary_survey_2008.pdf
• Robert Richardson, "2009 CSI Computer Crime & Security Survey." (Required)
• Wikipedia, "Certified Information Systems Security Professional (CISSP)." http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional
• Department of Homeland Security, "Information Technology Security Essential Body of Knowledge," 2007.
• ISACA, Information Security Career Progression. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=42042
• Wikipedia, "Defense in Depth (computing)." http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

Sun Tzu's Art of War
• If you know your enemies and know yourself, you can win a hundred battles without a single loss (知彼知己,百戰不殆).
• If you only know yourself, but not your opponent, you may win or may lose (不知彼而知己,一勝一負).
• If you know neither yourself nor your enemy, you will always endanger yourself (不知彼,不知己,每戰必殆).
(http://en.wikipedia.org/wiki/The_Art_of_War)

SANS Security Salary Survey (2008)
• Salaries for information security professionals are high. Only 1.65% of respondents earn less than US $40,000 per year and over 38% earn US $100,000 or more per year.
• 81% of respondents with hiring responsibilities consider certification a factor in their hiring decisions.
• 41% of respondents said their organizations use certifications as a factor when determining salary increases.
• Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

2010 IT Skills and Salary Report (http://www.examland.com/it-certification/1865/1865/)

Security Certification                                                  Mean       Median     Responses
CCNA Security – Cisco Certified Network Associate Security              $89,911    $80,500    110
CCSA – Check Point Certified Security Administrator                     $99,512    $93,000    49
CCSE – Check Point Certified Security Expert                            $98,254    $91,000    30
CEH – Certified Ethical Hacker                                          $92,794    $86,500    76
CISA – Certified Information Systems Auditor                            $100,855   $94,500    78
CISM – Certified Information Security Manager                           $113,846   $96,250    64
CISSP – Certified Information Systems Security Professional             $99,928    $96,000    373
Security+ – CompTIA Security+                                           $76,844    $73,000    417

2008 CSI Security Survey
• The most expensive computer security incidents were those involving financial fraud.
• Virus incidents occurred most frequently.
• Almost one in ten organizations reported they had had a Domain Name System (DNS) incident.
• Twenty-seven percent of those responding to a question regarding "targeted attacks."
• The vast majority of respondents (68 percent) said their organizations had a formal information security policy.
Summary of Key Types of Incident (percentage of respondents reporting each incident type)

Key Type of Incident             2004   2005   2006   2007   2008   2009
Virus / Malware Infection         78%    74%    65%    52%    50%    64%
Insider Abuse                     59%    48%    42%    59%    44%    30%
Laptop Theft                      49%    48%    47%    50%    42%    42%
Denial of Service                 39%    32%    25%    25%    21%    29%
Abuse of Wireless Network         15%    16%    14%    17%    14%     8%
System Penetration                17%    14%    15%    13%    13%    14%
Financial Fraud                    8%     7%     9%    12%    12%    20%

Incident types for which the slide lists fewer than six values (the slide does not mark which years the values belong to):
Unauthorized Access               37%  32%  32%  25%  29%
Instant Messaging Abuse           25%  21%  8%
Bots                              21%  20%  23%
Theft/loss of Customer Data       17%  17%
Misuse of Web Application         10%  5%  6%  9%  11%
Theft/loss of Proprietary Info    10%  9%  9%  8%  9%
Password Sniffing                 10%  9%  17%
DNS Attacks                       6%  8%  7%  14%
Web Site Defacement               7%  5%  6%  10%  6%
Telecom Fraud                     10%  10%  8%  5%  5%
Sabotage                          5%  2%  3%  4%  2%

Trends of Key Incidents (chart of the incident percentages above)

Security Technologies Used (2008)

Technology                                    Percentage
Anti-virus software                           97%
Firewalls                                     94%
Virtual Private Network (VPN)                 85%
Anti-spyware software                         80%
Encryption of data in transit                 71%
Intrusion detection systems                   69%
Vulnerability / patch management tools        65%
Web / URL filtering                           61%
Intrusion prevention systems                  54%
Application-level firewalls                   53%
Encryption of data at rest (in storage)       53%

Test Your Understanding
• What percentage of corporations experienced at least one security incident?
• Name the two highest-prevalence threats, which are experienced by a majority of firms.
• Describe trends for the three traditional hacker attacks.
• Describe trends in the three low-prevalence, high-impact attacks.
• Why do you think companies may have a difficult time planning for low-prevalence, high-impact attacks?
• Describe trends for wiretapping, telecommunications eavesdropping, and telecommunications fraud.
• Does media coverage typically mirror the importance of threats?

CSI Security Survey 2009
• Big jumps in the incidence of password sniffing, financial fraud, and malware infection.
• One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
• Average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
• Twenty-five percent felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
• Respondents were satisfied, though not overjoyed, with all security technologies.

CSI Security Survey 2009 (continued)
• Investment in end-user security awareness training was inadequate, but investments in other components of their security program were adequate.
• Actions taken: 22 percent notified individuals whose personal information was breached, and 17 percent provided new security services to users or customers.
• Security solutions: use tools that would improve their visibility, such as better log management, security information and event management (SIEM), security data visualization, security dashboards and the like.
• Regulatory compliance efforts have had a positive effect on their organization's security programs.

Types of Attack (chart)

Let us Talk
• What kind of knowledge and skills are needed to succeed in an information security career?
  - CBK vs. EBK
  - Similarities and differences
• What do professionals have to say about the field?
  - Hard vs. soft skills
• How about IST 515?
• How about your degree?
CISSP CBK: Common Body of Knowledge in Information Systems Security
• Information security and risk management
• Telecommunications and network security
• Access control
• Application security
• Cryptography basics
• Operations security
• Physical (environmental) security
• Business continuity and disaster recovery planning
• Security architecture and design
• Legal, regulations, compliance and investigations

Roles and Competencies (EBK)
• Strategic Management
• IT Security Training & Awareness
• Risk Management
• Data Security
• Physical & Environmental Security
• System & Application Security
• IT Systems Operations & Maintenance
• Procurement
• Personnel Security
• Enterprise Continuity
• Incident Management
• Regulatory & Standards Compliance
• Digital Forensics
• Network Security & Telecommunications

Ten Most Common Activities Performed

Rank   Current Position                              %      Prior Position                                %
1      Risk Management                               76.6   Data Security                                 56.6
2      Security Program Management                   74.0   Risk Management                               54.8
3      Data Security                                 70.7   Network Security                              53.5
4      Policy Creation and Maintenance               65.3   Security Program Management                   49.0
5      Regulatory Compliance                         63.4   Policy Creation and Maintenance               48.8
6      Security Project Management                   59.6   Business Continuity/Disaster Recovery         45.8
7      Incident Management                           58.5   System and Application Security               45.2
8      Network Security                              57.3   Security Architecture                         45.1
9      Business Continuity/Disaster Recovery         56.1   Incident Management                           44.8
10     Security Architecture                         55.9   Security Project Management                   44.8

Critical Skills Necessary for Advancement*

Area                              Very Important   Important   Not Important   No Opinion
Writing ability                   69%              28%         0%              1%
Verbal communication ability      68%              29%         0%              1%
Technical knowledge               66%              31%         2%              1%
Critical thinking and judgment    69%              26%         2%              3%
Teamwork and collaboration        52%              42%         3%              3%
Ability to lead change            52%              39%         5%              4%
Business knowledge                40%              50%         6%              3%
Cross-functional influence        35%              50%         7%              9%
Influence                         33%              52%         8%              7%
Facilitation                      24%              56%         11%             10%
Mentoring and coaching            19%              57%         17%             7%
Strategic business planning       22%              48%         21%             10%
* SANS Information Security Survey, 2007

IST 515 covers the interdisciplinary theoretical, conceptual, methodological, and practical foundations of information security and assurance, with emphases on information systems security, security and risk management, economic aspects of security, trust management, human factors in security, and enterprise security.

Course Coverage
• Common Body of Knowledge (CBK) – CISSP
• Essential Body of Knowledge (EBK) – DHS
• Penetration Testing / Ethical Hacking – EC-Council

Topics to be covered (CBK):
- Information Security & Risk Management
- Access Control
- Physical & Environmental Security
- Security Architecture and Design
- Application Security
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Compliance and Investigations

Course Objectives
• Understand the basics of information security and assurance.
• Understand the core technologies used in making a networked information system secure and assured.
• Understand how to build information systems with assurances and the role of "trust" in delivering these assurances.
• Take an interdisciplinary approach to analyzing the security and assurance of modern information systems.
• Understand the economic aspects of security.
• Understand the impact of human factors in security.
Security Defense in Depth (diagram of the defense-in-depth cycle: Prediction, Prevention, Monitoring/Detection, Response, Forensics, Recovery)
• Prediction
  - Qualitative models
  - Quantitative models
• Prevention
  - Policy/Regulation
  - Firewall/DMZ
  - Access Control/VPN
• Monitoring / Detection
  - Scanner
  - IDS
  - Data mining
• Response
  - Plans
  - Risk analysis
• Forensics
  - Tracing
  - Investigation
• Recovery

Defense in Depth of Security: Feedback (diagram mapping the courses below onto the Prediction, Prevention, Detection, Response and Forensics stages of the cycle above)
• IST 451: Network Security
• IST 452: Legal & Regulatory Issues
• IST 453: Computer Forensics Law
• IST 454: Computer & Cyber Forensics
• IST 456: Security & Risk Management
• IST 515: Information Security & Assurance
• IST 554: Network Management & Security
• IST 564: Crisis, Disaster & Risk Management
• IN SC 561: Web Security & Privacy
• SRA 472: Integration of Privacy & Security
• SRA 868: Visual Analytics for Security

Abbreviations
• HLS: Homeland Security
• INSC: Information Science
• IS: Information Sciences
• IST: Information Sciences & Technology
• SRA: Security & Risk Analysis

Security curriculum map (diagram of course relationships)
• IST 554 Network Management and Security
• IST 451 Network Security
• IST 454 Cyber Forensics
• IST 554 Independent Studies
• IST 515 Information Security and Assurance
• INSC 516 Web Sec. & Privacy
• SRA 472 Privacy & Security
• IST 594 Research Paper
• IST 564 Crisis, Disaster and Risk Management
• IST 456 Security Mgmt
• SRA 868 Visual Analytics
Legend: Required for IS & HLS; Required for HLS; Elective

Security Defense in Depth (layered model, outermost to innermost)
• Policies, Procedures, and Awareness
• Physical Security
• Perimeter Defenses
• Network Defenses
• Host Defenses
• Application Defenses
• Data Defenses

Certificate of Accomplishment
The Center for Information Assurance at the Pennsylvania State University, through its curricula, certifies that [Student] has acquired the knowledge and skills that meet the National Training Standard NSTISSI-4011 for Information Systems Security (INFOSEC) Professionals, established by the Committee on National Security Systems (CNSS) and the National Security Agency (NSA), on December 201x.
Dr. Hank Foley, Dean, College of Information Sciences and Technology
Dr. Chao H. Chu, Executive Director, Center for Information Assurance

INFOSEC Certificate
Required Courses (6 credits):
• IST 515. Information Security and Assurance
• IST 554. Network Management and Security
Elective Courses (select 9 credits):
• IST 451. Network Security
• IST 454. Computer and Cyber Forensics
• IST 456. Security and Risk Management
• IST 564. Crisis, Disaster, and Risk Management
• IN SC 561. Web Security and Privacy

Thank You! Any Questions?