information security management. security solutions copy

Information Security Management Security Solutions By Yuliana Martirosyan Based on Bell G. Reggard, Information Security Management. Concepts and Practices.

Upload: yulianamar

Post on 19-Jun-2015



TRANSCRIPT

Page 1: Information Security Management. Security solutions copy

Information Security Management

Security Solutions

By Yuliana Martirosyan

Based on Bell G. Reggard, Information Security Management. Concepts and Practices.


13. Security Solutions

13.1 Introduction

Information protection is not a goal in itself; its purpose is to reduce the harm to the information's owner.

The American Bar Association reported a decade ago that hackers caused harm as high as $10 million.

The FBA reports that businesses lose $7.5 billion a year to attacks.


13.2 Security Solutions

Organization of security solutions

Security Solution

• Security Mngmt
• Cryptography: Hash, Symmetric Cryptography, Public-Key Cryptography, DS, VPN
• Access Control: Passwords, Authentication, Biometrics, VPN
• Traffic Control: IP Packet Filter, Firewalls, IP App Level Firewalls, Hybrid Firewall, Cyberwall, Stateful Insp. Firewall, VPN
• Physical Security: Locks, Disconnect, Backup, Higher Availability Clusters
• Analysis: Audit, Penetration, Security Plan, Reviews, Risk Analysis, Vulnerability Assessment, Intrusion Detection


13.2.1 Security Management

13.2.1.1 Information Security Management

This is the most important class of security solutions. It is related to organizational security of the company.

There are two main components:

1. Effectiveness in securing the system (ISO 27002)
2. Information Security Management system (ISO 27001)


13.2.1.2 Simple Network Management

Major components used in networking are routers, switches, firewalls and access servers. (Network topology)

Routers draw a hierarchy of LANs and autonomous systems to find optimal paths to information resources worldwide.


Network Management

Data Centers

Unicenter from IBM

Network Management System tools

Open View from HP

Enterprise System Management

ESM


13.2.2 Cryptographic Solutions

13.2.2.1 Cryptography

Hash Functions

Symmetric Cryptography

Public-Key Cryptography

Digital Signatures

Virtual Private Networks

13.2.2.1 The Main Cryptographic Mechanisms

Symmetric Cryptography: Private Key (AES)

Asymmetric Cryptography: Public Key (RSA)


13.2.2.3 Block and Stream Ciphers in Symmetric Cryptography

Symmetric ciphers are now usually implemented using:

• Block ciphers: a fixed-length block of plain text is converted into cipher text of the same length

• Stream ciphers: data is encrypted one bit or byte at a time

13.2.2.4 Digital Signatures

Used to demonstrate the authenticity of a digital message or document.

DS algorithms: RSA, DSS, Elliptic Curves

Crypto-systems: PGP, S/MIME


13.2.2.5 Virtual Private Networks (VPN)

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.

• Intranet VPN: several buildings may be connected to a data center (strong encryption)
• Remote Access VPN: laptops that connect intermittently from different locations (authentication)
• Extranet VPN: access corporate resources across various network architectures


13.2.2.5.1 Dial-Up VPN (PPTP VPN)

[Figure: Dial-Up VPN (PPTP VPN) diagram; labels: Firewall, Intranet]

13.2.2 Cryptographic Solutions: PPP VPN implementation

[Figure: PPP VPN implementation diagram; labels: Firewall, Firewall]

13.2.2.5.2 Layer Two Tunnel Protocol (L2TP)

Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding.

The main rival to PPTP for VPN tunneling was Cisco’s L2F.

13.2.2.5.1 Internet Protocol Security (IPSEC)

IPsec is a collection of protocols that provide low-level network security.

IPsec exists at the network layer.


13.2.3 Access Control

Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

The three most widely recognized models are:

• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)


Access Control Technologies:

• Passwords, tokens, smart cards, encrypted keys
• Authentication
• Biometrics
• VPN


Authentication

Encryption can be used not only to hide data from prying eyes. One example of such a cryptographic method is Tripwire: it builds a database of cryptographic checksums for selected files. Attempts at unauthorized access to the data will be detected by Tripwire.

Biometrics

Fingerprints, facial recognition, hand geometry, DNA
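An added example, not part of the original slides and not Tripwire's own code, of the checksum-database idea described above: it records SHA-256 checksums for selected files and later reports which ones were changed or removed. The function names, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Checksum database: one known-good digest per selected file."""
    return {p: sha256_file(p) for p in paths}


def check(baseline):
    """Compare current files with the database; return {path: finding}."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed sample files: one is changed, one is deleted."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("passwd", "hosts", "motd")}
        for name, path in files.items():
            with open(path, "w") as fh:
                fh.write(name + " original contents\n")
        baseline = build_baseline(files.values())
        clean = check(baseline)                 # nothing changed yet
        with open(files["passwd"], "a") as fh:  # simulated unauthorized change
            fh.write("unexpected line\n")
        os.remove(files["motd"])
        after = check(baseline)
        return clean, {os.path.basename(p): f for p, f in after.items()}


if __name__ == "__main__":
    print(demo())
```

The checksum database has to be stored where the monitored host cannot rewrite it, since anyone able to alter both a file and its recorded checksum goes undetected.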


13.2.4 Data Traffic Control

Security Rules:

Rule 1: Trust inside

Rule 2: Least privilege

Rule 3: Selective blocking (opposite of Rule 2)

Firewalls:

Network firewalls

Application firewalls

Stateful inspection firewalls


13.2.5 Security Analysis

Security Testing: Penetration testing

External Source Penetration Test

Internal source penetration Test

Target system penetration test

Vulnerability Assessment

The process of identifying and quantifying weaknesses of the system, and determining their effect.

Analyze threats that potentially can cause compromise, spoofing, or denial of service.


Security Review

• System, Network and Topology evaluation

• Administration checklist

• File servers and workstations

• Individual accountability

• Disaster recovery

• Connectivity

• E-mail Controls

• Policy Review

• Logical Security

• Managerial security

• Physical Security


Forensic Investigation

• Use of sterile media
• Hardware investigation
• Original data
• Write protected media
• Deleted, hidden or recored files
• File revision documentation
• Data manipulation
• Files' organization
• Potential evidence
• Report generation


Security Audit

• Planning the audit
• Auditing
• Report and post-mortem
• Action


13.3 The NIST Security Solution Taxonomy

Security Control Management Class, Family and Identifier

| Class | Family | Identifier |
|---|---|---|
| Management | Risk Assessment | RA |
| Management | Planning | PL |
| Management | System and Services Acquisition | SA |
| Management | Certification, Accreditation, and Security Assessment | CA |

| Class | Family | Identifier |
|---|---|---|
| Operational | Personnel Security | PS |
| Operational | Physical and Environmental Protection | PE |
| Operational | Contingency Planning | CP |
| Operational | Configuration Management | CM |
| Operational | Maintenance | MA |
| Operational | System and Information Integrity | SI |
| Operational | Media Protection | MP |
| Operational | Incident Response | IR |
| Operational | Awareness and Training | AT |

Security Control Technical Class, Family and Identifier

| Class | Family | Identifier |
|---|---|---|
| Operational | Identification and Authentication | IA |
| Operational | Access Control | AC |
| Operational | Audit and Accountability | AU |
| Operational | System and Communications Protection | SC |

13.4 The ISO Security Taxonomy

1. Risk Assessment and Treatment
2. Security Policy
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical Security
7. Communications and Ops Management
8. Access Control
9. Information Systems Acquisition, Development, Maintenance
10. Information Security Incident management
11. Business Continuity
12. Compliance