network security, change control, outsourcing
Information System 365/765 Lecture 12
Network Security, Change Control, Outsourcing
Today’s Chocolate Bar: Snickers – AGAIN!
• In 1930, the Mars family introduced its second product, Snickers, named after one of their favorite horses
• Snickers is the best selling chocolate bar of all time and has annual global sales of US$2 billion
Nutty Cisco Video
• Watch video
• Think about what you would do to protect your server area, using your knowledge gained so far in the class
• Split into groups of four, come up with a mini presentation
• Talk to class for 3 minutes
Network Security
• Why didn’t we talk about this on day one?
• Bringing it all together
• Protect the network and the network-accessible resources from unauthorized access, with consistent and continuous monitoring and measurement of its effectiveness
Network Security vs. Computer Security
• Securing network infrastructure is like securing possible entry points of attacks on a country by deploying appropriate defense.
• Computer security is more like providing means to protect a single PC against outside intrusion.
Network Security
• Prevents users from ever being exposed to attacks
• Protection of all entry points and shared resources
• Printers, network-attached storage (NAS), iPhones, etc.
• Attacks stop at entry points, BEFORE they spread
Computer Security
• Focused on an individual host
• A computer’s security is vulnerable to people who have higher access privileges than the protection mechanism.
• While this is also true with Network Security, it is less likely.
Attributes Of A Secure Network
• Authentication
• Authorization
• Firewall
• Intrusion Prevention System
• Antivirus
• Honeypots
• Monitoring
Authentication
• Providing proof that you are who you claim to be
Authorization
• Determining the level of access that a given individual should have
• Authorization is done after authentication
Firewall
• An integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
Intrusion Prevention System
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.
Antivirus and Anti-Malware
• Scans and cleanses data in storage and as it travels across the network, so end users are not exposed to this type of threat
Honeypots
• Essentially decoy network-accessible resources that could be deployed in a network as surveillance and early-warning tools.
Security Management
• Depends on environment
• Small, medium and large businesses, educational institutions, government.
Small Business
• A basic firewall.
• For Windows users, basic antivirus and anti-spyware/anti-malware software.
• When using a wireless connection, use a robust password.
• Use the strongest security supported by your wireless devices, such as WPA or WPA2.
Medium Business
• A strong firewall
• Strong Antivirus software and Internet Security Software.
• For authentication, use strong passwords and change them on a monthly basis.
• When using a wireless connection, use a robust password.
• Raise awareness about physical security to employees.
• Use an optional network analyzer or network monitor.
Large Business
• A strong firewall and proxy to keep unwanted people out.
• A strong Antivirus software package and Internet Security Software package.
• For authentication, use strong passwords and change them on a weekly/bi-weekly basis.
• When using a wireless connection, use a robust password.
• Exercise physical security precautions with employees.
Large Business
• Prepare a network analyzer or network monitor and use it when needed.
• Implement physical security management like closed circuit television for entry areas and restricted zones.
• Security fencing to mark the company's perimeter.
• Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
• Security guards can help to maximize security.
Educational Institutions
• An adjustable firewall
• Strong Antivirus software and Internet Security Software packages.
• Wireless connections that lead to firewalls.
• Children's Internet Protection Act compliance.
• Supervision of network to guarantee updates and changes based on popular site usage.
• Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks by both internet and sneakernet sources.
Federal Government
• A strong firewall and proxy to keep unwanted people out.
• Strong Antivirus software and Internet Security Software suites.
• Strong encryption, usually with a 256 bit key.
• Whitelist authorized wireless connections, block all else.
• All network hardware is in secure zones.
• All hosts should be on a private network that is invisible from the outside.
• Put all servers in a DMZ, or a firewall from the outside and from the inside.
• Security fencing to mark perimeter and set wireless range to this.
Change Control
• A general term describing the procedures used to ensure that changes (normally, but not necessarily, to IT systems) are introduced in a controlled and coordinated manner
Goals of Change Management
• Minimal disruption to services
• Reduction in back-out activities
• Economic utilization of resources involved in implementing change
• Ensure that a product, service or process is only modified in line with the identified necessary change
Why Is Change Control Important In IS Security?
• It is particularly related to software development because of the danger of unnecessary changes being introduced without forethought, introducing faults (bugs) into the system or undoing changes made by other users of the software. Later it became a fundamental process in quality control.
The Change Control Process
• Record / Classify
• Assess
• Plan
• Build / Test
• Implement
• Close / Gain Acceptance
Record and Classify
• A formal request is received for something to be changed, known as the "Change Initiation".
• Someone then records and classifies or categorizes that request. Part of the classification would be to assign a Category to the change, i.e. is the change a "major business change", "normal business change" or "minor business change".
Assigning a Priority
• Emergency
• Expedited
• Normal
Assessment
• The impact assessors make their risk analysis typically by answering a set of questions concerning risk, both to the business and to the IT estate, and follow this by making a judgment on who should carry out the change.
Build and Test
• Plan the change in detail, and also construct a regression plan in case it all goes wrong
• The plan should be checked out by an independent reviewer
• Build the solution, which will then be tested
• Seek approval and maybe a review and request a time and date to carry out the implementation phase.
Implementation
• The Change Manager approves the change with an “Authority to Implement” flag
• The change can then be implemented but only at the time and date agreed
• Following Implementation, it is usual to carry out a “Post Implementation Review”
• When the client agrees all is OK, the change can be closed.
Outsourcing Related Security Issues
• Two main issues with collaborative design (outsourcing) revolve around TRUST:
  – Confidentiality (of product design data in storage or in transit)
  – Access Control (read, write, delete privileges)
• Suppliers can be competitors, or have close relationships with competitors
Potential Threats of Outsourcing
• Theft of trade secrets, or intellectual property
• Introduction of viruses/malware to the network
• Lack of understanding of corporate systems could result in damage or data loss
• Loss of control over sharing of sensitive data
Potential Threats of Outsourcing
• Spoofing: A competitor uses a manager’s or outsourcer’s ID to gain access to valuable product data to use in their own designs
• Tampering: Changing the product information in the database to ruin the final product design. Changing access controls allowing competing companies access to each other’s information
• Repudiation: User goes in and performs a malicious act (submits false product data) and says that it was not him who did it
Countermeasures
• Electronic Vault
• Engineering Change Control
• Release-Management Process
• Flexible Access Control
• Data Set Access Control
• Scheduled Access Control
Electronic Vault
• Keeps files in native form while still encrypting files
• End-to-end security
  – Encryption
  – Access Control
• Creates tamper-evident audit trails (any and all access to a document is logged)
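
One way to make an access log tamper-evident is to chain each entry to the hash of the one before it. The sketch below is an added example, not part of the lecture or of any vault product; the class, user and file names are hypothetical and the log entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed value that anchors the first entry

def _digest(prev_hash, record):
    # Chain each record to the digest before it: editing or deleting an
    # earlier entry invalidates every digest that follows.
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

class AuditTrail:
    """Append-only access log for vault documents (hypothetical names)."""
    def __init__(self):
        self.entries = []  # list of (record, digest) pairs

    def log_access(self, user, document, action, when):
        record = {"user": user, "doc": document, "action": action, "ts": when}
        self.entries.append((record, _digest(self.head(), record)))

    def head(self):
        # Keep a copy of this value outside the vault to detect truncation.
        return self.entries[-1][1] if self.entries else GENESIS

    def first_tampered(self, trusted_head=None):
        """Index of the first bad entry; len(entries) if only the trusted
        head mismatches (truncation or full rewrite); None if intact."""
        prev = GENESIS
        for i, (record, digest) in enumerate(self.entries):
            if _digest(prev, record) != digest:
                return i
            prev = digest
        if trusted_head is not None and prev != trusted_head:
            return len(self.entries)
        return None

def demo():
    trail = AuditTrail()
    # Constructed sample accesses, not data from the lecture.
    trail.log_access("supplier_a", "gearbox.dwg", "read", "2024-03-01T09:00")
    trail.log_access("manager", "gearbox.dwg", "write", "2024-03-01T09:30")
    trail.log_access("supplier_b", "housing.dwg", "read", "2024-03-01T10:00")
    head = trail.head()
    clean = trail.first_tampered(head)
    # An entry is edited after the fact to blame a different user.
    trail.entries[1][0]["user"] = "supplier_a"
    return clean, trail.first_tampered(head)
```

The chain alone only detects edits in place; comparing against a head value stored outside the vault is what catches a log that has been truncated or rebuilt from scratch.
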
Electronic Vault Advantages
• Document accuracy – Maintains print streams in native format
• Document quality – Streams are compressed in electronic vault without loss of resolution
• Flexibility – Easy to enhance, modify, combine, engineer streams
Electronic Vault Advantages (cont.)
• Speed – Loaded into vault with almost no disruption of operations
• Long-term viability – Since native format is allowed, electronic vault can be used in the future
Engineering Change Control
• Defines and controls the process of reviewing and approving changes to the product data
• Prevents tampering with accountability factor
• New version of data is released in database to allow for reversal if necessary
Release-Management Process
• Data released when approved
• Access based on project, password, and other controls that user defines
• Allows for auditing and tracking of information
• Creates relationships among product data
• Prevents leaking of information about competing suppliers' actions
Flexible Access Control
• Role-based
• Allows for project to have users change groups and roles
• Enables distributed design data access and sharing
Scheduled Access Control
• Schedule for suppliers to work on certain resources
• Privileges granted at certain periods when they are needed in the design process
• Revoked when not needed
Data Set Access Control
• Data are assigned roles
• Different views of data based on how organizations and individuals behave in a task
• Least Privilege Security Principle
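
The three access control countermeasures above (role-based, scheduled, and per data set) can be combined in a single default-deny check. This is an added example, not code from the lecture; the roles, data sets, suppliers and dates are hypothetical and constructed for illustration.

```python
from datetime import datetime

# Constructed policy: which actions each role may perform on each data set.
ROLE_PERMISSIONS = {
    "designer": {"gearbox_design": {"read", "write"}},
    "reviewer": {"gearbox_design": {"read"}, "housing_design": {"read"}},
}

# Scheduled grants: (user, role, valid_from, valid_until). Outside the window
# the role counts as revoked without anyone having to remove it by hand.
GRANTS = [
    ("supplier_a", "designer", datetime(2024, 3, 1), datetime(2024, 3, 15)),
    ("supplier_a", "reviewer", datetime(2024, 3, 15), datetime(2024, 4, 1)),
    ("supplier_b", "reviewer", datetime(2024, 3, 1), datetime(2024, 4, 1)),
]


def active_roles(user, now):
    """Roles whose schedule window contains `now` (the end is exclusive)."""
    return {role for u, role, start, end in GRANTS
            if u == user and start <= now < end}


def is_allowed(user, data_set, action, now):
    """Default deny: allow only if a currently active role grants this exact
    action on this exact data set (least privilege)."""
    for role in active_roles(user, now):
        if action in ROLE_PERMISSIONS.get(role, {}).get(data_set, set()):
            return True
    return False


def demo():
    design_phase = datetime(2024, 3, 10)
    review_phase = datetime(2024, 3, 20)
    return [
        # During the design phase supplier_a may modify the gearbox data.
        is_allowed("supplier_a", "gearbox_design", "write", design_phase),
        # After the role change the same supplier keeps read access only.
        is_allowed("supplier_a", "gearbox_design", "write", review_phase),
        is_allowed("supplier_a", "gearbox_design", "read", review_phase),
        # Once every window has closed, nothing is left to revoke.
        is_allowed("supplier_a", "gearbox_design", "read", datetime(2024, 4, 2)),
    ]
```
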
Access Control Diagram
Security Principles Applied
• Practice defense in depth
  – Role based access control, data based access control, electronic vault, release management
• Follow the principle of least privilege
  – Access controls only allow privileges to those who need it
Security Principles Applied (cont.)
• Compartmentalize
  – Various versions of data. Information split up based on part of design for users who will need access to it
• Promote privacy
  – Accountability so users will want to keep passwords and information secret
• Be reluctant to trust
  – System is based on least privilege and does not disclose information until necessary