This document discusses controls on security. It covers the CIA triad of confidentiality, integrity and availability. It also discusses access controls, authentication, authorization, non-repudiation and privacy. It describes the security life cycle and approaches to security including preventive controls like access controls, detective controls like log analysis, and response strategies like computer incident response teams. Finally, it discusses security implications of virtualization, cloud computing and the internet of things.
Chapter 1: Controls on Security

Tirthankar Ghosh
Computer Science and Information Technology
St Cloud State University

06/02/2020 1
Basic Principles
• CIA Triad
– Confidentiality
– Integrity
– Availability
• Access Control
• Authentication and Authorization
• Non-repudiation
• Privacy
Trust Services Framework
• Security
– Access to the system and data is controlled and restricted to legitimate
users.
• Confidentiality
– Sensitive organizational data is protected.
• Privacy
– Personal information about trading partners, investors, and employees
is protected.
• Processing integrity
– Data are processed accurately, completely, in a timely manner, and only
with proper authorization.
• Availability
– System and information are available.

Security Life Cycle

Security Approach
• Time-based model: security is effective if
– P > D + C, where
• P is the time it takes an attacker to break through the preventive
controls
• D is the time it takes to detect that an attack is in progress
• C is the time it takes to respond to the attack and take
corrective action
– If P ≤ D + C, the attacker finishes before the organization can react.
The model therefore frames security as a race against time: the
defender wins either by raising P (stronger preventive controls) or by
lowering D and C (faster detection and response)
Understanding Targeted Attacks
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research the systems and services found for known vulnerabilities
• Execute the attack
• Cover tracks

How to Mitigate Risk of Attack
• Preventive Controls
– People
– Process
– IT Solutions
– Physical security
• Detective Controls
– Log analysis
– Intrusion detection systems
– Continuous monitoring
• Response
– Computer Incident Response Teams (CIRT)
– Chief Information Security Officer (CISO)
– Counter offense

Preventive: People
• Culture of security
– Tone set at the top by management
• Training
– Follow safe computing practices
• Never open unsolicited e-mail attachments
• Use only approved software
• Do not share passwords
• Physically protect laptops/cellphones
– Protect against social engineering

Preventive Process: User Access Controls

• Authentication—verifies the identity of the person (or system)
requesting access
1. Something the person knows (e.g., a password or PIN)
2. Something the person has (e.g., a hardware token or smart card)
3. Something the person is (a biometric characteristic)
4. Multi-factor authentication: a combination of two or more of the above
• Authorization—determines what an authenticated person is permitted to
access and do

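The two steps above in working code, as an added example in Python that is not code from the slides: a login that checks a salted PBKDF2 password hash (something the person knows) and a TOTP code (something the person has), and only after both succeed consults a role-to-permission table for authorization. The user record, the TOTP secret, the permission table, the 200,000 PBKDF2 iterations and the one-step TOTP drift window are all assumptions made for the example.

```python
"""Added example, not from the slides: two-factor authentication followed by
role-based authorization.  The user record, the TOTP secret and the
permission table are constructed sample data."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000   # assumption; tune to your hardware


# --- factor 1: something the person knows (password, stored as salted hash) --
def hash_password(password, salt=None):
    """Return (salt, digest); the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- factor 2: something the person has (TOTP token, RFC 6238) ---------------
def totp(secret, at, step=30, digits=6):
    """HMAC-SHA1 TOTP for the time step containing `at` (Unix seconds)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, at, step=30):
    """Accept the current step and one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in (-1, 0, 1))


# --- constructed user store and permission table -----------------------------
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _SALT, "digest": _DIGEST,
              "totp_secret": b"12345678901234567890", "role": "analyst"},
}
# Dummy record so an unknown username costs the same time as a wrong password.
_DUMMY = {"salt": _SALT, "digest": b"\x00" * 32,
          "totp_secret": b"\x00" * 20, "role": None}

PERMISSIONS = {
    "analyst": {"read:logs"},
    "admin": {"read:logs", "write:firewall", "manage:users"},
}


def authenticate(username, password, code, at=None):
    """Verify WHO is asking.  Returns the username or None; both factors are
    always checked so the response does not reveal which one failed."""
    at = time.time() if at is None else at
    user = USERS.get(username, _DUMMY)
    ok_pw = verify_password(password, user["salt"], user["digest"])
    ok_otp = verify_totp(user["totp_secret"], code, at)
    return username if (user is not _DUMMY and ok_pw and ok_otp) else None


def authorize(username, action):
    """Decide WHAT an already-authenticated user may do (role -> permissions)."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


if __name__ == "__main__":
    now = time.time()
    who = authenticate("alice", "correct horse battery staple",
                       totp(b"12345678901234567890", now), now)
    print("authenticated as:", who)
    print("may read logs:", who is not None and authorize(who, "read:logs"))
    print("may edit firewall:", who is not None and authorize(who, "write:firewall"))
```

Authentication and authorization are deliberately separate functions: authorize() is only ever called with a name that authenticate() returned, and a wrong password, a wrong code and an unknown user all yield the same None so the response reveals nothing about which factor failed. The secret 12345678901234567890 is the one used in the RFC 4226/6238 test vectors, so the codes can be checked against them (time step 1, i.e. t = 59 s, gives 287082).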
Preventive Process: Change Controls and
Change Management
• Formal process used to ensure that modifications to
hardware, software, or processes do not reduce
system reliability
• Good change management and control requires
– Documentation
– Approval
– Testing
– Develop “backout” plan
– Monitoring

Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Physical Security: Access Controls

• Physical security access controls
– Limit entry to the building
– Restrict physical access to network equipment and data storage

Detecting Attacks
• Log Analysis—examining system, application, and network logs to
identify evidence of possible attacks
• Intrusion Detection Systems (IDSs)—systems that record the network
traffic the firewall has permitted to pass and analyze it for signatures
or anomalies indicating attempted or successful intrusions
• Continuous Monitoring—ongoing monitoring of employee compliance with
the organization's information security policies and of the overall
performance of business processes
– Threat hunting, increasingly assisted by machine learning

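The first bullet in practice, as an added example in Python that is not code from the slides: a small detector that parses constructed OpenSSH auth.log lines and raises an alert when one source address accumulates repeated failed logins inside a short window, then a higher-severity alert if that same address subsequently logs in. The log lines are constructed for the example, and the threshold (5 failures) and window (60 s) are assumptions rather than a standard.

```python
"""Added example, not from the slides: log analysis as a detective control.
The log lines below are constructed to look like OpenSSH auth.log entries;
the threshold and window are assumptions, not a standard."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  3 10:00:03 bastion sshd[4121]: Failed password for invalid user oracle from 203.0.113.9 port 51236 ssh2
Mar  3 10:00:04 bastion sshd[4122]: Failed password for root from 203.0.113.9 port 51237 ssh2
Mar  3 10:00:06 bastion sshd[4123]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar  3 10:00:07 bastion sshd[4124]: Failed password for root from 203.0.113.9 port 51241 ssh2
Mar  3 10:00:09 bastion sshd[4125]: Accepted password for root from 203.0.113.9 port 51244 ssh2
Mar  3 10:05:00 bastion sshd[4130]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:30 bastion sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Turn one auth.log line into an event dict, or None if it is not a
    login event.  syslog lines carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=60):
    """Sliding-window brute-force detector.
    Emits BRUTE_FORCE once per source IP when `threshold` failures fall inside
    `window` seconds, and SUCCESS_AFTER_BRUTE_FORCE when that IP later logs in,
    which is the event worth paging someone for."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # drop failures that have aged out of the window
            while (ev["ts"] - recent[0]).total_seconds() > window:
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"],
                               f"{len(recent)} failures in {window}s"))
        elif ev["ip"] in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["ip"],
                           f"user {ev['user']} via {ev['method']}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {ip:15} {detail}")
```

The escalation on success is what turns log analysis into an incident: a handful of failures from one address is background noise on most internet-facing hosts, but a successful login from an address that was brute-forcing seconds earlier is the signal a CIRT acts on. The time between the first failed attempt and that alert is the D term of the time-based model on slide 5.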
Responding to Attacks
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Counter offense

Security Implications of Virtualization, Cloud
Computing, and the Internet of Things
• Virtualization and Cloud Computing
– Positive impact on security
• Access controls can be implemented centrally (at the hypervisor or
cloud management layer) and so strengthen security for all hosted
systems at once
– Negative impact on security
• Reliability issues: many systems now depend on one host or one
provider
• Risk of theft or destruction of the physical hosts if physical
access is unsupervised

