IA 2 - UNIT 3 Flashcards
Benefits of Incorporating Security Considerations
- Early integration reduces disruptions and costs.
- Ongoing security adaptation to evolving threats.
- Retrofitting post-incident is costly and less effective.
- Regular updates to the security plan are vital.
- Documenting decisions aids comprehensive coverage and audits.
is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.
system development life cycle
SDLC Phases
- Initiation
- Development
- Implementation
- Maintenance
- Disposal
INITIATION PHASE
- Need establishment
- Security categorization
- Initial Risk Assessment
DEVELOPMENT/ACQUISITION PHASE
- Requirement analysis/development
- Risk assessment
- Budgeting
- Security planning
- Security control development
- Security test and evaluation
IMPLEMENTATION PHASE
- Security test and evaluation
- Inspection and acceptance
- System integration/installation
- Security accreditation
OPERATION/MAINTENANCE PHASE
- Configuration management and control
- Continuous monitoring and continuous accreditation (authorization)
2 Layers of Defense
- Physical security of premises and offices
- Physical security of equipment
Main Threats For Physical and Environmental Security
- Energy (Electricity)
- Equipment (Mechanical or electronic components)
- Fire and Chemical Hazard (smoke, industrial pollution)
- Manmade Disasters (war, terrorist attack, bombing)
- Natural Disasters (earthquake, volcano, landslide, storms)
- Pandemic Disease (bacteria, virus)
- Radiation (electromagnetic pulse)
- Weather (Sandstorm, humidity, flood, lightning)
DISPOSAL PHASE
- Information preservation
- Media sanitization
- Hardware and software disposal
- Premises that contain critical information or systems require special protection.
The following controls are related to the physical security of premises.
* One of the controls is to establish the security perimeter as the outer boundary.
* This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves.
Physical security of premises and offices
- Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage.
- Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan.
Physical security of equipment
Physical Entry Controls
- Employee Access
- Visitor Access
Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises.
Employee Access
require redundancy in electric power system availability. (UPS or Backup Generators)
Electrical Power
- Maintenance of information processing equipment based on the manufacturer’s recommended service intervals and specifications.
- All maintenance services to the equipment either onsite or sent off from the premises also need to be recorded and tracked.
Equipment Maintenance
Use of any equipment outside an organization’s premises should be authorized by management.
PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES
Careless disposal, disposition, or recycling of equipment can put information at risk.
SECURE DISPOSAL AND REUSE OF EQUIPMENT
These devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage.
MANAGEMENT OF REMOVABLE MEDIA
Disposal of Media
The following are some guidelines of proper media disposal:
- Electronic media
- Printed materials
- containing sensitive customer information should be degaussed prior to disposal.
- Degaussing completely erases the information stored on the magnetic surface.
Electronic media
which hold confidential and restricted data, should be destroyed in a secure way, such as by shredding.
Printed materials
An effective AT&E program has four stages:
literacy, awareness, training, and education (LATE).
- To cultivate a strong information assurance culture among employees, emphasize the organization’s commitment to safeguarding information assets through training.
Purpose of the AT&E Program
Types of Learning Programs
- IA AWARENESS
- IA TRAINING
- IA EDUCATION
serve to motivate a sense of responsibility and encourage employees to be more cautious about their work environment.
IA AWARENESS
Training aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function.
IA TRAINING
Using internalized concepts and skills to perform operations such as analyzing, evaluating, and judging to reach higher cognitive-level decisions.
IA EDUCATION
Restrict internet access for end users, enabling administrators to block specific websites based on local policies.
Content Filters
Examples of protocols that implement network services
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- IP Security (IPSec) protocols
preferred information security protocols in web environments
TLS and SSL
are preferred for implementing virtual private networks (VPNs).
IPSec
Preventive Information Assurance Tools
- backup
- Change and Configuration Management
- IT Support
- Media Controls and Documentation
- Patch Management
Primary information assurance control.
FIREWALLS
Enforces organizational infosec policies by analyzing network traffic (content-based and anomaly-based).
NETWORK INTRUSION PREVENTION SYSTEM
Serve as intermediaries between clients and the internet. (e.g., gateway)
PROXY SERVERS
A secure network that uses the Internet for user connections, ensuring security through encryption. (e.g., IPSec, SSL, and PPTP)
VIRTUAL PRIVATE NETWORKS
Provides secure communication over unsecured networks.
PUBLIC KEY INFRASTRUCTURE
In a dynamic tech landscape, organizations must adapt and bolster their security measures.
Preventive Information Assurance Controls
Vital for information assurance, providing copies of data, software, and hardware. (e.g., full, differential, incremental, and mirror)
Backups
Organizations must adapt constantly in an ever-changing environment. (e.g., alliances, market demands, competition, operations, and regulations)
Change and Configuration Management
Handles various issues. Trained technicians address security problems.
IT Support
Securing information goes beyond servers:
* Environmental safeguards against fires, temperature, and humidity issues.
* Usage logging (e.g., check-in/check-out).
* Maintenance (data overwriting, disposal).
* Unauthorized access prevention.
* Proper labeling (owner, date, version, classification).
* Storage options (off-site or locked server rooms).
Media Controls and Documentation
Involves timely and planned updates:
* Establishing dedicated resources
* Monitoring/identifying patches
* Identifying risk in applying a patch
* Testing a patch before installing
Patch Management
should protect vital resources not only from unauthorized external access but also from internal attacks.
ACCESS CONTROL SYSTEM
prevents actions on an object (target to be accessed) by unauthorized users (subjects).
ACCESS CONTROL SYSTEM
is the first line of defense to protect the system from unauthorized modification.
ACCESS CONTROL SYSTEM
ACCESS CONTROL TYPES
- physical
- logical
it serves as an auditing tool (to trace information security breaches, incidents, and events).
ACCESS CONTROL SYSTEM
- Organizations usually manage physical access with human, technological, or mechanical controls.
- A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons.
PHYSICAL
- Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability.
- Examples of logical access controls are digital signatures and hashing.
LOGICAL
Access Control Models
- Discretionary
- Mandatory
- Role-based
- Owner of the object determines the access policy.
- Owner decides which subjects may access the object and what privileges the subject has.
- This model is adopted by Windows, Apple, and various Linux systems.
Discretionary
- Controls access to sensitive or controlled data in systems with multilevel classification.
- The owner does not establish the access policy; the system decides on access control based on the information security classification and policy rules.
Mandatory
- Uses a centrally managed set of rules, which grants access to objects based on the roles of the subject.
- Since subjects are not assigned permissions directly as in other models, they acquire them through roles, and the management of access becomes relatively easy.
Role-based
- uses simple rules to determine the result of privileges, which a subject can have over an object.
- determines what can and cannot be allowed.
RULE-BASED ACCESS CONTROL
- a static, abstract, formal computer protection and information assurance model used in computer systems
- represents the relationship of subjects and objects in a tabulated form
ACCESS CONTROL MATRIX
a list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed onto the object.
ACCESS CONTROL LISTS
ACCESS CONTROL LISTS TWO TYPES
- Network
- File system
implemented on servers and routers
Network
implement file access by tracking subjects’ access to objects
File System
Access Control Techniques
- rule-based access control
- access control matrix
- access control list
- capability table
- constrained user interfaces
- content-dependent access control
- context-dependent access control
- an authorization table that identifies a subject and specifies the access right allowed to that subject
- the rows list the capabilities that the subject can have
- frequently used to implement the RBAC model
CAPABILITY TABLES
- technique is used in databases
- access to objects depends on the content of the objects; it aims to control the availability of information by means of views
CONTENT-DEPENDENT ACCESS CONTROL
defines the access controls of a subject on objects based on a context or situation
CONTEXT-DEPENDENT ACCESS CONTROL
- administration is contained in a single department, unit, or information security administrator
- ensures uniformity
- simplified method and cost effective
- slow because all changes are processed by a single entity
ACCESS CONTROL ADMINISTRATION - CENTRALIZED
- gives control to people who are closer to the objects
- does not ensure uniformity; more relaxed
- faster, since changes are made to a function rather than to the whole organization
ACCESS CONTROL ADMINISTRATION -DECENTRALIZED
a way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges.
CONSTRAINED USER INTERFACES