Chapter 1

Report
Fundamentals of Information
Systems Security
Lesson 1
Information Systems Security
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
www.jblearning.com
All rights reserved.
All rights reserved.
Page 1
Learning Objective
 Explain the concepts of information
systems security (ISS) as applied to an IT
infrastructure.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 2
Key Concepts
 Confidentiality, integrity, and availability (C-I-A)
concepts
 Layered security solutions implemented for the
seven domains of a typical IT infrastructure
 Common threats for each of the seven domains
 IT security policy framework
 Impact of data classification standard on the
seven domains
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 3
DISCOVER: CONCEPTS
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 4
Introducing ISS
ISS
Information
Systems
Information
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 5
Introducing ISS
 Information is a person’s private data, a company’s intellectual
property, or a country’s national security interest.
 Information Systems are the hardware, operating system software,
and applications that make up a system to provide access to
information.
 ISS (Information Systems Security) protects the system and the
information stored in the system. It also enables transmission and
archival of information. It also takes care of accessibility of information
to users. ISS deals with risks, threats, and vulnerabilities.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 6
The C-I-A Triad
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 7
Confidentiality
Personal Data and Information
• Credit card account numbers and bank account numbers
• Social security numbers and address information
Intellectual Property
• Copyrights, patents, and secret formulas
• Source code, customer databases, and technical
specifications
National Security
• Military intelligence
• Homeland security and government-related information
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 8
Integrity
Maintain valid, uncorrupted, and accurate
information.
 User names
and passwords
 Patents and copyrights
 Source code
 Diplomatic information
 Financial data
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 9
Integrity (Cont.)
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 10
Availability
X
X
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
X
Page 11
Availability
 Availability refers to the measurement of time applied to how and whether
systems, applications, and data can be used.
 Availability measurements include the following:
• Uptime: The total amount of time that a system, application, and data is
available for use. It is typically measured in seconds, minutes, and hours per
calendar month.
• Downtime: The total amount of time that a system, application, or data is not
available. This is also measured in seconds, minutes, and hours per calendar
month.
• Availability: (Total Uptime) divided by (Total Uptime + Total Downtime)
• Mean Time to Failure (MTTF): The average amount of time between failures
for a particular system. MTTF varies according to the type of system being
measured.
• Mean Time to Repair (MTTR): The average amount of time it takes to repair
a system, application, or component.
• Recovery Time Objective (RTO): The amount of time it takes to recover and
make systems, applications, and data available after an outage.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 12
Risks, Threats, and Vulnerabilities
 Risk: The likelihood that something bad will
happen to an asset (e.g., loosing data, loosing
business after a disaster, failing to comply with
laws or regulations).
 Threat: Any action that could damage an
asset (e.g., theft, fire, hacking)
 Vulnerability: A weakness that allows a threat
to be realized or have an effect on an asset
e.g., not painting the walls of computer center
with material to withstand fire)
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 13
Compliance Laws Driving ISS
Health Insurance Portability and
Accountability Act (HIPAA)
Sarbanes-Oxley (SOX) Act
Children’s Internet Protection Act (CIPA)
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 14
Compliance Laws Driving ISS
 Corporations and other entities must comply with a number of U.S. and
international regulations related to data and privacy. More focus on
compliance means more focus on information security, driving the demand for
security professionals.
 Cover the following:
• HIPAA requires healthcare providers to secure patient data.
• SOX requires corporations to produce accurate and reliable financial reports.
It requires direct security controls to protect the integrity of reporting.
• CIPA requires public schools to use and enforce an Internet safety policy.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 15
IT Security Policy Framework
POLICY
Standard
A short written statement that defines a
course of action that applies to the entire
organization
A detailed written definition of how
software and hardware are to be used
Procedure
Written instructions for how to use
the policy and standard
Guideline
Suggested course of action for using
the policy, standard, or procedure
An IT security policy framework is a hierarchical framework for
documenting and implementing a set of IT security policies.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 16
Seven Domains of a Typical IT
Infrastructure
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 17
Seven Domains of a Typical IT Infrastructure
 User domain: Made up of typical IT users and the hardware, software, and
data they use
 Workstation domain: The “desktop domain” where most users enter the IT
infrastructure
 LAN domain: Small network organized by function or department, allowing
access to all resources on the LANs
 LAN-to-WAN domain: The point at which the IT infrastructure joins a WAN
and the Internet
 WAN domain: The point at which the WAN connects to other WANs via the
Internet
 Remote Access domain: Connects remote employees and partners to the IT
infrastructure
 Systems/Applications domain: Holds all of the mission-critical systems,
applications, and data
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 18
Common Threats in the User Domain
 Lack of user awareness
 User apathy toward policies
 User violating security policy
 User inserting CD/DVD/USB with personal
files
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 19
Mitigation of Common Threats in the User Domain
 Lack of user awareness: Conduct security awareness training, display
security awareness posters, insert reminders in banner greetings, and send
e-mail reminders to employees.
 User apathy toward policies: Conduct annual security awareness training,
implement AUP, update staff manual and handbook, and discuss status
during performance reviews.
 User violating security policy: Place employee on probation, review AUP
and employee manual, and discuss status during performance reviews.
 User inserting CD/DVD/USB with personal files: Enable automatic
antivirus scans for inserted media drives, files, and e-mail attachments. An
antivirus scanning system examines all new files on your computer’s hard
drive for viruses. Enable e-mail antivirus scanning for e-mails with
attachments.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 20
Common Threats in the User
Domain (Continued)
 User downloading photos, music, or videos
 User destructing systems, applications, and
data
 Disgruntled employee attacking organization
or committing sabotage
 Employee blackmail or extortion
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 21
Mitigation of Common Threats in the User Domain (Continued)
 User downloading photos, music, or videos: Enable content filtering and
antivirus scanning on e-mail attachments. Content filtering security appliances
configured to permit or deny specific domain names in accordance with AUP
definition.
 User destructing systems, applications, and data: Restrict access for users to
only those systems, applications, and data needed to perform their job. Minimize
write or delete permissions to the data owner only.
 Disgruntled employee attacking organization or committing sabotage: Track
and monitor abnormal employee behavior, erratic job performance, and use of IT
infrastructure during off-hours. Begin IT access control lockout procedures based
on AUP monitoring and compliance.
 Employee blackmail or extortion: Track and monitor abnormal employee
behavior and use of IT infrastructure during off-hours. Enable intrusion detection
system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee
positions and access. IDS/IPS security appliances examine the Internet Protocol
(IP) data streams for inbound and outbound traffic. Alarms and alerts
programmed within an IDS/IPS help identify abnormal traffic and can block IP
traffic per policy definition.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 22
Common Threats in the
Workstation Domain
 Unauthorized workstation access
 Unauthorized access to systems, applications,
and data
 Desktop or laptop operating system
vulnerabilities
 Desktop or laptop application software
vulnerabilities or patches
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 23
Mitigation of Common Threats in the Workstation Domain
 Unauthorized workstation access: Enable password protection on
workstations for access.
 Unauthorized access to systems, applications, and data: Define strict
access control policies, standards, procedures, and guidelines. Implement a
second-level test to verify a user’s right to gain access.
 Desktop or laptop operating system vulnerabilities: Define workstation
operating system vulnerability window policy. A vulnerability window is the
gap in time that you leave a computer unpatched with a security update. Start
periodic workstation domain vulnerability tests to find gaps.
 Desktop or laptop application software vulnerabilities or patches: Define
a workstation application software vulnerability window policy. Update
application software and security patches according to defined policies,
standards, procedures, and guidelines.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 24
Common Threats in the
Workstation Domain (Continued)
 Viruses, malicious code, and other malware
 User inserting CD/DVD/USB with personal
files
 User downloading photos, music, or videos
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 25
Mitigation of Common Threats in the Workstation
Domain (Continued)
 Viruses, malicious code, and other malware: Use workstation antivirus and
malicious code policies, standards, procedures, and guidelines. Enable an
automated antivirus protection solution that scans and updates individual
workstations with proper protection.
 User inserting CD/DVD/USB with personal files: Deactivate all CD-ROM,
DVD, and USB ports. Enable automatic virus scans for all installed media
containing files.
 User downloading photos, music, or videos: Enable user content filtering
and antivirus scanning at Internet entry and exit points. Enable workstation
auto-scans and auto-quarantine for unknown file types.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 26
Common Threats in the LAN
Domain
 Unauthorized physical access to LAN
 Unauthorized access to systems, applications,
and data
 LAN server operating system vulnerabilities
 LAN server application software vulnerabilities
and software patch
updates
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 27
Mitigation of Common Threats in the LAN Domain
 Unauthorized physical access to LAN: Make sure wiring closets, data
centers, and computer rooms are secure. No access is there without proper
credentials.
 Unauthorized access to systems, applications, and data: Strict access
control policies, standards, procedures, and guidelines should be
implemented. Second-level identity required to access sensitive systems,
applications, and data.
 LAN server operating system vulnerabilities: Define vulnerability window
policies, standards, procedures, and guidelines. Conduct LAN domain
vulnerability assessments.
 LAN server application software vulnerabilities and software patch
updates: Define a strict software vulnerability window policy requiring quick
software patching.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 28
Common Threats in the LAN
Domain (Continued)
 Rogue users on WLANs
 Confidentiality of data on WLANs
 LAN server configuration guidelines and
standards
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 29
Mitigation of Common Threats in the LAN Domain (Continued)
 Rogue users on WLANs: Eliminate rogue users from unauthorized access.
Use WLAN network keys that require a password for wireless access. Turn
off broadcasting on wireless access points (WAPs). Enable second-level
authentication prior to granting WLAN access.
 Confidentiality of data on WLANs: Maintain confidentiality of data
transmissions. Implement encryption between workstation and WAP to
maintain confidentiality.
 LAN server configuration guidelines and standards: LAN servers have
different hardware, operating systems, and software, making it difficult to
manage and troubleshoot consistently.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 30
Common Threats in the
LAN-to-WAN Domain
 Unauthorized probing and port scanning
 Unauthorized access
 Internet Protocol (IP) router, firewall, and
network appliance operating system
vulnerability
 Local users downloading
unknown file types from unknown
sources
WAN
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 31
Mitigation of Common Threats in the LAN-to-WAN Domain
 Unauthorized probing and port scanning: Disable ping, probing,
and port scanning on all exterior IP devices within the LAN-to-WAN
domain. Ping uses the Internet Control Message Protocol (ICMP)
echo-request and echo-reply protocol. Disallow IP port numbers used
for probing and scanning and monitor with intrusion detection
system/intrusion prevention system (IDS/IPS).
 Unauthorized access: Apply strict security monitoring controls for
intrusion detection and prevention. Monitor traffic and block it right
away if malicious.
 IP router, firewall, and network appliance operating system
vulnerability: Define a strict zero-day vulnerability window definition.
Update devices with security fixes and software patches right away.
 Local users downloading unknown file types from unknown
sources: Apply file transfer monitoring, scanning, and alarming for
unknown file types/sources.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 32
Common Threats in the WAN
Domain
 Open, public, and accessible data
 Most of the traffic being sent as clear text
 Vulnerable to eavesdropping
 Vulnerable to malicious attacks
 Vulnerable to denial of service
WAN
(DoS) and distributed denial of
service (DDoS) attacks
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 33
Mitigation of Common Threats in the WAN Domain
 Open, public, and accessible data: Apply AUPs modeled after RFC 1087,
Ethics and the Internet.
 Most of the traffic being sent as clear text: Stop the use of the Internet for
private communications unless encryption and virtual private network (VPN)
tunnels are used. Enforce the organization’s data classification standard.
 Vulnerable to eavesdropping: Use encryption and VPN tunneling for secure
IP communications.
 Vulnerable to malicious attacks: Deploy layered LAN-to-WAN security
countermeasures.
 Vulnerable to DoS and DDoS attacks: Apply filters on exterior IP stateful
firewalls and IP router WAN interfaces.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 34
Common Threats in the WAN
Domain (Continued)
 Vulnerable to corruption of information and
data
 Insecure Transmission Control
Protocol/Internet Protocol
(TCP/IP) applications
 Hackers and attackers e-mailing
WAN
Trojans, worms, and malicious
software freely and constantly
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 35
Mitigation of Common Threats in the WAN Domain (Continued)
 Vulnerable to corruption of information and data: Encrypt IP data
transmission with VPNs. Back up and store data in offline data vaults. Test
regularly.
 Insecure TCP/IP) applications: Never use TCP/IP applications for private
transmission without proper encryption. Create a network management
Virtual LAN (VLAN).
 Hackers and attackers e-mailing Trojans, worms, and malicious
software freely and constantly: Scan all e-mail attachments for type,
antivirus, and malicious software at the LAN-to-WAN domain.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 36
Common Threats in the Remote
Access Domain
 Brute-force user ID and password attacks
 Multiple logon retries and access control attacks
 Unauthorized remote access to
IT systems, applications, and data
 Confidential data compromised
remotely
Internet
 Data leakage in violation of data
classification standards
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 37
Mitigation of Common Threats in the Remote Access Domain
 Brute force user ID and password attacks: Define user ID and password
policy definitions. Use of passwords must be strictly more than eight
characters and alphanumeric.
 Multiple logon retries and access control attacks: Set automatic blocking
for attempted for logon retries.
 Unauthorized remote access to IT systems, applications, and data: Apply
first-level and second-level security for remote access to sensitive systems
and data.
 Confidential data compromised remotely: Encrypt all confidential data in
the database or hard drive. If the data is stolen, it’s encrypted and can’t be
used.
 Data leakage in violation of data classification standards: Apply security
countermeasures in the LAN-to-WAN domain.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 38
Common Threats in the
Systems/Applications Domain
 Unauthorized access to data centers, computer
rooms, and wiring closets
 Difficult-to-manage servers that require high
availability
 Server operating systems software
vulnerability management
 Security required by cloud computing
virtual environments
Cloud
 Corrupt or lost data
Computing
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 39
Mitigation of Common Threats in the
Systems/Applications Domain
 Unauthorized access to data centers, computer rooms, and wiring
closets: Apply policies, standards, procedures, and guidelines for staff and
visitors to secure facilities.
 Difficult-to-manage servers that require high availability: Create a system
that brings together servers, storage, and networking.
 Server operating systems software vulnerability management: Define
vulnerability window for server operating system environments. Maintain
hardened production server operating systems.
 Security required by cloud computing virtual environments: Implement
virtual firewalls and server segmentation on separate VLANs. A virtual firewall
is a software-based firewall used in virtual environments.
 Corrupt or lost data: Implement daily data backups and off-site data storage
for monthly data archiving. Define data recovery procedures based on defined
Recovery Time Objectives (RTOs).
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 40
DISCOVER: PROCESS
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 41
Layered security solution to an IT infrastructure
• The next three slides explain the process of
applying a layered security solution to an IT
infrastructure and conforming to the A-I-C triad.
• The key point is how the process is a layered
solution in which all parts of the A-I-C triad are
served only when layered together across the
entire infrastructure.
• Security policy examples are given on the left of
each slide.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 42
Implementing the C-I-A Triad
Confidentiality
AUP
Security Awareness
Policy
Enhanced Access
Control
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 43
Implementing the C-I-A Triad
(Continued)
Integrity
AUP
Threat Assessment
and Monitoring
Security Awareness
Policy
Vulnerability Assessment
and Management
Enhanced Access Control
Asset Protection Policy
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 44
Implementing the C-I-A Triad
(Continued)
Data Classification
Standard
Availability
AUP
Threat Assessment
and Monitoring
Security Awareness
Policy
Vulnerability Assessment
and Management
Enhanced Access
Control
Asset Protection Policy
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 45
DISCOVER: ROLES
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 46
Who Implements the C-I-A Triad?
Confidentiality
 User
 IT administrator
 Network
administrator
 Human
resources
 Senior
management
Fundamentals of Information Systems Security
Integrity
Availability
 User
 IT administrator
 Network
administrator
 Human
resources
 Senior
management
 IT administrator
 Network
administrator
 Third-party
vendor, for
example,
telecommunication
company
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 47
•DAD Triad
•Disclosure
•Alteration
•Denial
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 48
DISCOVER: RATIONALE
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 49
Cyberspace: The New Frontier
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 50
Conduct and Ethics in ISS
 ISS is a classic battle of “good vs. evil.”
 No global laws, rules, or regulations govern
cyberspace.
 U.S. government and Internet Architecture
Board (IAB) have developed joint Internet
acceptable use policy (AUP).
 Security professionals are in high demand as
the “good guys.”
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 51
Hacking and Ethical hacking
• In this lesson, you discovered the risks,
threats, and vulnerabilities within the seven
domains of a typical IT infrastructure. You
also learned that a proper security policy
framework includes comprehensive mitigation
strategies. One of the most common risks to
organizations comes from unauthorized access
via the LAN-to-WAN domain.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 52
Hacking and Ethical hacking
• Hackers, will first attempt to perform network
probing and port scanning to identify IP hosts,
open ports, and services that might be
vulnerable.
• Ethical hackers must follow the same route to
do “Performing Reconnaissance and Probing
Using Common Tools”, by using Wireshark to
capture and analyze network traffic, use
OpenVAS to scan a network, and review the
collected data using NetWitness Investigator.
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 53
Hacking and Ethical hacking
• To use OpenVAS to scan a network, visit:
http://www.openvas.org then choose OpenVas
via Greenbone for Windows and download it.`
• Review the collected data using NetWitness
Investigator. To install version 9.5 go to:
http://netwitnessinvestigator.software.informer.com/9.5/
Check this video:
http://www.emc.com/collateral/demos/microsites/
mediaplayer-video/rsa-advanced-cyber-defensepractice-cyber-attack-protection-emc.htm#!
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 54
Hacking and Ethical hacking
• Before using Wireshark to capture and
analyze network traffic, make sure that you
have WinPcap software on your machine.
• If you don’t have it visit:
http://www.winpcap.org and install version
4.1.3
• To use Wireshark visit:
http://www.wireshark.org
• Download the 32 bit version 1.12.0
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 55
Hacking and Ethical hacking
• Then the hackers will use Zenmap
(http://nmap.org/zenmap/) to perform a
targeted IP subnetwork Intense Scan, which
will identify what hosts are available on the
network, what services (application name and
version) those hosts are offering, what
operating systems (and OS versions) they are
running, and what type of packet filters or
firewalls are in use. Hackers perform this
same type of scan as part of their initial
reconnaissance to learn about a target before
an attack.”
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 56
Summary
 Terms associated with ISS include risks,
threats, and vulnerabilities
 Layered security strategy protects an IT
infrastructure’s C-I-A
 IT policy framework includes policies,
standards, procedures, and guidelines
 Data classification standard defines how data
is to be handled within an IT infrastructure
Fundamentals of Information Systems Security
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 57

similar documents