Certifications, management homework help


Description

Chapter 14 of your text identifies various certifications available to IT professionals. Select 2 specific certifications and research and write a 2-3 page APA-formatted (including cover page, running head, page numbers, APA headers, in-text citations and final references page) paper discussing the requirements, training offered, value and costs associated with these certifications.

Unformatted Attachment Preview

Jones & Bartlett Learning
Information Systems Security & Assurance Series

Fundamentals of Information Systems Security
David Kim and Michael G. Solomon

World Headquarters: Jones & Bartlett Learning, 40 Tall Pine Drive, Sudbury, MA 01776, 978-443-5000, info@jblearning.com, www.jblearning.com
Jones & Bartlett Learning Canada: 6339 Ormindale Way, Mississauga, Ontario L5V 1J2, Canada
Jones & Bartlett Learning International: Barb House, Barb Mews, London W6 7PA, United Kingdom

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.

Copyright © 2012 by Jones & Bartlett Learning, LLC. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits: Chief Executive Officer: Ty Field; President: James Homer; SVP, Chief Operating Officer: Don Jones, Jr.; SVP, Chief Technology Officer: Dean Fossella; SVP, Chief Marketing Officer: Alison M. Pendergast; SVP, Chief Financial Officer: Ruth Siporin; SVP, Business Development: Christopher Will; VP, Design and Production: Anne Spencer; VP, Manufacturing and Inventory Control: Therese Connell; Editorial Management: High Stakes Writing, LLC; Editor and Publisher: Lawrence J. Goodrich; Reprints and Special Projects Manager: Susan Schultz; Associate Production Editor: Tina Chen; Director of Marketing: Alisha Weisman; Senior Marketing Manager: Andrea DeFronzo; Cover Design: Anne Spencer; Composition: Mia Saunders Design; Cover Image: © ErickN/ShutterStock, Inc.; Chapter Opener Image: © Rodolfo Clix/Dreamstime.com; Printing and Binding: Malloy, Inc.; Cover Printing: Malloy, Inc.

ISBN: 978-0-7637-9025-7
Printed in the United States of America

Contents

Letter from (ISC)2 Executive Director W. Hord Tipton
Preface
Acknowledgments

Part One: The Need for Information Security

Chapter 1, Information Systems Security: Information Systems Security; Risks, Threats, and Vulnerabilities; Defining Information Systems Security; U.S. Compliance Laws Drive Need for Information Systems Security; Tenets of Information Systems Security; Availability; Integrity; Confidentiality; The Seven Domains of a Typical IT Infrastructure; User Domain; Workstation Domain; LAN Domain; LAN-to-WAN Domain; WAN Domain; Remote Access Domain; System/Application Domain; Weakest Link in the Security of an IT Infrastructure; Ethics and the Internet; (ISC)2: Information Systems Security Certification; SSCP Professional Certification; CISSP Professional Certification; (ISC)2 Code of Ethics; IT Security Policy Framework; Definitions; Foundational IT Security Policies; Data Classification Standards; Chapter Summary; Key Concepts and Terms; Chapter 1 Assessment

Chapter 2, Changing How People and Businesses Communicate: Evolution of Voice Communications; From Analog to Digital; Telephony Risks, Threats, and Vulnerabilities; Telephony Security Best Practices; From Digital to Voice over IP (VoIP); VoIP and SIP Risks, Threats, and Vulnerabilities; VoIP and SIP Security Best Practices; Converting to a TCP/IP World; How Different Groups Communicate; Broadband Boom of the 1990s; IP Transformation of Telecommunication Service Providers; Multimodal Communications; Voice over IP (VoIP) Migration; Unified Communications (UC); Solving Business Challenges with Unified Communications; Evolution from Brick-and-Mortar to e-Commerce; Solving Business Challenges with e-Business Transformation; Why Businesses Today Need an Internet Marketing Strategy; The Web Effect on People, Businesses, and Other Organizations; Chapter Summary; Key Concepts and Terms; Chapter 2 Assessment

Chapter 3, Malicious Attacks, Threats, and Vulnerabilities: Malicious Activity on the Rise; What Are You Trying to Protect?; IT and Network Infrastructure; Intellectual Property; Finances and Financial Data; Service Availability and Productivity; Reputation; Whom Are You Trying to Catch?; Attack Tools; Vulnerability Scanners; Port Scanners; Sniffers; Wardialers; Keyloggers; What Is a Security Breach?; Denial of Service Attacks; Distributed Denial of Service Attacks; Unacceptable Web Browsing; Wiretapping; Backdoor; Data Modifications; Additional Security Challenges; What Are Vulnerabilities and Threats?; Threat Targets; Threat Types; What Is a Malicious Attack?; Brute-Force Attacks; Dictionary Attacks; Address Spoofing; Hijacking; Replay Attacks; Man-in-the-Middle Attacks; Masquerading; Eavesdropping; Social Engineering; Phreaking; Phishing; Pharming; What Is Malicious Software?; Viruses; Worms; Trojan Horses; Rootkits; Spyware; What Are Countermeasures?; Countering Malware; Protecting Your System with Firewalls; Chapter Summary; Key Concepts and Terms; Chapter 3 Assessment

Chapter 4, The Drivers of the Information Security Business: Defining Risk Management; Risk Identification; Risk Analysis; Risk-Response Planning; Risk Monitoring and Control; Implementing a BIA, a BCP, and a DRP; Business Impact Analysis; Business Continuity Plan; Disaster Recovery Plan; Assessing Risks, Threats, and Vulnerabilities; Closing the Information Security Gap; Adhering to Compliance Laws; Keeping Private Data Confidential; Chapter Summary; Key Concepts and Terms; Chapter 4 Assessment

Part Two: The Systems Security Certified Practitioner (SSCP®) Professional Certification from (ISC)2

Chapter 5, Access Controls: The Four Parts of Access Control; The Two Types of Access Control; Physical Access Control; Logical Access Control; Defining an Authorization Policy; Identification Methods and Guidelines; Identification Methods; Identification Guidelines; Authentication Processes and Requirements; Authentication Types; Single Sign-On (SSO); Accountability Policies and Procedures; Log Files; Data Retention, Media Disposal, and Compliance Requirements; Formal Models of Access Control; Discretionary Access Control (DAC); Mandatory Access Control (MAC); Non-Discretionary Access Control; Rule-Based Access Control; Access Control Lists (ACLs); Role Based Access Control (RBAC); Content-Dependent Access Control; Constrained User Interface; Other Access Control Models; Effects of Breaches in Access Control; Threats to Access Controls; Effects of Access Control Violations; Centralized and Decentralized Access Control; Three Types of AAA Servers; Decentralized Access Control; Privacy; Chapter Summary; Key Concepts and Terms; Chapter 5 Assessment

Chapter 6, Security Operations and Administration: Security Administration; Controlling Access; Documentation, Procedures, and Guidelines; Disaster Assessment and Recovery; Security Outsourcing; Compliance; Security Event Logs; Compliance Liaison; Remediation; Professional Ethics; Common Fallacies About Ethics; Codes of Ethics; Personnel Security Principles; The Infrastructure for an IT Security Policy; Policies; Standards; Procedures; Baselines; Guidelines; Data Classification Standards; Information Classification Objectives; Examples of Classification; Classification Procedures; Assurance; Configuration Management; Hardware Inventory and Configuration Chart; The Change Management Process; Change Control Management; Change Control Committees; Change Control Procedures; Change Control Issues; The System Life Cycle (SLC) and System Development Life Cycle (SDLC); The System Life Cycle (SLC); Testing and Developing Systems; Software Development and Security; Software Development Methods; Chapter Summary; Key Concepts and Terms; Chapter 6 Assessment

Chapter 7, Auditing, Testing, and Monitoring: Security Auditing and Analysis; Security Controls Address Risk; Determining What Is Acceptable; Permission Levels; Areas of Security Audits; Purpose of Audits; Customer Confidence; Defining Your Audit Plan; Defining the Scope of the Plan; Auditing Benchmarks; Audit Data–Collection Methods; Areas of Security Audits; Control Checks and Identity Management; Post-Audit Activities; Exit Interview; Data Analysis; Generation of Audit Report; Presentation of Findings; Security Monitoring; Security Monitoring for Computer Systems; Monitoring Issues; Logging Anomalies; Log Management; Types of Log Information to Capture; How to Verify Security Controls; Intrusion Detection System (IDS); Analysis Methods; HIDS; Layered Defense: Network Access Control; Control Checks: Intrusion Detection; Host Isolation; System Hardening; Review Antivirus Program; Monitoring and Testing Security Systems; Monitoring; Testing; Chapter Summary; Key Concepts and Terms; Chapter 7 Assessment

Chapter 8, Risk, Response, and Recovery: Risk Management and Information Security; Definitions of Risk; Elements of Risk; Purpose of Risk Management; The Risk Equation; The Process of Risk Management; Risk Analysis; Emerging Threats; Two Approaches: Quantitative and Qualitative; Calculating Quantified Risk; Qualitative Risk Analysis; Developing a Strategy for Dealing with Risk; Acceptable Range of Risk/Residual Risk; Evaluating Countermeasures; Pricing/Costing a Countermeasure; Countermeasure Evaluation; Controls and Their Place in the Security Life Cycle; Planning to Survive; Terminology; Assessing Maximum Tolerable Downtime (MTD); Business Impact Analysis; Plan Review; Testing the Plan; Backing Up Data and Applications; Types of Backups; Steps to Take in Handling an Incident; Notification; Response; Recovery; Follow-Up; Documentation; Recovery from a Disaster; Primary Steps to Disaster Recovery; Activating the Disaster Recovery Plan; Operating in a Reduced/Modified Environment; Restoring Damaged Systems; Disaster Recovery Issues; Recovery Alternatives; Interim or Alternate Processing Strategies; Chapter Summary; Key Concepts and Terms; Chapter 8 Assessment

Chapter 9, Cryptography: What Is Cryptography?; Basic Cryptographic Principles; A Brief History of Cryptography; Cryptography’s Role in Information Security; Business and Security Requirements for Cryptography; Internal Security; Security Between Businesses; Security Measures That Benefit Everyone; Cryptographic Applications and Uses in Information System Security; Cryptanalysis and Public Versus Private Keys; Cryptographic Principles, Concepts, and Terminology; Cryptographic Functions and Ciphers; Types of Ciphers; Symmetric and Asymmetric Key Cryptography; Keys, Keyspace, and Key Management; Digital Signatures and Hash Functions; Cryptographic Applications, Tools, and Resources; Symmetric Key Standards; Asymmetric Key Solutions; Hash Function and Integrity; Digital Signatures and Nonrepudiation; Principles of Certificates and Key Management; Modern Key-Management Techniques; Chapter Summary; Key Concepts and Terms; Chapter 9 Assessment

Chapter 10, Networks and Telecommunications: The Open Systems Interconnection Reference Model; The Two Types of Networks; Wide Area Networks; Local Area Networks; TCP/IP and How It Works; TCP/IP Overview; IP Addressing; ICMP; Network Security Risks; Three Categories of Risk; Basic Network Security Defense Tools; Firewalls; Virtual Private Networks and Remote Access; Network Access Control; Wireless Networks; Wireless Access Points (WAPs); Wireless Network Security Controls; Chapter Summary; Key Concepts and Terms; Chapter 10 Assessment

Chapter 11, Malicious Code and Activity: Characteristics, Architecture, and Operations of Malicious Software; The Main Types of Malware; Virus; Spam; Worms; Trojan Horses; Logic Bombs; Active Content Vulnerabilities; Botnets; Denial of Service Attacks; Spyware; Adware; Phishing; Keystroke Loggers; Hoaxes and Myths; Home-Page Hijacking; Web-Page Defacements; A Brief History of Malicious Code Threats; 1970s and Early 1980s: Academic Research and UNIX; 1980s: Early PC Viruses; 1990s: Early LAN Viruses; Mid-1990s: Smart Applications and the Internet; 2000 to Present; Threats to Business Organizations; Types of Threats; Internal Threats from Employees; Anatomy of an Attack; What Motivates Attackers?; The Purpose of an Attack; Types of Attacks; Phases of an Attack; Attack Prevention Tools and Techniques; Application Defenses; Operating System Defenses; Network Infrastructure Defenses; Safe Recovery Techniques and Practices; Implementing Effective Software Best Practices; Incident Detection Tools and Techniques; Antivirus Scanning Software; Network Monitors and Analyzers; Content/Context Filtering and Logging Software; Honeypots and Honeynets; Chapter Summary; Key Concepts and Terms; Chapter 11 Assessment

Part Three: Information Security Standards, Education, Certifications, and Laws

Chapter 12, Information Security Standards: Standards Organizations; NIST; International Organization for Standardization (ISO); International Electrotechnical Commission (IEC); World Wide Web Consortium (W3C); Internet Engineering Task Force (IETF); IEEE; International Telecommunication Union Telecommunication Sector (ITU-T); ANSI; ISO 17799; ISO/IEC 27002; PCI DSS; Chapter Summary; Key Concepts and Terms; Chapter 12 Assessment

Chapter 13, Information Security Education and Training: Self-Study; Adult Continuing Education Programs; Certificate Programs; CPE Credits; Post-Secondary Degree Programs; Associate’s Degree; Bachelor’s Degree; Master’s Degree; Doctoral Degree; Information Security Training Programs; Security Training Requirements; Security Training Organizations; Chapter Summary; Key Concepts and Terms; Chapter 13 Assessment

Chapter 14, Information Security Professional Certifications: Vendor-Neutral Professional Certifications; (ISC)2; GIAC/SANS Institute; CIW; CompTIA; SCP; ISACA; Vendor-Specific Professional Certifications; Cisco Systems; Juniper Networks; RSA; Symantec; Check Point; DoD/Military 8570.01; Chapter Summary; Key Concepts and Terms; Chapter 14 Assessment

Chapter 15, U.S. Compliance Laws: Compliance and the Law; The Federal Information Security Management Act; Purpose and Main Requirements; The Role of the National Institute of Standards and Technology; National Security Systems; Oversight; The Future of FISMA; The Health Insurance Portability and Accountability Act; Purpose and Scope; Main Requirements of the HIPAA Privacy Rule; Main Requirements of the HIPAA Security Rule; Oversight; The Gramm-Leach-Bliley Act; Purpose and Scope; Main Requirements of the GLBA Privacy Rule; Main Requirements of the GLBA Safeguards Rule; Oversight; The Sarbanes-Oxley Act; Purpose and Scope; SOX Control Certification Requirements; SOX Records Retention Requirements; Oversight; The Family Educational Rights and Privacy Act; Purpose and Scope; Main Requirements; Oversight; The Children’s Internet Protection Act; Purpose and Scope; Main Requirements; Oversight; Making Sense of Laws for Information Security Compliance; Chapter Summary; Key Concepts and Terms; Chapter 15 Assessment

Endnotes
Appendix A: Answer Key
Appendix B: Standard Acronyms
Appendix C: Become an SSCP®
Appendix D: SSCP® Practice Exam
Glossary of Key Terms
References
Index

Dedication

This book is dedicated to our readers, students, and IT professionals pursuing a career in information systems security. May your passion for learning IT security help you protect the information assets of the United States of America, our businesses, and the privacy data of our citizens.
David Kim

To God, who has richly blessed me in so many ways.
Michael G. Solomon

Letter from (ISC)2 Executive Director W. Hord Tipton

Dear student,

I congratulate you on your decision to advance your knowledge in the rapidly expanding and challenging field of information security. This is currently one of the most in-demand industries in the world and there is an urgent need for qualified information security professionals to secure our systems, networks, and infrastructures.

Fundamentals of Information Systems Security represents (ISC)2’s commitment to providing guidance and support to the information security field through exciting new educational offerings. The information provided in this book highlights the seven domains of (ISC)2’s Systems Security Certified Practitioner (SSCP®) certification: Access Controls; Cryptography; Malicious Code and Activity; Monitoring and Analysis; Networks and Communications; Risk, Response and Recovery; and Security Operations and Administration. The SSCP is a deeply technical certification, requiring a minimum one year of technical work experience before candidates are able to sit for the examination. Considered an entry-level certification, the SSCP is desirable for those looking to embed the first footprint on their information security career path.
SSCPs are often considered the “go-to” practitioners in demanding technical positions such as network security engineers, security systems analysts, and security administrators; however, they also encompass non-security disciplines that require an understanding of security but do not have information security as a primary part of their job description. Due to rapidly emerging technologies, the domains of the SSCP will continue to evolve, which is why it’s important to remain vigilant about continuing education throughout your career.

When it comes to educating and certifying information security professionals throughout their careers, (ISC)2 is acknowledged as the global, not-for-profit leader. We have an elite network of over 72,000 information security professionals worldwide and a reputation built on trust and integrity which has earned our certifications and world-class educational programs recognition as the gold standard of the industry. Both education and certification create a framework for a successful career in this industry. According to the 2009 Certification Magazine Salary Survey, with support from (ISC)2, SSCPs reported earning an average annual base salary of $97,860 in the U.S. A full 96 percent of respondents from the top five countries with the highest salaries said they were certified. Around 47 percent said they think their most recently earned certification played a role in them getting a raise, and more than 85 percent of respondents agreed that since they’ve become certified, there is a greater demand for their skills.

In closing, let me again thank you for taking this initial step toward a very exciting and rewarding career in information security. I invite you to look to our organization, (ISC)2, when you are ready to validate your knowledge and experience by obtaining the gold standard of information security certifications. Be sure to test your knowledge by taking the SSCP practice exam at the end of the book. A tuition grant of $1,000 toward an SSCP CBK® Review Seminar is available to all students who are enrolled in this course. I wish you the best of luck in this course and in your future information security career.

Sincerely,
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)2
www.isc2.org

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series (ISSA) from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

Part 1 of this book on information security fundamentals focuses on new risks, threats, and vulnerabilities associated with the transformation to a digital world. Individuals, students, educators, businesses, organizations, and governments have changed how they communicate and do business. Led by the integration of the Internet and broadband communications into our everyday lives, the digital revolution has created a need for information systems security. With recent compliance laws requiring organizations to protect and secure privacy data and reduce liability, information systems security has never been more recognized than it is now.
Part 2 is adapted from the Official (ISC)2 SSCP® CBK® Study Guide. It will present a high-level overview of each of the seven domains within the Systems Security Certified Practitioner certification. The SSCP® professional certification requires mastery of the following topics: Access Controls; Cryptography; Malicious Code and Activity; Monitoring and Analysis; Networks and Communications; Risk, Response, and Recovery; and Security Operations and Administration.

Part 3 of this book provides a resource for readers and students desiring more information on information security standards, education, professional certifications, and recent compliance laws. These resources are ideal for students and individuals desiring additional information about educational and career opportunities in information systems security.

Learning Features

The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book. Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
Acknowledgments

This is the flagship book of the Information Systems Security & Assurance Series (ISSA) from Jones & Bartlett Learning (www.jblearning.com). The ISSA Series was designed for IT security and information assurance curriculums and courseware for those colleges and universities needing a hands-on approach to delivering an information systems security and information assurance degree program whose graduates would be ready for the work force.

The entire ISSA series was developed by information systems security professionals, consultants, and recognized leaders in the field of information systems security, all of whom contributed to each word, sentence, paragraph, and chapter. The dedication and perseverance displayed by those involved was driven by a single passion and common goal: “to help educate today’s information systems security practitioner” by creating the most up-to-date textbooks, courseware, and hands-on labs to ensure job and skill-set readiness for information systems security practitioners.

Achieving this single passion and common goal involved a collaborative effort with the International Information Systems Security Certification Consortium, Inc. (ISC)2, to bring the Systems Security Certified Practitioner (SSCP®) Common Body of Knowledge (CBK®) and its seven domains of information systems security responsibility into Part 2 of this book. The seven domains of the SSCP® CBK® encompass what information systems security practitioners must be able to do to implement hands-on security countermeasures in IT infrastructure.

Thank you to Jones & Bartlett Learning for having the vision and patience to underwrite and build the world’s best information systems security content and curriculum. Thank you to (ISC)2 for recognizing that the SSCP® professional certification is best aligned with programs that incorporate hands-on skills-set readiness aligned to the seven domains of the SSCP® CBK®. Thank you to the many authors, subject matter experts, super subject matter experts, copy editors, development editors, and graphic artists who contributed to this book and entire ISSA Series during the past year of development. And last but not least, I would like to thank my wife, MiYoung Kim, who is and always will be by my side.
David Kim

I would like to thank Kate Shoup for providing pertinent editorial comments and for helping to fine tune the book’s content, and Lawrence Goodrich and Ruth Walker for all your input, work, and patience. All of you made the process so much easier and added a lot to the book. And thanks so much to Stacey and Noah for your help in researching the many diverse topics.
Michael G. Solomon

About the Authors

David Kim (CISSP) is president of Security Evolutions, LLC (www.SecurityEvolutions.com), and chief technology officer for vLab Solutions, LLC (www.vLabSolutions.com), both located in Tarpon Springs, Florida. Security Evolutions provides IT security training and consulting services for organizations around the world. Security Evolutions has specific expertise and experience in VoIP and SIP layered security solutions where privacy data may encompass both data and voice communications. vLab Solutions is a leading designer and developer of performance-outcome-based, hands-on labs for educational, training, and professional certification requirements. vLearning Cloud™, vLab Solutions’ hands-on online labs environment, provides students with secure browser access to complete the lab exercise from a virtual workstation. Mr. Kim’s IT and IT security experience encompasses more than 25 years of technical engineering, technical management, and solutions selling and sales management. This experience includes LAN/WAN, internetworking, enterprise network management, and IT security for voice, video, and data networking infrastructures. Previously, Mr. Kim was chief operating officer of the (ISC)2 Institute located in Vienna, Virginia, where he was responsible for content development, educational products, and educational delivery for (ISC)2 (www.isc2.org) and its IT security professional certifications.

Michael G. Solomon (CISSP, PMP, CISM, GSEC) is a full-time security speaker, consultant, and author, and a former college instructor who specializes in development and assessment security topics. As an IT professional and consultant since 1987, he has worked on projects for more than 100 major companies and organizations. From 1998 until 2001, he was an instructor in the Kennesaw State University Computer Science and Information Sciences (CSIS) department, where he taught courses on software project management, C programming, computer organization and architecture, and data communications. Solomon holds an MS in mathematics and computer science from Emory University (1998), a BS in computer science from Kennesaw State University (1987), and is currently pursuing a PhD in computer science and informatics at Emory University. He has also contributed to various security certification books for LANWrights, including TICSA Training Guide (Que, 2002) and an accompanying Instructor Resource Kit (Que, 2002), CISSP Study Guide (Sybex, 2003), as well as Security Training Guide (Que, 2003). Solomon coauthored Information Security Illuminated (Jones and Bartlett, 2005), Security Lab Guide (Sybex, 2005), Computer Forensics JumpStart (Sybex, 2005), PMP ExamCram2 (Que, 2005), and authored and provided the on-camera delivery of LearnKey’s CISSP Prep and PMP Prep e-Learning courses.

PART ONE: The Need for Information Security

Chapter 1: Information Systems Security
Chapter 2: Changing How People and Businesses Communicate
Chapter 3: Malicious Attacks, Threats, and Vulnerabilities
Chapter 4: The Drivers of the Information Security Business

CHAPTER 1: Information Systems Security

The Internet has changed dramatically from its origins.
It has grown from a small number of universities and government agencies to a worldwide network with more than two billion users. As it has grown, it has changed how people communicate and do business. It has brought many opportunities and benefits. The Internet continues to grow and expand in new and varied ways. It supports innovation and new services. Like outer space, the maturing Internet is a new frontier. There is no Internet government or central authority. It is full of challenges—and questionable behavior. The Internet as we know it today has its roots in a computer network called the Advanced Research Projects Agency Network (ARPANET), which the U.S. Department of Defense created in 1969. But the way people use the Internet is new. Today, people working in cyberspace must deal with new and constantly evolving threats. Intelligent and aggressive cybercriminals, terrorists, and scam artists lurk in the shadows. Connecting your computers or devices to the Internet immediately exposes them to attack. These attacks result in frustration and hardship. Anyone whose personal information has been stolen can attest to that. Worse, attacks on computers and networked devices are a threat to the national economy, which depends on e-commerce. Even more important, cyberattacks threaten national security. For example, terrorist attackers could shut down electricity grids and disrupt military communication. You can make a difference. The world needs people who understand computer-systems security and who can protect computers and networks from criminals and terrorists. To get you started, this first chapter gives an overview of information systems security concepts and terms that you must understand to stop these attacks. 
Chapter 1 Topics

This chapter covers the following topics and concepts:

• What information systems security is
• What the tenets of information systems security are
• What the seven domains of an IT infrastructure are
• What the weakest link in an IT infrastructure is
• How an IT security policy framework can reduce risk
• How a data classification standard affects an IT infrastructure’s security needs

Chapter 1 Goals

When you complete this chapter, you will be able to:

• Relate how availability, integrity, and confidentiality requirements affect the seven domains of a typical IT infrastructure
• Describe the threats and vulnerabilities commonly found within the seven domains
• Identify a layered security approach throughout the seven domains
• Develop an IT security policy framework to help reduce risk from common threats and vulnerabilities
• Relate how a data classification standard affects the seven domains

Information Systems Security

Today’s Internet is a worldwide network with more than two billion users. It includes almost every government, business, and organization on Earth. Just having that many users on the same network wouldn’t have been enough to make the Internet a game-changing innovation, however. These users needed some type of mechanism to link documents and resources across computers. In other words, a user on computer A needed an easy way to open a document on computer B. This need gave rise to a system that defines how documents and resources are related across network machines. The name of this system is the World Wide Web (WWW). You may know it as cyberspace, or simply as the Web.

Think of it this way: The Internet links communication networks to one another. The Web is the connection of Web sites, Web pages, and digital content on those networked computers. Cyberspace is all the users, networks, Web pages, and applications working in this worldwide electronic realm.
Figure 1-1 Cyberspace: the new frontier. (The figure shows government buildings, corporate buildings, schools, homes, stores, factories, and banks as hosts and users, alongside attackers, black-hat hackers, perpetrators, and virus and malicious code.)

Unfortunately, when you connect to cyberspace, you also open the door to a lot of bad guys. They want to find you and steal your data. Every computer that connects to the Internet is at risk. All users must defend their information from attackers. Cybersecurity is the duty of every government that wants to ensure its national security. It’s the responsibility of every organization that needs to protect its information. And it’s the job of each of us to protect our own data. Figure 1-1 illustrates this new frontier.

The components that make up cyberspace are not automatically secure. These include cabling, physical networks, operating systems, and software applications that computers use to connect to the Internet. At the heart of the problem is the lack of security in the TCP/IP communications protocol. This protocol is the language that computers most commonly use when communicating across the Internet. (A protocol is a list of rules and methods for communicating.) TCP/IP is really more than just one protocol. It consists of two protocols, Transmission Control Protocol (TCP) and Internet Protocol (IP), that work together to allow any two computers to communicate using a network. TCP/IP, as these two protocols are known collectively, breaks messages into chunks, or packets, to send to another networked computer. The problem is that data is readable within the IP packet. This readable mode is known as cleartext. That means you must hide or encrypt the data sent inside a TCP/IP packet to make it more secure. Figure 1-2 shows the data within the TCP/IP packet structure.

Figure 1-2 TCP/IP communications. (The figure shows the IP header fields Version, IHL, Differentiated Services, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP address, Destination IP address, Options, and Padding, followed by the Data field. TCP/IP applications such as e-mail (SMTP/POP3), FTP/TFTP, SNMP, Telnet, and HTTP (WWW) all use cleartext, so the data is visible between the desktop PC and the server.)

All this raises the question: If the Internet is so unsafe, why did everyone connect to it so rapidly? The answer is the huge growth of the Web from the mid-1990s to the early 2000s. Connecting to the Internet gave anyone instant access to the Web and its many resources. The appeal of easy worldwide connectivity drove the demand to connect. This demand and subsequent growth helped drive costs lower for high-speed communications. Households, businesses, and governments gained affordable high-speed Internet access. And as wireless connections have become more common and affordable, it has become easier to stay connected no matter where you are.

Internet growth has also been driven by generational differences. Generation Y’s culture is taking over as baby boomers begin to retire. This new generation grew up with cell phones, smartphones, and “always on” Internet access. These devices provide real-time communications. Today’s personal communications include voice over IP (VoIP), text messaging, and instant messaging (IM), or chatting, as well as audio and video conferencing.

Cyberspace is the new place to meet, socialize, and share ideas. You can chat with friends, family, business contacts, and people from everywhere. But there’s a danger: You don’t really know who the person at the other end is. Liars and thieves can easily hide their identity. While cyberspace gives you fingertip access to people and information, it also brings along many risks and threats. An information security war is raging. The battlefield is cyberspace and the enemies are already within the gates.
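The cleartext problem shown in Figure 1-2 can be seen directly by taking an IP datagram apart. The following Python script is an added example (it is not the textbook's code): it parses the IPv4 header in the field order the figure shows, verifies the header checksum, and returns the Data field as readable text, which is what any device on the path can read when an application uses cleartext. The sample datagram, its addresses (documentation ranges) and its SMTP-style payload are constructed here; the TCP header that would normally sit between the IP header and the application data is omitted so the cleartext starts right after the IP header.

```python
"""Parse an IPv4 datagram and show that its Data field travels in cleartext.

Added example, not code from the textbook. Field order follows Figure 1-2
(the RFC 791 header). The sample packet below is constructed, not captured.
"""
import ipaddress
import struct

IPV4_FIELDS = ("version", "ihl", "dscp", "ecn", "total_length", "identification",
               "flags", "fragment_offset", "ttl", "protocol", "header_checksum",
               "src", "dst")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum
    of all 16-bit words, with the checksum field itself set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 datagram into its header fields and its payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, identification, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                     # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet) or total_length > len(packet):
        raise ValueError("header length or total length exceeds packet")
    header = packet[:header_len]
    # Recompute the checksum over the header with the checksum bytes zeroed.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,                    # Differentiated Services code point
        "ecn": tos & 0x03,
        "total_length": total_length,
        "identification": identification,
        "flags": flags_frag >> 13,           # 3 flag bits (bit 1 = Don't Fragment)
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": protocol,                # 6 = TCP, 17 = UDP
        "header_checksum": checksum,
        "checksum_ok": ipv4_checksum(zeroed) == checksum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:],
        "payload": packet[header_len:total_length],
    }


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes,
               ttl: int = 64, identification: int = 0x1234) -> bytes:
    """Build a minimal (no options, Don't Fragment) IPv4 datagram with a valid checksum."""
    total_length = 20 + len(payload)
    no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, identification,
                        0x4000, ttl, protocol, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    header = no_ck[:10] + struct.pack("!H", ipv4_checksum(no_ck)) + no_ck[12:]
    return header + payload


def readable_payload(packet: bytes) -> str:
    """Decode the Data field as text: everything an on-path observer can read."""
    return parse_ipv4(packet)["payload"].decode("ascii", errors="replace")


# Constructed sample: an SMTP command line carried as the datagram's data.
# Protocol 6 (TCP) is claimed, but the TCP header is omitted for brevity.
SAMPLE_PAYLOAD = b"MAIL FROM:<alice@example.com>\r\n"
SAMPLE_PACKET = build_ipv4("192.0.2.10", "198.51.100.25", 6, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = parse_ipv4(SAMPLE_PACKET)
    for name in IPV4_FIELDS:
        print(f"{name:>16}: {info[name]}")
    print(f"{'checksum ok':>16}: {info['checksum_ok']}")
    print(f"{'cleartext data':>16}: {readable_payload(SAMPLE_PACKET)!r}")
```

Flipping a single header bit makes the checksum check fail, but the payload stays just as readable; the checksum detects accidental corruption, not eavesdropping.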
To make matters worse, the enemy is everywhere—both in the local area and around the world. Because of this, IT is in great need of proper security controls. This need has created a great demand for information security professionals. The goal is to protect both national security and business information from the enemy.

Risks, Threats, and Vulnerabilities

This book introduces the dangers of cyberspace and discusses how to address those dangers. It explains how to identify and combat the dangers common in information systems and IT infrastructures. To understand how to make computers more secure, you first need to understand risks, threats, and vulnerabilities.

Risk is the likelihood that something bad will happen to an asset. It is the exposure to some event that has an effect on an asset. In the context of IT security, an asset can be a computer, a database, or a piece of information. Examples of risk include the following:

• Losing data
• Losing business because a disaster has destroyed your building
• Failing to comply with laws and regulations

A threat is any action that could damage an asset. Information systems face both natural and human-induced threats. The threats of flood, earthquake, or severe storms require organizations to have plans to ensure that business operation continues and that the organization can recover. A business continuity plan (BCP) gives priorities to the functions an organization needs to keep going. A disaster recovery plan (DRP) defines how a business gets back on its feet after a major disaster like a fire or hurricane.

Human-caused threats to a computer system include viruses, malicious code, and unauthorized access. A virus is a computer program written to cause damage to a system, an application, or data. Malicious code or malware is a computer program written to cause a specific action to occur, such as erasing a hard drive. These threats can harm an individual, business, or organization.
A vulnerability is a weakness that allows a threat to be realized or to have an effect on an asset. To understand what a vulnerability is, think about lighting a fire. Lighting a fire is not necessarily bad. If you are cooking a meal on a grill, you will need to light a fire in the grill. The grill is designed to contain the fire and should pose no danger if used properly. On the other hand, lighting a fire in a computer data center will likely cause damage. A grill is not vulnerable to fire, but a computer data center is. A threat by itself does not always cause damage; there must be a vulnerability for a threat to be realized.

Vulnerabilities can often result in legal liabilities. Any vulnerability that allows a threat to be realized may result in legal action. Since computers must run software to be useful, and since humans write software, software programs have errors. Thus, software vendors must protect themselves from the liabilities of their own vulnerabilities with an end user licensing agreement (EULA). A EULA takes effect when the user opens the package and installs the software. All software vendors use EULAs. That means the burden of protecting data falls on systems security professionals.

End User Licensing Agreements (EULAs)

EULAs are license agreements between the user and the software vendor. They protect the software vendor from claims arising from imperfect software. EULAs typically contain a warranty disclaimer. This limits their liability from software bugs and weaknesses that hackers can exploit. Here is an excerpt from Microsoft’s EULA that states the company offers only “limited” warranties for its software. The EULA also advises that the software product is offered “as is and with all faults.”

“DISCLAIMER OF WARRANTIES. THE LIMITED WARRANTY THAT APPEARS ABOVE IS THE ONLY EXPRESS WARRANTY MADE TO YOU AND IS PROVIDED IN LIEU OF ANY OTHER EXPRESS WARRANTIES (IF ANY) CREATED BY ANY DOCUMENTATION OR PACKAGING. EXCEPT FOR THE LIMITED WARRANTY AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE THE SOFTWARE PRODUCT AND SUPPORT SERVICES (IF ANY) AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS....”

Microsoft’s EULA also limits its financial liability to the cost of the software or $5 (U.S.), whichever is greater.

“LIMITATION OF LIABILITY. ANY REMEDIES NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS EULA AND YOUR EXCLUSIVE REMEDY FOR ALL OF THE FOREGOING (EXCEPT FOR ANY REMEDY OF REPAIR OR REPLACEMENT ELECTED BY MICROSOFT WITH RESPECT TO ANY BREACH OF THE LIMITED WARRANTY) SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE PRODUCT OR U.S.$5.00. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS (INCLUDING SECTIONS 9, 10 AND 11 ABOVE) SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.”

Figure 1-3 What are we securing? (The figure shows the System/Application Domain, behind a firewall, with a mainframe and application and Web servers holding the following kinds of information.)

• Privacy data of individuals: name, address, date of birth; Social Security number; bank name, account number; credit card account number; utility account number; mortgage account number; insurance policy number; securities and brokerage account numbers
• Corporate intellectual property: trade secrets; product development; sales and marketing strategies; financial records; copyrights, patents, etc.
• Online B2C and B2B transactions: online banking; online health care and insurance claims; e-commerce, e-government, services; online education and transcripts
• Government intellectual property: national security; military and DoD strategies

Defining Information Systems Security

Security is easiest to define by breaking it into pieces. An information system consists of the hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations. Information systems security is the collection of activities that protect the information system and the data stored in it. Many U.S. and international laws now require this kind of security assurance. Organizations must address this need head-on. Figure 1-3 reviews the types of information commonly found within an IT infrastructure.

U.S. Compliance Laws Drive Need for Information Systems Security

Cyberspace brings new threats to people and organizations. People need to protect their privacy. Businesses and organizations are responsible for protecting both their intellectual property and any personal or private data they handle. Various laws require organizations to use security controls to protect private and confidential data. Recent U.S. laws related to information security include the following:

• Federal Information Security Management Act (FISMA)—Passed in 2002, the Federal Information Security Management Act (FISMA) requires federal civilian agencies to provide security controls over resources that support federal operations.
• Sarbanes-Oxley Act (SOX)—Passed in 2002, the Sarbanes-Oxley Act (SOX) requires publicly traded companies to submit accurate and reliable financial reporting. This law does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself.
• Gramm-Leach-Bliley Act (GLBA)—Passed in 1999, the Gramm-Leach-Bliley Act (GLBA) requires all types of financial institutions to protect customers’ private financial information.
• Health Insurance Portability and Accountability Act (HIPAA)—Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to secure patient information.
• Children’s Internet Protection Act (CIPA)—Passed in 2000, the Children's Internet Protection Act (CIPA) requires public schools and public libraries to use an Internet safety policy. The policy must address the following:
  • Children’s access to inappropriate matter on the Internet
  • Children’s security when using e-mail, chat rooms, and other electronic communications
  • Restricting hacking and other unlawful activities by children online
  • Disclosing and distributing personal information about children without permission
  • Restricting children’s access to harmful materials
• Family Educational Rights and Privacy Act (FERPA)—Passed in 1974, the Family Educational Rights and Privacy Act (FERPA) protects the private data of students and their school records.

You can find out more about these laws in Chapter 15. Figure 1-4 shows these laws by industry.

Figure 1-4 U.S. compliance laws drive the need for information systems security. Individual privacy data must be protected, and security controls are required to protect privacy data. By industry: Education: CIPA/FERPA; Government: FISMA/DIACAPS; Corporation: SOX; Health Care: HIPAA; Bank/Insurance: GLBA; Retail: PCI DSS.

NOTE: PCI DSS is a global standard, not a U.S. federal law. PCI DSS requires protection of consumer privacy data with proper security controls.
Figure 1-5 The three tenets of information systems security: confidentiality, integrity, and availability.

Tenets of Information Systems Security

Most people agree that private information should be secure. But what does “secure information” really mean? Information that is secure satisfies three main tenets, or properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information. The three tenets are as follows:

• Availability—Information is accessible by authorized users whenever they request the information.
• Integrity—Only authorized users can change information.
• Confidentiality—Only authorized users can view information.

Figure 1-5 shows the three tenets of information systems security. When you design and use security controls, you are addressing one or more of these tenets. When finding solutions to security issues, you must use the A-I-C triad. You have to define and achieve your organization’s goals for this triad in a typical IT infrastructure’s seven domains. Once defined, these goals help you put security controls in place as required for your different types of data.

NOTE: Some systems security professionals refer to the tenets as the C-I-A triad, but that can lead to confusion with the U.S. Central Intelligence Agency, commonly known as the CIA.

Availability

Availability is a common term in everyday life. For example, you probably pay attention to the availability of your satellite TV service, your cell phone service, or a business colleague for a meeting. In the context of information security, availability is generally expressed as the amount of time users can use a system, application, and data. Common availability time measurements include the following:

• Uptime—The total amount of time that a system, application, and data is accessible. Uptime is typically measured in units of seconds, minutes, and hours within a given calendar month.
• Downtime—The total amount of time that a system, application, and data is not accessible. Downtime also is measured in units of seconds, minutes, and hours for a calendar month.
• Availability—A math calculation where A = (Total Uptime) / (Total Uptime + Total Downtime).
• Mean time to failure (MTTF)—Mean time to failure (MTTF) is the average amount of time between failures for a particular system. Semiconductors and electronics do not break and have an MTTF of many years (25 years, etc.). Physical parts such as connectors, cabling, fans, and power supplies have a much lower MTTF (five years or less) given that wear and tear can break them.
• Mean time to repair (MTTR)—Mean time to repair (MTTR) is the average amount of time it takes to repair a system, application, or component. The goal is to bring the system back up quickly.
• Recovery time objective (RTO)—Recovery time objective (RTO) is the amount of time it takes to recover and make a system, application, and data available for use after an outage. Business continuity plans typically define an RTO for mission-critical systems, applications, and data access.

How to Measure Availability

For a given 30-day calendar month, the total amount of uptime equals:
30 days × 24 hours/day × 60 minutes/hour = 43,200 minutes

For a 28-day calendar month (February), the total amount of uptime equals:
28 days × 24 hours/day × 60 minutes/hour = 40,320 minutes

Using the formula Availability = (Total Uptime) / (Total Uptime + Total Downtime), calculate the Availability factor for a 30-day calendar month with 30 minutes of scheduled downtime in that calendar month:
Availability = (43,200 minutes) / (43,200 minutes + 30 minutes) = .9993 or 99.93%

Telecommunications companies offer their customers service level agreements (SLAs).
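The sidebar's arithmetic, and the SLA percentages discussed next, worked in Python as an added example that is not the book's own code. It applies the formula A = Total Uptime / (Total Uptime + Total Downtime) exactly as the sidebar does (the whole calendar month counted as uptime, with downtime added on top), then runs the same formula backwards to turn an SLA percentage into a monthly downtime budget, and shows the same ratio built from the MTTF and MTTR defined above. Month lengths come from Python's calendar module; the year 2011 in the main block is an arbitrary choice.

```python
"""Availability arithmetic from the "How to Measure Availability" sidebar.

Added example, not the textbook's code. Uses the book's formula
    A = Total Uptime / (Total Uptime + Total Downtime)
as written, and inverts it to obtain a downtime budget for an SLA tier.
"""
import calendar

MINUTES_PER_DAY = 24 * 60

# SLA tiers in the range the text says providers typically offer (99.5% to 99.999%).
SLA_TIERS = (0.995, 0.999, 0.9999, 0.99999)


def month_minutes(year: int, month: int) -> int:
    """Total minutes in a calendar month: 43,200 for 30 days, 40,320 for 28."""
    days = calendar.monthrange(year, month)[1]
    return days * MINUTES_PER_DAY


def availability(total_uptime: float, total_downtime: float) -> float:
    """The book's formula, returned as a fraction (0.9993 for 99.93%)."""
    if total_uptime < 0 or total_downtime < 0:
        raise ValueError("uptime and downtime cannot be negative")
    if total_uptime + total_downtime == 0:
        raise ValueError("nothing was measured")
    return total_uptime / (total_uptime + total_downtime)


def downtime_budget(total_uptime: float, sla: float) -> float:
    """Invert the formula: the largest downtime D for which U / (U + D)
    still reaches the SLA fraction, i.e. D = U * (1 - SLA) / SLA."""
    if not 0.0 < sla <= 1.0:
        raise ValueError("SLA must be a fraction between 0 and 1")
    return total_uptime * (1.0 - sla) / sla


def meets_sla(total_uptime: float, total_downtime: float, sla: float) -> bool:
    """True when the measured month satisfies the contracted SLA fraction."""
    return availability(total_uptime, total_downtime) >= sla


def steady_state_availability(mttf: float, mttr: float) -> float:
    """Same ratio built from MTTF and MTTR: each failure cycle is MTTF of
    uptime followed by MTTR of downtime, so long-run availability is
    MTTF / (MTTF + MTTR). This is the standard reliability-engineering result."""
    return availability(mttf, mttr)


def sla_table(total_uptime: float) -> dict:
    """Downtime budget in minutes for each SLA tier, rounded to 0.1 minute."""
    return {sla: round(downtime_budget(total_uptime, sla), 1) for sla in SLA_TIERS}


if __name__ == "__main__":
    u30 = month_minutes(2011, 4)   # April: 30 days -> 43,200 minutes
    u28 = month_minutes(2011, 2)   # February 2011: 28 days -> 40,320 minutes
    print(f"30-day month: {u30} minutes; 28-day month: {u28} minutes")
    a = availability(u30, 30)      # the sidebar's worked case
    print(f"30 minutes of downtime in a 30-day month: A = {a:.4f} ({a * 100:.2f}%)")
    for sla, budget in sla_table(u30).items():
        print(f"SLA {sla * 100:.3f}% allows at most {budget:6.1f} minutes of downtime")
    # A fan with a 5-year MTTF (in hours) that takes 4 hours to replace.
    print(f"fan availability from MTTF/MTTR: {steady_state_availability(5 * 365 * 24, 4):.5f}")
```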
An SLA is a contract that guarantees a minimum monthly availability of service for wide area network (WAN) and Internet access links. SLAs accompany WAN services and dedicated Internet access links. Availability measures a monthly uptime service level commitment. As in the preceding example, 30 minutes of downtime in a given 30-day calendar month equates to 99.993 percent availability. Service providers typically offer SLAs ranging from 99.5 percent to 99.999 percent availability.

Integrity

Integrity deals with the validity and accuracy of data. Data lacking integrity—that is, data that is not accurate or not valid—is of no use. For some organizations, data and information are intellectual property assets. Examples include copyrights, patents, secret formulas, and customer databases. This information can have great value. Unauthorized changes can undermine the data’s value. This is why integrity is a tenet of systems security. Figure 1-6 shows what is meant by data integrity and whether that data is usable. Sabotage and corruption of data integrity is a serious threat to an organization, especially if the data is critical to business operations.

Figure 1-6 Data integrity. Data has integrity if: (1) data is not altered, (2) data is valid, and (3) data is accurate. (The figure shows a user reaching, through a firewall, the database, mainframe, and application and Web servers of the System/Application Domain.)

Confidentiality

Confidentiality is a common term. It means guarding information from everyone except those with rights to it. Confidential information includes the following:

• Private data of individuals
• Intellectual property of businesses
• National security for countries and governments

U.S. compliance laws require organizations to have controls to keep data private.

Identity Theft

Identity theft affects about 10 million U.S. citizens each year. It is a major threat to American consumers. Many elements make up a person’s identity.
These include but are not limited to the following:

• Full name
• Mailing address
• Date of birth
• Social Security number
• Bank name
• Bank account number
• Credit card account number
• Utility account number
• Mortgage account number
• Insurance policy number
• Securities and investment account numbers

An impostor can access your accounts with just your name, home address, and Social Security number. This threat extends beyond just financial loss. Identity theft can damage your FICO personal credit rating. This would stop you from getting a bank loan, mortgage, or credit card. It can take years to clean up your personal credit history.

NOTE: FICO is a publicly traded company that provides information used by Equifax, Experian, and TransUnion, the three largest consumer credit reporting agencies in the United States.

With the growth in e-commerce, more people are making online purchases with credit cards. This requires people to enter private data into e-commerce Web sites. Consumers should be careful to protect their personal identity and private data. Laws require organizations to use security controls to protect customers’ private data. A security control is something an organization does to help reduce risk. Examples of controls include the following:

• Conducting annual security awareness training for employees. This helps remind staff about proper handling of private data. It also drives awareness of the organization’s framework of security policies, standards, procedures, and guidelines.
• Putting an IT security policy framework in place. This outline is like an instruction manual for security controls.
• Designing a layered security solution for an IT infrastructure. The more layers or compartments that block or protect private data and intellectual property, the more difficult it is to find and steal.
• Performing periodic security assessments and penetration tests on Web sites and IT infrastructure. This is how security professionals verify that they have installed the controls properly.
• Enabling security monitoring at your Internet entry and exit points. This is like using a microscope to see what is coming in and going out.
• Using automated workstation and server antivirus and malicious software protection. This is the way to keep viruses and malicious software out of your computer.
• Using more stringent access controls beyond a logon ID and password for sensitive systems, applications, and data. Logon IDs with passwords are only one check of the user. Access to more sensitive systems should have a second test to confirm the user’s identity.
• Minimizing software weaknesses in your computers and servers by updating them with patches and security fixes. This is the way to keep your operating system and application software up to date.

Protecting private data is the process of ensuring data confidentiality. Organizations must use proper security controls specific to this concern. Some examples include the following:

• Defining organization-wide policies, standards, procedures, and guidelines to protect confidential data. These are instructions for how to handle private data.
• Adopting a data classification standard that defines how to treat data throughout your IT infrastructure. This is the road map for identifying what controls are needed to keep data safe.
• Limiting access to systems and applications that house confidential data to only those authorized to use it.
• Using cryptography techniques to hide confidential data to keep it invisible to unauthorized users.
• Encrypting data that crosses the public Internet.
• Encrypting data that is stored within databases and storage devices.

WARNING: Never enter private data in an e-mail in cleartext. Remember, e-mail traffic transmits through the Internet in cleartext. Also, never enter private data in a Web site if it is not a trusted host that can be checked by telephone or other means. Never enter private data into a Web site or Web application that does not use encryption.

Sending data to other computers using a network means you have to take special steps to keep confidential data from unauthorized users. Cryptography is the practice of hiding data and keeping it away from unauthorized users. Encryption is the process of transforming data from cleartext into ciphertext. Cleartext data is data that anyone can read. Ciphertext is the scrambled data that is the result of encrypting cleartext. An example of this is in Figure 1-7. Data privacy is so important that local and state governments are starting to pass laws to protect it by extending federal laws.

Figure 1-7 Encryption of cleartext into ciphertext. (Inside a VPN tunnel with encryption, the IP datagram is encrypted and the cleartext is not visible; at either end of the tunnel the data is visible.)

The Seven Domains of a Typical IT Infrastructure

What role do the three tenets of systems security play in a typical IT infrastructure? First, let’s review what a typical IT infrastructure looks like. Whether in a small business, large government body, or publicly traded corporation, most IT infrastructures consist of the seven domains shown in Figure 1-8. A typical IT infrastructure usually has these seven domains. Each one requires proper security controls. These controls must meet the requirements of the A-I-C triad. The following is an overview of the seven domains, and the risks, threats, and vulnerabilities you will commonly find in today’s IT environments.

User Domain

The User Domain defines the people who access an organization’s information system.
User Domain Roles, Responsibilities, and Accountability

Here's an overview of what should go on in the User Domain:

• Roles and tasks—Users can access systems, applications, and data depending upon their defined access rights. Employees must conform to the staff manual and policies. The User Domain is where you will find an acceptable use policy (AUP). An AUP defines what users are allowed to do with organization-owned IT assets. It’s like a rulebook that employees must follow. Violation of these rules can be grounds for dismissal. This is where the first layer of defense starts for a layered security strategy.
• Responsibilities—Employees are responsible for their use of IT assets. New legislation means that for most organizations it’s a best practice to introduce an AUP. Organizations may require staff, contractors, or other third parties to sign an agreement to keep information confidential. Some require a criminal background check for sensitive positions. The department manager or human resources manager is usually in charge of making sure employees sign and follow an AUP.
• Accountability—The human resources department must verify an employee’s identity before allowing use of the company’s computer system. HR must do background checks of any candidate for a job with access to sensitive computer information.

Figure 1-8 The seven domains of a typical IT infrastructure. (The figure is titled "7-Domains of a Typical IT Infrastructure" and labels the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, and System/Application Domain, with workstations, a hub, a server, routers, firewalls, a mainframe, and application and Web servers.)

Risks, Threats, and Vulnerabilities Commonly Found in the User Domain

The User Domain is the weakest link in an IT infrastructure. Anyone responsible for computer security must understand what motivates someone to compromise an organization’s system, applications, or data.
Table 1-1 lists the risks and threats commonly found in the User Domain and plans you can use to prevent them.

Table 1-1 Risks, threats, vulnerabilities, and mitigation plans for the User Domain.

Risk, threat, or vulnerability: Lack of user awareness
Mitigation: Conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send e-mail reminders to employees.

Risk, threat, or vulnerability: User apathy toward policies
Mitigation: Conduct annual security awareness training, implement acceptable use policy, update staff manual and handbook, discuss during performance reviews.

Risk, threat, or vulnerability: Security policy violations
Mitigation: Place employee on probation, review AUP and employee manual, discuss during performance reviews.

Risk, threat, or vulnerability: User inserts CDs and USB drives with personal photos, music, and videos.
Mitigation: Disable internal CD drives and USB ports. Enable automatic antivirus scans for inserted media drives, files, and e-mail attachments. An antivirus scanning system examines all new files on your computer’s hard drive for viruses. Set up antivirus scanning for e-mails with attachments.

Risk, threat, or vulnerability: User downloads photos, music, and videos.
Mitigation: Enable content filtering and antivirus scanning for e-mail attachments. Content-filtering network devices are configured to permit or deny specific domain names in accordance with AUP definition.

Risk, threat, or vulnerability: User destruction of systems, applications, or data
Mitigation: Restrict access for users to only those systems, applications, and data needed to perform their job. Minimize write/delete permissions to the data owner only.

Risk, threat, or vulnerability: Disgruntled employee attacks the organization or commits sabotage.
Mitigation: Track and monitor abnormal employee behavior, erratic job performance, and use of IT infrastructure during off-hours. Begin IT access control lockout procedures based on AUP monitoring and compliance.

Risk, threat, or vulnerability: Employee romance gone bad
Mitigation: Track and monitor abnormal employee behavior and use of IT infrastructure during off-hours. Begin IT access control lockout procedures based on AUP monitoring and compliance.

Risk, threat, or vulnerability: Employee blackmail or extortion
Mitigation: Track and monitor abnormal employee behavior and use of IT infrastructure during off-hours. Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee positions and access. IDS/IPS security appliances examine the IP data streams for inbound and outbound traffic. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic as per policy definition.

Workstation Domain

The Workstation Domain is where most users connect to the IT infrastructure. A workstation can be a desktop computer, laptop computer, or any other device that connects to your network. Other devices might include a personal data assistant (PDA), a smartphone, or a special-purpose terminal. You can find more details about mobile devices in the “Remote Access Domain” section.

Workstation Domain Roles, Responsibilities, and Accountability

Here's an overview of what should go on in the Workstation Domain:

• Roles and tasks—An organization’s staff should have the access necessary to be productive. Tasks include configuring hardware, hardening systems, and verifying antivirus files. Hardening a system is the process of ensuring that controls are in place to handle any known threats. Hardening activities include ensuring that all computers have the latest software revisions, security patches, and system configurations. The Workstation Domain also needs additional layers of defense. Another common defense layer is implementing workstation logon IDs and passwords to protect this entry into the IT infrastructure.
• Responsibilities—The desktop support group is responsible for the Workstation Domain. Enforcing defined standards is critical to ensuring the integrity of user workstations and data.
The IT security personnel must safeguard controls within the Workstation Domain. Human resources must define proper access controls for workers based on their job. IT security personnel then assign access rights to systems, applications, and data based on this definition. • Accountability—The IT desktop manager is accountable for allowing employees the greatest use of their Workstation Domain. The director of IT security is in charge of ensuring that the Workstation Domain conforms to policy. Risks, Threats, and Vulnerabilities Commonly Found in the Workstation Domain The Workstation Domain requires tight security and access controls. This is where users first access systems, applications, and data. The Workstation Domain requires a logon ID and password for access. Table 1-2 lists the risks, threats, and vulnerabilities commonly found in the Workstation Domain, along with ways to protect against them. 1 CHAPTER 1 | Information Systems Security Risks, threats, vulnerabilities, and mitigation plans for the Workstation Domain. Risk, Threat, or VulnerabiLITY Mitigation Unauthorized access to workstation Enable password protection on workstations for access. Enable auto screen lockout for inactive times. Unauthorized access to systems, applications, and data Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user’s right to gain access. Desktop or laptop computer operating system software vulnerabilities Define workstation operating system vulnerability window policy definition. A vulnerability window is the gap in time that you leave a computer unpatched with a security update. Start periodic Workstation Domain vulnerability tests to find gaps. Desktop or laptop application software vulnerabilities and software patch updates Define a workstation application software vulnerability window policy. 
Update application software and security patches according to defined policies, standards, procedures, and guidelines. Viruses, malicious code, or malware infects a user’s workstation or laptop computer. Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and updates individual workstations with proper protection. User inserts compact disks (CDs), digital video disks (DVDs), or universal serial bus (USB) thumb drive into organization computer. Deactivate all CD, DVD, and USB ports. Enable automatic antivirus scans for inserted CDs, DVDs, and USB thumb drives that have files. User downloads photos, music, or videos via the Internet. Use content filtering and antivirus scanning at Internet entry and exit. Enable workstation auto-scans for all new files and automatic file quarantine for unknown file types. User violates AUP and creates security risk for the organization’s IT infrastructure. Mandate annual security awareness training for all employees. Set up security awareness campaigns and programs throughout the year. Information Systems Security Table 1-2 19 20    PART 1 | The Need for Information Security LAN Domain A local area network (LAN) is a collection of computers connected to one another or to a common connection medium. Network connection mediums can include wires, fiberoptic cables, or radio waves. LANs are generally organized by function or department. Once connected, your computer can access systems, applications, possibly the Internet, and data. The third component in the IT infrastructure is the LAN Domain. The physical part of the LAN Domain consists of the following: • Network interface card (NIC)—The interface between the computer and the LAN physical media. The network interface card (NIC) has a 6-byte Media Access Control (MAC) layer address that serves as the NIC’s unique hardware identifier. 
• Ethernet LAN—LAN solution based on the IEEE 802.3 CSMA/CD standard for 10/100/1000Mbps Ethernet networking. Ethernet is the most popular LAN standard. Today’s LAN standard is the Institute of Electrical and Electronics Engineers (IEEE) 802.3 Carrier Sense Multiple Access/Collision Detection (CSMA/CD) specification. Ethernet is available in 10Mbps, 100Mbps, 1Gbps, and 10Gbps speeds.
• Unshielded twisted-pair cabling—The workstation cabling that uses RJ-45 connectors and jacks to physically connect to a 100Mbps/1Gbps/10Gbps Ethernet LAN switch.
• LAN switch—The device that connects workstations into a physical Ethernet LAN. A switch provides dedicated Ethernet LAN connectivity for workstations and servers. This provides maximum throughput and performance for each workstation. There are two kinds of LAN switches. A Layer 2 switch examines the MAC layer address and makes forwarding decisions based on MAC layer address tables. A Layer 3 switch examines the network layer address and routes packets based on routing protocol path determination decisions. A Layer 3 switch is the same thing as a router.
• File server and print server—High-powered computers that provide file sharing and data storage for users within a department. Print servers support shared printer use within a department.
• Wireless access point (WAP)—For wireless LANs (WLANs), radio transceivers are used to transmit IP packets from a WLAN NIC to a wireless access point (WAP). The WAP transmits WLAN signals for mobile laptops to connect. The WAP connects back to the LAN switch using unshielded twisted-pair cabling.

Ethernet switches typically provide 100Mbps or 1Gbps connectivity for each workstation. Ethernet switches are also equipped with modules that support 1Gbps or 10Gbps Ethernet backbone connections. These backbone connections commonly use fiber-optic cabling.

The logical part of the LAN Domain consists of the following:
• System administration—Setup of user LAN accounts with logon ID and password access controls (that is, user logon information).
• Design of directory and file services—The servers, directories, and folders to which the user can gain access.
• Design of server disk storage space, backup and recovery of user data—Users can store data files on LAN disk storage areas where data is backed up and archived daily. In the event of data loss or corruption, data files can be recovered from the backed-up files.
• Design of virtual LANs (VLANs)—With Layer 2 and Layer 3 LAN switches, you can configure Ethernet ports to be on the same virtual LAN (VLAN), even though they may be connected to different physically connected LANs. This is the same thing as configuring workstations and servers to be on the same Ethernet LAN or broadcast domain.
• Configuration of workstation and server TCP/IP software and communication protocols—IP addressing, IP default gateway router, subnet mask address, etc. The IP default gateway router acts as the entry/exit to the LAN. The subnet mask address defines the IP network number and IP host number.

Users get access to their department’s LAN and other applications according to what their job calls for.

LAN Domain Roles, Responsibilities, and Accountability

Here's an overview of what should go on in the LAN Domain:
• Roles and tasks—The LAN Domain includes both physical network components and logical configuration of services for users. Management of the physical components includes:
  • Cabling
  • NIC cards
  • LAN switches
  • Wireless access points (WAPs)
  LAN system administration includes maintaining the master lists of user accounts and access rights. In the LAN Domain, second-level authentication may be required. Second-level proof is like a gate where the user must confirm who he or she is a second time.
• Responsibilities—The LAN support group is in charge of the LAN Domain. This includes both the physical components and logical elements. LAN system administrators must maintain and support departments’ file and print services and configure access controls for users.
• Accountability—The LAN manager’s duty is to maximize use and integrity of data within the LAN Domain. The director of IT security must ensure that the LAN Domain conforms to policy.

Risks, Threats, and Vulnerabilities Commonly Found in the LAN Domain

The LAN Domain also needs strong security and access controls. Users can access company-wide systems, applications, and data from the LAN Domain. This is where the third layer of defense is required. This defense protects the IT infrastructure and the LAN Domain. Table 1-3 lists the risks, threats, and vulnerabilities commonly found in the LAN Domain with appropriate risk-reducing strategies.

Table 1-3 Risks, threats, vulnerabilities, and mitigation plans for the LAN Domain.
Risk, Threat, or Vulnerability | Mitigation
Unauthorized access to LAN | Make sure wiring closets, data centers, and computer rooms are secure. Do not allow anyone access without proper ID.
Unauthorized access to systems, applications, and data | Define strict access control policies, standards, procedures, and guidelines. Implement a second-level identity check to gain access to sensitive systems, applications, and data.
LAN server operating system software vulnerabilities | Define server/desktop/laptop vulnerability window policies, standards, procedures, and guidelines. Conduct periodic LAN Domain vulnerability assessments to find software gaps. A vulnerability assessment is a software review that identifies bugs or errors in software. These bugs and errors go away when you upload software patches and fixes.
LAN server application software vulnerabilities and software patch updates | Define a strict software vulnerability window policy requiring quick software patching.
Rogue users on WLANs gain unauthorized access. | Use WLAN network keys that require a password for wireless access. Turn off broadcasting on WAPs. Require second-level authentication prior to granting WLAN access.
Confidentiality of data transmissions via WLAN connections is compromised. | Implement encryption between workstation and WAP to maintain confidentiality.
LAN servers have different hardware, operating systems, and software, making it difficult to manage and troubleshoot. | Implement LAN server and configuration standards, procedures, and guidelines.

LAN-to-WAN Domain

The LAN-to-WAN Domain is where the IT infrastructure links to a wide area network and the Internet. Unfortunately, connecting to the Internet is like rolling out the red carpet for bad guys. The Internet is open, public, and easily accessible by anyone. Most Internet traffic is cleartext. That means it’s visible and not private.

Network applications use two common transport protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Both TCP and UDP use port numbers to identify the application or function; these port numbers function like channels on a TV, which dictate which station you’re watching. When a packet is sent via TCP or UDP, its port number appears in the packet header—which essentially reveals what type of packet it is. This is like advertising to the world what you are transmitting. Examples of common TCP and UDP port numbers include the following:
• Port 80: Hypertext Transfer Protocol (HTTP)—Hypertext Transfer Protocol (HTTP) is the communications protocol between Web browsers and Web sites with data in cleartext.
• Port 20: File Transfer Protocol (FTP)—File Transfer Protocol (FTP) is a protocol for performing file transfers. FTP uses TCP as a connection-oriented data transmission but in cleartext. Connection-oriented means individual packets are numbered and acknowledged as being received to increase integrity of the file transfer.
• Port 69: Trivial File Transfer Protocol (TFTP)—Trivial File Transfer Protocol (TFTP) is a protocol for performing file transfers. TFTP utilizes UDP as a connectionless data transmission but in cleartext. This is used for small and quick file transfers given that it does not guarantee individual packet delivery.
• Port 23: Terminal Network (Telnet)—Telnet is a network protocol for performing remote terminal access to another device. Telnet uses TCP and sends data in cleartext.
• Port 22: Secure Shell (SSH)—This is a network protocol for performing remote terminal access to another device. SSH encrypts the data transmission for maintaining confidentiality of communications.

A complete list of well-known port numbers from 0 to 1023 is maintained by the Internet Assigned Numbers Authority (IANA). The IANA helps coordinate global domain name services, IP addressing, and other resources. Well-known port numbers are on the IANA Web site at this location: http://www.iana.org/assignments/port-numbers.

Because the TCP/IP family of protocols lacks security, the need for security controls when dealing with protocols in this family is greater. The LAN-to-WAN Domain represents the fourth layer of defense for a typical IT infrastructure.

LAN-to-WAN Domain Roles, Responsibilities, and Accountability

Here's an overview of what should go on in the LAN-to-WAN Domain:
• Roles and tasks—The LAN-to-WAN Domain includes both the physical pieces and logical design of security appliances. It is one of the most complex areas within an IT infrastructure to secure. You need to maintain security while giving users as much access as possible. Physical parts need to be managed to give easy access to the service. The security appliances must be logically configured to adhere to policy definitions. This will get the most out of availability, ensure data integrity, and maintain confidentiality. The roles and tasks required within the LAN-to-WAN Domain include managing and configuring the following:
  • IP routers—An IP router is a network device used to transport IP packets to and from the Internet or WAN. Path determination decisions forward IP packets. Configuration tasks include IP routing and access control lists (ACLs). ACLs are used to permit and deny traffic like a filter.
  • IP stateful firewalls—An IP stateful firewall is a security appliance used to filter inbound IP packets based on various ACL definitions configured for IP, TCP, and UDP packet headers. A stateful firewall can examine IP, TCP, or UDP packet headers for filtering.
  • Demilitarized zone (DMZ)—The demilitarized zone (DMZ) is a LAN segment in the LAN-to-WAN Domain that acts as a buffer zone for inbound and outbound IP traffic. External servers such as Web servers, proxy servers, and e-mail servers can be placed here for greater isolation and screening of IP traffic.
  • Intrusion detection system (IDS)—This security appliance examines IP data streams for common attack and malicious intent patterns. IDSs are passive and can be set to trigger an alarm.
  • Intrusion prevention system (IPS)—An IPS does the same thing as an IDS but can block IP data streams identified as malicious. IPSs can end the actual communication session, filter by source IP addresses, and block access to the targeted host.
  • Proxy servers—A proxy server acts as a middleman between a workstation and the external target. Traffic goes to the intermediary server acting as the proxy. Data can be analyzed and properly screened before it is allowed into the IT infrastructure.
  • Web content filter—This security appliance can prevent content from entering an IT infrastructure based on filtering of domain names or of keywords within domain names.
  • E-mail content filter and quarantine system—This security appliance can block content within e-mails or unknown file attachments for proper antivirus screening and quarantining. Upon review, the e-mail and attachments can be forwarded to the user.
  • Internet entry/exit performance monitoring—This monitoring occurs where the IT infrastructure connects to the Internet through a dedicated Internet access link to maximize availability, and monitor performance and link utilization.
  You can find more details about DMZ, IDS, IPS, firewalls, and proxy servers in Chapter 10.
• Responsibilities—The network security group is responsible for the LAN-to-WAN Domain. This includes both the physical components and logical elements. Group members are responsible for applying the defined security controls.
• Accountability—Your organization’s WAN network manager has a duty to manage the LAN-to-WAN Domain. The director of IT security ensures that the LAN-to-WAN Domain security policies, standards, procedures, and guidelines are used.

Risks, Threats, and Vulnerabilities Commonly Found in the LAN-to-WAN Domain

The LAN-to-WAN Domain needs strict security controls given the risks and threats of connecting to the Internet. This domain is where all data travels into and out of the IT infrastructure. The LAN-to-WAN Domain provides Internet access for the entire organization and acts as the entry/exit point for the wide area network (WAN). The LAN-to-WAN Domain is where the fourth layer of defense is required. Table 1-4 lists the risks, threats, and vulnerabilities commonly found in the LAN-to-WAN Domain with appropriate risk-reduction strategies.

Table 1-4 Risks, threats, vulnerabilities, and mitigation plans for the LAN-to-WAN Domain.
Risk, Threat, or Vulnerability | Mitigation
Unauthorized network probing and port scanning | Disable ping, probing, and port scanning on all exterior IP devices within the LAN-to-WAN Domain. Ping uses the Internet Control Message Protocol (ICMP) echo-request and echo-reply protocol. Disallow IP port numbers used for probing and scanning and monitor with IDS/IPS.
Unauthorized access through the LAN-to-WAN Domain | Apply strict security monitoring controls for intrusion detection and prevention. Monitor for inbound IP traffic anomalies and malicious-intent traffic. Block traffic right away if malicious.
IP router, firewall, and network appliance operating system software vulnerability | Define a strict zero-day vulnerability window definition. Update devices with security fixes and software patches right away.
IP router, firewall, and network appliance configuration file errors or weaknesses | Conduct post-configuration penetration tests of the layered security solution within the LAN-to-WAN Domain. Test inbound and outbound traffic and fix any gaps.
Remote users can access the organization’s infrastructure and download sensitive data | Apply and enforce the organization’s data classification standard. Deny outbound traffic using source IP addresses in access control lists. If remote downloading is allowed, encrypt where necessary.
Local users download unknown file type attachments from unknown sources | Apply file transfer monitoring, scanning, and alarming for unknown file types from unknown sources.
Local users receive unknown e-mail attachments and embedded URL links | Apply e-mail server and attachment antivirus and e-mail quarantining for unknown file types. Stop domain-name Web site access based on content-filtering policies.
Local users lose productivity surfing the Web and not focusing on work tasks. | Apply domain-name content filtering at the Internet entry/access point.
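Two of the Table 1-4 rows, unauthorized probing and port scanning against exterior devices and the cleartext port numbers the section lists, written as the detection logic an IDS/IPS or firewall-log review would apply, run over a constructed connection log. This is an added example, not the textbook's; the log line format, the 10.0.0.0/8 LAN and 203.0.113.0/24 DMZ ranges, and the 10-ports-in-60-seconds scan threshold are assumptions.

```python
"""Detection logic for two rows of the LAN-to-WAN Domain table: probing/port
scanning against exterior devices, and cleartext application protocols leaving
the network. Added example, not from the textbook; the log line format, the
address ranges and the scan threshold are constructed assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports the chapter names as cleartext protocols. Port 21 is added here: it is
# FTP's control channel, which is what a connection log records for a session.
CLEARTEXT_PORTS = {20: "FTP-data", 21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP"}

# Assumed address plan: 10.0.0.0/8 is the LAN, 203.0.113.0/24 is the DMZ.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Conn:
    ts: datetime
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed firewall log line of the form
    '<ISO time> <action> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, action, proto, src, _, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), action, proto, src_ip, dst_ip, int(dport))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def cleartext_egress(conns):
    """Allowed connections from inside to the Internet on a cleartext port.
    Each hit is a session to check against the data classification standard,
    since confidential data must not travel over these without encryption."""
    return [(c.src, c.dst, c.dport, CLEARTEXT_PORTS[c.dport])
            for c in conns
            if c.action == "allow" and is_internal(c.src)
            and not is_internal(c.dst) and c.dport in CLEARTEXT_PORTS]


def port_scans(conns, threshold=10, window=timedelta(seconds=60)):
    """Report (src, dst, distinct ports) where one source touches at least
    `threshold` distinct ports on one host inside a sliding time window.
    Denied attempts count: a scan is mostly refused connections."""
    by_pair = {}
    for c in conns:
        by_pair.setdefault((c.src, c.dst), []).append((c.ts, c.dport))
    found = []
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window = Counter()   # port -> hits currently inside the window
        left = 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[left][0] > window:     # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                found.append((src, dst, len(in_window)))
                break
    return found


def analyze(log_text: str) -> dict:
    conns = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"cleartext_egress": cleartext_egress(conns), "port_scans": port_scans(conns)}


# Constructed sample: an SSH and a Telnet session out, HTTP and TFTP out, an
# inbound HTTP request to the DMZ web server, then one external host walking
# 12 ports on that server in 22 seconds (all denied).
SAMPLE_LOG = "\n".join([
    "2012-03-01T09:00:01 allow tcp 10.1.20.15:51002 -> 198.51.100.20:22",
    "2012-03-01T09:00:05 allow tcp 10.1.20.15:51003 -> 198.51.100.20:23",
    "2012-03-01T09:00:09 allow tcp 10.1.30.7:51200 -> 198.51.100.44:80",
    "2012-03-01T09:00:12 allow udp 10.1.30.7:51201 -> 198.51.100.44:69",
    "2012-03-01T09:00:15 allow tcp 192.0.2.9:40001 -> 203.0.113.5:80",
] + [
    f"2012-03-01T09:01:{2 * i:02d} deny tcp 192.0.2.77:4{i:04d} -> 203.0.113.5:{p}"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
])


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

The SSH session and the inbound request to the DMZ web server are deliberately left unflagged: only cleartext traffic leaving the network and a many-port walk against one host match the two table rows.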
WAN Domain

The Wide Area Network (WAN) Domain connects remote locations. As network costs drop, organizations can afford faster Internet and WAN connections. Today, telecommunication service providers sell the following:
• Nationwide optical backbones—Optical backbone trunks for private optical backbone networks.
• End-to-end IP transport—IP services and connectivity using the service provider’s IP networking infrastructure.
• Multi-site WAN cloud services—IP services and connectivity offered for multi-site connectivity such as multi-protocol label switching (MPLS) WAN services. MPLS uses labels or tags to make virtual connections between endpoints in a WAN.
• Metropolitan Ethernet LAN connectivity—Ethernet LAN connectivity offered within a city’s area network.
• Dedicated Internet access—A broadband Internet communication link usually shared among an organization.
• Managed services—Router management and security appliance management 24 × 7 × 365.
• Service level agreements (SLAs)—Contractual commitments for monthly service offerings like availability, packet loss, and response time to fix problems.

The WAN Domain represents the fifth component in the IT infrastructure. WAN services can include dedicated Internet access and managed services for customers’ routers and firewalls. Management agreements for availability and response time to outages are common. Networks, routers, and equipment require continuous monitoring and management to keep WAN service available.

WAN Domain Roles, Responsibilities, and Accountability

Here's an overview of what should go on in the WAN Domain:
• Roles and tasks—The WAN Domain includes both physical components and the logical design of routers and communication equipment. It is the second most complex area within an IT infrastructure to secure. Your goal is to allow users the most access possible while making sure what goes in and out is safe. The roles and tasks required within the WAN Domain include managing and configuring the following:
  • WAN communication links—The physical communication link provided as a digital or optical service terminated at your facility. Broadband connection speeds can range from the following:
    • DS0 (64Kbps) to DS1 (1.544Mbps) to DS3 (45Mbps) for digital service
    • OC-3 (155Mbps) to OC-12 (622Mbps) to OC-48 (2,488Mbps) for optical service
    • 10/100/1000Mbps Metro Ethernet LAN connectivity depending on physical distance
  • IP network design—The logical design of the IP network and addressing schema. This requires network engineering, design of alternate paths, and selection of IP routing protocol.
  • IP stateful firewall—A security appliance that is used to filter IP packets and block unwanted IP, TCP, and UDP packet types from entering or leaving the network. Firewalls can be installed on workstations, routers, or as standalone devices protecting LAN segments.
  • IP router configuration—The actual router configuration information needed for the WAN backbone and edge routers used for IP connections to remote locations. The configuration must be based on the IP network design and addressing schema.
  • Virtual private networks (VPNs)—A virtual private network (VPN) is a dedicated tunnel from one endpoint to another. In many applications, the VPN tunnel is encrypted. The VPN tunnel can be created between a remote workstation using the public Internet and a VPN router or a secure browser and SSL-VPN Web site.
  • Multi-protocol label switching (MPLS)—A WAN software feature that allows customers to maximize performance. MPLS labels IP packets for rapid transport through virtual tunnels between designated endpoints. This is a form of Layer 2 switching and bypasses the routing path determination process.
  • SNMP network monitoring and management—Simple network management protocol (SNMP) is used for network device monitoring, alarming, and performance.
  • Router and equipment maintenance—A requirement to perform hardware and firmware updates, upload new operating system software, and configure routers and ACLs.
• Responsibilities—The network engineer or WAN group is responsible for the WAN Domain. This includes both the physical components and logical elements. Network engineers and security practitioners set up the defined security controls according to defined policies. Note that because of the complexities of IP network engineering, many groups now outsource management of their WAN and routers to service providers. This service includes SLAs that ensure that the system is available and that problems are solved quickly. In the event of a WAN connection outage, customers call a toll-free number for their service provider’s network operations center (NOC).
• Accountability—Your organization’s IT network manager must maintain, update, and provide technical support for the WAN Domain. The director of IT security ensures that the company meets WAN Domain security policies, standards, procedures, and guidelines.

Some organizations use the public Internet as their WAN infrastructure. While it is cheaper, the Internet does not guarantee delivery or security. The following presents Internet risks, threats, and vulnerabilities, as well as risk-mitigation strategies.

Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Internet)

Telecommunication service providers are in the business of providing WAN connectivity for end-to-end communications. Service providers must take on the responsibility for securing their network infrastructure first. Customers who sign up for WAN communication services must review the terms, conditions, and limitations of liability within their service contract. This is important because organizations must figure out where their duties start and end regarding router management and security management. The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services.

The WAN Domain is where the fifth layer of defense is required. Table 1-5 lists the risks, threats, and vulnerabilities found in the Internet segment of the WAN Domain and appropriate risk-lowering strategies. Telecommunication service providers sell WAN connectivity services. Some providers now also provide security management services. The following section presents WAN connectivity risks, threats, and vulnerabilities and risk-reducing strategies.

Table 1-5 Risks, threats, vulnerabilities, and mitigation plans for the WAN Domain (Internet).
Risk, Threat, or Vulnerability | Mitigation
Open, public, easily accessible to anyone that wants to connect | Apply acceptable use policies, in accord with the document “RFC 1087: Ethics and the Internet.” Enact new laws regarding unauthorized access to systems, malicious attacks on IT infrastructures, and financial loss due to malicious outages.
Most Internet traffic is sent in cleartext. | Prohibit using the Internet for private communications without encryption and VPN tunnels. If you have a data classification standard, follow the policies, procedures, and guidelines specifically.
Vulnerable to eavesdropping | Use encryption and VPN tunnels for end-to-end secure IP communications. If you have a data classification standard, follow the policies, procedures, and guidelines.
Vulnerable to malicious attacks | Deploy layered LAN-to-WAN security countermeasures, DMZ with IP stateful firewalls, IDS/IPS for security monitoring, and quarantining of unknown e-mail file attachments.
Vulnerable to denial of service (DoS), distributed denial of service (DDoS), TCP SYN flooding, and IP spoofing attacks | Apply filters on exterior IP stateful firewalls and IP router WAN interfaces to block TCP SYN and ICMP (ping). Alert your Internet service provider (ISP) to put the proper filters on its IP router WAN interfaces in accordance with CERT Advisory CA-1996-21.
Vulnerable to corruption of information and data | Encrypt IP data transmissions with VPNs. Back up and store data in off-site data vaults (online or physical data backup) with tested recovery procedures.
TCP/IP applications are inherently insecure (HTTP, FTP, TFTP, etc.). | Refer to your data classification standard for proper handling of data and use of TCP/IP applications. Never use TCP/IP applications for confidential data without proper encryption. Create a network-management VLAN and isolate TFTP and SNMP traffic used for network management.
Hackers, attackers, and perpetrators e-mail Trojans, worms, and malicious software freely. | Scan all e-mail attachments for type, antivirus, and malicious software at the LAN-to-WAN Domain. Isolate and quarantine unknown file attachments until further security review is conducted. Provide security awareness training to remind employees of dangers.

Risks, Threats, and Vulnerabilities Commonly Found in the WAN Domain (Connectivity)

Telecommunications companies are responsible for building and transporting customer IP traffic. Sometimes this IP traffic is bundled with dedicated Internet access, providing shared broadband access organization-wide. If organizations outsource their WAN infrastructure, management and security must extend to the service provider. Organizations must define security policies and needs for their managed security provider to put in place. Table 1-6 lists the risks, threats, and vulnerabilities related to connectivity found in the WAN Domain and appropriate risk-lowering strategies.

Table 1-6 Risks, threats, vulnerabilities, and mitigation plans for the WAN Domain (connectivity).
Risk, Threat, or Vulnerability | Mitigation
Commingling of WAN IP traffic on same service provider router and infrastructure | Encrypt confidential data transmissions through service provider WAN using VPN tunnels.
Maintaining high WAN service availability | Obtain WAN service availability SLAs. Deploy redundant Internet and WAN connections when 100 percent availability is required.
Maximizing WAN performance and throughput | Apply WAN-optimization and data-compression solutions when accessing remote systems, applications, and data. Enable access control lists (ACLs) on outbound router WAN interfaces in keeping with policy.
Using SNMP network-management applications and protocols maliciously (ICMP, Telnet, SNMP, DNS, etc.) | Create a separate WAN network-management VLAN. Use strict firewall ACLs allowing SNMP manager and router IP addresses through the LAN-to-WAN Domain.
SNMP alarms and security monitoring 24 × 7 × 365 | Outsource security operations and monitoring. Expand services to include managed security.

Remote Access Domain

The Remote Access Domain connects remote users to the organization’s IT infrastructure. Remote access is critical for staff members who work in the field or from home—for example, outside sales reps, technical-support specialists, or health care professionals. Global access makes it easy to connect to the Internet, e-mail, and other business applications anywhere you can find a Wireless Fidelity (Wi-Fi) hotspot. The Remote Access Domain is important to have, but dangerous to use. It introduces many risks and threats from the Internet.

Today’s mobile worker depends on the following:
• Highly available cell-phone service—Mobile workers need cell-phone service to get in touch with office and support teams.
• Real-time access for critical communications—Use of text messaging or IM chat on cell phones provides quick answers to short questions and does not require users to completely interrupt what they are doing.
• Access to e-mail from a mobile device—Integration of e-mail with cell phones, smartphones, personal data assistants (PDAs) or BlackBerry devices provides quick response to important e-mail messages.
• Broadband Wi-Fi Internet access—Some nationwide service providers now offer Wi-Fi broadband access cards. They allow wireless access in major metro areas.
• Local Wi-Fi hotspot—Wi-Fi hotspots are abundant, including in airports, libraries, coffee shops, and retailers. While most are free,...

Explanation & Answer

Hello, your work is ready. You can have a look.

Running head: IT CERTIFICATION

Information Technology Certifications
Student Name
University Affiliate:
Date:

IT Certifications

Certification refers to the whole process or action of giving an individual, organization or something an official accreditation that verifies achievement of a certain level or status. From this, we can, therefore, define IT certification as the awarding of official documents to an individual showing that they have professional competency in a particular aspect of information technology. There are various certifications in the IT field, which include Computer Technology Industry Association (CompTIA), Certified Internet Webmaster (CIW), Cisco Systems, IEEE Computer Society and Information System Audit and Control Association (ISACA), among others. In this paper, we focus on only two of these certifications: CompTIA and ISACA.
CompTIA
Comp...

