Aula 01 - Fundamentos da segurança dos sistemas de informações
2 likes145 views
This document discusses key concepts in information systems security including confidentiality, integrity, availability (CIA), common threats across seven domains of an IT infrastructure, and roles involved in implementing the CIA triad. It explains the CIA concepts, outlines common threats in different domains like users, workstations, LANs, and remote access, and identifies users, administrators, managers and vendors as responsible for maintaining confidentiality, integrity and availability.
Aula 01 - Fundamentos da segurança dos sistemas de informações
- 1. © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Fundamentos da segurança dos sistemas de informação Unit 1 Information Systems Security Fundamentals
- 2. Page 2Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
- 3. Page 3Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Key Concepts § Confidentiality, integrity, and availability (CIA) concepts § Layered security solutions implemented for the seven domains of a typical IT infrastructure § Common threats for each of the seven domains § IT security policy framework § Impact of data classification standard on the seven domains
- 4. Page 4Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com DISCOVER: CONCEPTS
- 5. Page 5Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Introducing ISS ISS Informat ion System s Informat ion
- 6. Page 6Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com The CIA Triad Confidentiality Integrity Availability
- 7. Page 7Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Confidentiality Personal Data and Information • Credit card account numbers and bank account numbers • Social Security numbers and address information Intellectual Property • Copyrights, patents, and secret formulas • Source code, customer databases, and technical specifications National Security • Military intelligence • Homeland security and government-related information
- 8. Page 8Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com O que estamos protegendo?
- 9. Page 9Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Integrity Maintain valid, uncorrupted, and accurate information. § User names and passwords § Patents and copyrights § Source code § Diplomatic information § Financial data
- 10. Page 10Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com
- 11. Page 11Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Availability X X X
- 12. Page 12Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Conduct and Ethics in ISS §ISS is a classic battle of “good vs. evil.” §No global laws, rules, or regulations govern cyberspace. §U.S. government and Internet Architecture Board (IAB) have developed joint Internet acceptable use policy (AUP). §Security professionals are in high demand as the “good guys.”
- 13. Page 13Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Leis de Conformidade
- 14. Page 14Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Compliance Laws Driving ISS Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Act Children’s Internet Protection Act (CIPA)
- 15. Page 15Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com IT Security Policy Framework POLICY Standard Procedure Guideline A short written statement that defines a course of action that applies to the entire organization A detailed written definition of how software and hardware are to be used Written instructions for how to use the policy and standard Suggested course of action for using the policy, standard, or procedure
- 16. Page 16Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com
- 17. Page 17Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Seven Domains of a Typical IT Infrastructure
- 18. Page 18Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Ciberespaço: uma nova fronteira
- 19. Page 19Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com
- 20. Page 20Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com O que está representado na figura?
- 21. Page 21Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the User Domain §Lack of user awareness §User apathy toward policies §User violating security policy §User inserting CD/DVD/USB with personal files
- 22. Page 22Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the User Domain (Continued) §User downloading photos, music, or videos §User destructing systems, applications, and data §Disgruntled employee attacking organization or committing sabotage §Employee blackmail or extortion
- 23. Page 23Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com §Unauthorized workstation access §Unauthorized access to systems, applications, and data §Desktop or laptop operating system vulnerabilities §Desktop or laptop application software vulnerabilities or patches Common Threats in the Workstation Domain
- 24. Page 24Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com §Viruses, malicious code, and other malware §User inserting CD/DVD/USB with personal files §User downloading photos, music, or videos Common Threats in the Workstation Domain (Continued)
- 25. Page 25Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the LAN Domain §Unauthorized physical access to LAN §Unauthorized access to systems, applications, and data §LAN server operating system vulnerabilities §LAN server application software vulnerabilities and software patch updates
- 26. Page 26Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the LAN Domain (Continued) §Rogue users on WLANs §Confidentiality of data on WLANs §LAN server configuration guidelines and standards
- 27. Page 27Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com §Unauthorized probing and port scanning §Unauthorized access §Internet Protocol (IP) router, firewall, and network appliance operating system vulnerability §Local users downloading unknown file types from unknown sources Common Threats in the LAN-to-WAN Domain WAN
- 28. Page 28Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com §Open, public, and accessible data §Most of the traffic being sent as clear text §Vulnerable to eavesdropping §Vulnerable to malicious attacks §Vulnerable to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks Common Threats in the WAN Domain WAN
- 29. Page 29Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com §Vulnerable to corruption of information and data §Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications §Hackers and attackers e-mailing Trojans, worms, and malicious software freely and constantly Common Threats in the WAN Domain (Continued) WAN
- 30. Page 30Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the Remote Access Domain Internet § Brute force user ID and password attacks § Multiple logon retries and access control attacks § Unauthorized remote access to IT systems, applications, and data § Confidential data compromised remotely § Data leakage in violation of data classification standards
- 31. Page 31Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Common Threats in the Systems/Applications Domain Cloud Computing § Unauthorized access to data centers, computer rooms, and wiring closets § Difficult-to-manage servers that require high availability § Server operating systems software vulnerability management § Security required by cloud computing virtual environments § Corrupt or lost data
- 32. Page 32Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com DISCOVER: PROCESSES
- 33. Page 33Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Implementing the CIA Triad Confidentiality AUP Security Awareness Policy Enhanced Access Control
- 34. Page 34Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Implementing the CIA Triad (Continued) Integrity AUP Security Awareness Policy Enhanced Access Control Threat Assessment and Monitoring Asset Protection Policy Vulnerability Assessment and Management
- 35. Page 35Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Implementing the CIA Triad (Continued) Availability AUP Security Awareness Policy Enhanced Access Control Threat Assessment and Monitoring Asset Protection Policy Vulnerability Assessment and Management Data Classification Standard
- 36. Page 36Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com DISCOVER: ROLES
- 37. Page 37Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Who Implements the CIA Triad? Confidentiality Integrity Availability §User §IT administrator §Network administrator §Human resources §Senior management §User §IT administrator §Network administrator §Human resources §Senior management §IT administrator §Network administrator §Third-party vendor
- 38. Page 38Fundamentals of Information Systems Security © 2012 Jones and Bartlett Learning, LLC www.jblearning.com Summary §Terms associated with ISS include risks, threats, and vulnerabilities. §Layered security strategy protects an IT infrastructure’s CIA. §IT policy framework includes policies, standards, procedures, and guidelines. §Data classification standard defines how data is to be handled within an IT infrastructure.