Sunday, December 7, 2014

11.1 - The Role of the Operations Department

Companies perform important pieces of “due care and due diligence” efforts, which include correct policies, procedures, standards, and guidelines. These due diligence efforts require responsible, careful, cautious, and practical company practices. It is important to identify systems and operations that are sensitive (meaning they need to be protected from disclosure) and critical (meaning they must remain available at all times). Organizations consider many threats including disclosure of confidential data, theft of assets, corruption of data,...

10.3 - Software Development Life Cycle

The Software Development Life Cycle consists of requirements gathering, design, development, testing/validation, and release/maintenance.
• Requirements gathering: determines why the software is being created, what the software will do, and for whom the software will be created
• Design: deals with how the software will accomplish the goals identified
• Development: programming software code to meet specifications laid out in the design phase
• Testing/validation:...

Wednesday, December 3, 2014

10.2 - System Development Life Cycle

A life cycle is a representation of development changes. Systems have their own developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. These together are referred to as a system development life cycle (SDLC).
• Initiation: Need for a new system is defined
• Acquisition/development: New system is either created or purchased
• Implementation: New system is installed into production environment
• Operation/maintenance: System is used and cared for
• Disposal: System...

10.1 - Where Do We Place Security?

Different Environments Demand Different Security - Network and security administrators are overwhelmingly having to integrate various applications and computer systems to keep up with company demand.

Environment vs Application - Application controls are very specific to their needs and in the security compromises they understand.

Functionality vs Security - Code security and functionality is inherently built-i...

9.3 - Ethics

Ethics are based on many different issues and foundations; because of this, they are interpreted differently on an individual basis. The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means. The Computer Ethics Institute has developed its own Ten Commandments of Computer Ethics:
• Thou shalt not use a computer to harm other people.
• Thou shalt not interfere with other people’s computer work.
• Thou shalt not snoop around in other people’s computer files.
• Thou shalt not use a computer to steal.
• Thou...

9.2 - Intellectual Property Laws

Intellectual property laws do not always concern themselves with what is right or wrong. Their main focus is on how organizations and individuals protect what they rightfully own from unauthorized use. This provides these entities options for what they can do if these laws are violated.

Trade Secret

This is something that is proprietary to an organization and vital for its profitability and survival. For example, the trade secret that Coca-Cola owns is the formula used for their soft drink. This resource is highly confidential and protected...

9.1 - Complexities in Cybercrime

A majority of cyber attackers are rarely caught because they mask their identities and addresses; this is known as spoofing. As we know, these attackers hack into networks, retrieve any resources they sought, and wipe clean all logs that may have tracked their activity. Oftentimes, companies do not even know they have been violated.

The Evolution of Attacks

In the early days of computing, hackers were mainly made up of people who just enjoyed the thrill of hacking. True hackers saw this as a challenging game without any real intent of harm or damage....

Tuesday, December 2, 2014

8.1 - Business Continuity and Disaster Recovery

The goal of a business after a disaster is recovery. The steps required to minimize the effects of a disaster and disruption mean that necessary actions are enacted to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. This differs from continuity planning, which provides procedures for dealing with long-term outages and disasters. The goal of a disaster recovery plan is to handle the disaster...

7.5 - Internet Security

A common misconception that people tend to have is that the Web is the Internet; it is not. The Web actually runs on top of the Internet; it is the collection of servers that process websites. The Internet is the collection of physical devices and communication protocols that interact with these websites. Web browsers understand protocols because they have the capability to process the various types of commands; however, they do not understand all of them. For those protocols or commands the user’s browser does not know how to process, the user...

7.4 - Link Encryption vs. End-to-End Encryption

Encryption is performed with different types of protection and communication levels. Two general types of encryption implemented are link encryption and end-to-end encryption. Link encryption, or online encryption, is provided by service providers and integrated into their network protocols. All of the information is encrypted, so the packets must be decrypted at each point for the router to send the packet on. The router must decrypt...

7.3 - Public Key Infrastructure

Public key infrastructure contains programs, data formats, procedures, communication protocols, security policies, and public key cryptography working together. The public key establishes trust within an environment. This ISO framework uses public key cryptography; it sets up authentication across various networks and the Internet. Public key cryptography is alternatively known as asymmetric algorithms. We need e-mail clients, e-mail servers, and e-mail messages, which together build a type of infrastructure, an e-mail infrastructure. PKI is made...

Monday, December 1, 2014

7.2 - Methods of Encryption

There are several parts to an encryption process; however, it should be noted that there are two main pieces: algorithms and keys. Algorithms used in computer systems are complex mathematical formulas that enforce rules of how the plaintext will be turned into ciphertext. Keys are strings of bits that use these algorithms and add randomness for encryption. To allow entities to communicate through encryption, these entities must use the same algorithm...

7.1 - History of Cryptography

Cryptography is believed to originate in Egypt, around 2000 B.C. Hieroglyphics, at the time, were used to decorate tombs, telling the life story of the deceased. This practice was meant more to portray the story in a noble and ceremonial manner than to actually hide the messages themselves. Over time, encryption evolved from being visual representations of storytelling into applications used to obscure information from others. For example, the substitution cipher (replacement of characters with other characters) became a cryptographic method used....

6.5 - Networking Devices

There are several types of networking devices. These include LANs, MANs, and WANs that provide intercommunication among computers and their networks. These different networking devices vary based on their capabilities and intelligence.

Repeaters

These provide the most basic type of connectivity, by only repeating electrical signals between cable segments, which enables them to extend a network at the physical layer. Additionally, repeaters are add-on devices that extend network connection over further distances. The device amplifies signals.

Bridges

Bridges...

Saturday, November 29, 2014

6.4 - Types of Transmission

Physical data can be transmitted in different ways, analog or digital. It can also use different schemes for synchronization, synchronous or asynchronous. Additionally, physical data can use either one sole channel over a baseband transmission medium or broadband via several different channels over a transmission medium. Transmission can take place as electrical voltage, radio waves, microwaves, and infrared signals.

Analog and Digital Signals...

Thursday, October 30, 2014

6.3 - TCP/IP Model

Transmission Control Protocol/Internet Protocol (TCP/IP) governs the way data travel from one device to another as a suite of protocols. IP is a network layer protocol and provides datagram routing services. IP’s main task is to support internetwork addressing and packet routing. It is a connectionless protocol that envelops data passed to it from the transport layer. It works with other protocols to transmit the data to the destination computer and then reassemble the data back into a form that the application layer can understand and process. The...

6.2 - Open Systems Interconnection Reference Model

The model was created by the ISO (International Organization for Standardization), which has worked to develop a protocol set to be used by all vendors throughout the world to allow the interconnection of network devices. This ideology was perpetuated with the intent of ensuring all vendor products and technologies could communicate and interact across international and technical boundaries. The protocol did not catch on as a standard, but the model of this...

6.1 - Telecommunications & Network Security

Telecommunications and networking use various devices, software, and protocols that are interrelated and integrated. Telecommunications is the electrical transmission of data among systems, whether through analog, digital, or wireless transmission types. Networking, meanwhile, is more complex in the computer field due to evolving technologies. Modern technologies are improving exponentially in functionality and security monthly. Oftentimes there seem to be new and emerging technologies that must be learned, understood, implemented, and secured. Network...

5.5 - Perimeter Security (Part II)

As previously discussed, perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions. Here, we will discuss the elements that make up these categories.

Facility Access Control

Access control needs to be enforced through physical and technical components when it comes to physical security. Having personnel within sensitive areas is one of the best security controls because they can personally detect suspicious behavior. However, they need to be trained...

5.5 - Perimeter Security (Part I)

The first line of defense is perimeter control at the physical site location; this prevents unauthorized access to the facility. Perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions.

Perimeter Security Defense Model: This defense model works in two main modes:

1) During normal facility operations

When the facility is in operation,...

5.4 - Internal Support Systems

When dealing with physical security, support services must be considered. This is done because malfunctions or disruption could negatively affect the organization in many ways. For example, in August of 2003, eight East Coast states (and parts of Canada) lost power for several days. During the investigation, there were rumors of a worm causing this disruption; however, the official report attributed it to a software bug in GE Energy’s XA/21 system. This left over 50 million people without power for days and resulted in four nuclear...

Tuesday, October 21, 2014

5.3 - Protecting Assets

In this section, we identify the main physical security components to fight against threats such as theft, interruption to services, physical damage, compromised systems and environment integrity, and unauthorized access. The loss from these components being damaged as well as cost to replace these systems, consultant fees, and additional negative effects on productivity and customer confidence are considered real losses. Although companies are generally prepared for these types of losses by using risk analysis tools, oftentimes the data held within...

Wednesday, October 15, 2014

5.2 - The Planning Process

Physical security programs rely on the level of protection needed for the organization that they are designed to protect. Typically, this depends on the organization’s acceptable level of risk. When an organization defines the acceptable level of risk, they must first plan and design the laws and regulations for compliance and its threat profile of the overall organization...

Monday, October 13, 2014

5.1 - Introduction to Physical Security

In the early days of computing (circa 1960-1970), the physical security of computers and their resources was not nearly as difficult as it is now in modern times. This is due to the large size of those computers, which consisted mostly of mainframes secured away in server rooms, and the fact that a limited number of individuals knew what to do with them. In present day, most computers are compact enough to sit on desks in every company around the world. Also, access to devices and other resources is distributed throughout the environment....

Sunday, October 12, 2014

4.4 - Open vs. Closed Systems

Open systems are built upon “standards, protocols, and interfaces that have published specifications”. This type of architecture provides interoperability between computer products created by various vendors. This interoperability is provided by all the vendors involved who follow certain standards and provide interfaces that enable the system to communicate with other systems. A vast majority of the systems in use today are open. The book states that the reason an administrator can have several different operating systems on computers and they...

4.3 - System Security Architecture

Firstly, security starts at a policy level, to serve as a high-level directive that provides the foundational goals for an overall system. A security policy is a strategic tool that dictates how sensitive information and resources are managed and protected. A security policy states exactly what the security level should be once the goals of the security mechanisms are defined. The security policy also acts as a baseline for evaluating a system after it is built.

Security Architecture Requirements

Trusted Computing Base: is a collection...

4.2 - Operating System Architecture

Operating system architectures have undergone changes based on industry functionality and security needs. The architecture identifies how the parts of the operating system operate with each other and the functionality that the applications require. The complexity in operating systems is in the architectural approaches running in the kernel mode. As seen below, in a monolithic architecture, all the operating system processes operate in kernel mode. In...

4.1 - Computer Architecture

Computer architecture encompasses all of the functioning parts of a computer system, including the operating system, memory chips, storage devices, and input and output devices, security components, buses, and networking interfaces. The relationships and internal working of these components can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanis...

4 - Security Architecture Introduction

A majority of the compromises organizations around the world experience are due to flaws in software. Amazing strides are made frequently in the advancement of perimeter security technology (firewalls, intrusion detection systems, etc.), but the software that carries critical processing still has a lot of vulnerabilities that are exploited on a daily bas...

3.5 - Threats to Access Control

Generally, there is a higher risk that an attacker will attempt to cause issues from within an organization than from outside it. An attacker from outside a system can enter through remote access entry points, firewalls and even web servers. This can be through a physical break-in, social engineering attacks, and exploits via a partner’s communication paths. Insiders have legitimate reasons for using the systems and resources; however, misuse does occur and could launch an actual attack. The danger of insiders is that they have already...

Wednesday, October 8, 2014

3.4 - Access Control Practices

In this section, we will discuss additional measures to ensure there is no unnecessary open access, allowing the environment to continue at the same level of security that has been established. What this means is that good access control practices need to be implemented and maintained from the beginning. Lack of periodic updates usually causes the most vulnerabilities in an environment. These updates include:
• Deny access to systems to undefined users or anonymous accounts.
• Limit and monitor the usage of administrator and other powerful...

3.3 - Access Control Methods

As stated in the last post, access controls are often implemented at various layers of a system. Some of these controls act as core components of operating systems, devices, and applications.

Access Control Levels

Access control consists of 3 main categories: administrative, technical, and physical. Each category has different access control mechanisms that are carried out manually or automatically.

Administrative Controls
• Policy and procedures
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing

Physical Controls
• Network...

Monday, October 6, 2014

3.2 - Access Controls Techniques & Technologies

As stated by the CISSP All-in-One Exam Guide, Access Control Models are frameworks which dictate how objects are accessed by subjects. These frameworks are enforced by using specific control technologies and security mechanisms of the model.

Discretionary Access Control (DAC)

Gives the resource owner the ability to specify which subjects can access specific resources. The model is named “discretionary” because control of access is based on the owner’s discretion. (e.g. department managers as owners of the data within their can specify...

Thursday, October 2, 2014

3.1 - Access Controls & Authorization

In this section, I will be discussing Access Controls, the second domain of information security.

Access Controls: When protecting assets, access controls act as the first line of defense. An example of this can be the verification of logging into web applications, which restricts access by unauthorized users. These controls are typically administrative, physical, or technical in nature and should be applied in a layered approach, ensuring that an intruder would have to compromise more than one countermeasure to access critical assets. Security...

Thursday, September 25, 2014

Security Definitions

More often than not, the terms Vulnerability, Threat, Risk, and Exposure are interchanged. It is important to acknowledge that these words have separate and unique meanings.

Vulnerability - the lack of a countermeasure or a weakness in the countermeasures in place, e.g., services running on a server, unpatched applications or operating systems, an unrestricted wireless access point,

Threat - any...

Thursday, September 18, 2014

Fundamental Principles of Security

Within security there are 3 core fundamental goals which security must provide: Availability, Integrity, and Confidentiality. These pillars create the AIC triad, which is designed to provide protection for critical assets. Each asset requires different levels of protection, security controls, mechanisms, and safeguards to be implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured...

Tuesday, September 16, 2014

10 CISSP Domains

In the last post, I mentioned that the CISSP Certification Exam covers ten different security domains. These disciplines are defined as:
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Security Operations
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations, and Compliance
• Physical (Environmental) Security ...

Monday, September 15, 2014

Defining CISSP

At this point, you may be wondering what exactly it takes to become a CISSP. Firstly, you should know that before you can earn the CISSP designation, you must take the CISSP Certification Exam. The CISSP certification allows companies to find workers with the ability and experience necessary to implement solid security practices by risk analysis and other countermeasures. These measures are further defined below.
• Growing demand in the security field
• Increase knowledge on concepts and practices
• Bring expertise to your occupation
• To be more...

Wednesday, September 3, 2014

Intro

Hello, my name is Albert Adeseye. I am a Management Information Systems (MIS) major in the Terry College of Business from the University of Georgia. For the next 16 weeks, I will be studying under the supervision of Dr. Piercy of the MIS department focusing on IT security and governance. Our main point of concentration will be guided by the CISSP (Certified Information Systems Security Professional) exam guide, which would further my goal to pursue security in the technology sector and its systems. As computing becomes ubiquitous and more...