A LOT of the material in these slides and in this lecture is NOT in the book. This book does a good job of presenting most of the material needed for the Security+ exam. However, the info in chapter 8 is a little thin… so pay close attention to the slides. Perhaps I provide a little too much depth for the Security+ exam… but it’s well worth doing the extra learning… especially if you want to take the CISSP or really understand networks and network security concepts to be USEFUL in real life!
Brian E. Brzezicki
Bachelor of Science, Computer Science
Masters of Science, Computer Science
EC-Council Certified Ethical Hacker (CEH)
Red Hat Certified Technician (RHCT), Certified Engineer (RHCE)
Sun Solaris Network Administrator, Sun Solaris Systems Administrator
Microsoft MCSE (NT 4.0) / Microsoft Certified Trainer
This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005.
CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed....
An organization cannot expect to be secure unless security is directed from the top down.
Management must realize the need for security
Management must create a security policy
Management must empower the security team to design and enforce the security program
Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-)
Unfortunately, they generally come configured insecurely (or less securely than possible) out of the box.
There are two important terms we need to understand with regard to securing systems out of the box.
Q: In what type of authentication system does the OS (Security Kernel) determine who is allowed access to a resource?
Q: What access control model helps fight “authorization creep”?
Q: Biometrics are an example of “What you ____”
Q: What is a better security model, network based or host based? Justify your answer.
Content in the lecture Information Systems Security includes: general security concepts, identifying potential risks, infrastructure and connectivity, monitoring activity and intrusion detection, implementing and maintaining a secure network, securing the network and environment, cryptography basics (methods and standards), security policies and procedures, security administration.
The content in chapter 1: Understanding information security, understanding the goals of information security, comprehending the security process, authentication issues to consider, distinguishing between security topologies.
Note: A LOT of this chapter is “missing” from the book. That is, the book is only 12 pages. I have put over 70 slides in this chapter (one of the longest). These things you should expect to see on the exam. So pay extra attention to these slides!
Computer software, systems and networks are complex, growing systems. They constantly evolve, and the ability to understand and recreate them, and to prove their integrity, is critical to an organization's health and security.
There are generally two reasons someone is attacked:
You are specifically targeted
Company with money
Company with secrets
Hard to stop
You are a target of opportunity
Low hanging fruit
Most common; make yourself a less easy target
The Internet has been around for a LONG time... For most of its life nobody cared about the Internet except for government, researchers and geeks like me.
The Internet was never intended for security. It was intended as a resilient network for communications. Nobody ever thought it would be used for what it’s used for today.
For many years, the stock and futures markets have been considered separate and distinct entities. Stocks (securities) have been the backbone of capitalism and are still regarded as such today. Stocks are considered the “stuff” of which all “good investments” are fashioned. Not only has stock and bond trading been considered necessary for the survival of industry and business in a capitalist society, but it has also been regarded as the single most viable form of investing for the general public.
In August 1999, the Transportation Research Board (TRB) held a workshop at the request of the National Aeronautics and Space Administration (NASA) to examine its Small Aircraft Transportation System (SATS) concept.
The idea of analyzing your business processes, determining the risks that threaten those processes, and choosing cost-effective countermeasures to minimize the risks and the associated losses.