1. CISSP Certified Information Systems Security Professional (CISSP) certification
  2. Access Controls
    1. Who can access & Control Resources
    2. First Line of Defense - Securing the organisation's resources
    3. Protection against unauthorised access
    4. 1. User is correctly Identified
      1. Username and password is a form of access control
      2. 2. Authenticated
        1. 3. Authorized to Access Resources
          1. 4. User is Accountable for all the tasks performed using the resource
    5. Authentication
      1. matching credentials stored in system with what is provided by the user
      2. Effective Authorization
      3. 3 types
        1. 1. Something you KNOW
          1. Easy
          2. Inexpensive
          3. Not Very Secure
          4. Passwords, PIN, lock combinations, pass phrases, personal information : favourite colour, mother's maiden name
          5. easy to guess
          6. may be disclosed to others
          7. may be discovered through dictionary or other attack types
          8. Knowledge-based
          9. Passwords
          10. A system may provide a default password
          11. a system may generate password
          12. System and a token card may generate a password for a user
          13. User may select a password
          14. Techniques
          15. password checkers
          16. Tools
          17. dictionary or brute force attacks
          18. Detect weak user-chosen passwords
          19. if detected
          20. reduce vulnerability
          21. force making them more secure
          22. Password generators
          23. software or hardware devices
          24. generate passwords
          25. prevent too easy passwords
          26. Password Aging
          27. configuring password to expire
          28. Attempt Thresholds
          29. Hashing and Encryption
          30. Cognitive Passwords
          31. OTP
          32. One-Time-Passwords
        2. 2. Something You HAVE
          1. Expensive
          2. Fairly secure
          3. Can be lost or stolen
          4. Smart cards, token devices, memory cards
          5. Can specify location
        3. 3. Something you ARE
          1. High level of security
          2. expensive
          3. Prone to false positives or negatives
          4. falsely accept or reject samples
          5. fingerprints, voiceprints, retina and iris patterns to stored patterns
      4. Multifactor authentication
        1. increases security with more than one type of authentication
        2. two-factor
          1. ATM card
          2. Something you have and something you know (PIN)
        3. Three-Factor
          1. all three types
          2. highest level of security
          3. Examples
          4. Access a network resource
          5. password, token and fingerprint
          6. Location access
          7. PIN, Driver's License and a voice Sample
      5. Performance
        1. FRR
          1. False Rejection Rate
          2. % of Subjects a system falsely rejects
          3. Biometric Authentication
          4. increases with increasing system sensitivity
        2. FAR
          1. False Acceptance Rate
          2. % of invalid subjects a system falsely accepts
          3. Biometric authentication
          4. decreases with increasing system sensitivity
        3. CER
          1. Crossover Error Rate
          2. Gives the rate at which FRR equals FAR
          3. Compare the overall accuracy of different authentication devices
          4. Lower value = greater accuracy
        4. Metrics
          1. Enrolment time
          2. time taken to register biometric characteristics
          3. Throughput rate
          4. rate at which a system identifies, authenticates and processes users
          5. Acceptability
          6. user acceptability of the system based on privacy and ease of use
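The FRR/FAR/CER relationships listed above, worked through as an added Python example that is not part of the original notes; the two device names and all match scores are constructed assumptions, not measurements from any real product:

```python
# Added example (not from the original notes): how FRR and FAR move with the decision
# threshold of a biometric matcher, and where the Crossover Error Rate (CER) falls.
# All match scores below are constructed for illustration; no real device is modelled.

# Constructed similarity scores (0-100) from a hypothetical matcher "device A".
GENUINE_A = [62, 70, 74, 78, 81, 84, 86, 88, 90, 93]   # legitimate users' samples
IMPOSTOR_A = [40, 48, 55, 60, 66, 69, 72, 75, 79, 83]  # invalid subjects' samples

# A second hypothetical "device B" whose scores separate the two populations better.
GENUINE_B = [75, 80, 82, 85, 88, 90, 92, 94, 96, 98]
IMPOSTOR_B = [30, 35, 40, 45, 50, 55, 60, 65, 70, 78]

# Sensitivity = the minimum score required to accept a sample. Raising it makes the
# system stricter (more sensitive): FRR goes up, FAR goes down.
THRESHOLDS = list(range(40, 100, 5))


def frr(genuine, threshold):
    """False Rejection Rate: share of genuine samples scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate: share of impostor samples scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for each threshold, i.e. both error curves together."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds=THRESHOLDS):
    """Threshold where FRR and FAR are closest, and the error rate there (the CER)."""
    t, r, a = min(error_curve(genuine, impostor, thresholds),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (r + a) / 2


def more_accurate(device_x, device_y):
    """Compare two (genuine, impostor) score sets: the lower CER wins."""
    cer_x = crossover_error_rate(*device_x)[1]
    cer_y = crossover_error_rate(*device_y)[1]
    return "x" if cer_x < cer_y else "y"


if __name__ == "__main__":
    for t, r, a in error_curve(GENUINE_A, IMPOSTOR_A):
        print(f"threshold {t:3d}  FRR {r:.2f}  FAR {a:.2f}")
    print("device A CER:", crossover_error_rate(GENUINE_A, IMPOSTOR_A))
    print("device B CER:", crossover_error_rate(GENUINE_B, IMPOSTOR_B))
```

Running it prints the two error curves moving in opposite directions as the threshold rises, with device A crossing at a threshold of 75 (CER 0.30) and device B at a lower CER, so B is the more accurate of the two constructed devices.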
    6. Authorization
      1. System checks the rights to the user and permissions granted
      2. Effective Authorization
        1. Least Privilege principle
          1. Minimum set of privileges to do their job
        2. Need to Know principle
          1. Only assign users information to do their job
          2. Minimizes the number of subjects with access to specific resources
          3. Reduces the risk in breach in security
        3. Compartmentalization principle
          1. process that separates specific groups to prevent flows of information moving between groups
        4. Security Domains
        5. Correct Identifications of Roles
          1. need to know
          2. Role of User(s)
          3. Data Owners
          4. Classify data
          5. determine access controls for proper data handling
          7. Custodians
          8. take care of data backups
          9. Instructions provided by the Data Owners
          10. Subjects assigned to these roles
        6. Separation of Duties and responsibilities
          1. Ensures no single individual is solely responsible for performing a set of transactions
          2. Ensures less error
          3. Ensures no fraud
        7. Entitlements
          1. Entitlements are the resources available to a user and the authoritative rights that the user has within the department or organisation
    7. Accountability
      1. Ensuring Accountability
        1. recording activities
        2. System-Level Events
        3. Application-Level Events
        4. User-Level Events
        5. Log Files
          1. Can help detect
          2. intrusions
          3. reconstruct events
          4. produce problem reports - assist in recovery
        6. Audit Trails
    8. Confidentiality
      1. protected from
        1. unauthorized access
        2. unauthorized disclosure
      2. Specifies
        1. who can access the information
        2. What actions can be performed after accessing it
      3. Access controls
        1. Encryption
        2. Transmission protocol
    9. Integrity
      1. ensures information is complete and accurate
      2. Protected against unauthorized modifications
    10. Availability
      1. Subjects need information and resources to be available promptly.
      2. Control Mechanisms
        1. Fault Tolerance
        2. ensure availability of resources
        3. Recovery
        4. ensure availability of resources
    11. Revoke Access
      1. Employee leaves an organization
      2. Information entering a system is detected as Hostile
        1. access rights of the source of the information must be dynamically revoked
    12. TYPES
      1. Administrative
        1. Security Policies and Procedures
          1. high-level plan for implementing security
          2. Identifying unacceptable Actions based on level of Risk an organization can accept
        2. Personnel Controls
          1. what is expected of employees when using organizational resources and the consequences of noncompliance
          2. Organizational hierarchy
          3. whom employees should report to and who is held responsible for employees' actions
        3. Security Awareness Training
          1. helps educate employees about access control usage
          2. minimize unintentional breaches in access control
        4. Periodic Testing of Controls
          1. helps check access control effectiveness in supporting the security policy of an organization
        5. Techniques
          1. Hiring practices
          2. background Checks
          3. Termination practices
          4. revoking user accounts
          5. revoking network permissions
          6. Classification of data based on the level of sensitivity
          7. Supervision of employees
          8. tracking of employee activities
          9. Separation of Duties
          10. no single individual is solely responsible for a task
          11. Rotation of Duties
          12. limit the time for which individuals are assigned to particular tasks
          13. minimize potential for COLLUSION
      2. Technical
        1. or LOGICAL controls
        2. Software tools that restrict access to objects and ensure confidentiality, integrity and availability
        3. Part of
          1. Applications
          2. Operating Systems
          3. Devices
          4. Protocols
          5. Encryption
          6. Add-on Security Packages
        4. Discretionary Access Control Architecture
          1. how resources are accessed on a system
        5. Network Access Control
          1. determine which subjects can enter a network and what actions they can perform AFTER authentication
          2. Network Segmentation
          3. Entities on a Network
          4. Routers
          5. Switches
          6. NICs
          7. Bridges
        6. Encryption and Protocols
          1. Ensure Confidentiality and Integrity of Information flowing within the network
          2. Only Authorized users have access
          3. Unauthorized modifications don't occur
        7. Control Zones
          1. Protect Network devices
          2. from emitting electrical signals so CONFIDENTIAL information doesn't leak out through airwaves
        8. Software-based auditing controls
          1. track activities within a network or computer
          2. help identify security breaches
        9. TECHNOLOGIES
          1. Controlled User Interfaces
          2. restrict network access to authorized users only
          3. Passwords
          4. User Authentication
          5. Tokens
          6. OTP
          7. One-Time-Passwords
          8. Change after every use
          9. Firewalls
          10. Filter Information
          11. Routers
          12. Connect Networks
          13. Transmission of information
          14. Provide Content Filtering
          15. Anti-Virus software
          16. detect and protect against viruses
          17. ACL- Access Control Lists
          18. list of subjects and their access permissions
          19. help prevent the unauthorized access of resources
          20. IDS - Intrusion Detection Systems
          21. detect unwanted data modifications
          22. detect malicious network traffic occurring due to hacker attacks
          23. Smart Cards
          24. Semiconductor chips
          25. Accept, store and transmit information
          26. Help in User Identification
          27. Biometrics
          28. Identify and authenticate users
          29. Analyse physical attributes and behaviours
          30. Examples
          31. Keyboard Dynamics
          32. Facial Scans
          33. Hand geometry
          34. Fingerprints
          35. Voice Patterns
          36. Retina
          37. Iris Patterns
          38. Signatures
      3. Physical
        1. Network and Work-Area Segregation
          1. Enforces Access controls on Entry & Exit to the Network or Area
        2. Perimeter and Computer Security Controls
          1. help protect individuals, facilities and components within facilities
        3. Cable Control
          1. prevent Theft
          2. prevent copying of information
        4. Data Backups
          1. help ensure information access in case of system failures or natural disasters
        5. Techniques
          1. Guards and Guard Dogs
          2. Fences
          3. Motion Detectors
          4. Door and Window Locks
          5. Cable Sheaths
          6. Prevent electrical interference
          7. Prevent Crimping and sniffing
          8. Computer Locks
          9. Swipe Cards and Badges
          10. Video Cameras
          11. Alarms
      4. Access Control Layers of an Object
    13. Information Classification
      1. classify information by EVALUATING its Risk Level
      2. Assets of little value get only basic protection
      3. Highly sensitive assets receive high levels of protection
      4. 3 Critical Activities
        1. 1. Establish Program
          1. information classification program
          2. create an infrastructure for the program
          3. 1. Objectives
          4. Document Objectives
          5. Define Vision
          6. Help describe the program to others
          7. Provide benchmarks against which you can evaluate the program
          8. 2. Executive Manager
          9. Top-Manager backing and support
          10. without support program is likely to fail
          11. Illustrate to management both financial and business cost and benefits of the program
          12. 3. Information Classification Policy Documentation
          13. Work with Stakeholders to create an information classification policy
          14. Document should communicate WHY the organization needs to classify information
          15. What the requirements are
          16. Scope of users and system policy affects
          17. Users roles and responsibilities in implementing the program
          18. Should clearly describe the different classification for information
          19. 4. Process Flow Chart
          20. operational procedures
          21. Process flows
          22. Show how info must be classified
          23. How the different categories of information should be protected
          24. Identify Key Role Players
          25. Process Owners
          26. May be Custodians
          27. Application Owners
          28. Specify what data and resources are required for
          29. specific tasks
          30. roles
          31. Provide insight into the classification requirements of data within their functional areas.
          32. Identify Information owners and delegates
          33. Information Owners
          34. understand the information in their business areas
          35. responsible for deciding how the information should be used
          36. Owners may assign read, modify or delete permissions to information delegates so Information delegates can carry out operational decisions
          37. Identify Stakeholders
          38. understand relationship between
          39. System Owners
          40. Information Owners
          41. Application Owners
          42. If System owner and Information Owner are the same individual, the incentive to enhance system security is greatly increased
          43. Protection of Information assets is important here
          44. Classify Information and Applications
          45. need to define categories to use first
          46. Categories should be periodically reviewed
          47. in-line with organizational needs
          48. Categories
          49. 1. Public
          50. can be disclosed to general public
          51. No harm to company, partners, individuals
          52. Require no special protection
          53. 2. Internal Use
          54. info disclosed only inside the company
          55. could harm company if disclosed externally
          56. Must be protected from unauthorized external access
          57. 3. Confidential
          58. Information to stay within a single business Unit
          59. May cause serious harm if disclosed
          60. Must protect information within the business unit
          61. 4. Restricted
          62. Information that would cause irreparable damage if accessed by unauthorized personnel
          63. requires highest level of security
          64. Create a central repository for classification information
          65. Database
          66. data can be analysed from multiple perspectives
          67. Classification can be updated easily
          68. Develop Tools
          69. templates
          70. distributed to Data Owners
          71. collect Classification information on the data managed in their functional areas
          72. Once Collected should be in the DB central repository
          73. Ensure consistency for gathering data and for tracking and analyzing information
          74. results can be exported to a database for consolidation
          75. Database
          76. Train users
          77. Employees should be trained to ensure they understand the classification categories and know what procedures to follow
          78. Training program
          79. purpose of the program
          80. Why it's important
          81. Practical examples
          82. different types of information
          83. How they should be handled
          84. Develop and implement auditing procedures
          85. include spot checks
          86. determine whether sensitive information has been left unguarded
          87. Reviews of current classifications
          88. Reviews of current protection measures
        2. 2. Labeling and Marking
          1. marking media
          2. marking the classification levels
          3. Ensures that those working with the data know what control measures to apply
          4. No Labelling
          5. can use business areas and locations to assign control measures according to the classification level of data
          6. Eg. a backup library may require a confidential level of control and a separate area may be used for restricted information.
        3. 3. Assurance
          1. obtaining assurance that classification is occurring correctly
          2. Periodic testing so control measure are correctly applied
          3. May involve random audits for checking that confidential data isn't left on desks or in insecure areas
          4. Encourage employees to report security breaches
      5. Advantages
        1. helps establish ownership of information
        2. Provide central point of control
        3. Protection of sensitive data
        4. Increases C.I.A of information
        5. Improves employee awareness of security issues
        6. Supports business recovery by identifying critical information
        7. Reduces unnecessary spending on security and inefficient storage of data
        8. helps to ensure compliance with requirements to protect confidential information
  3. Job Requirements
    1. NAB Technology Security Team
    2. Providing oversight and consultancy for overall security management and compliance within BPMO IT.
    3. Creating and assigning users rights including groups, directories and applications.
    4. Management, review and control of directory access (NetApp filers, NAS);
    5. Provision of second level support for user access to Citrix, file shares, directory mappings, user profiles, and application access issues.
    6. Review, control and compliance of the Global Security Administration function;
    7. Conduct regular compliance reviews (e.g. review of user access rights);
    8. Setup, maintenance and support of the Control-SA user provisioning tool;
    9. Management of ongoing updates to the user access request / approval system (SARD);
    10. Promote, encourage and enforce segregation of duties and information security principles and policies
    11. Creating, verifying, and modifying new and existing user accounts for Windows, Unix, and other security applications.
    12. To be successful in this role, you will have the following skills and experience:
    13. Windows / Unix / Security technology related role
    14. Solid communication skills (i.e. ability to discuss / explain technologies) and provide a Service Delivery focus in addressing business requirements
    15. Experience liaising and explaining to Senior business and Technology users security problems, issues, restrictions and policies;
    16. Knowledge of exploits (i.e. viruses and other vulnerabilities);
    17. Practical knowledge in Windows, Active Directory and LDAP security (i.e. either as a Security Administrator or Windows / Unix Support experience).
    18. Experience in the use of Control-SA or equivalent user provisioning tools.
    19. Excel skills.
    20. Knowledge of other Identity Management products