Blueprint, Compliance, Common Language
Why Use a Framework?
Blueprint
It provides a proven roadmap. Don't reinvent the wheel.
Compliance
Many laws/regulations require adherence to a standard (e.g., banks must follow ISO or NIST).
Common Language
Allows security professionals globally to speak the same terminology.
- ISO 27001
- ISO 27002
ISO/IEC 27000 Series
International Organization for Standardization (ISO) + International Electrotechnical Commission (IEC).
ISO/IEC meaning
ISO 27001
The requirements. It defines how to build an Information Security Management System (ISMS). Companies get "Certified" against this.
ISO 27002
The code of practice. It lists the specific controls (e.g., "Use encryption," "Lock the server room").
NIST Cybersecurity Framework (CSF)
Created by the US National Institute of Standards and Technology. Free and widely used.
Identify, Protect, Detect, Respond, Recover
The 5 Core Functions (The Cycle)
Identify
Asset management, Risk assessment (Know what you have).
Protect
Access control, Training, Encryption (Stop the attack).
Detect
Monitoring logs, IDS (See the attack happening).
Respond
Incident response planning (Stop the bleeding).
Recover
Backups, Restoration (Get back to business).
Security Architecture: Defense in Depth
Concept: Security should be layered like a castle (Moat > Wall > Tower > Keep). If one layer fails, the next stops the attacker.
Policy, Physical, Perimeter, Network, Host, Application, Data
Security Architecture: Defense in Depth - The Layers
Policy
The rules.
Physical
Fences, locks, guards.
Perimeter
Firewalls, DMZ (Demilitarized Zone).
Network
Internal segmentation (VLANs), IDS/IPS.
Host
Antivirus, OS patching.
Application
Input validation, secure coding.
Data
Encryption, Hashing.
Education, Training, Awareness
Security Education, Training, and Awareness (SETA)
The "People" layer of the Cube.
Education
University level. Teaches "Why" (Theory).
Training
Vocational/Job level. Teaches "How" (Skills - e.g., configuring a firewall).
Awareness
Daily level. Reminders (Posters, Phishing simulations). Keeps security "top of mind."
Firewalls, DMZ (Demilitarized Zone), Proxy Servers
Designing the Security Perimeter
Firewalls
The gatekeepers. Filter traffic based on IP/Port.
DMZ (Demilitarized Zone)
A buffer zone between the Internet (Untrusted) and the Internal Network (Trusted).
Web servers go in the DMZ.
Database servers go in the Internal Network (never exposed directly).
Proxy Servers
Act on behalf of users to hide internal IPs.