
Risk Control Strategies And Physical Security


Presentation Transcript


  1. Risk Control Strategies and Physical Security By William Gillette

  2. Top 10 Security Mistakes • The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures. • Leaving unattended computers on • Opening email from strangers (“I Love You” virus) • Poor password selection. The vice president of IT at General Dynamics Corp. attended a demonstration with about 20 of his top engineers and some anti-hacking experts from NASA. Within 30 minutes, the NASA folks broke 60% of the engineers' passwords. A good example of a better password: "I pledge allegiance to the flag" becomes "ipa2tf."

  3. Top 10 Security Mistakes • Laptops have legs (physical security) • Loose lips sink ships: people talk about passwords • Plug and Play (technology that enables hardware devices to be installed and configured automatically, bypassing the usual protections) • Unreported security violations • Behind the times in terms of patches • Not watching for dangers within your own organization.

  4. Types of Risk Control Strategies • Avoidance • Transference • Mitigation • Acceptance

  5. Quick Review: Risk Avoidance • Defined: • A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities. • This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely. • Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.

  6. Methods of Risk Avoidance • Avoidance through application of policy. • Avoidance through application of training and education. • Avoidance through application of technology.

  7. Risk Transference • Defined • A control approach that attempts to shift the risk to other assets, other processes, or other organizations. • This is accomplished through rethinking/reengineering services, revising development models, outsourcing to other organizations, or implementing service contracts. • Common choice for larger companies.

  8. Risk Transference • Advantages of outsourcing • The outsourcing company focuses its energy and resources on its expertise. • Allows the parent company to concentrate on the business it knows. Example: Kodak • Disadvantages • Costs tend to be high for these services, and they require very detailed legal contracts to guarantee service and recovery.

  9. Risk Mitigation • Defined • A control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. • Three types of plans: • Disaster recovery plan • Incident response plan • Business continuity plan • Each of these strategies depends on the ability to detect and respond to an attack as quickly as possible. All mitigation strategies start with early detection.

  10. Disaster Recovery Plan • Defined • Preparations for recovery should a disaster occur; strategies to limit losses before and during disasters; step-by-step instructions to regain normalcy. (This is the most common of the mitigation procedures.) • Examples • Procedures to recover lost data (data/media backup) • Procedures for the reestablishment of lost services • Procedures to protect currently available assets (shutdown) • When it's deployed • Immediately after the incident is labeled a disaster • Time frame • Short-term recovery

  11. Incident Response Plan • Defined • Actions an organization takes during an attack; IRPs are predefined, specific or ad hoc, and reactive. • The "what do I do now!" plan • Examples • Information analysis, intelligence gathering, list of steps to be taken during an attack • Unauthorized copy example • When it's deployed • As the attack or disaster unfolds • Time frame • Immediate and real-time reaction

  12. Business Continuity Plan • Defined • Steps to ensure continuation of the overall business when the scale of the disaster requires relocation. • Examples • Preparation steps for the activation of a secondary data center. • Establishment of a hot site in a remote location. Many companies have this service as a contingency against disastrous events. • When it's deployed • After it has been determined that a disaster/attack affects the continuous operation of the organization. • Time frame • Long-term recovery.

  13. Acceptance • Defined • In contrast to the other controls, acceptance is a method of doing nothing to protect a vulnerability and accepting the outcome of its exploitation. • To use this control, the following must be taken into account: • Determine the level of risk • Assess the probability of attack • Estimate the potential damage that could occur from attacks • Perform a thorough cost-benefit analysis • Take into account the feasibility of other controls • Decide whether particular functions/assets/data do not justify the cost of protection

  14. (Decision flowchart: when can a risk be accepted?)
  • Start: System/program as designed
  • Is the system/program vulnerable? No → No Risk. Yes → next question.
  • Is the system/program exploitable? No → No Risk. Yes → Risk Exists.
  • Is the expected loss > acceptable level? No → Risk can be accepted. Yes → next question.
  • Is the attacker's gain > cost? No → Risk can be accepted. Yes → Risk is Unacceptable.
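The flowchart above as executable decision logic, run over a small risk register. This is an added example, not code from the presentation; the `RiskInput` fields, the register entries and the reading of "cost" as the attacker's cost are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskInput:
    # One system/program to run through the decision flow. The field names and
    # the sample values further down are constructed for this example.
    name: str
    vulnerable: bool          # Is the system/program vulnerable?
    exploitable: bool         # Is the vulnerability actually exploitable?
    expected_loss: float      # loss expected if the vulnerability is exploited
    acceptable_level: float   # loss the organization is prepared to absorb
    attacker_gain: float      # what a successful attacker stands to gain
    attacker_cost: float      # what mounting the attack costs the attacker (assumed reading of "cost")


NO_RISK = "No Risk"
ACCEPTABLE = "Risk can be accepted"
UNACCEPTABLE = "Risk is Unacceptable"


def classify_risk(r: RiskInput) -> str:
    """Walk the flowchart top to bottom and return the terminal box reached."""
    if not r.vulnerable:                       # not vulnerable -> No Risk
        return NO_RISK
    if not r.exploitable:                      # vulnerable but not exploitable -> No Risk
        return NO_RISK
    # From here on the flowchart says "Risk Exists".
    if r.expected_loss <= r.acceptable_level:  # loss within tolerance -> accept
        return ACCEPTABLE
    if r.attacker_gain <= r.attacker_cost:     # attack not worth it to the attacker -> accept
        return ACCEPTABLE
    return UNACCEPTABLE                        # both tests answered "yes" -> unacceptable


def evaluate_register(register: list[RiskInput]) -> dict[str, str]:
    """Classify every entry of a (constructed) risk register, keyed by name."""
    return {r.name: classify_risk(r) for r in register}


# Constructed sample register: one entry per terminal path of the flowchart.
SAMPLE_REGISTER = [
    RiskInput("kiosk-readonly", False, False, 0, 0, 0, 0),
    RiskInput("internal-wiki", True, False, 5_000, 1_000, 2_000, 500),
    RiskInput("legacy-reporting", True, True, 800, 1_000, 300, 100),
    RiskInput("hardened-vault", True, True, 50_000, 10_000, 1_000, 20_000),
    RiskInput("payment-gateway", True, True, 250_000, 10_000, 100_000, 5_000),
]

if __name__ == "__main__":
    for name, verdict in evaluate_register(SAMPLE_REGISTER).items():
        print(f"{name:18} {verdict}")
```

Note that a loss exactly equal to the acceptable level is not "greater than" it, so the flow accepts it; adjust the comparison if your policy treats the threshold as exclusive.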

  15. Categories of Controls • Control function: • Controls and safeguards designed to defend vulnerabilities through prevention or detection. • Uses both technological protection (encryption) and enforcement measures (policies). • Architectural layer: • Controls applied to more than one layer of a system, e.g. firewalls. • Strategic: • Controls that are specific to a risk control method.

  16. Other Factors in Deciding a Risk Control Method • Feasibility studies • Cost-benefit analysis • Asset valuation • Organizational feasibility • Technical feasibility

  17. Physical Security • Defined • Describes the protection needed outside a system/program. • Typical physical controls include ID cards, guards, locks, and cameras, but can also include items to protect against disasters.

  18. Types of Physical Security • Access and control • Used to ward off the sticky-fingered bandit • Use of biometrics, smart cards, access door locks, mantraps, electronic monitoring, shredding, and guards. • Natural disaster • Flood (both natural and unnatural), fire, power fluctuation, and so on • Use of raised floors, dedicated cooling, humidifiers for tape rooms, emergency lighting, electrical/non-water fire extinguishers, surge suppressors, emergency power shutoff, and emergency replacement servers/off-site systems.

  19. Bibliography • Information Technology for Management, Henry C. Lucas, 7th Edition, Irwin McGraw-Hill • Principles of Information Security, Michael E. Whitman, Thomson Course Technology • www.computerworld.com
