The User Domain
Kelly Corning & Julie Sharp
User Domain
• The assets over which the users have control
• The people that have the control
• Domain of the AUP
Risks, Threats, & Vulnerabilities
• Social Engineering
• Negligence
• Disgruntled Employee Attacks
• Lack of User Awareness
• Physical Security
• Security Policy Violations
Social Engineering
Definition: A collection of malicious techniques used to manipulate people into performing actions or sharing information.
Examples:
• Tailgating
• Phishing emails
• Pretexting
• Dumpster Diving
Think before you act!
Negligence
• Prevent negligent hiring
• Retention
• Supervision
• Training
Employees need a reason to care!
Disgruntled Employee Attacks
• The Exploit
• Attack Process
  • Reconnaissance
  • Scanning
  • Exploiting the System
  • Keeping Access
  • Covering Tracks
• Incident Handling Process
Keep your employees happy!
Lack of User Awareness
• Ignorance of Policies
  • Employees need an appropriate level of awareness for their position
• Apathy towards Policies
If people don't know the policies, how can they follow them?
Lack of User Awareness
According to NIST, users should:
• "Understand their roles and responsibilities related to the organizational mission"
• "Understand the organization's IT security policy, procedures, and practices"
• "Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible."
Lack of User Awareness
Levels of Awareness:
• Awareness
  • Allows individuals to recognize security concerns and respond correctly
  • Broad audience
• Training
  • Teaches skills to allow an employee to perform a specific function
• Education
  • Integrates skills and competencies to allow an employee to see the big picture and respond to an incident proactively
• Certification
  • Involves testing to show that an employee has a specific level of knowledge on a given topic
Lack of User Awareness
Common Problems:
• Teaching an old dog new tricks
• "Security is an information technology problem, not mine"
• Implementation of new technology
• One-size-fits-all
• Too much information
• Lack of organization
• Failure to follow up
• Lack of management support
• Lack of resources
• No explanation of why
• Social engineering
Physical Security
• Deterrence
  • Convince attackers that the consequences of getting caught are not worth the potential payoff
• Access Control
  • Gates, doors, locks
• Detection
  • Alarm systems, motion sensors, contact sensors
• Identification
  • Video monitoring
• Human Response
  • Guards, emergency response personnel
Physical Security
Quick tips:
• Don't leave confidential/sensitive information out in the open
• Protect portable devices
• Disable drives & ports to prevent copying
• Shred extras
• Lock doors
• Protection from environmental factors
• Record security camera video, keep videos
Don't make it easy for the bad guy!
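One concrete way to apply the "Disable drives & ports to prevent copying" tip on a Linux workstation, as an added example that is not part of the slides: a modprobe.d fragment that keeps the usb-storage driver from loading, together with a check that a given config file actually carries the blocking line. It assumes a Linux host where modprobe reads /etc/modprobe.d/*.conf; the function names are chosen for this example, and the demo writes only to a temporary file so it never touches /etc.

```shell
#!/bin/sh
# Added example (not from the slides): block USB mass storage on a Linux
# workstation via modprobe configuration, and verify the setting.
# Assumes a Linux host where modprobe honours /etc/modprobe.d/*.conf.

# Emit the config fragment. "install usb-storage /bin/false" makes modprobe
# run /bin/false instead of loading the module, so even an explicit
# "modprobe usb-storage" fails. A plain "blacklist" line only stops automatic
# loading by device alias, which is why both lines are emitted.
usb_storage_block_conf() {
    cat <<'EOF'
# Block USB mass storage on this workstation (User Domain physical-security tip)
blacklist usb-storage
install usb-storage /bin/false
EOF
}

# Return 0 if FILE ($1) contains an active (non-comment) line that redirects
# the usb-storage install to /bin/false, 1 otherwise.
check_usb_storage_blocked() {
    grep -Eq '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/false' "$1"
}

# Return 0 if the usb-storage module is loaded on this host right now
# (the kernel reports it as usb_storage in /proc/modules), 1 otherwise.
usb_storage_loaded() {
    [ -r /proc/modules ] && grep -q '^usb_storage ' /proc/modules
}

# Demo on a constructed temp file; an administrator would instead install the
# fragment under /etc/modprobe.d/ (e.g. /etc/modprobe.d/block-usb-storage.conf,
# a name chosen for this example) and reboot or unload the module.
demo() {
    tmp=$(mktemp)
    usb_storage_block_conf > "$tmp"
    if check_usb_storage_blocked "$tmp"; then
        echo "config fragment blocks usb-storage"
    else
        echo "config fragment does NOT block usb-storage"
    fi
    if usb_storage_loaded; then
        echo "note: usb-storage is currently loaded on this host"
    fi
    rm -f "$tmp"
}

demo
```

The fragment only stops the kernel's mass-storage driver; keyboards, mice and other USB classes keep working, and an attacker with physical access to the machine's internals is not addressed by it, which is why the slide pairs it with locked doors and protected portable devices. After deploying the fragment, `lsmod | grep usb_storage` should show nothing once the module has been unloaded.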
Security Policy Violations
• Be aware of incidents
  • Yourself
  • Others
• Report incidents
• See that necessary action is taken
Don't ignore the problem!
Acceptable Use Policy
• Overview
• Purpose
• Scope
• Policy
  • General Use & Ownership
  • Security & Proprietary Information
  • Unacceptable Use
    • System & Network Activities
    • Email & Communications Activities
    • Blogging
Acceptable Use Policy
• 5. Inappropriate Behavior
• 6. Enforcement
• 7. Disclosure
• 8. Definitions
• 9. Revision History
References
• Acceptable Usage Policy Template. (2005, April 22). Retrieved March 24, 2013, from FIRST: www.first.org/_assets/resources/guides/aup_generic.doc
• InfoSec Acceptable Use Policy. (2006). Retrieved March 7, 2013, from SANS: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf
• User Domain. (2007, August 25). Retrieved March 7, 2013, from http://c2.com/cgi/wiki?UserDomain
• Negligence. (2012, November 21). Retrieved March 23, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Negligence_in_employment
• Childress, J. (2013, March). CS5493 (CS7493) Secure System Administration and Certification. Retrieved March 8, 2013, from utulsa: http://personal.utulsa.edu/~james-childress/cs5493/cs5493.html
• Giallombardo, A. (2012, September 25). Sample Acceptable Use Policy Template. Retrieved March 24, 2013, from Mafia Security: https://www.mafiasecurity.com/disaster-recovery/sample-acceptable-use-policy-template/
• Kratt, H. (2004, December 8). The Inside Story: A Disgruntled Employee Gets His Revenge. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/engineering/story-disgruntled-employee-revenge_1548
• Russell, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effective-strategy_418
• Wilson, M., & Hash, J. (n.d.). Information Technology Security Awareness, Training, Education, and Certification. Retrieved March 25, 2013, from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm