1 / 72

Lesson 3-Operational/Organizational Security

Lesson 3-Operational/Organizational Security. Background. Prevention technologies prevent unauthorized individuals from gaining access to systems or data. In an operational environment, prevention is difficult. Relying on prevention technologies alone is not sufficient. . Background.

lobo
Download Presentation

Lesson 3-Operational/Organizational Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lesson 3-Operational/Organizational Security

  2. Background • Prevention technologies prevent unauthorized individuals from gaining access to systems or data. • In an operational environment, prevention is difficult. • Relying on prevention technologies alone is not sufficient.

  3. Background • Prevention technologies are static. • They are put in place and generally left alone. • Detection and response technologies are dynamic. • They acknowledge that security is an ongoing process.

  4. Background • The first presentation introduced the operational model of computer security. • The model described the various components in computer security and network security. • The operational model of computer security stated that: • Protection = Prevention + (Detection + Response). • This presentation addresses the issues surrounding computer security and network security.

  5. Objectives • Upon completion of this lesson, the learner will be able to: • Describe the various operational aspects to security in an organization. • Describe the physical security components used to protect computers and networks. • Explain how social engineering is used as a means to gain access to computers and networks and how an organization should deal with social engineering.

  6. Objectives • Upon completion of this lesson, the learner will be able to (continued): • Explain how the growing use of wireless cellular technology has impacted data transmission and how factors such as location affect our ability to secure it. • Describe how the use of shielding technology can prevent disclosure through electronic emanations. • Describe various fire suppression systems designed to limit the damage caused by fires.

  7. Security Operations • Policies • Procedures • Standards • Guidelines

  8. Policies • Policies are: • High-level, broad statements of what the organization wants to accomplish. • Made by the management when laying out the organization's position on some issues.

  9. Standards • Standards are: • Mandatory elements regarding the implementation of a policy. • Accepted specifications of specific details on how a policy is to be implemented or enforced.

  10. Guidelines • Guidelines are: • Recommendations relating to a policy. • Not mandatory.

  11. Procedures • Procedures are step-by-step instructions on how to implement policies in an organization. • Step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

  12. Policy Changes • As the network constantly changes, the policies, procedures, and guidelines should be periodically evaluated and changed if necessary. • The constant monitoring of the network and the periodic review of the relevant documents are part of the operational model. • When applied to policies, this process results in the policy life cycle.

  13. Policy Life Cycle • The four steps of the policy life cycle are: • Plan (Adjust) • Implement • Monitor • Evaluate

  14. Plan (Adjust) • In the planning and adjustment phase: • Users develop the policies, procedures, and guidelines that will be implemented. • Design the security components to protect the network.

  15. Implement • Implementation of any policy, procedure, or guideline requires an instruction period to about its contents.

  16. Monitor • Constant monitoring ensures that hardware and software, policies, procedures, and guidelines are effective in securing the systems.

  17. Evaluate • Evaluating the effectiveness of security includes a vulnerability assessment and penetration test of the system to ensure that security meets expectations. • After evaluating the organization’s stand on security, the process restarts at step one, this time adjusting the security mechanisms that are in place. • Evaluation is a continuous process.

  18. Intrusion Detection System (IDS) • An intrusion detection system is often a part of the security perimeter for the organization. • The IDS may be placed on the inside of the firewall, or the outside, or on both sides. • The specific location depends upon what a company is more concerned about (the insider threat or external threats).

  19. Corporate Network • Beyond this security perimeter is the corporate network. • This is simple depiction. • An actual network may have numerous subnets and extranets.

  20. More Complex Networks • Organizations may have a telephone network connected to the public switched telephone network (PSTN), which is the phone company. • The organization may have authorized modems. • However, the potential exists for unauthorized modems, and hence the telephone network must be considered as a source of access for the network.

  21. Examine Sources of Attacks • When considering the policies, procedures, and guidelines to implement security for the organization, both networks need to be considered. • The biggest danger to any organization is from an insider rather than external attacks. • Insiders can include a disgruntled employee having physical access to the facility. • An attacker with physical access to an office can find the information needed to access computer systems and network.

  22. Physical Security • All mechanisms used to ensure that physical access to computer systems and networks is restricted to authorized users. • Access from all six sides is important. • The security of obvious points of entry such as doors and windows should be examined. • Even floors and ceiling should be scrutinized for possible access points.

  23. Access Controls • Physical access control is similar to computer and network access controls where access is restricted to the authorized. • Physical access controls can be based on: • Something that individuals have (key). • Something that they know (the combination). • Something that they are (biometrics).

  24. Locks • A lock is the most common physical access control device. • Combination locks represent an access control device that depends upon something the individual knows (the combination). • Combinations do not require any extra hardware, but they must be remembered (which means individuals may write them, which is a security vulnerability in itself) and are hard to control.

  25. Key Locks • Locks with keys depend on something the individual has (the key). • Key locks are simple and easy to use, but the key may be lost. • If the key is lost, a duplicate key has to be made or the lock has to be re-keyed. • Keys may also be copied and can be hard to control.

  26. Modern Locks • Newer locks replace the traditional key with a card that must be passed through a reader or placed against it. • The individual may also have to provide a personal access code, thus making this form of access both a something-you-know and something-you-have method. • In addition to locks on doors, other common physical security devices include video surveillance and even simpler access control logs (sign-in logs).

  27. Access Control Logs • Sign-in logs do not provide an actual barrier. • They provide a record of access. • When used in conjunction with a guard who verifies an individual's identity, they dissuade potential adversaries from attempting to gain access to a facility.

  28. Other Access Control Mechanisms • Another common access control mechanism is a human security guard. • Guards provide an extra level of examination of individuals who want to gain access. • Security guards can counter piggybacking.

  29. Biometrics • Biometrics: • Uses something unique about the individual. • Does not rely on an individual to remember something or to have something. • Is a sophisticated access control approach and is also more expensive. • Can control access to computer systems, networks, and physical access control devices.

  30. Biometrics • Biometrics provides an additional layer of security. • Biometrics is normally used in conjunction with another method. • Biometric devices are not 100 percent accurate and may allow access to unauthorized individuals.

  31. Weaknesses of Authentication • All forms of authentication have weaknesses that can be exploited. • For this reason, “strong authentication” or “two-factor authentication” should be used. • These methods use two of the three different types of authentication (something that the users have, know, or are) to provide two levels of security.

  32. Physical Barriers • Physical barriers help implement the physical-world equivalent of layered security. • The outermost layer of physical security contains the public activities. • An individual progresses through the layers. • The barriers and security mechanisms should become less public to make it more difficult for observers to determine what mechanisms are in place.

  33. Physical Barriers • Signs are also an important element in security, as they announce to the public what areas are public and which are private. • In addition to walls and fences, open space can also serve as a barrier. • Consider the use of large areas of open space. • An intruder must cross this open space which takes time. • During this time their presence may be discovered and hence they are vulnerable.

  34. Social Engineering • Social engineering takes advantage of humans – the weakest link in the security chain. • Individuals attempting to social-engineer a piece of information rely on two aspects of the human nature. • First, people generally want to help somebody who is requesting help. • Second, people generally want to avoid confrontation.

  35. Social Engineering • The goal of social engineering is to obtain the pieces of information necessary to reach the next step. • This is done repeatedly until the ultimate goal is reached.

  36. Halting Social Engineering • The most effective means to stop social engineering is through the training and education of users, administrators, and security personnel.

  37. Stopping Social Engineering • To stop social engineering, employees should: • Recognize the type of information that should be protected. • Recognize how seemingly unimportant information may be combined with other information to divulge sensitive information (also known as data aggregation).

  38. Environment • Environmental issues include items such as heating, ventilation, air conditioning (HVAC) systems, electrical power, and the “environments of nature.”

  39. HVAC • HVAC systems are often computer-controlled and provide remote access via telephone connections. • These connections should be protected in a similar manner as computer modems, or else attackers may locate them and change the HVAC settings for an office or building.

  40. Power and UPS • Electrical power is essential for computer systems and networks. • Electrical power is subject to momentary surges and disruption. • Surge protectors protect sensitive electronic equipment from fluctuations in voltage. • Uninterruptible Power Supply (UPS) should be considered for critical systems so that a loss of power will not halt processing.

  41. Natural Disasters • Storms and floods require devices to sense water in a facility to warn pending problems. • Frequent hurricanes, earthquakes, and tornadoes in an area require reinforced facilities to protect important processing equipment. • All of these provide reasons for having an active program to ensure frequent backup of critical data and off-site storage.

  42. Off-Site Storage • Having off-site storage limits the chance that a natural disaster affecting one area will result in the total loss of the organization's critical data. • When considering backup and contingency plans, it is also important to consider backup processing locations in case a disaster not only destroys the data at the organization's primary site but all processing equipment as well.

  43. Fire Suppression • According to the Fire Suppression Systems Association: • Forty-three percent of businesses closed as a result of fire never reopen. • Twenty-nine percent will fail within three years of the event. • The ability to respond to a fire quickly and effectively is critical to the long-term success of an organization. • A fire needs fuel, oxygen, and high temperatures for the chemical combustion to occur. • If any of these are removed, fire will not continue.

  44. Water • Water-based fire suppression systems are primarily used to address and control structural fires. • Water damages electronic items.

  45. Halon • Halon-based fire suppression systems • Halon interferes with the combustion in a fire. • It mixes quickly with the air in a room and does not cause harm to computer systems. • It is dangerous to humans, especially when subjected to extreme temperatures (fire). It can degrade into toxic chemicals. • It is linked with ozone depletion. • Halon is not allowed in new suppression systems.

  46. Clean Agent • Clean-Agent Fire Suppression Systems • Carbon dioxide (CO2) extinguishers attack all the three necessary elements for fire to occur. • CO2 displaces oxygen so that the amount of oxygen remaining is insufficient to sustain the fire. • It provides cooling in the fire zone and reduces the concentration of “gasified” fuel.

  47. Clean Agent • Clean-Agent Fire Suppression Systems • Argon extinguishes fire by lowering the oxygen concentration below the 15 percent required for items to burn. • Argon systems reduce the oxygen content to about 12.5 percent.

  48. Clean Agent • Clean-Agent Fire Suppression Systems • Inergen is composed of three gases: 52 percent nitrogen, 40 percent argon, and 8 percent carbon dioxide. • Like argon systems, Inergen systems reduce the level of oxygen to about 12.5 percent, which is sufficient for human safety but not sufficient to sustain a fire.

  49. Clean Agent • FE-13, or trifluoromethane, was developed as a chemical refrigerant. • It suppresses fire by raising the total heat capacity of the environment. • FE-13 is gaseous and leaves no residue to harm equipment. It is safe to use in occupied areas.

  50. Hand-held Fire Extinguishers • Hand-held fire extinguishers: • Can be used if a fire is caught and contained before automatic systems discharge. • Result in significant savings in time and equipment costs (including the recharging of the automatic system). • Are commonly used in offices.

More Related