Lesson 3 - Operational/Organizational Security
Background • Prevention technologies prevent unauthorized individuals from gaining access to systems or data. • In an operational environment, prevention is difficult. • Relying on prevention technologies alone is not sufficient.
Background • Prevention technologies are static. • They are put in place and generally left alone. • Detection and response technologies are dynamic. • They acknowledge that security is an ongoing process.
Background • The first presentation introduced the operational model of computer security. • The model described the various components of computer security and network security. • The operational model of computer security stated that: • Protection = Prevention + (Detection + Response). • This presentation addresses the operational and organizational issues surrounding computer security and network security.
Objectives • Upon completion of this lesson, the learner will be able to: • Describe the various operational aspects to security in an organization. • Describe the physical security components used to protect computers and networks. • Explain how social engineering is used as a means to gain access to computers and networks and how an organization should deal with social engineering.
Objectives • Upon completion of this lesson, the learner will be able to (continued): • Explain how the growing use of wireless cellular technology has impacted data transmission and how factors such as location affect our ability to secure it. • Describe how the use of shielding technology can prevent disclosure through electronic emanations. • Describe various fire suppression systems designed to limit the damage caused by fires.
Security Operations • Policies • Procedures • Standards • Guidelines
Policies • Policies are: • High-level, broad statements of what the organization wants to accomplish. • Made by management to lay out the organization's position on an issue.
Standards • Standards are: • Mandatory elements regarding the implementation of a policy. • Accepted specifications of specific details on how a policy is to be implemented or enforced.
Guidelines • Guidelines are: • Recommendations relating to a policy. • Not mandatory.
Procedures • Procedures are step-by-step instructions on how to implement policies in an organization. • They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.
Policy Changes • As the network constantly changes, the policies, procedures, and guidelines should be periodically evaluated and changed if necessary. • The constant monitoring of the network and the periodic review of the relevant documents are part of the operational model. • When applied to policies, this process results in the policy life cycle.
Policy Life Cycle • The four steps of the policy life cycle are: • Plan (Adjust) • Implement • Monitor • Evaluate
Plan (Adjust) • In the planning and adjustment phase: • The organization develops the policies, procedures, and guidelines that will be implemented. • It designs the security components that will protect the network.
Implement • Implementation of any policy, procedure, or guideline requires an instruction period to inform users about its contents.
Monitor • Constant monitoring ensures that hardware and software, policies, procedures, and guidelines are effective in securing the systems.
Evaluate • Evaluating the effectiveness of security includes a vulnerability assessment and a penetration test of the system to confirm that security meets expectations. • After evaluating the organization's security posture, the process restarts at step one, this time adjusting the security mechanisms that are in place. • Evaluation is a continuous process.
Intrusion Detection System (IDS) • An intrusion detection system is often a part of the security perimeter for the organization. • The IDS may be placed on the inside of the firewall, or the outside, or on both sides. • The specific location depends upon what a company is more concerned about (the insider threat or external threats).
Corporate Network • Beyond this security perimeter is the corporate network. • This is a simple depiction. • An actual network may have numerous subnets and extranets.
More Complex Networks • Organizations may have a telephone network connected to the public switched telephone network (PSTN), which is the phone company. • The organization may have authorized modems. • However, the potential exists for unauthorized modems, and hence the telephone network must be considered as a source of access for the network.
Examine Sources of Attacks • When considering the policies, procedures, and guidelines to implement security for the organization, both the data network and the telephone network need to be considered. • The biggest danger to any organization is from insiders rather than from external attackers. • Insiders can include a disgruntled employee who has physical access to the facility. • An attacker with physical access to an office can find the information needed to access computer systems and the network.
Physical Security • All mechanisms used to ensure that physical access to computer systems and networks is restricted to authorized users. • Access from all six sides of a room (four walls, floor, and ceiling) must be considered. • The security of obvious points of entry such as doors and windows should be examined. • Even floors and ceilings should be scrutinized for possible access points.
Access Controls • Physical access control is similar to computer and network access controls where access is restricted to the authorized. • Physical access controls can be based on: • Something that individuals have (key). • Something that they know (the combination). • Something that they are (biometrics).
Locks • A lock is the most common physical access control device. • Combination locks represent an access control device that depends upon something the individual knows (the combination). • Combinations do not require any extra hardware, but they must be remembered (which means individuals may write them down, which is a security vulnerability in itself) and are hard to control.
Key Locks • Locks with keys depend on something the individual has (the key). • Key locks are simple and easy to use, but the key may be lost. • If the key is lost, a duplicate key has to be made or the lock has to be re-keyed. • Keys may also be copied and can be hard to control.
Modern Locks • Newer locks replace the traditional key with a card that must be passed through a reader or placed against it. • The individual may also have to provide a personal access code, thus making this form of access both a something-you-know and something-you-have method. • In addition to locks on doors, other common physical security devices include video surveillance and even simpler access control logs (sign-in logs).
Access Control Logs • Sign-in logs do not provide an actual barrier. • They provide a record of access. • When used in conjunction with a guard who verifies an individual's identity, they dissuade potential adversaries from attempting to gain access to a facility.
Other Access Control Mechanisms • Another common access control mechanism is a human security guard. • Guards provide an extra level of examination of individuals who want to gain access. • Security guards can counter piggybacking (following an authorized person through a door without presenting credentials).
Biometrics • Biometrics: • Uses something unique about the individual. • Does not rely on an individual to remember something or to have something. • Is a sophisticated access control approach and is also more expensive. • Can control access to computer systems, networks, and physical access control devices.
Biometrics • Biometrics provides an additional layer of security. • Biometrics is normally used in conjunction with another method. • Biometric devices are not 100 percent accurate and may allow access to unauthorized individuals (false acceptance) or deny access to authorized ones (false rejection).
Weaknesses of Authentication • All forms of authentication have weaknesses that can be exploited. • For this reason, "strong authentication" or "two-factor authentication" should be used. • These methods use two of the three different types of authentication (something the user has, knows, or is) to provide two independent checks.
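The slide describes two-factor authentication in terms of physical access (card plus PIN). The following is an added example, not code from the lesson, showing the same idea for a computer login: a PIN (something the user knows) stored as a salted PBKDF2 hash, combined with a one-time code from a hardware or phone token (something the user has) computed per RFC 4226 (HOTP) and RFC 6238 (TOTP). The user name "alice", the PIN "4821" and the audit log are constructed for the demo; the token secret is the RFC test-vector key so the codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo values. TOKEN_SECRET is the RFC 4226 / RFC 6238
# test-vector key ("12345678901234567890"), chosen so the expected codes
# can be verified against the tables in those RFCs.
TOKEN_SECRET = b"12345678901234567890"
TIME_STEP = 30   # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1       # accept one step before/after "now" to tolerate clock drift
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // TIME_STEP))


def make_pin_record(pin: str) -> dict:
    """Store the PIN salted and stretched, never in clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_pin(record: dict, pin: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def verify_token(secret: bytes, code: str, at: float) -> bool:
    """Accept the code for the current step or one step either side."""
    step = int(at // TIME_STEP)
    # Counters must be non-negative for the 8-byte unsigned packing.
    for c in range(max(step - WINDOW, 0), step + WINDOW + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


# Constructed user database: one user with a PIN and an enrolled token.
USERS = {
    "alice": {"pin": make_pin_record("4821"), "token": TOKEN_SECRET},
}
# Dummy record so unknown users go through the same work as real ones.
_DUMMY = {"pin": make_pin_record("0000"), "token": os.urandom(20)}
AUDIT_LOG = []


def authenticate(user: str, pin: str, code: str, at=None) -> bool:
    """Grant access only if BOTH factors check out. Both factors are always
    evaluated and a single generic result is recorded, so the caller cannot
    learn which factor was wrong (or whether the user exists)."""
    at = time.time() if at is None else at
    known = user in USERS
    rec = USERS.get(user, _DUMMY)
    pin_ok = verify_pin(rec["pin"], pin)
    token_ok = verify_token(rec["token"], code, at)
    granted = known and pin_ok and token_ok
    AUDIT_LOG.append({"user": user, "time": int(at),
                      "result": "granted" if granted else "denied"})
    return granted


if __name__ == "__main__":
    now = time.time()
    print(authenticate("alice", "4821", totp(TOKEN_SECRET, now), now))
    print(AUDIT_LOG[-1])
```

The one-time code changes every 30 seconds and is derived from a secret that never leaves the token, so a PIN captured by shoulder surfing or a code read off a screen is useless on its own; the attacker needs both. The audit log entry plays the role of the sign-in log on the next slide: it does not block anything, but it records every attempt.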
Physical Barriers • Physical barriers help implement the physical-world equivalent of layered security. • The outermost layer of physical security contains the public activities. • An individual progresses through the layers. • The barriers and security mechanisms should become less public to make it more difficult for observers to determine what mechanisms are in place.
Physical Barriers • Signs are also an important element in security, as they announce to the public what areas are public and which are private. • In addition to walls and fences, open space can also serve as a barrier. • Consider the use of large areas of open space. • An intruder must cross this open space which takes time. • During this time their presence may be discovered and hence they are vulnerable.
Social Engineering • Social engineering takes advantage of humans, the weakest link in the security chain. • Individuals attempting to social-engineer a piece of information rely on two aspects of human nature. • First, people generally want to help somebody who is requesting help. • Second, people generally want to avoid confrontation.
Social Engineering • The goal of social engineering is to obtain the pieces of information necessary to reach the next step. • This is done repeatedly until the ultimate goal is reached.
Halting Social Engineering • The most effective means to stop social engineering is through the training and education of users, administrators, and security personnel.
Stopping Social Engineering • To stop social engineering, employees should: • Recognize the type of information that should be protected. • Recognize how seemingly unimportant information may be combined with other information to divulge sensitive information (also known as data aggregation).
Environment • Environmental issues include items such as heating, ventilation, air conditioning (HVAC) systems, electrical power, and the “environments of nature.”
HVAC • HVAC systems are often computer-controlled and provide remote access via telephone connections. • These connections should be protected in the same manner as dial-up modems on computers; otherwise attackers may locate them and change the HVAC settings for an office or building.
Power and UPS • Electrical power is essential for computer systems and networks. • Electrical power is subject to momentary surges and disruption. • Surge protectors protect sensitive electronic equipment from fluctuations in voltage. • Uninterruptible Power Supply (UPS) should be considered for critical systems so that a loss of power will not halt processing.
Natural Disasters • Storms and floods require devices that sense water in a facility to warn of pending problems. • Frequent hurricanes, earthquakes, and tornadoes in an area require reinforced facilities to protect important processing equipment. • All of these provide reasons for having an active program to ensure frequent backup of critical data and off-site storage.
Off-Site Storage • Having off-site storage limits the chance that a natural disaster affecting one area will result in the total loss of the organization's critical data. • When considering backup and contingency plans, it is also important to consider backup processing locations in case a disaster not only destroys the data at the organization's primary site but all processing equipment as well.
Fire Suppression • According to the Fire Suppression Systems Association: • Forty-three percent of businesses closed as a result of fire never reopen. • Twenty-nine percent will fail within three years of the event. • The ability to respond to a fire quickly and effectively is critical to the long-term success of an organization. • A fire needs fuel, oxygen, and heat (high temperature) for combustion to occur. • If any one of these is removed, the fire will not continue.
Water • Water-based fire suppression systems are primarily used to address and control structural fires. • Water damages electronic items.
Halon • Halon-based fire suppression systems • Halon interferes with the chemical chain reaction of combustion. • It mixes quickly with the air in a room and does not harm computer systems. • It is dangerous to humans, especially when exposed to the extreme temperatures of a fire, where it can degrade into toxic chemicals. • It is linked with ozone depletion. • Halon is not allowed in new suppression systems.
Clean Agent • Clean-Agent Fire Suppression Systems • Carbon dioxide (CO2) extinguishers attack all three of the elements necessary for fire. • CO2 displaces oxygen so that the amount of oxygen remaining is insufficient to sustain the fire. • It provides cooling in the fire zone and reduces the concentration of "gasified" fuel.
Clean Agent • Clean-Agent Fire Suppression Systems • Argon extinguishes fire by lowering the oxygen concentration below the 15 percent required for items to burn. • Argon systems reduce the oxygen content to about 12.5 percent.
Clean Agent • Clean-Agent Fire Suppression Systems • Inergen is composed of three gases: 52 percent nitrogen, 40 percent argon, and 8 percent carbon dioxide. • Like argon systems, Inergen systems reduce the level of oxygen to about 12.5 percent, which is sufficient for human safety but not sufficient to sustain a fire.
Clean Agent • FE-13, or trifluoromethane, was developed as a chemical refrigerant. • It suppresses fire by raising the total heat capacity of the environment. • FE-13 is gaseous and leaves no residue to harm equipment. It is safe to use in occupied areas.
Hand-held Fire Extinguishers • Hand-held fire extinguishers: • Can be used if a fire is caught and contained before automatic systems discharge. • Result in significant savings in time and equipment costs (including the recharging of the automatic system). • Are commonly used in offices.