1 / 32

JCC Elementary System/Application Domain

silver. consulting. JCC Elementary System/Application Domain. Alex Wehn Jacklyn Truong Nick Poczynek. silver. consulting. System/Application Domain. Consists of mission-critical systems, applications, and data Common threat targets Desktop OSs Server and Network OSs

maj
Download Presentation

JCC Elementary System/Application Domain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. silver consulting JCC ElementarySystem/Application Domain Alex Wehn Jacklyn Truong Nick Poczynek silver consulting

  2. System/Application Domain • Consists of mission-critical systems, applications, and data • Common threat targets • Desktop OSs • Server and Network OSs • E-mail applications and servers • Enterprise Resource Planning applications and systems • Web browsers silver consulting

  3. Common Vulnerabilities • Unauthorized physical or logical access to resources • Weaknesses in server operating system or application software • Data loss from errors, failures, or disasters • Threat types • Denial or destruction • Alteration • Disclosure silver consulting

  4. Unauthorized Physical Access • Gaining access to a physical entity or area without permission from an administrative figure • Computer rooms • Data centers • Wiring closets • Physical data in transit silver consulting

  5. Unauthorized Physical Access • Examples • Poor security • Unlocked doors • Unguarded areas • No badge access required • Carelessness • Social engineering • Impersonation to gain access • Impersonation to gain access to someone/something with authorized access silver consulting

  6. Unauthorized Physical Access • Why is it bad? • Sensitive systems could be destroyed • Sensitive data stored on these systems could be stolen, altered, or destroyed silver consulting

  7. Unauthorized Physical Access • Mitigation • Policies • Escort all guests • Standards • Secure areas containing sensitive systems • Lock doors • Security guard assigned to each secured area • Procedures • RFID badge access to secure areas • Check-in with valid ID badge • Guidelines • Report suspicious activities • Lock drawers before leaving your desk silver consulting

  8. Unauthorized Logical Access • Gaining access to data without permission from an administrative figure • Human resources and payroll • Accounting and financial • Student and parent information • Medical • Grades • Private information silver consulting

  9. Unauthorized Logical Access • Examples • Individuals have access to information unnecessary for their position in the workplace • Non-payroll staff has access to all private employee information • Attacker gains access to systems • Obtains unencrypted financial information silver consulting

  10. Unauthorized Logical Access • Why is it bad? • Staff with access to unnecessary data could accidently alter or destroy said data • Attackers can destroy, alter, and/or disclose information if they can gain access to our systems • Deny access to important information silver consulting

  11. Unauthorized Logical Access • Mitigation • Encryption • Classify data and roles • Certain roles are allowed to access only certain data • Second-level authentication • Data handling standards • Do not store sensitive information on a personal thumb drive • Encrypt e-mails • Do not unnecessarily disclose information silver consulting

  12. Software Vulnerabilities • A flaw that exists in the programming of a software component or system that allows a malicious attacker to gain unauthorized access to that system through an exploit. • Malware is malicious software that is capable of taking advantages of flaws in software and/or users in order compromise a software application. silver consulting

  13. Software Vulnerabilities • Vulnerabilities are often found in commonly used software: • Adobe Reader • Adobe Flash • Oracle Java • Microsoft Office • Microsoft Windows • Software built in-house is not immune to vulnerabilities. silver consulting

  14. Software Vulnerabilities • Why is it bad? • Gives attackers an entry point into your system • Many remain undetected until they are actively exploited • Sometimes user awareness isn't good enough • Can be less targeted than other types of attacks silver consulting

  15. Software Vulnerabilities • Mitigation • User Awareness • System Administrator Awareness • Software Updates • Good Security Policy • Antivirus Software silver consulting

  16. Server Vulnerabilities • Server Vulnerabilities are vulnerabilities that occur in software that exists on a server, rather than a user workstation • Server vulnerabilities may be similar to software vulnerabilities, but server vulnerabilities will require little to no user intervention to be exploited. silver consulting

  17. Server Vulnerabilities • Examples • Server Operating System Vulnerabilities • Server Software Vulnerabilities • Service Software (FTP, Apache, PHP .NET) • Additional Software Vulnerabilities • Security Software Vulnerabilities (Firewalls, Antivirus) silver consulting

  18. Server Vulnerabilities • Why is it bad? • Servers will generally have more access to sensitive information, therefore the impact of server vulnerabilities is much higher • Servers are not as carefully monitored as user workstations, allowing suspicious behavior to go unnoticed for extended periods of time • Many servers have services that are intentionally exposed to the internet, making them much easier to attack. silver consulting

  19. Server Vulnerabilities • Mitigation • Plan • Configure • Careful/Minimal System Configuration • Maintain • Software Updates • Monitor for suspicious behavior • Improve • Security Policy silver consulting

  20. Data Loss • What is "data"? • E-mails • Grades • Calendars and event schedules • Payroll and employee records • Curriculum • We deal with important data every day • Teachers - imagine losing all of your course materials • Loss of data is one of computing's biggest threats silver consulting

  21. Data Loss • How do we prevent data loss? • Backups • "A copy of a file or directory stored on a separate device" • Must be performed frequently to be more useful • Backups should be physically separated silver consulting

  22. Data Loss There are three main types of backups: • Full • Performed least often • Bit-for-bit replica of a disk or partition • Differential • Stores all data that has changed since the last full backup • If differential backups become large, a new full image is needed • Incremental • Backs up new or modified files • Fast, provides a comprehensive revision history silver consulting

  23. Data Loss • Common Backup Mistakes • Backups should be verified • What happens if you restore data from a backup that was corrupted? • Not separating applications and data • System images should be available in case you need to reinstall your OS and applications • User data can then be grabbed as needed • Some data is more static than other data • Performing backups infrequently • If your most recent backup was over a week ago, what would you lose? silver consulting

  24. Data Loss • Common Vulnerabilities • Hardware failure • When computer systems fail, we rely on backups and redundancy • Natural disasters • Our backups need to be physically separated to avoid complete data loss by fires and natural disasters • System errors • System crashes can occur during data transfers silver consulting

  25. Data Loss • Working at a school presents additional data-related concerns • FERPA • Academic records are closely controlled under federal law • Negligence in protecting this data presents legal issues • HIPAA • We may be required to store and protect health information for students, faculty, and staff silver consulting

  26. Data Loss • Be prepared • Business Continuity Plan (BCP) • Conduct a business impact analysis to decide which computer uses are most important • Determine how long it will take to recover and make these uses available (RTO) • Prepare the BCP to focus on the most important uses for work to continue • Disaster Recovery Plan (DRP) • Prepare DRP based on BCP • Start DRP for most important systems first • Organize a DRP team and remote data center silver consulting

  27. Data Loss • Be aware of backup procedures and policies • After a certain period, backups must be transferred to a more permanent storage format silver consulting

  28. Data Loss How is data recovered? • A data recovery policy is put in place • An electronic form is available to document the incident • The help desk creates a ticket and gathers required information • The requested data is accessedfrom the archives • If recovery is successfully, it must be delivered • Can be transferred to requested disk location or emailed silver consulting

  29. Data Loss Data recovery, cont. • Keep in mind that recovery speed may vary based on the age of the requested file • Recovery from older tape archives can take a long time • Recovery from yesterday’s incremental backup can be almost immediate silver consulting

  30. Reducing Risks • Physically secure areas containing sensitive systems • Implement encryption and data handling standards • Minimize data access • Backup data • Develop a BCP and DRP • Be aware of all applications on the network • Plan, configure, maintain, and improve network servers • Develop and implement standards • Read and understand your provided Acceptable Use Policy silver consulting

  31. What if I Need Help? • Call the Help Desk! • Report suspected IT policy violations to your supervisors • For help with production systems and uses • Contact the Director of System and Applications or the Director of Software Development • For help with system/application domain security policies, standards, procedures, and guidelines • Contact the Director of IT Security

  32. Questions? silver consulting

More Related