
Chapter 2 Organizational/Operational Security

Chapter 2 Organizational/Operational Security. The Role of People in Security. This presentation discusses: The human element and the role that people play in security. User practices that help in securing an organization. Vulnerabilities that users can introduce. Background.





Presentation Transcript


1. Chapter 2 Organizational/Operational Security

2. The Role of People in Security
• This presentation discusses:
• The human element and the role that people play in security.
• User practices that help in securing an organization.
• Vulnerabilities that users can introduce.

3. Background
• The operational model of computer security acknowledges that absolute protection of computer systems and networks is not possible.
• People need to be prepared to detect and respond to attacks that were able to circumvent the security mechanisms.

4. Background
• Technology alone will not solve the security problem.
• No matter how advanced the technology is, it will ultimately be deployed in an environment where humans exist.
• The human element is the biggest problem in security.

5. Background
• It is difficult to compensate for all the ways humans can deliberately or accidentally cause security problems or circumvent security mechanisms.
• Despite the technology, security procedures, and security training provided, some people will not do what they are supposed to, and will create vulnerabilities in an organization's security posture.

6. Objectives
• Upon completion of this lesson, the learner will be able to:
• Define basic terminology associated with social engineering.
• Describe a number of poor security practices that may put an organization's information at risk.
• Describe methods attackers may use to gain information about an organization.
• List and describe ways in which users can aid rather than detract from security.

7. People
• Prevention technologies are not sufficient, since every network and computer system has at least one human user.
• A significant portion of the security problems that humans cause result from poor security practices.

8. Password Selection
• Computer intruders rely on poor passwords to gain unauthorized access to a system or network.

9. Passwords
• Password problems:
• Users choose passwords that are easy to remember and often choose the same sequence of characters as their user IDs.
• Users also frequently select names of family members, their pets, or their favorite sports team as their passwords.

10. Improving Passwords
• To complicate the attacker's job:
• Mix uppercase and lowercase characters.
• Include numbers and special characters in passwords.
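To make the advice of slides 9 and 10 concrete, here is a small password-policy check written for this page (it is an added example, not part of the original presentation). The minimum length and the list of "easy to remember" personal terms are assumptions for the example.

```python
"""Password-policy check modelled on slides 9 and 10 (added example, not from the deck).

Rules checked:
  * the password must not contain the user ID (slide 9)
  * it must not contain a term from a constructed list of personal names,
    pet names and sports teams (slide 9)
  * it must mix upper and lower case and include digits and special
    characters (slide 10)
"""
import string

MIN_LENGTH = 12  # assumption: the slides do not state a minimum length

# Constructed sample of the predictable choices slide 9 warns about.
PERSONAL_TERMS = {"fluffy", "rex", "yankees", "lakers", "smith", "jones"}


def password_violations(user_id: str, password: str) -> list[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    violations = []
    pw_lower = password.lower()
    uid_lower = user_id.lower()

    if len(password) < MIN_LENGTH:
        violations.append("too short")
    # Case-insensitive substring test catches 'jsmith2019!' as well as 'jsmith'.
    if uid_lower and uid_lower in pw_lower:
        violations.append("contains user ID")
    # Substring test so that appending digits or punctuation does not help.
    if any(term in pw_lower for term in PERSONAL_TERMS):
        violations.append("contains a common personal term")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


if __name__ == "__main__":
    for candidate in ("jsmith", "Fluffy2019!", "correcthorsebattery", "Tr0ub4dor&3xample"):
        print(f"{candidate!r}: {password_violations('jsmith', candidate) or 'OK'}")
```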

11. Policy
• Organizations have instituted additional policies and rules relating to password selection to complicate an attacker's effort.
• Organizations may require users to change their passwords frequently.
• This means that if an attacker is able to guess a password, it is valid only for a limited time before the attacker is locked out.

12. Notes on the Monitor
• Another password-selection policy or rule adopted by organizations is that passwords should not be written down.
• To make passwords more difficult for attackers to guess, users need to change them frequently.

13. Increasing Problem
• Users frequently use the same password for all their accounts on many systems.
• If one account is compromised, all the other accounts are then also vulnerable to attack.

14. PINs
• Most people have at least one Personal Identification Number (PIN).
• PINs are used for things such as automated teller machine cards or as security codes to gain physical access to a room.
• Users invariably select numbers that are easy to remember.

15. Human Attacks
• Piggybacking and shoulder surfing
• Dumpster diving
• Installing unauthorized hardware and software
• Access by non-employees
• Social engineering
• Reverse social engineering

16. Piggybacking and Shoulder Surfing
• Piggybacking is the tactic of closely following a person who has just used an access card or PIN to gain physical access to a room or building.
• In security, piggybacking refers to a person tagging along with another person who is authorized to enter a restricted area or pass a certain checkpoint.
• What is a piggybacking attack on your computer system? The term is also used informally for a very large group of computers in a network sending large amounts of data to your computer, and for stealing Wi-Fi from an unprotected network.
• How does someone "piggyback" on another person's wireless connection? They need to know the access code, be able to log in while security is switched off for a few seconds at the hub, or find a nearby connection that has no security enabled.

17. Shoulder Surfing
• Shoulder surfing is a procedure in which attackers position themselves so as to be able to observe the authorized user entering the correct access code.

18. Dumpster Diving
• Attackers need some information before launching an attack.
• A common way to find this information is to go through the target's trash.
• This process of going through a target's trash is known as dumpster diving.

19. Dumpster Diving
• If the attackers are fortunate and the target's security procedures are very poor, attackers may find user IDs and passwords.
• Manuals for purchased hardware or software may also provide a clue as to what vulnerabilities might be present on the target's computer systems and networks.

20. Unauthorized Hardware and Software
• Organizations should have a policy that restricts normal users from installing software and hardware on their systems.
• Communication software and a modem may allow individuals to connect to their machines at work from a modem at home.
• This creates a backdoor into the network and can circumvent all the other security mechanisms.
• There are numerous small programs that can be downloaded from the Internet.
• Users cannot always be sure where the software originally came from and what may be hidden inside it.

21. E-Mail
• The actions that received e-mail messages can trigger can be restricted.
• This helps prevent users from executing a hostile program that was sent as part of a worm or virus.

22. Access by Non-employees
• If an attacker gains access to a facility, there is a good chance of obtaining enough information to penetrate computer systems and networks.
• Many organizations require employees to wear identification badges at work.
• This method is easy to implement and may be a deterrent to unauthorized individuals.
• It also requires that employees challenge individuals who are not wearing identification badges.

23. Access by Non-employees
• One should examine who has legitimate access to a facility.
• Non-employees may not have the same regard for the organization's intellectual property rights that employees have.
• Contractors, consultants, and partners frequently have not only physical access to the facility but also network access.
• Nighttime custodial crew members and security guards have unrestricted access to the facility when no one else is around.

24. Social Engineering
• Using social engineering, the attacker uses deception to:
• Obtain privileged information.
• Convince the target to do something that they normally would not.

25. Social Engineering
• Social engineering is successful for two reasons.
• The first is the basic human tendency to be helpful.
• The second is that individuals normally seek to avoid confrontation and trouble.
