Risk Control Strategies And Physical Security


Risk Control Strategies and Physical Security
By William Gillette
Top 10 Security Mistakes
1. The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
2. Leaving unattended computers on.
3. Opening email from strangers ("I Love You" virus).
4. Poor password selection. The vice president of IT at General Dynamics Corp. attended a demonstration with about 20 of his top engineers and some anti-hacking experts from NASA. Within 30 minutes, the NASA folks broke 60% of the engineers' passwords. A good example is: "I pledge allegiance to the flag" becomes "ipa2tf."
5. Laptops have legs (physical security).
6. Loose lips sink ships: people talk about passwords.
7. Plug and Play (technology that enables hardware devices to be installed and configured without protection).
8. Unreported security violations.
9. Behind the times in terms of patches.
10. Not watching for dangers within your own organization.

Types of Risk Control Strategies
• Avoidance
• Transference
• Mitigation
• Acceptance
Quick Review
Risk Avoidance
• Defined:
– A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities.
• This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely.
• Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.

Methods of Risk Avoidance
• Avoidance through application of policy.
• Avoidance through application of training and education.
• Avoidance through application of technology.

Risk Transference
• Defined:
– A control approach that attempts to shift the risk to other assets, other processes, or other organizations.
• This is accomplished through rethinking/reengineering services, revising development models, outsourcing to other organizations, or implementing service contracts.
• A common choice for larger companies.

Risk Transference
• Advantages of outsourcing:
– The outsourcing company focuses its energy and resources on its expertise.
– Allows the parent company to concentrate on the business it knows. Example: Kodak.
• Disadvantages:
– Costs tend to be high for these services, and they require very detailed legal contracts to guarantee service and recovery.

Risk Mitigation
• Defined:
– A control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
• Three types of plans:
– Disaster recovery plan
– Incident response plan
– Business continuity plan
• Each of these strategies depends on the ability to detect and respond to an attack as quickly as possible. All mitigation strategies start with early detection.

Disaster Recovery Plan
• Defined:
– Preparations for recovery should a disaster occur; strategies to limit losses before and during disasters; step-by-step instructions to regain normalcy. (This is the most common of the mitigation procedures.)
• Examples:
– Procedures to recover lost data (data/media backup).
– Procedures for the reestablishment of lost services.
– Procedures to protect currently available assets (shut down).
• When it's deployed:
– Immediately after the incident is labeled a disaster.
• Time frame:
– Short-term recovery.

Incident Response Plan
• Defined:
– Actions an organization takes during an attack; IRPs are predefined, specific or ad hoc, and reactive.
– The "what do I do now!" as the attack or disaster unfolds.
• Examples:
– Information analysis, intelligence gathering, and a list of steps to be taken during an attack.
– Unauthorized copy example.
• When it's deployed:
– As the attack or disaster unfolds.
• Time frame:
– Immediate and real-time reaction.

Business Recovery Plan
• Defined:
– Steps to ensure continuation of the overall business when the scale of the disaster requires relocation.
• Examples:
– Preparation steps for the activation of a secondary data center.
– Establishment of a hot site in a remote location. Many companies have this service as a contingency against disastrous events.
• When it's deployed:
– After it has been determined that a disaster/attack affects the continuous operation of the organization.
• Time frame:
– Long-term recovery.

Acceptance
• Defined:
– In contrast to the other controls, acceptance is a method of doing nothing to protect a vulnerability and accepting the outcome of its exploitation.
• To use this control, the organization must have:
– Determined the level of risk
– Assessed the probability of attack
– Estimated the potential damage that could occur from attacks
– Performed a thorough cost-benefit analysis
– Taken into account the feasibility of other controls
– Decided whether particular functions/assets/data do not justify the cost of protection
[Flowchart: risk acceptance decision points]
1. Start: system/program as designed.
2. Is the system/program vulnerable? No: no risk. Yes: risk exists.
3. Is the system/program exploitable? No: no risk. Yes: continue.
4. Is the attacker's gain > cost? No: risk can be accepted. Yes: continue.
5. Is the expected loss > acceptable level? No: risk can be accepted. Yes: risk is unacceptable.
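The flowchart above is a decision procedure, and the acceptance checklist before it names its inputs (probability of attack, potential damage, cost-benefit). The Python below is an added example written for this page, not code from the slides or from the cited textbooks. The Assessment record, the decide and triage functions, the sample asset register, and the choice to compute expected loss as attack probability times potential damage are all this example's own assumptions; the slides state no formula.

```python
"""Risk-acceptance decision tree from the slide's flowchart (added example).
Assumed names and values are marked in comments."""
from dataclasses import dataclass
from typing import Dict, List

# Outcomes, named as the flowchart boxes name them.
NO_RISK = "No risk"
ACCEPTED = "Risk can be accepted"
UNACCEPTABLE = "Risk is unacceptable"


@dataclass
class Assessment:
    """One asset's inputs to the tree (assumed record layout).
    attack_probability is 0..1; money fields use any one consistent unit.
    expected_loss = probability * damage is this example's assumption,
    chosen because the acceptance checklist asks for both quantities."""
    asset: str
    vulnerable: bool
    exploitable: bool
    attacker_gain: float
    attack_cost: float
    attack_probability: float
    potential_damage: float
    acceptable_loss: float

    def expected_loss(self) -> float:
        return self.attack_probability * self.potential_damage


def decide(a: Assessment) -> str:
    """Walk the four decision points in flowchart order. Every 'No' branch
    terminates, so an asset that is not vulnerable or not exploitable never
    has its economic inputs consulted."""
    if not a.vulnerable:
        return NO_RISK
    # Risk exists from here on; next, is the vulnerability reachable?
    if not a.exploitable:
        return NO_RISK
    # No economic incentive: the attack is not expected to be attempted.
    if not a.attacker_gain > a.attack_cost:
        return ACCEPTED
    # Incentive exists: compare what we stand to lose with what we tolerate.
    if not a.expected_loss() > a.acceptable_loss:
        return ACCEPTED
    return UNACCEPTABLE


def triage(assessments: List[Assessment]) -> Dict[str, List[str]]:
    """Group asset names by outcome, so the unacceptable ones can be routed
    to avoidance, transference or mitigation instead of acceptance."""
    groups: Dict[str, List[str]] = {NO_RISK: [], ACCEPTED: [], UNACCEPTABLE: []}
    for a in assessments:
        groups[decide(a)].append(a.asset)
    return groups


# Constructed sample register: illustrative values, not taken from the slides.
SAMPLE = [
    Assessment("kiosk-internal", vulnerable=False, exploitable=False,
               attacker_gain=0, attack_cost=0, attack_probability=0.0,
               potential_damage=0, acceptable_loss=0),
    Assessment("tape-archive", vulnerable=True, exploitable=False,
               attacker_gain=50_000, attack_cost=1_000, attack_probability=0.2,
               potential_damage=200_000, acceptable_loss=10_000),
    Assessment("lobby-printer", vulnerable=True, exploitable=True,
               attacker_gain=100, attack_cost=5_000, attack_probability=0.5,
               potential_damage=300, acceptable_loss=1_000),
    Assessment("hr-fileshare", vulnerable=True, exploitable=True,
               attacker_gain=20_000, attack_cost=500, attack_probability=0.1,
               potential_damage=40_000, acceptable_loss=10_000),
    Assessment("payment-db", vulnerable=True, exploitable=True,
               attacker_gain=500_000, attack_cost=2_000, attack_probability=0.3,
               potential_damage=2_000_000, acceptable_loss=50_000),
]

if __name__ == "__main__":
    for outcome, assets in triage(SAMPLE).items():
        print(f"{outcome}: {', '.join(assets) or '-'}")
```

Only the assets that reach the last box need a different strategy; the tree deliberately stops asking questions as soon as a "No" branch is taken, which is why a register entry for a non-vulnerable asset can leave its economic fields blank.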
Categories of Controls
• Control function:
– Controls and safeguards designed to defend vulnerabilities through prevention or detection.
– Uses both technological protection (encryption) and enforcement measures (policies).
• Architectural layer:
– Controls applied to more than one layer of a system (for example, firewalls).
• Strategic:
– Controls that are specific to a risk control method.

Other Factors in Deciding a Risk Control Method
• Feasibility studies:
– Cost-benefit analysis
– Asset validation
– Organizational feasibility
– Technical feasibility

Physical Security
• Defined:
– Describes the protection needed outside a system/program.
• Typically, physical controls include ID cards, guards, locks, and cameras, but they can also include items to protect against disasters.

Types of Physical Security
• Access and control:
– Used to ward off the stick-figure bandit.
– Use of biometrics, smart cards, access door locks, mantraps, electronic monitoring, shredding, and guards.
• Natural disaster:
– Flood (both natural and unnatural), fire, power fluctuation, and so on.
– Use of raised floors, dedicated cooling, humidifiers for tape rooms, emergency lighting, electrical/non-H2O fire extinguishers, surge suppressors, emergency power shut-off, and an emergency replacement server/off-site system.