Security+ All-In-One Edition Chapter 1 – General Security


Security+ All-In-One Edition
Chapter 2 – Organizational Security
Brian E. Brzezicki
No security that is not designed
An organization cannot expect to be secure unless security is directed from the top down.
• Management must realize the need for security
• Management must create a security policy
• Management must empower the security team to design and enforce the security program
Policies, Standards, Guidelines and Procedures
A security program is implemented through procedures, standards and guidelines. These are all part of an organization's security plan. We will talk about each of these in the next few slides.
Due Care and Due Diligence (41)
Corporate policies, standards and guidelines help show and implement Due Diligence and Due Care.
Due Diligence – The idea that a company researches and attempts to understand the risk it faces. Risk analysis is a form of Due Diligence.
Due Care – Shows that a company makes reasonable efforts to minimize risk and protect the company's assets. Having policies, procedures and guidelines shows that a company is exercising Due Care.
Policy (27)
Policies – A high-level, non-specific, broad statement explaining the company's need for and commitment to security. Very much like a mission statement.
The corporate policy will be very non-specific; there will be system/issue-specific security policies that attempt to lay the security foundation for the organization.
• Example: Password Policies
• Example: Data Encryption Policies
Standards (27)
Standards – Mandatory elements regarding the implementation of a policy.
Example: All users will wear an ID badge when on the premises, and all employees will report any people who are not displaying an ID badge.
Guidelines (27)
Recommendations relating to or supporting a policy, when no specific standard or rule exists.
• Example: When dealing with customer information you must do your utmost to protect the confidentiality of the information.
Procedures (27)
Specific step-by-step actions relating to implementing part of a policy.
• Example: There are often written procedures on how to install and configure a new desktop computer that will be placed on the network.
Security Plan Lifecycle (28)
The policies, standards, guidelines and procedures will change as the company changes; it is a lifecycle:
1. Plan for security
2. Implement the plan
3. Monitor the implementation
4. Evaluate the effectiveness
5. Adjust and restart
Some Specific Types of Policies
• Information Classification Policies
• Acceptable Use Policies
• Internet Usage Policies
• Email Usage Policies
• Data Disposal Policies
• Password Policies
• Termination Policies
• Data Privacy Policies
These are just some examples of specific policies that give legs to a corporate security policy.
Human Resources
Human Resources (44)
Humans are the weakest link in computer security; what's more, we are the most prevalent part of an organization. There must be policies specific to HR practices. A few of these are very important.
Hiring Policies (44)
• Background Checks on ALL employees – why?
• Reference Checks – why?
• Education Checks – why?
• Employment Checks
• NDAs etc. MUST be signed.
• Non-Competes MUST be signed
Once hired, the employee should have an orientation, and all policies should be reviewed and signed.
Employment
• Periodic drug tests
• Periodic reviews
– Performance
– Permissions/Access reviews, especially during role changes – why?
– "Attitude" – why?
– If demoted, supervisors should be alerted to keep a close eye on the employee – why?
Termination (45)
An organization must take careful steps when an employee is leaving, either on their own or through firing/layoffs. Each situation may be different and may require evaluating
• Access to sensitive information
• Access to customers
• Access to systems and networks
(more)
Terminations
If an employee is being terminated they should
• Have access immediately revoked
• Return all access devices (key cards etc)
• Return all equipment
• Change passwords if necessary
• Not interact with other employees
• Be escorted out of the building
(more)
Termination
Either way, there should be written policies describing what procedures to follow for terminations, and there should always be an exit interview.
Separation of Duties / Mandatory Vacations (46)
HR should enact
• Separation of duties
• Job rotation
• Mandatory Vacations
These are discussed on the next slides.
Job Rotation (12)
Individuals rotate through various job responsibilities, such that no one person is solely responsible for something.
• Decreases the ability to commit fraud undetected.
• Decreases the chance that something could be seriously negatively affected if someone leaves the organization
• Decreases the ability of employees to "blackmail"
Mandatory Vacations
Mandatory Vacations (NB)
All employees are REQUIRED to take their vacation.
• Decreases the ability to commit fraud undetected. (main security reason)
• Decreases the chance that something could be seriously negatively affected if someone leaves the organization
Attacks that can be defended against well by policies and education
Social Engineering (34)
What is social engineering?
• Incredibly easy to exploit
• Often can trivially bypass advanced logical/technical security controls
• Takes advantage of a few things
– People are the weakest part of security
– People want to avoid confrontation
– People often don't think about security implications
– People are often untrained about computing and security
– A little knowledge here or there allows an attacker to "aggregate" knowledge and piece things together.
Phishing (35)
An attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity via email or instant messaging.
• Usually sends a link to a forged website
• Website looks just like the real website
• User is tricked into entering personal information
(more)
Phishing (35)
Signs of phishing
• Long website links with similar-looking names
• Poor grammar and spelling
Countermeasures
• Anti-phishing software
• Digital Certificates
• Have an organizational policy that you will never send emails requesting personal information
• User education (most effective)
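The two signs listed above (long links, and domains that merely resemble a trusted name) are the kind of heuristic anti-phishing software applies to every link in a message. The following is an added example written for these notes, not code from the book or the course; the brand table, the length threshold and the sample email are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: a brand name the organization expects to see,
# mapped to the one registrable domain that legitimately carries that brand.
TRUSTED_DOMAINS = {"examplebank": "examplebank.com"}
MAX_LINK_LENGTH = 75  # assumed threshold for "long website link"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message: a lookalike link next to the real site.
SAMPLE_EMAIL = """Dear customer, your account is lockd. Verify now at
http://examplebank.com.account-verify-center.net/login/session/9f8e7d6c5b4a3a2b1c0d/confirm
or visit https://examplebank.com/help for details."""


def registrable_domain(host):
    """Last two labels of a hostname (sufficient for .com-style TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(url):
    """Return the phishing signs found in one URL (empty list = none)."""
    signs = []
    host = (urlparse(url).hostname or "").lower()
    if len(url) > MAX_LINK_LENGTH:
        signs.append("long link")
    for brand, real_domain in TRUSTED_DOMAINS.items():
        # The brand appears in the host (often as a subdomain of something
        # else) but the registrable domain is not the real one.
        if brand in host and registrable_domain(host) != real_domain:
            signs.append(f"lookalike of {real_domain}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        signs.append("raw IP address as host")
    return signs


def scan_message(text):
    """Map every URL in a message body to the phishing signs it triggers."""
    return {url: check_link(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    for link, signs in scan_message(SAMPLE_EMAIL).items():
        print(link, "->", signs or "no signs")
```

The heuristic is deliberately simple: it will not catch a compromised legitimate site, which is why the slide ranks user education above any software control.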
Old School Phishing attack
A gentleman in one of my classes pointed out an old attack that I had forgotten about. One of the predecessors to modern phishing… 5-10 years ago people used to put up fake ATMs that would read and store your ATM numbers and PINs. After you swiped the card and put in your PIN you'd get a "system down" message… most people never would realize that they had their info stolen… this is a predecessor to modern phishing.
Vishing (36)
Phishing, but over the phone system (voice communications)
• Phone calls with spoofed Caller ID (easy to do with VoIP), or with a dedicated PRI line.
• Hacked voicemail systems
Shoulder Surfing (36)
What is this?
• May include advanced equipment such as cameras
Countermeasures
• Privacy screens
• User environmental awareness
Dumpster Diving? (37)
Anyone heard of Kevin Mitnick?
Countermeasures
• Have a corporate policy regarding data destruction
• Shred sensitive documents
• Lock and secure trash receptacles/areas
Chapter 2 – Review Questions
Q. What is the best countermeasure against phishing attacks?
Q. Why is a hoax still a security concern?
Q. Installing a camera to read credit card numbers at gas pumps is what type of attack?
Q. Does an Organization Security Policy Statement detail specifics such as how to properly encrypt data?
Chapter 2 – Review Questions
Q. What is the difference between Due Diligence and Due Care?
Q. What is the term for a set of "required steps to be taken" when doing some action?