Chapter 3: Operational and Organizational Security
PRINCIPLES OF NETWORKING SECURITY
CHAPTERS 3 & 4
Matt Lavoie
NST281-01
CHAPTER 3: OPERATIONAL AND ORGANIZATIONAL SECURITY
Security in Your Organization
Policy: A high-level, broad statement of what the organization wants to accomplish
Procedure: The step-by-step method to implement a policy
Standards: Mandatory elements of implementing a policy
Guidelines: Recommendations related to a policy
Security in Your Organization
Policy Lifecycle:
Plan
Implement
Monitor
Evaluate
Establish a security perimeter
Physical Security
Mechanisms to restrict physical access to computers and networks
Locks (combination/biometric/keyed)
Video surveillance, logs, guards
A room has six sides
Physical barriers (gates/walls, man-traps, open space)
Environmental Issues
HVAC Systems: Climate control
UPS/Generators: Power failure
Fire Protection: Detect/suppress
Off-Site Backups: Bad stuff happens
Other Issues
Wireless: Wi-Fi / Cellular / Bluetooth
Electromagnetic Eavesdropping: TEMPEST
Location: Bury the sensitive stuff
CHAPTER 4: THE ROLE OF PEOPLE IN SECURITY
Social Engineering
Making people talk: Questions, emotions, weaknesses
Obtaining insider info (or having it): Knowledge of security procedures
Phishing
Impersonation
Social Engineering
Vishing: Trust in voice technology (VoIP, POTS)
Shoulder surfing: Observation for passcodes, PINs, etc.
Reverse social engineering: Victim initiates contact
Poor Security Practices
Password selection: Too short, not complicated, easy to guess, based on information about a person
Password policies: Can encourage bad behavior (rules that are hard to comply with push users to write passwords down or to use predictable patterns)
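The password points on this slide (too short, not complicated, easy to guess, built from personal information, and a class-counting policy that is satisfied by predictable substitutions) as an added Python example. This is not code from the slides or the course; the common-password set, the employee record and the candidate passwords are constructed for illustration, and a real deployment would load a breached-password corpus instead of the small set shown here.

```python
"""Password checks for the weaknesses listed on the slide: too short, not
complicated, easy to guess, built from personal information, and the way a
character-class-only policy is satisfied by predictable substitutions."""
import math
import re

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment would load something like the Have I Been Pwned corpus instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common "leet" substitutions that a class-counting policy rewards.
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Undo leet substitutions and case so P@ssw0rd compares as password."""
    return password.translate(LEET_TABLE).lower()


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: log2(charset ** length).
    Real guessers use wordlists and mangling rules, so this is optimistic,
    which is why the dictionary and personal-info checks below exist."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str, personal_info=(), min_length: int = 12,
                   min_bits: float = 60.0) -> list:
    """Return the list of problems found; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if entropy_bits(password) < min_bits:
        problems.append("not complicated")

    # "Easy to guess": a dictionary word, even after P@ssw0rd-style tweaks
    # or a trailing "1!" tacked on to satisfy a policy.
    normalized = normalize(password)
    stem = normalize(re.sub(r"[^A-Za-z]+$", "", password))
    if normalized in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("easy to guess")

    # "Information on a person": names, birth years, pets, etc.
    lowered = password.lower()
    for item in personal_info:
        needle = item.lower()
        if len(needle) >= 3 and (needle in lowered or needle in normalized):
            problems.append(f"contains personal info ({item})")
    return problems


if __name__ == "__main__":
    # Constructed employee record and candidate passwords.
    info = ["Alice", "Smith", "1985", "Rex"]
    for candidate in ["P@ssw0rd1!", "Smith1985!", "aaaaaaaaaaaa",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, info) or 'OK'}")
```

Note that "P@ssw0rd1!" satisfies every character-class rule a typical policy counts, yet it is flagged as easy to guess once the substitutions are undone; the long lowercase passphrase passes with far more entropy than any of the short "complex" candidates, which is the point behind policies encouraging bad behavior.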
Poor Security Practices
Same password, multiple accounts: One compromise exposes all of them
Piggybacking: Following an authorized person through controlled access points
Dumpster Diving: Sensitive information discarded in the trash
Poor Security Practices
Installing software/hardware: Backdoors, rogue access points
Physical access by non-employees: Control who gets in
Pizza and flowers: Apparently legitimate access, nefarious intentions
People as a Security Tool
Security Awareness: Training/refreshers
Be alert; don't stick your head in the sand
Individual User Responsibilities: Keep secure material secure
What Have We Learned?
In a properly secured environment, people are the weakest link
A system an attacker has physical access to is a compromised system
Questions and Answers