Chapter 3: Operational and Organizational Security

PRINCIPLES OF NETWORKING SECURITY
CHAPTERS 3 & 4
Matt Lavoie
NST281-01

CHAPTER 3: OPERATIONAL AND ORGANIZATIONAL SECURITY
Security in Your Organization

Policy: A broad statement of accomplishment
Procedure: The step-by-step method to implement a policy
Standards: Mandatory elements of implementing a policy
Guidelines: Recommendations related to a policy
Security in Your Organization

Policy Lifecycle:
 Plan
 Implement
 Monitor
 Evaluate

Establish a security perimeter
Physical Security

Mechanisms to restrict physical access to computers and networks
 Locks (combination/biometric/keyed)
 Video surveillance, logs, guards
 A room has six sides
 Physical barriers (gates/walls, man-traps, open space)
Environmental Issues

HVAC Systems: Climate control

UPS/Generators: Power failure

Fire Protection: Detect/suppress

Off-Site Backups: Bad stuff happens
Other Issues

Wireless
 Wi-Fi / Cellular / Bluetooth
Electromagnetic Eavesdropping
 TEMPEST
Location
 Bury the sensitive stuff
CHAPTER 4: THE ROLE OF PEOPLE IN SECURITY
Social Engineering

Making people talk
 Questions, emotions, weaknesses
Obtaining insider info (or having it)
 Knowledge of security procedures
Phishing
 Impersonation
Social Engineering

Vishing
 Trust in voice technology (VoIP, POTS)
Shoulder surfing
 Observation for passcodes, PINs, etc.
Reverse social engineering
 Victim initiates contact
Poor Security Practices

Password selection
 Too short
 Not complicated
 Easy to guess
 Information on a person

Password policies
 Can encourage bad behavior
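The password weaknesses listed above, as an added checker (example code, not from the slides): it flags the four problems in the order the slide gives them and, beside it, a naive "length plus character classes" policy that happily accepts a guessable password, which is the slide's point about policies encouraging bad behavior. The block-list, leet table and personal details are constructed assumptions.

```python
import re

# Constructed sample data (not from the slides): a tiny block-list of guessable
# passwords and a few personal details a social engineer could learn about a user.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}
PERSONAL_INFO = {"matt", "lavoie", "1990", "nst281"}

# Common substitutions ("P@ssw0rd") undone before checking the block-list.
LEET = str.maketrans("@0$31!", "aoseli")


def char_classes(pw: str) -> int:
    """Count character classes present: lower, upper, digit, other."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def guessable_core(pw: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet, keep letters only."""
    low = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", low.translate(LEET))


def password_problems(pw: str, min_len: int = 12) -> list[str]:
    """Return the slide's four weaknesses that apply to pw (empty list if none)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if char_classes(pw) < 3:
        problems.append("not complicated")
    if guessable_core(pw) in COMMON_PASSWORDS:
        problems.append("easy to guess")
    if any(token in pw.lower() for token in PERSONAL_INFO):
        problems.append("information on a person")
    return problems


def naive_policy_accepts(pw: str) -> bool:
    """A typical 'at least 8 chars and 3 classes' rule with no guessability check."""
    return len(pw) >= 8 and char_classes(pw) >= 3


if __name__ == "__main__":
    for candidate in ("Password1!", "MattLavoie1990!", "Tr0ub4dor&3-walk-the-Dog"):
        print(candidate, "naive policy:", naive_policy_accepts(candidate),
              "problems:", password_problems(candidate))
```

"Password1!" passes the naive policy yet is a dictionary word with a trailing digit and symbol, the exact pattern a complexity-only rule trains users to produce.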
Poor Security Practices

Same password, multiple accounts
 One compromises all
Piggybacking
 Controlled access points
Dumpster Diving
 Sensitive information discarded
Poor Security Practices

Installing software/hardware
 Backdoors/rogue access points
Physical access by non-employees
 Control who gets in
 Pizza and flowers
 Legitimate access, nefarious intentions
People as a Security Tool

Security Awareness
 Training/refreshers
 Be alert
 Don’t stick your head in the sand

Individual User Responsibilities
 Keep secure material secure
What Have We Learned?

In a properly secured environment, people are the weakest link
A system to which an attacker has physical access is a compromised system

Questions and Answers