Security All-In-One Edition Chapter 2

1
SecurityAll-In-One EditionChapter 2
Organizational Security

• Brian E. Brzezicki

2
no security that is not designed

• An organization cannot expect to be secure,
  unless security is directed from the top-down.
• Management must realize the need for security
• Management must create a security policy
• Management must empower the security team to
  design and enforce the security program

3
Polices, Standards, Guidelines and Procedures

• A security program needs to be implemented with,
  procedures, standards and guidelines. These are
  all part of an organizations security plan. We
  will talk about each of these in a few slides.

4
Due Care and Due Diligence (41)

• Corporate polices, standards and guidelines help
  show and implement Due Diligence and Due Care.
• Due Diligence The idea that a company
  researches and attempts to understand the risk it
  faces. Risk analysis is a form of Due Diligence.
• Due Care shows that a Company makes reasonable
  efforts to minimize risk and protect a companies
  assets. Having polices, procedures and guidelines
  show a company is exercising Due Care.

5
Policy (27)

• Policies high level non-specific broad
  statement explaining the companies need and
  commitment to security. Very much like a mission
  statement.
• The corporate Policy will be very non-specific,
  there will be system/issue specific security
  policies that attempt to lay the security
  foundation for the organization
• Example Password Policies
• Example Data Encryption Policies

6
Standards (27)

• Standards mandatory elements regarding the
  implementation of a policy.
• Example All users will wear a ID badge when on
  the premises, all employees will report any
  people that are not displaying an ID badge.

7
Guidelines (27)

• Recommendations relating or supporting a policy,
  when no specific standard or rule exists.
• Example When dealing with customer information
  you must do your utmost to protect the
  confidentiality of the information.

8
Procedures (27)

• Specific step by step actions in relating to
  implementing part of a policy.
• Example There are often written procedures on
  how to install and configure a new Desktop
  computer that will be placed on the network.

9
Security Plan Lifecycle (28)

• The policies, standards, guidelines and
  procedures will change as the company changes, it
  is a lifecycle
• Plan for security
• Implement the plan
• Monitor the implementation
• Evaluate the effectiveness
• Adjust and restart

10
Some Specific Types of Policies

• Information Classification Policies
• Acceptable Use Policies
• Internet Usage Policies
• Email Usage Policies
• Data Disposal Policies
• Password Policies
• Termination Policies
• Data Privacy Policies
• These are just some specific examples of specific
  policies that give the legs to a corporate
  security policy.

11
Human Resources
12
Human Resources (44)

• Humans are the weakest link in computer security,
  what's more we are the most prevalent part of an
  organization. There must be policies specific in
  regards to HR practices. A few of these are very
  important.

13
Hiring Policies (44)

• Background Checks on ALL employees why?
• Reference Checks why?
• Education Checks why?
• Employment Checks
• NDAs etc MUST be signed.
• Non-Competes MUST be signed
• Once hired you should have an orientation, and
  all policies should be reviewed and signed.

14
Employment

• Periodic drugs tests
• Periodic reviews
• Performance
• Permissions/Access reviews, especially during
  role changes why?
• attitude why?
• If demoted, supervisors should be alerted to keep
  a close eye on employee why?

15
Termination (45)

• An organization must take careful steps when an
  employee is leaving either on their own or
  through firing/layoffs. Each situation may be
  different and may have to evaluate
• Access to sensitive information
• Access to customers
• Access to systems and networks
• (more)

16
Terminations

• If an employee is being terminated they should
• Have access immediately revoked
• Return all access devices (key cards etc)
• Return all equipment
• Change passwords if necessary
• Not interact with other employees
• Be escorted out of the building
• (more)

17
Termination

• Either way, there should be written policies
  describing what procedures to take with
  terminations, also there should always be an exit
  interview.

18
Separation of Duties / Mandatory Vacations (46)

• HR should enact
• Separation of duties
• Job rotation
• Mandatory Vacations
• These are discussed on the next slides.

19
Job Rotation (12)

• Individuals rotate through various jobs
  responsibilities, such that no one person is
  solely responsible for something.
• Decreases the ability to commit fraud undetected.
  
• Decreases the chance that something could be
  seriously negatively effected if someone leaves
  the organization
• Decreases ability for employees to blackmail

20
Mandatory Vacations
21
Mandatory Vacations (NB)

• All employees are REQUIRED to take their
  vacation.
• Decreases the ability to commit fraud undetected.
  (main security reason)
• Decreases the chance that something could be
  seriously negatively effected if someone leaves
  the organization

22
Attacks that which can be defended well against
by policies and education
23
Social Engineering (34)

• What is social Engineering?
• Incredibly easy to exploit
• Often can trivially bypass advanced
  logical/technical security controls
• Takes advantage of a few things
• People are the weakest part of security
• People want to avoid confrontation
• People often dont think about security
  implications
• People are often untrained about computing and
  security
• A little knowledge here or there allows me to
  aggregate knowledge and piece things together.

24
Phishing (35)

• An attacker attempts to obtain sensitive
  information from a user by masquerading as a
  trusted entity via email, or instant messaging.
• Usually send a link to a forged website
• Website looks just like the real website
• User is tricked into entering personal
  information
• (more)

25
Phishing (35)

• Signs of phishing
• Long website links with similar names
• Poor grammar and spelling
• Countermeasures
• Anti-phishing software
• Digital Certificates
• Have organizational policy that you will never
  send emails requesting personal information
• User education (most effective)

26
Old School Phishing attack

• A gentleman in one of my classes pointed out an
  old attack that I had forgotten about. One of the
  predecessors to modern phishing 5-10 years ago
  people used to put up fake ATMs that would read
  and store you ATM numbers and PINs. After you
  swiped the card and put in your PIN youd get a
  system down message most people never would
  realize that they had their info stolen this is
  a predecessor to modern phishing.

27
Vishing (36)

• Phishing, but with phone system (voice
  communications)
• Phone calls with Spoofed Caller ID (easy to do
  with VoIP), or with a dedicated PRI line.
• Hacked voicemail systems

28
Shoulder Surfing (36)

• What is this?
• May include advanced equipment such as cameras
• Countermeasures
• Privacy screens
• User environmental awareness

29
Dumpster Diving? (37)

• Anyone Heard of Kevin Mitnick?
• Countermeasures
• Have a corporate policy regarding data
  destruction
• Shred sensitive documents
• Lock and secure trash receptacles/areas

30
Chapter 2 Review Questions

• Q. What is the best countermeasure against
  phishing attacks?
• Q. Why is a hoax still a security concern?
• Q. Installing camera to read credit card numbers
  at gas pumps is what type of attack?
• Q. Does an Organization Security Policy Statement
  detail specifics such as how to properly encrypt
  data?

31
Chapter 2 Review Questions

• Q. What is the difference between Due Diligence
  and Due Care?
• Q. What is the term for a set of required steps
  to be taken when doing some action called?