Security all in one edition chapter 2 organizational security
1 / 31

Security+ All-In-One Edition Chapter 2 – Organizational Security - PowerPoint PPT Presentation

  • Uploaded on

Security+ All-In-One Edition Chapter 2 – Organizational Security. Brian E. Brzezicki. no security that is not designed. An organization cannot expect to be secure, unless security is directed from the top-down. Management must realize the need for security

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Security+ All-In-One Edition Chapter 2 – Organizational Security' - ariel-doyle

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security all in one edition chapter 2 organizational security

Security+All-In-One EditionChapter 2 – Organizational Security

Brian E. Brzezicki

No security that is not designed
no security that is not designed

An organization cannot expect to be secure, unless security is directed from the top-down.

  • Management must realize the need for security

  • Management must create a security policy

  • Management must empower the security team to design and enforce the security program

Polices standards guidelines and procedures
Polices, Standards, Guidelines and Procedures

A security program needs to be implemented with, procedures, standards and guidelines. These are all part of an organizations security plan. We will talk about each of these in a few slides.

Due care and due diligence 41
Due Care and Due Diligence (41)

Corporate polices, standards and guidelines help show and implement Due Diligence and Due Care.

Due Diligence – The idea that a company researches and attempts to understand the risk it faces. Risk analysis is a form of Due Diligence.

Due Care – shows that a Company makes reasonable efforts to minimize risk and protect a companies assets. Having polices, procedures and guidelines show a company is exercising Due Care.

Policy 27
Policy (27)

Policies – high level non-specific broad statement explaining the companies need and commitment to security. Very much like a mission statement.

The corporate Policy will be very non-specific, there will be system/issue specific security policies that attempt to lay the security foundation for the organization

  • Example: Password Policies

  • Example: Data Encryption Policies

Standards 27
Standards (27)

Standards – mandatory elements regarding the implementation of a policy.

Example: All users will wear a ID badge when on the premises, all employees will report any people that are not displaying an ID badge.

Guidelines 27
Guidelines (27)

Recommendations relating or supporting a policy, when no specific standard or rule exists.

  • Example: When dealing with customer information you must do your utmost to protect the confidentiality of the information.

Procedures 27
Procedures (27)

Specific step by step actions in relating to implementing part of a policy.

  • Example: There are often written procedures on how to install and configure a new Desktop computer that will be placed on the network.

Security plan lifecycle 28
Security Plan Lifecycle (28)

The policies, standards, guidelines and procedures will change as the company changes, it is a lifecycle

  • Plan for security

  • Implement the plan

  • Monitor the implementation

  • Evaluate the effectiveness

  • Adjust and restart

Some specific types of policies
Some Specific Types of Policies

  • Information Classification Policies

  • Acceptable Use Policies

  • Internet Usage Policies

  • Email Usage Policies

  • Data Disposal Policies

  • Password Policies

  • Termination Policies

  • Data Privacy Policies

    These are just some specific examples of specific policies that give the legs to a corporate security policy.

Human resources 44
Human Resources (44)

Humans are the weakest link in computer security, what's more we are the most prevalent part of an organization. There must be policies specific in regards to HR practices. A few of these are very important.

Hiring policies 44
Hiring Policies (44)

  • Background Checks on ALL employees – why?

  • Reference Checks – why?

  • Education Checks – why?

  • Employment Checks

  • NDAs etc MUST be signed.

  • Non-Competes MUST be signed

    Once hired you should have an orientation, and all policies should be reviewed and signed.


  • Periodic drugs tests

  • Periodic reviews

    • Performance

    • Permissions/Access reviews, especially during role changes – why?

    • “attitude” – why?

    • If demoted, supervisors should be alerted to keep a close eye on employee – why?

Termination 45
Termination (45)

An organization must take careful steps when an employee is leaving either on their own or through firing/layoffs. Each situation may be different and may have to evaluate

  • Access to sensitive information

  • Access to customers

  • Access to systems and networks



If an employee is being terminated they should

  • Have access immediately revoked

  • Return all access devices (key cards etc)

  • Return all equipment

  • Change passwords if necessary

  • Not interact with other employees

  • Be escorted out of the building



Either way, there should be written policies describing what procedures to take with terminations, also there should always be an exit interview.

Separation of duties mandatory vacations 46
Separation of Duties / Mandatory Vacations (46)

HR should enact

  • Separation of duties

  • Job rotation

  • Mandatory Vacations

    These are discussed on the next slides.

Job rotation 12
Job Rotation (12)

Individuals rotate through various jobs responsibilities, such that no one person is solely responsible for something.

  • Decreases the ability to commit fraud undetected.

  • Decreases the chance that something could be seriously negatively effected if someone leaves the organization

  • Decreases ability for employees to “blackmail”

Mandatory vacations nb
Mandatory Vacations (NB)

All employees are REQUIRED to take their vacation.

  • Decreases the ability to commit fraud undetected. (main security reason)

  • Decreases the chance that something could be seriously negatively effected if someone leaves the organization

Social engineering 34
Social Engineering (34) and education

What is social Engineering?

  • Incredibly easy to exploit

  • Often can trivially bypass advanced logical/technical security controls

  • Takes advantage of a few things

    • People are the weakest part of security

    • People want to avoid confrontation

    • People often don’t think about security implications

    • People are often untrained about computing and security

    • A little knowledge here or there allows me to “aggregate” knowledge and piece things together.

Phishing 35
Phishing (35) and education

An attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity via email, or instant messaging.

  • Usually send a link to a forged website

  • Website looks just like the real website

  • User is tricked into entering personal information


Phishing 351
Phishing (35) and education

Signs of phishing

  • Long website links with similar names

  • Poor grammar and spelling


  • Anti-phishing software

  • Digital Certificates

  • Have organizational policy that you will never send emails requesting personal information

  • User education (most effective)

Old school phishing attack
Old School Phishing attack and education

A gentleman in one of my classes pointed out an old attack that I had forgotten about. One of the predecessors to modern phishing… 5-10 years ago people used to put up fake ATMs that would read and store you ATM numbers and PINs. After you swiped the card and put in your PIN you’d get a “system down” message… most people never would realize that they had their info stolen… this is a predecessor to modern phishing.

Vishing 36
Vishing (36) and education

Phishing, but with phone system (voice communications)

  • Phone calls with Spoofed Caller ID (easy to do with VoIP), or with a dedicated PRI line.

  • Hacked voicemail systems

Shoulder surfing 36
Shoulder Surfing (36) and education

What is this?

  • May include advanced equipment such as cameras


  • Privacy screens

  • User environmental awareness

Dumpster diving 37
Dumpster Diving? (37) and education

Anyone Heard of Kevin Mitnick?


  • Have a corporate policy regarding data destruction

  • Shred sensitive documents

  • Lock and secure trash receptacles/areas

Chapter 2 review questions
Chapter 2 – Review Questions and education

Q. What is the best countermeasure against phishing attacks?

Q. Why is a hoax still a security concern?

Q. Installing camera to read credit card numbers at gas pumps is what type of attack?

Q. Does an Organization Security Policy Statement detail specifics such as how to properly encrypt data?

Chapter 2 review questions1
Chapter 2 – Review Questions and education

Q. What is the difference between Due Diligence and Due Care?

Q. What is the term for a set of “required steps to be taken” when doing some action called?