jcc elementary system application domain n.
Skip this Video
Loading SlideShow in 5 Seconds..
JCC Elementary System/Application Domain PowerPoint Presentation
Download Presentation
JCC Elementary System/Application Domain

Loading in 2 Seconds...

play fullscreen
1 / 32

JCC Elementary System/Application Domain - PowerPoint PPT Presentation

Download Presentation
JCC Elementary System/Application Domain
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. silver consulting JCC ElementarySystem/Application Domain Alex Wehn Jacklyn Truong Nick Poczynek silver consulting

  2. System/Application Domain • Consists of mission-critical systems, applications, and data • Common threat targets • Desktop OSs • Server and Network OSs • E-mail applications and servers • Enterprise Resource Planning applications and systems • Web browsers silver consulting

  3. Common Vulnerabilities • Unauthorized physical or logical access to resources • Weaknesses in server operating system or application software • Data loss from errors, failures, or disasters • Threat types • Denial or destruction • Alteration • Disclosure silver consulting

  4. Unauthorized Physical Access • Gaining access to a physical entity or area without permission from an administrative figure • Computer rooms • Data centers • Wiring closets • Physical data in transit silver consulting

  5. Unauthorized Physical Access • Examples • Poor security • Unlocked doors • Unguarded areas • No badge access required • Carelessness • Social engineering • Impersonation to gain access • Impersonation to gain access to someone/something with authorized access silver consulting

  6. Unauthorized Physical Access • Why is it bad? • Sensitive systems could be destroyed • Sensitive data stored on these systems could be stolen, altered, or destroyed silver consulting

  7. Unauthorized Physical Access • Mitigation • Policies • Escort all guests • Standards • Secure areas containing sensitive systems • Lock doors • Security guard assigned to each secured area • Procedures • RFID badge access to secure areas • Check-in with valid ID badge • Guidelines • Report suspicious activities • Lock drawers before leaving your desk silver consulting

  8. Unauthorized Logical Access • Gaining access to data without permission from an administrative figure • Human resources and payroll • Accounting and financial • Student and parent information • Medical • Grades • Private information silver consulting

  9. Unauthorized Logical Access • Examples • Individuals have access to information unnecessary for their position in the workplace • Non-payroll staff has access to all private employee information • Attacker gains access to systems • Obtains unencrypted financial information silver consulting

  10. Unauthorized Logical Access • Why is it bad? • Staff with access to unnecessary data could accidently alter or destroy said data • Attackers can destroy, alter, and/or disclose information if they can gain access to our systems • Deny access to important information silver consulting

  11. Unauthorized Logical Access • Mitigation • Encryption • Classify data and roles • Certain roles are allowed to access only certain data • Second-level authentication • Data handling standards • Do not store sensitive information on a personal thumb drive • Encrypt e-mails • Do not unnecessarily disclose information silver consulting

  12. Software Vulnerabilities • A flaw that exists in the programming of a software component or system that allows a malicious attacker to gain unauthorized access to that system through an exploit. • Malware is malicious software that is capable of taking advantages of flaws in software and/or users in order compromise a software application. silver consulting

  13. Software Vulnerabilities • Vulnerabilities are often found in commonly used software: • Adobe Reader • Adobe Flash • Oracle Java • Microsoft Office • Microsoft Windows • Software built in-house is not immune to vulnerabilities. silver consulting

  14. Software Vulnerabilities • Why is it bad? • Gives attackers an entry point into your system • Many remain undetected until they are actively exploited • Sometimes user awareness isn't good enough • Can be less targeted than other types of attacks silver consulting

  15. Software Vulnerabilities • Mitigation • User Awareness • System Administrator Awareness • Software Updates • Good Security Policy • Antivirus Software silver consulting

  16. Server Vulnerabilities • Server Vulnerabilities are vulnerabilities that occur in software that exists on a server, rather than a user workstation • Server vulnerabilities may be similar to software vulnerabilities, but server vulnerabilities will require little to no user intervention to be exploited. silver consulting

  17. Server Vulnerabilities • Examples • Server Operating System Vulnerabilities • Server Software Vulnerabilities • Service Software (FTP, Apache, PHP .NET) • Additional Software Vulnerabilities • Security Software Vulnerabilities (Firewalls, Antivirus) silver consulting

  18. Server Vulnerabilities • Why is it bad? • Servers will generally have more access to sensitive information, therefore the impact of server vulnerabilities is much higher • Servers are not as carefully monitored as user workstations, allowing suspicious behavior to go unnoticed for extended periods of time • Many servers have services that are intentionally exposed to the internet, making them much easier to attack. silver consulting

  19. Server Vulnerabilities • Mitigation • Plan • Configure • Careful/Minimal System Configuration • Maintain • Software Updates • Monitor for suspicious behavior • Improve • Security Policy silver consulting

  20. Data Loss • What is "data"? • E-mails • Grades • Calendars and event schedules • Payroll and employee records • Curriculum • We deal with important data every day • Teachers - imagine losing all of your course materials • Loss of data is one of computing's biggest threats silver consulting

  21. Data Loss • How do we prevent data loss? • Backups • "A copy of a file or directory stored on a separate device" • Must be performed frequently to be more useful • Backups should be physically separated silver consulting

  22. Data Loss There are three main types of backups: • Full • Performed least often • Bit-for-bit replica of a disk or partition • Differential • Stores all data that has changed since the last full backup • If differential backups become large, a new full image is needed • Incremental • Backs up new or modified files • Fast, provides a comprehensive revision history silver consulting

  23. Data Loss • Common Backup Mistakes • Backups should be verified • What happens if you restore data from a backup that was corrupted? • Not separating applications and data • System images should be available in case you need to reinstall your OS and applications • User data can then be grabbed as needed • Some data is more static than other data • Performing backups infrequently • If your most recent backup was over a week ago, what would you lose? silver consulting

  24. Data Loss • Common Vulnerabilities • Hardware failure • When computer systems fail, we rely on backups and redundancy • Natural disasters • Our backups need to be physically separated to avoid complete data loss by fires and natural disasters • System errors • System crashes can occur during data transfers silver consulting

  25. Data Loss • Working at a school presents additional data-related concerns • FERPA • Academic records are closely controlled under federal law • Negligence in protecting this data presents legal issues • HIPAA • We may be required to store and protect health information for students, faculty, and staff silver consulting

  26. Data Loss • Be prepared • Business Continuity Plan (BCP) • Conduct a business impact analysis to decide which computer uses are most important • Determine how long it will take to recover and make these uses available (RTO) • Prepare the BCP to focus on the most important uses for work to continue • Disaster Recovery Plan (DRP) • Prepare DRP based on BCP • Start DRP for most important systems first • Organize a DRP team and remote data center silver consulting

  27. Data Loss • Be aware of backup procedures and policies • After a certain period, backups must be transferred to a more permanent storage format silver consulting

  28. Data Loss How is data recovered? • A data recovery policy is put in place • An electronic form is available to document the incident • The help desk creates a ticket and gathers required information • The requested data is accessedfrom the archives • If recovery is successfully, it must be delivered • Can be transferred to requested disk location or emailed silver consulting

  29. Data Loss Data recovery, cont. • Keep in mind that recovery speed may vary based on the age of the requested file • Recovery from older tape archives can take a long time • Recovery from yesterday’s incremental backup can be almost immediate silver consulting

  30. Reducing Risks • Physically secure areas containing sensitive systems • Implement encryption and data handling standards • Minimize data access • Backup data • Develop a BCP and DRP • Be aware of all applications on the network • Plan, configure, maintain, and improve network servers • Develop and implement standards • Read and understand your provided Acceptable Use Policy silver consulting

  31. What if I Need Help? • Call the Help Desk! • Report suspected IT policy violations to your supervisors • For help with production systems and uses • Contact the Director of System and Applications or the Director of Software Development • For help with system/application domain security policies, standards, procedures, and guidelines • Contact the Director of IT Security

  32. Questions? silver consulting