General Security Concepts

"The best way to predict the future is to invent it." Alan Kay. General Security Concepts. Ali SHAYAN ZAKARIA 12.May.2010 Kish Island – CITELEX 2010. Reasonably Secure Environment. Physical. Operational. Management. Securing the Physical Environment. Physical Security:

sorley


  1. "The best way to predict the future is to invent it." Alan Kay. General Security Concepts. Ali SHAYAN ZAKARIA, 12.May.2010, Kish Island – CITELEX 2010

  2. Reasonably Secure Environment
     • Physical
     • Operational
     • Management

  3. Securing the Physical Environment
     • Physical Security:
       • Involves protecting your assets and information from physical access by unauthorized personnel.
       • Try to protect those items that can be seen, touched and stolen.
     • Easy? How?
       • Controlling access to the office
       • Shredding unneeded documents
       • Limiting access to sensitive areas
       • Providing perimeter and corridor security
       • Person present (even if it is a guard who spends most of the time sleeping)
       • Roving security patrol
       • Multiple lock access control methods
       • Electronic or password access

  4. Physical Security Components
     • First: Making a physical location less tempting as a target
       • You must prevent people from seeing your organization as a tempting target
       • Locking doors
       • Installing surveillance or alarm systems
       • Elevators requiring keys or badges in order to reach upper floors
     • Second: Detecting the penetration or theft
       • You want to know what was broken into, what is missing, and how the loss occurred
       • Passive videotape systems
       • Make the video cameras as conspicuous as possible
       • Make it well known that you'll prosecute anyone caught in the act of theft to the fullest extent of the law
     • Third: Recovering from a theft or loss of critical information or systems
       • How will the organization recover from the loss and get on with normal business?
       • Planning
       • Thought
       • Testing

  5. Examining Operational Security
     • Operational security focuses on how your organization does that which it does
     • Everything that isn't related to design or physical security in your network
     • Instead of the physical components where the data is stored, such as servers, the focus is on topology and connections
     • Issues:
       • Computers
       • Daily operations of the network
       • Management
       • Policies
       • Access control
       • Authentication
       • Security topologies
       • Connection to other networks
       • Backup plans
       • Recovery plans

  6. Working with Management & Policies
     • Provide the guidance, rules, and procedures for implementing a security environment
     • Policies, to be effective, must have the full and uncompromised support of the organization's management team
     • Policies establish expectations about security-related issues
     • Key policies to secure a network:
       • Administrative policies
       • Software design requirements
       • Disaster recovery plan
       • Information policies
       • Security policies
       • Usage policies
       • User management policies

  7. Working with Management & Policies
     • Administrative Policies
       • Guidelines and expectations for upgrades, monitoring, backups, and audits
       • How often and when upgrades appear
       • When and how monitoring occurs
       • How logs are reviewed
       • Who is responsible for making decisions on these matters
       • How often decisions should be reviewed
     • Who
       • Administrators
       • Maintenance staff
     • Specifications
       • Specific enough: to help administrative staff in running the system and network
       • Flexible enough: to allow for emergencies and unforeseen circumstances

  8. Working with Management & Policies
     • Software Design Requirements
       • Capability of the system
       • Should be very specific about security
       • Design requirements should be viewed as a moving target
     • Disaster Recovery Plans (DRPs)
       • Consider virtually every possible type of occurrence of failure
       • The key to its success is its completeness
       • Backups and hot sites
       • A hot site is a facility designed to provide immediate availability in the event of a system or network failure

  9. Working with Management & Policies
     • Information Policies
       • Refer to various aspects of information security
         • Access
         • Classifications
         • Marking and storage
         • Transmission of sensitive information
         • Destruction of sensitive information
       • Include data classification levels
         • Public: for all advertisement and information posted on the web
         • Internal: for all intranet-type information
         • Private: personnel records, client data
         • Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who know them

  10. Working with Management & Policies
     • Security Policies
       • Define the configuration of systems and networks
       • Installation of software, hardware and network connections
       • Define computer room and data centre security
       • How identification and authentication (I&A) occurs
       • Determine access control
       • Determine audit
       • Determine reports
       • Determine network connectivity
       • Encryption
       • Antivirus software
       • Procedures and methods used for
         • Password selection
         • Account expiration
         • Failed logon attempts

  11. Working with Management & Policies
     • Usage Policies
       • Refer to how information and resources are used
       • Explain to users how they can use the organization's resources and for what purpose
       • Lay down the law about computer usage
       • Include statements about privacy, ownership and the consequences of improper acts
       • Explain usage expectations about the Internet, remote access and e-mail
       • How users should handle incidents
       • State the consequences of account misuse

  12. Working with Management & Policies
     • User Management Policies
       • Should clearly outline who notifies the IT department about employee termination and how and when the notification occurs
       • How new employees
         • Are added to the system
         • Training
         • Orientation
         • Equipment installation and configuration
       • When employees leave the company, their accounts should be disabled or deleted
       • Privilege creep

  13. Understanding Components of an IT Security Audit

  14. Network Security Management's Perspective
     • Dangers:
       • Negligence
       • Dereliction of duty
       • Liable for damages
       • Misconduct
       • Sabotage
       • Aiding and abetting crime

  15. Network Security Management's Perspective
     • Issues
       • Training
       • Continuity and crisis planning
     • Assume information security is YOUR responsibility
     • Lack of awareness can lead to negligence and liability!

  16. Modern Technology Roadmap
     • Early 1990s: Virus scanners
     • Mid 1990s: Firewalls
     • Late 1990s: Over-reliance on encryption (PKI)
     • Early 2000s: Over-reliance on intrusion detection systems (IDS)
     • Late 2000s: Over-reliance on intrusion prevention systems/artificial intelligence

  17. Notable Trends in Cyber Criminality
     • Motivation: Financial motives are making attackers more sophisticated.
     • Targeted attacks: Attacks are much more targeted than before.
     • Targets: The user and the user workstation (desktop or laptop) become the easiest path into the network.

  18. Questions?

  19. Thanks
