Information Systems Security
A comprehensive guide
© Clyne G. H. Namuo, Ph.D. – Security+
Outline
- CIA Triangle
- Threat Analysis and Asset Inventory
- General Security Concepts
- Communication Security
- Network Security
- Physical Security
- Disaster Recovery
- Security Policies and Procedures
- Security in small vs. large companies
CIA Triangle
- Confidentiality: preventing unauthorized access to systems
- Integrity: ensure data is what it claims to be; ensure accuracy of data
- Availability: ensure systems and data are available when they are needed
Threat Analysis and Asset Inventory
- Asset Inventory: Hardware, Software, Data, Expertise
- Threat Categories
  - External Intentional (Hackers)
  - External Accidental (Remote Users)
  - Internal Intentional (Disgruntled Employees)
  - Internal Accidental (Untrained Employees)
  - Natural Disasters (Fires, Floods, Earthquakes)
- Worksheet
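An added worked example, not part of the original slides, of the kind of threat-analysis worksheet this slide refers to. It pairs the four asset types with the five threat categories listed above and ranks the pairs by risk. The 1-to-5 value and likelihood scales, the value-times-likelihood scoring rule, the default of 1 for unrated pairs and the sample inventory are assumptions made for the example.

```python
"""Threat-analysis worksheet: rank (asset, threat) pairs by a simple risk score.

Added example. The asset types and threat categories come from the slide;
the 1..5 scales, the value x likelihood scoring and the sample data are assumed.
"""
from dataclasses import dataclass
from itertools import product

ASSET_TYPES = ("Hardware", "Software", "Data", "Expertise")
THREAT_CATEGORIES = (
    "External Intentional",   # hackers
    "External Accidental",    # remote users
    "Internal Intentional",   # disgruntled employees
    "Internal Accidental",    # untrained employees
    "Natural Disaster",       # fires, floods, earthquakes
)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str    # one of ASSET_TYPES
    value: int   # 1 (minor) .. 5 (critical): impact if the asset is lost or compromised

    def __post_init__(self):
        if self.kind not in ASSET_TYPES:
            raise ValueError(f"unknown asset type: {self.kind}")
        if not 1 <= self.value <= 5:
            raise ValueError("asset value must be 1..5")


def risk_score(asset, threat, likelihood):
    """Assumed scoring rule: risk = asset value x likelihood, both on 1..5."""
    if threat not in THREAT_CATEGORIES:
        raise ValueError(f"unknown threat category: {threat}")
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be 1..5")
    return asset.value * likelihood


def build_worksheet(assets, likelihood):
    """Score every asset against every threat category.

    likelihood maps (asset type, threat category) -> 1..5.  A pair that was
    never assessed defaults to 1 so it still appears on the worksheet.
    Returns (asset name, threat, score) rows, highest risk first.
    """
    rows = []
    for asset, threat in product(assets, THREAT_CATEGORIES):
        score = risk_score(asset, threat, likelihood.get((asset.kind, threat), 1))
        rows.append((asset.name, threat, score))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def top_risks(assets, likelihood, n=3):
    """The n highest-scoring rows: where to spend the security budget first."""
    return build_worksheet(assets, likelihood)[:n]


def unassessed_pairs(assets, likelihood):
    """(asset type, threat) combinations nobody has rated yet: gaps in the analysis."""
    kinds = {a.kind for a in assets}
    return sorted((k, t) for k in kinds for t in THREAT_CATEGORIES
                  if (k, t) not in likelihood)


# Constructed sample inventory and likelihood ratings (not survey data).
SAMPLE_ASSETS = [
    Asset("customer database", "Data", 5),
    Asset("file server", "Hardware", 4),
    Asset("payroll application", "Software", 4),
    Asset("sole sysadmin", "Expertise", 3),
]
SAMPLE_LIKELIHOOD = {
    ("Data", "External Intentional"): 4,
    ("Data", "Internal Accidental"): 3,
    ("Hardware", "Natural Disaster"): 2,
    ("Software", "External Intentional"): 3,
    ("Expertise", "Internal Intentional"): 2,
}

if __name__ == "__main__":
    for name, threat, score in build_worksheet(SAMPLE_ASSETS, SAMPLE_LIKELIHOOD):
        print(f"{score:3d}  {name:20s}  {threat}")
    print("unassessed pairs:", len(unassessed_pairs(SAMPLE_ASSETS, SAMPLE_LIKELIHOOD)))
```

The point of listing the unassessed pairs alongside the ranked rows is that a worksheet with a lot of defaulted likelihoods says more about the state of the analysis than about the state of the risk; the "Expertise" asset type in particular (the sole sysadmin) is easy to leave unrated.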
General Security Concepts
- Malicious Code
  - Virus: software designed to infect and cause ‘damage’ to a computer
  - Worm: propagates through e-mail or through network connections; does not depend on other programs
  - Trojan Horse: a program pretending to be something legitimate
  - Logic Bomb: executes when certain conditions are met
General Security Concepts (cont’d)
- Social Engineering: “Hello, I’m calling from the IT department, I need your password to fix your PC”
- TCP/IP Attacks
  - Network Sniffers (Wireshark)
  - Port Scans (NMAP)
  - Denial of Service Attacks (UDP Flooder)
General Security Concepts (cont’d)
- Man-in-the-middle Attacks
- Spoofing Attacks
- Back Door Attacks
- Software/Operating System Vulnerabilities
- Password Guessing Attacks
  - Dictionary Attacks (L0phtCrack)
  - Brute Force Attacks (Cain and Abel)
Communication Security
- E-mail Security
  - Phishing
  - Hoaxes and Spam
  - Viruses traveling as e-mail attachments
  - PGP Encryption (www.pgpi.org)
Communication Security (cont’d)
- Web Security
  - SSL or HTTPS
  - Buffer Overflow
  - Denial of Service Attacks
- Wireless Security
  - Wireless Access Points
  - Insecure communication method
  - WEP -> WPA -> WPA2
Network Security
- Firewalls
- Intrusion Detection Systems
- OS Updates, Patches and Service Packs
- Access Control Lists
  - Usernames and passwords
  - Rights and privileges
Physical Security
- Locks on doors to protect systems
- Access badges
- Biometrics
  - Hand scan
  - Retina scan
  - Voice recognition
- Fire Suppression: sprinkler system? No, FM-200 gas fire suppression
Disaster Recovery
- September 11th lesson
- Natural Disasters
- Backups
  - Daily, weekly, monthly
  - Off-site storage
- Disaster Recovery Plan
  - Testing your plan
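An added example, not from the slides, covering the backup bullets above: a daily/weekly/monthly retention rule and a restore check for "testing your plan". The grandfather-father-son style counts (keep the last 7 daily, the newest backup of each of the last 4 weeks and of each of the last 12 months), the constructed calendar of sample backups and the SHA-256 comparison used as the restore test are assumptions made for the example, not the slide's own procedure.

```python
"""Daily/weekly/monthly backup retention plus a restore check.

Added example. The retention counts, the sample backup calendar and the
hash-based restore check are assumptions, not the slide's own procedure.
"""
import hashlib
from datetime import date, timedelta


def backups_to_keep(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Return the sorted list of backup dates a daily/weekly/monthly policy retains.

    Keeps every backup from the last `daily` days, the newest backup in each of
    the last `weekly` ISO weeks and the newest backup in each of the last
    `monthly` calendar months.  Everything else can be recycled.
    """
    dates = sorted(d for d in backup_dates if d <= today)
    keep = {d for d in dates if (today - d).days < daily}

    newest_per_week = {}
    newest_per_month = {}
    for d in dates:                      # ascending, so the last write wins
        iso = d.isocalendar()
        newest_per_week[(iso[0], iso[1])] = d
        newest_per_month[(d.year, d.month)] = d

    keep.update(newest_per_week[w] for w in sorted(newest_per_week, reverse=True)[:weekly])
    keep.update(newest_per_month[m] for m in sorted(newest_per_month, reverse=True)[:monthly])
    return sorted(keep)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def restore_matches(original, restored):
    """'Testing your plan': a backup is only good if what comes back is byte-identical."""
    return sha256_hex(original) == sha256_hex(restored)


# Constructed sample: one backup per day from 1 Jan to 15 Apr 2004 (106 backups).
TODAY = date(2004, 4, 15)
SAMPLE_BACKUPS = [date(2004, 1, 1) + timedelta(days=i)
                  for i in range((TODAY - date(2004, 1, 1)).days + 1)]

if __name__ == "__main__":
    kept = backups_to_keep(SAMPLE_BACKUPS, TODAY)
    print(f"{len(SAMPLE_BACKUPS)} backups taken, {len(kept)} retained:")
    for d in kept:
        print(" ", d.isoformat())
    payload = b"constructed payroll export\n"       # constructed sample data
    print("restore ok:", restore_matches(payload, payload))
    print("restore ok:", restore_matches(payload, payload + b"\x00"))
```

The retention function answers the question the "Daily, weekly, monthly" bullet raises but does not spell out: which media may be reused and which must go off site. The restore check is deliberately separate, because a rotation that has never been restored from is the untested plan the last bullet warns about.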
Security Policies and Procedures
- Policies, Procedures and Consequences
- Cost-effective solution
- Acceptable Use Policy
  - Use of company e-mail
  - Appropriate surfing policy
  - Coordination with Human Resources Dept
- Communicate policies effectively
Security in small vs. large companies
3rd Security Conference, April 14/15, 2004
Current Security Practices of SMEs: A Case Study
Namuo, Weiner, and Jennex, San Diego State University
Presentation by: Clyne G. H. Namuo, Ph.D.
Survey Background
- Component of Generic Security Plan for SMEs
- 32 questions regarding computer security
- Respondents
  - 218 total
  - All in San Diego (planned extension/expansion to other cities)
  - 56% large corporations (123)
  - 44% SMEs (95) (companies with fewer than 500 employees)
  - Working professionals
  - Industry professionals
- Hypothesis
  - SMEs lack the knowledge and resources to implement proper security measures/barriers and will exhibit less knowledge about their security plans
  - Literature on SMEs supports this, but little quantitative data was found to support it
[Bar chart: "SME vs. Large Implementation of Security Measures". Two series (SMEs, Large); the vertical axis is the percentage of respondents implementing each measure, 0% to 100%. The measure labels on the horizontal axis were shredded in extraction; the fragments that can still be read appear to include firewalls, user accounts, physical security, backups (off-site, tested), OS patches, IDS, antivirus, documented and reviewed policies, consequences, training, asset inventory and threat analysis. The per-measure values cannot be matched to labels from the extraction.]
[Bar chart: survey attitude statements, mean score for SMEs vs. Large (vertical axis 0.0 to 4.5). Statements:
- comfortable: "I am comfortable our security plan protects our critical data"
- adequate: "We have adequate knowledge about IS security"
- confident: "I am confident my company won't have an IS security problem"
- rely: "We rely on one or two key people to manage our IS security"
- burden: "Our security rules are a burden to follow"
- worry: "I stay awake nights worrying about my company's data and networks"
Scale: 5 = Agree, 4 = Somewhat agree, 3 = Neutral, 2 = Somewhat disagree, 1 = Disagree. The bar values cannot be matched to statements from the extraction.]
Conclusions
- SMEs have less knowledge of security and their security plans than their counterparts in large companies
- However, personnel in SMEs are just about as comfortable with their security as their counterparts in large companies
- No one is losing sleep over their security plan
Conclusion
- CIA Triangle
- Threat Analysis and Asset Inventory
- General Security Concepts
- Communication Security
- Network Security
- Physical Security
- Disaster Recovery
- Security Policies and Procedures
- Security in small vs. large companies