Chapter 3. Security Framework Operational Security Lifecycle Security Perimeter Access Control ...
donald-roberts
Operational/Organizational Security
Chapter 3
Security Framework
Operational Security Lifecycle
Security Perimeter
Access Control
Social Engineering
Environmental Issues
Chapter Objectives
Protection = Prevention + (Detection + Response).
Prevention techniques are static barriers to the intruders.
Detection and Response technologies are dynamic and an ongoing process.
Operational Security
Systems, technologies and networks constantly change with time, thus we have to monitor the systems regularly.
Monitoring the security infrastructure in the organization is an essential part of any organization’s security program.
Operational Security
An organization’s security framework is very important in implementing the security.
Security framework includes
◦ Policies
◦ Procedures
◦ Standards
◦ Guidelines
Security Framework
Policies are high-level, broad statements of what the organization wants to accomplish.
Policies are formulated by management when laying out the organization's position on some issue.
Policies
Standards are mandatory elements regarding the implementation of a policy.
They are accepted specifications providing specific details on how a policy is to be enforced.
Standards can be set by the organization or by an external agency.
Standards
Guidelines are recommendations relating to a policy.
Guidelines are optional.
Guidelines
Procedures are the step-by-step instructions on how to implement policies in the organization.
Procedures describe exactly how employees are expected to act in a given situation.
Procedures
The policies, procedures, standards and guidelines are dynamic.
They must be revised periodically.
The operational security lifecycle has 4 phases
◦ Plan (adjust)
◦ Implement
◦ Monitor
◦ Evaluate
Operational Security Lifecycle
Planning - In this stage, all the policies, procedures, standards and guidelines for your organization’s security are developed and designed.
Implement - In this stage you implement and enforce the policies, procedures, standards and guidelines. All the employees affected by these new policies, procedures, standards and guidelines will come to know about these changes.
Operational Security Lifecycle
Monitoring - In this stage, all the policies, procedures, standards, guidelines, hardware and software are monitored to check the effectiveness of the organization’s security.
Evaluate – In this stage, all the policies, procedures, standards and guidelines are again re-evaluated to ensure that the security is adequate.
Operational Security Lifecycle
[Figure: Operational Security Lifecycle (Plan, Implement, Monitor, Evaluate)]
The basic idea of a security perimeter is to provide a “complete” security to the corporate network.
Access by external entities to the corporate network (Internal) is controlled and monitored via the security perimeter.
The Security Perimeter
[Figure: The Security Perimeter (labels: Internet, Router, Firewall, IDS’s, Corporate Network, PSTN, Telephone Company)]
The purpose of access controls is to restrict access to only those who are authorized to have it.
Common forms of physical access controls are the use of security guards and locks (including many new variations of the combination lock).
Access Control
Physical security consists of all the mechanisms used to ensure that physical access to the computers and the networks is restricted to only authorized users.
Physical security adds an extra layer of security and protects the sensitive data.
Physical Security
Physical barriers provide the outmost security.
These barriers are highly visible to the public.
Physical Barriers
Biometrics is a more sophisticated access control approach.
Examples – fingerprint readers, retinal & iris scan, voice samples.
Biometric solutions are very expensive to implement.
Biometrics
Social engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual.
Social engineering exploits the weakest point in the security perimeter – humans.
The ultimate goal of social engineering is to gradually obtain the pieces of information.
Social Engineering
The best way to stop social engineering is through training all the employees and instructing them not to give out any piece of information.
Data Aggregation - Small and seemingly “unimportant” information may be combined with other pieces of information to potentially divulge sensitive information.
Social Engineering
Environmental issues deal with the general operating conditions within which an organization operates.
Environmental issues include items like heating, ventilation, air conditioning, electrical power and the “natural forces”.
Environmental factors are used to maintain the comfort of an office environment.
Environment
In case of an electric power outage, a UPS can be critical.
If natural disasters are common, having a complete backup plan is a must.
In some cases, a separate off-site location can also be used.
Environment
Fire is one of the most common reasons for the loss of data in an organization.
Common ways of fighting the fire are:
◦ Water based fire suppression systems
◦ Chemical based fire suppression systems
◦ Handheld fire suppression systems
◦ Fire detection systems
Fire Suppression
Very commonly used systems.
Can have adverse effects on computer and electrical systems.
Water based Fire Suppression System
Clean Agent Fire Suppression Systems
◦ Uses CO2
◦ Safe for general usage
Halon Based Fire Suppression System
◦ Not used anymore
◦ Very dangerous to human health
Chemical based Fire Suppression Systems.
Class of Fire | Type of Fire        | Example of Combustible Material | Examples of Suppression Methods
A             | Common Combustibles | Wood, Paper, Cloth              | Water and dry chemicals
B             | Combustible Liquids | Petroleum Products              | CO2 or dry chemicals
C             | Electrical          | Electrical Wiring and equipment | CO2 or dry chemicals
D             | Flammable Metals    | Magnesium, Titanium             | Copper metal or sodium chloride
Handheld Fire Extinguisher
Fire detection devices are of several types
◦ Smoke Activated
◦ Temperature Activated
◦ Flame Activated
Fire Detection Devices
Wireless environment provides portability.
Wireless networks are prone to security threats, if not properly secured.
Wireless