General Security Concepts
Ali SHAYAN ZAKARIA, 12 May 2010, Kish Island – CITELEX 2010
"The best way to predict the future is to invent it." Alan Kay


A Reasonably Secure Environment
Three areas have to be addressed together: Physical, Operational, Management

Securing the Physical Environment
Physical security:
– Involves protecting your assets and information from physical access by unauthorized personnel.
– Try to protect those items that can be seen, touched and stolen.
Easy? How?
– Controlling access to the office
– Shredding unneeded documents
– Limiting access to sensitive areas
– Providing perimeter and corridor security
– A person present (even if it is a guard who spends most of the time sleeping)
– Roving security patrols
– Multiple-lock access control methods
– Electronic or password access

Physical Security Components
First: making a physical location less tempting as a target
– You must prevent people from seeing your organization as a tempting target
– Locking doors
– Installing surveillance or alarm systems
– Elevators requiring keys or badges in order to reach upper floors
Second: detecting the penetration or theft
– You want to know what was broken into, what is missing, and how the loss occurred
– Passive videotape systems
– Make the video cameras as conspicuous as possible
– Make it well known that you'll prosecute anyone caught in the act of theft to the fullest extent of the law
Third: recovering from a theft or loss of critical information or systems
– How will the organization recover from the loss and get on with normal business?
– Planning, thought, testing

Examining Operational Security
Operational security focuses on how your organization does what it does: everything that isn't related to design or physical security in your network. Instead of the physical components where the data is stored, such as a server, the focus is on topology and connections.
Issues:
– Computers
– Daily operations of the network
– Management
– Policies
– Access control
– Authentication
– Security topologies
– Connections to other networks
– Backup plans
– Recovery plans

Working with Management & Policies
Management and policies provide the guidance, rules, and procedures for implementing a security environment. Policies, to be effective, must have the full and uncompromised support of the organization's management team. Policies establish expectations about security-related issues.
Key policies to secure a network:
– Administrative policies
– Software design requirements
– Disaster recovery plan
– Information policies
– Security policies
– Usage policies
– User management policies

Working with Management & Policies: Administrative Policies
– Guidelines and expectations for upgrades, monitoring, backups, and audits: how often and when upgrades happen; when and how monitoring occurs; how logs are reviewed; who is responsible for making decisions on these matters; how often those decisions should be reviewed
– Who: administrators and maintenance staff
– Specifications must be specific enough to help administrative staff run the system and network, and flexible enough to allow for emergencies and unforeseen circumstances

Working with Management & Policies: Software Design Requirements and Disaster Recovery Plans
Software design requirements
– Capability of the system
– Should be very specific about security
– Design requirements should be viewed as a moving target
Disaster recovery plans (DRPs)
– Consider virtually every type of failure that could occur
– The key to a DRP's success is its completeness
– Backups and hot sites: a hot site is a facility designed to provide immediate availability in the event of a system or network failure

Working with Management & Policies: Information Policies
– Refer to various aspects of information security: access; classifications; marking and storage; transmission of sensitive information; destruction of sensitive information
– Include data classification levels:
  Public: all advertisements and information posted on the web
  Internal: all intranet-type information
  Private: personnel records, client data
  Confidential: Public Key Infrastructure (PKI) information and other items restricted to those who need to know them

Working with Management & Policies: Security Policies
– Define the configuration of systems and networks: installation of software, hardware and network connections
– Define computer room and data centre security
– Define how identification and authentication (I&A) occurs
– Determine access control
– Determine auditing
– Determine reports
– Determine network connectivity
– Encryption
– Antivirus software
– Procedures and methods used for password selection, account expiration and failed logon attempts
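The last item on that slide is the one most often left as words on paper. As an added example (not code from the presentation), the Python below shows what password selection, account expiration and failed-logon handling look like once a security policy is actually enforced: a policy check at account creation, a salted PBKDF2 hash, an expiry date, and a sliding-window lockout. Every threshold (12 characters, 3 character classes, 5 failures in 15 minutes, 30-minute lockout, 90-day lifetime) is an assumption standing in for the values a real policy would state.

```python
# Added example (not from the presentation): turning the password selection,
# account expiration and failed-logon items of a security policy into code.
# All thresholds below are assumptions; a real policy states its own values.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import re

MIN_PASSWORD_LENGTH = 12                  # assumed policy value
MIN_CHARACTER_CLASSES = 3                 # assumed: of lower, upper, digit, symbol
MAX_FAILED_ATTEMPTS = 5                   # assumed: failures allowed in the window
LOCKOUT_WINDOW = timedelta(minutes=15)    # assumed
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed
ACCOUNT_LIFETIME = timedelta(days=90)     # assumed: accounts expire unless renewed
PBKDF2_ITERATIONS = 100_000


def check_password_policy(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is generated when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    expires_at: datetime
    failed_attempts: List[datetime] = field(default_factory=list)  # failures inside the window
    locked_until: Optional[datetime] = None


def create_account(username: str, password: str, now: datetime) -> Account:
    """Refuse passwords that violate the policy; otherwise store a salted hash and an expiry date."""
    problems = check_password_policy(username, password)
    if problems:
        raise ValueError("password policy: " + "; ".join(problems))
    salt, digest = hash_password(password)
    return Account(username, salt, digest, expires_at=now + ACCOUNT_LIFETIME)


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'locked' or 'denied'.

    Expiry and lockout are checked before the password is verified, so a
    locked or expired account reveals nothing about whether the password was right.
    """
    if now >= acct.expires_at:
        return "expired"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    _, digest = hash_password(password, acct.salt)
    if hmac.compare_digest(digest, acct.digest):   # constant-time comparison
        acct.failed_attempts.clear()
        return "ok"
    # Keep only the failures that fall inside the sliding window, then add this one.
    acct.failed_attempts = [t for t in acct.failed_attempts if now - t < LOCKOUT_WINDOW]
    acct.failed_attempts.append(now)
    if len(acct.failed_attempts) >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.failed_attempts.clear()
        return "locked"
    return "denied"


if __name__ == "__main__":
    t0 = datetime(2010, 5, 12, 9, 0)
    acct = create_account("alice", "Kish-Island!2010x", t0)
    print(authenticate(acct, "Kish-Island!2010x", t0))                  # ok
    for i in range(5):
        print(authenticate(acct, "wrong", t0 + timedelta(seconds=i)))  # denied x4, then locked
```

The ordering inside authenticate is the point a policy document rarely spells out: if the password were checked first, an attacker could keep guessing against a locked account and read the result from the response, which defeats the lockout.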

Working with Management & Policies: Usage Policies
– Refer to how information and resources are used
– Explain to users how they can use the organization's resources and for what purpose
– Lay down the law about computer usage
– Include statements about privacy, ownership and the consequences of improper acts
– Explain usage expectations about the Internet, remote access and
– How users should handle incidents
– State the consequences of account misuse

Working with Management & Policies: User Management Policies
– Should clearly outline who notifies the IT department about employee termination, and how and when the notification occurs
– How new employees are added to the system: training, orientation, equipment installation and configuration
– When employees leave the company, their accounts must be disabled or deleted
– Privilege creep: users accumulate access rights as they change roles, and the rights from earlier roles are never taken away
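The two failures this slide warns about (accounts left enabled after termination, and privilege creep) are both found the same way: by comparing what the directory says against what HR says. As an added example (not code from the presentation), the Python below reconciles a constructed directory export against a constructed HR roster and a role baseline; the role names, group names and the five sample users are all made up for the illustration.

```python
# Added example (not from the presentation): reconciling a directory export
# against the HR roster to catch two user-management failures the policy
# warns about: accounts still enabled after termination, and privilege creep.
# The roster, directory entries and role baselines are constructed sample data.
from typing import Dict, List, Set, Tuple

# Assumed role baseline: the groups each role is entitled to, and nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"vpn", "git", "dev-servers"},
    "helpdesk": {"vpn", "ticketing", "workstation-admins"},
    "finance": {"vpn", "erp"},
}

# Constructed HR roster: username -> (current role, employment status)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("developer", "active"),
    "bob": ("helpdesk", "active"),
    "carol": ("finance", "terminated"),   # left last month
    "dave": ("finance", "active"),        # moved from helpdesk to finance
}

# Constructed directory export: username -> (account enabled?, group memberships)
DIRECTORY: Dict[str, Tuple[bool, Set[str]]] = {
    "alice": (True, {"vpn", "git", "dev-servers"}),
    "bob": (True, {"vpn", "ticketing", "workstation-admins", "domain-admins"}),
    "carol": (True, {"vpn", "erp"}),                                     # never disabled
    "dave": (True, {"vpn", "erp", "ticketing", "workstation-admins"}),   # old helpdesk groups kept
    "svc-backup": (True, {"backup-operators"}),                          # service account, no HR owner
}


def find_stale_accounts(roster, directory) -> List[str]:
    """Enabled accounts whose owner is terminated or unknown to HR.

    A service account with no HR owner is reported too: the policy needs a
    documented owner or an explicit exception list for it, not silence.
    """
    stale = []
    for user, (enabled, _groups) in directory.items():
        if not enabled:
            continue
        entry = roster.get(user)
        if entry is None or entry[1] != "active":
            stale.append(user)
    return sorted(stale)


def find_privilege_creep(roster, directory, baseline) -> Dict[str, Set[str]]:
    """Groups an active user holds beyond what the current role entitles them to."""
    creep: Dict[str, Set[str]] = {}
    for user, (role, status) in roster.items():
        if status != "active" or user not in directory:
            continue
        extra = directory[user][1] - baseline.get(role, set())
        if extra:
            creep[user] = extra
    return creep


if __name__ == "__main__":
    print("stale accounts:", find_stale_accounts(HR_ROSTER, DIRECTORY))
    print("privilege creep:", find_privilege_creep(HR_ROSTER, DIRECTORY, ROLE_BASELINE))
```

Run on the sample data this reports carol (terminated, still enabled) and svc-backup (no owner) as stale, bob for a domain-admins membership his role does not grant, and dave for the helpdesk groups he kept when he moved to finance. The comparison is only as good as the baseline: if ROLE_BASELINE is written by copying whatever groups people currently have, the creep is baked into the baseline and the check finds nothing.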

Understanding Components of an IT Security Audit

Network Security: Management's Perspective
Dangers:
– Negligence
– Dereliction of duty
– Liability for damages
– Misconduct
– Sabotage
– Aiding and abetting crime

Network Security: Management's Perspective
Issues:
– Training
– Continuity and crisis planning
– Assume information security is YOUR responsibility
Lack of awareness can lead to negligence and liability!

Modern Technology Roadmap
– Early 1990s: virus scanners
– Mid 1990s: firewalls
– Late 1990s: over-reliance on encryption (PKI)
– Early 2000s: over-reliance on intrusion detection systems (IDS)
– Late 2000s: over-reliance on intrusion prevention systems / artificial intelligence

Notable Trends in Cyber Criminality
– Motivation: financial motives are making attackers more sophisticated.
– Targeted attacks: attacks are much more targeted than before.
– Targets: the user and the user workstation (desktop or laptop) become the easiest path into the network.

Questions?

Thanks