Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.

Objectives
– Explain how physical security protects an organization
– Tell the difference between enterprise policies and plans, and list examples of each
– Give examples of different types of training and education
– Define ethics

Physical Security
Protects equipment and has one primary goal:
– To prevent unauthorized users from reaching the equipment to use, steal, or vandalize it
Rack-mounted servers
– Typically 1.75 inches (4.45 centimeters) tall
– Can be stacked with up to 50 other servers in a closely confined area
– Typically connected to a single KVM (keyboard, video, mouse) switch

Physical Security (continued)
KVM switches
– Connection ports allow analog or digital connections from rack-mounted servers, or connections over network cables
– Some have a lock that restricts access
In addition to securing the device itself, it is also important to secure the room containing the device

Physical Security (continued)
Basic types of door locks
– Preset lock
– Deadbolt lock
Cipher locks
– Combination locks with buttons that the user must push in the proper sequence to open the door
– Keep a record of when the door was opened and by which code

Physical Security (continued)
Other physical vulnerabilities in an office
– Suspended ceilings
– HVAC ducts
– Exposed door hinges
– Insufficient lighting
– Dead-end corridors

Enterprise Policies
Policy
– Document that outlines specific requirements or rules that must be met
– Characteristics:
  Communicates a consensus of judgment
  Defines appropriate behavior for users
  Identifies what tools and procedures are needed
  Provides a foundation for human resource action in response to inappropriate behavior
  Makes the process of prosecuting violators clearer and more fair

Security Policy
Outlines protections that should be enacted to ensure the organization’s assets face minimal risks
Effective security policy
– Must carefully balance trust and control
Three models of trust
– Trust everyone all of the time
– Trust no one at any time
– Trust some people some of the time

Acceptable Use Policy (AUP)
Defines actions users may perform while using the computing and networking equipment
Typically covers all computer use
– Including Internet, Web, and password security
Should provide explicit prohibitions regarding security and proprietary information
Unacceptable use should also be outlined

Enterprise Plans
A plan
– A “call to action” outlining what must be done
Plans that are often used
– Business continuity plan
– Disaster recovery plan

Business Continuity Plan
Process of
– Assessing risks
– Developing a management strategy to ensure that the business can continue if risks materialize
Addresses anything that could affect the continuity of service over the long term

Business Continuity Plan (continued)
Business continuity management
– Concerned with developing a business continuity plan (BCP)
Basic steps in creating a BCP
– Understand the business
– Formulate continuity strategies
– Develop a response
– Test the plan

Maintaining Utilities
Uninterruptible power supply (UPS)
– External device located between the outlet for electrical power and a computer device
If power fails, the UPS can
– Send a message to the network administrator’s computer
– Notify users that they must finish their work and log off immediately
– Prevent new users from logging on
– Disconnect users and shut down the server

Creating and Maintaining Backups
Four basic types of enterprise backups
– Full backup
– Differential backup
– Incremental backup
– Copy backup

Creating and Maintaining Backups (continued)
Grandfather-father-son backup system
– Divides backups into three sets
  Daily backup (son)
  Weekly backup (father)
  Monthly backup (grandfather)
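The slides name the four backup types and the grandfather-father-son sets without showing how they differ in practice. The following added example (not from the textbook) simulates a week of backups over a constructed file set using the usual archive-bit rules for each type, and classifies backup dates into GFS sets under an assumed month-end/Friday/weekday schedule; it shows why a restore from differentials needs only two sets while a restore from incrementals needs every set.

```python
"""Backup types and GFS rotation: added illustration, not textbook code.
Assumed archive-bit rules (the slide only names the types):
  full         copies every file and clears its archive bit
  differential copies files changed since the last FULL; leaves bits set
  incremental  copies files changed since the last backup of any kind; clears bits
  copy         copies every file but leaves archive bits untouched
"""
from datetime import date, timedelta

FILES = ["payroll.db", "hr.docx", "web.log"]  # constructed sample data set
CHANGES = {1: ["web.log"], 2: ["web.log", "hr.docx"], 3: ["payroll.db"]}  # day -> edited files


def backup(kind, archive_bits):
    """Return the files captured by one backup of `kind`; update archive bits in place."""
    if kind in ("full", "copy"):
        captured = set(archive_bits)
    else:  # differential / incremental: only files whose archive bit is set
        captured = {f for f, dirty in archive_bits.items() if dirty}
    if kind in ("full", "incremental"):  # only these two reset the bit
        for f in captured:
            archive_bits[f] = False
    return captured


def simulate(kind):
    """Day 0 full backup, then `kind` backups on days 1-3 after the constructed edits."""
    bits = {f: True for f in FILES}
    sets = [backup("full", bits)]
    for day in (1, 2, 3):
        for f in CHANGES[day]:
            bits[f] = True  # editing a file sets its archive bit
        sets.append(backup(kind, bits))
    return sets


def restore_chain(kind, sets):
    """Sets needed to rebuild day 3: full + newest differential, or full + every incremental."""
    return [sets[0], sets[-1]] if kind == "differential" else sets


def gfs_set(d):
    """Assign a backup taken on date d to a GFS set (assumed schedule:
    month-end = grandfather, Friday = father, any other day = son)."""
    if (d + timedelta(days=1)).day == 1:
        return "grandfather"
    if d.weekday() == 4:
        return "father"
    return "son"


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, [sorted(s) for s in simulate(kind)])
```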

Disaster Recovery Plan
Disaster recovery
– Focused on recovering from major disasters that could cause the organization to cease operations
Disaster recovery plan (DRP)
– Addresses what you should do if a major catastrophe occurs

Disaster Recovery Plan (continued)
Typical outline
– Unit 1: Purpose and Scope
– Unit 2: Recovery Team
– Unit 3: Preparing for a Disaster
– Unit 4: Emergency Procedures
– Unit 5: Recovery Procedures

Identifying Secure Recovery
Hot site
– Used in the event of a disaster to continue computer and network operations
Cold site
– Provides office space
– Customer must provide and install all equipment needed to continue operations
Warm site
– Has all of the equipment installed
– Does not have active Internet or telecommunications facilities

Education and Training
Opportunities for security education and training
– New employee is hired
– Computer attack has occurred
– Employee is promoted or given new responsibilities
– Department is conducting an annual retreat
– New user software is installed
– User hardware is upgraded

How Learners Learn
Pedagogical approach
– Comes from a Greek word meaning “to lead a child”
Andragogical approach
– The art of helping an adult learn
People typically learn in three ways
– Visually, auditorily, and kinesthetically

Learning Resources
Seminars and workshops
– Good means of learning the latest technologies and networking with other security professionals
Print media
– Magazines and journals are good sources for the most recent material
Internet
– Contains a wealth of information that can be used to keep informed about new attacks and trends

Ethics
Set of principles and behaviors that people understand and agree to be good and right
Values
– A person’s fundamental beliefs
– Principles used to define what is good, right, and just
Morals
– Values attributed to a system of beliefs that helps the individual define right from wrong
Code of conduct
– Intended to be a central guide and reference for employees in support of day-to-day decision making

Summary
Physical security
– One of the first lines of defense against attacks
Policy
– Document that outlines specific requirements or rules that must be met
Plan
– Outlines specifically what must be done

Summary (continued)
Users need to receive training regarding
– The importance of securing information
– The roles that they play in security
– The necessary steps they need to take to ward off attacks
Ethics
– The study of what people understand to be good and right