Security+ All-In-One Edition Chapter 2 – Organizational Security Brian E. Brzezicki.
No security that is not designed
An organization cannot expect to be secure unless security is directed from the top down.
– Management must recognize the need for security
– Management must create a security policy
– Management must empower the security team to design and enforce the security program

Policies, Standards, Guidelines and Procedures
A security program is implemented through policies, standards, guidelines and procedures. These are all part of an organization's security plan. Each is covered in the next few slides.

Due Care and Due Diligence (41)
Corporate policies, standards and guidelines help demonstrate and implement due diligence and due care.
Due Diligence – the company researches and attempts to understand the risks it faces. Risk analysis is a form of due diligence.
Due Care – the company makes reasonable efforts to minimize risk and protect its assets. Having policies, procedures and guidelines shows that a company is exercising due care.

Policy (27)
Policy – a high-level, broad statement explaining the company's need for and commitment to security; very much like a mission statement. The corporate policy itself is deliberately non-specific. Beneath it sit system- and issue-specific security policies that lay the security foundation for the organization.
Example: Password Policy
Example: Data Encryption Policy

Standards (27)
Standards – mandatory elements regarding the implementation of a policy.
Example: All users will wear an ID badge while on the premises, and all employees will report anyone not displaying an ID badge.

Guidelines (27)
Guidelines – recommendations relating to or supporting a policy where no specific standard or rule exists.
Example: When dealing with customer information you must do your utmost to protect its confidentiality.

Procedures (27)
Procedures – specific step-by-step actions for implementing part of a policy.
Example: Written procedures for installing and configuring a new desktop computer before it is placed on the network.

Security Plan Lifecycle (28)
The policies, standards, guidelines and procedures will change as the company changes; security planning is a lifecycle:
1. Plan for security
2. Implement the plan
3. Monitor the implementation
4. Evaluate the effectiveness
5. Adjust and restart

Some Specific Types of Policies
– Information Classification Policies
– Acceptable Use Policies
– Internet Usage Policies
– E-mail Usage Policies
– Data Disposal Policies
– Password Policies
– Termination Policies
– Data Privacy Policies
These are just some examples of the specific policies that give legs to the corporate security policy.

Human Resources

Human Resources (44)
Humans are the weakest link in computer security; what's more, we are the most prevalent part of an organization. There must be policies specific to HR practices. A few of these are very important.

Hiring Policies (44)
– Background checks on ALL employees – why?
– Reference checks – why?
– Education checks – why?
– Employment checks
– NDAs etc. MUST be signed
– Non-competes MUST be signed
Once hired, the new employee should receive an orientation at which all policies are reviewed and signed.

Employment
– Periodic drug tests
– Periodic reviews
  – Performance
  – Permissions/access reviews, especially during role changes – why?
  – "Attitude" – why?
  – If demoted, supervisors should be alerted to keep a close eye on the employee – why?

Termination (45)
An organization must take careful steps when an employee is leaving, whether voluntarily or through firing/layoffs. Each situation may be different and may require evaluating the employee's:
– Access to sensitive information
– Access to customers
– Access to systems and networks
(more)

Terminations
If an employee is being terminated they should:
– Have access immediately revoked
– Return all access devices (key cards etc.)
– Return all equipment
– Change passwords if necessary (any shared or service-account passwords the employee knew)
– Not interact with other employees
– Be escorted out of the building
(more)

Termination
Either way, there should be written policies describing the procedures to follow for terminations, and there should always be an exit interview.
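Two of the HR controls above can be checked mechanically rather than trusted: a terminated employee's accounts must be disabled immediately, and an employee who changes role should lose the entitlements of the old role. The script below is an added example, not part of the slides or the Security+ book: it reconciles a directory export against the HR roster and flags still-enabled accounts of terminated staff, accounts with no HR owner, and group memberships beyond what the current role allows. The roster, accounts and role-to-group mapping are constructed sample data.

```python
"""Access review against the HR roster (added example, not from the slides).

Reconciles a directory export with the HR roster to catch lagging
revocations, orphaned accounts and privilege creep after role changes.
Roster, accounts and role-to-group mapping are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Employee:
    emp_id: str
    name: str
    role: str
    status: str                      # "active" or "terminated"
    term_date: Optional[date] = None


@dataclass
class Account:
    username: str
    emp_id: Optional[str]            # None: no owner recorded in HR
    enabled: bool
    groups: set = field(default_factory=set)


# Constructed: the groups each role is entitled to hold.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"Domain Users", "Helpdesk"},
    "dba": {"Domain Users", "DB-Admins"},
    "finance": {"Domain Users", "Finance-Share"},
}


def review_access(employees, accounts, today):
    """Return (username, finding) pairs that need human follow-up."""
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            # Nobody in HR owns this account: a typical leftover of sloppy offboarding.
            findings.append((acct.username, "orphan: no HR record"))
        elif emp.status == "terminated":
            # Revocation was supposed to be immediate; report how long it has lagged.
            if acct.enabled:
                age = (today - emp.term_date).days
                findings.append((acct.username, f"terminated {age}d ago but still enabled"))
        else:
            # Groups beyond the current role's entitlements are privilege creep,
            # usually rights carried over from a previous role.
            excess = acct.groups - ROLE_ENTITLEMENTS.get(emp.role, set())
            if excess:
                findings.append(
                    (acct.username, f"excess groups for role {emp.role}: {sorted(excess)}")
                )
    return findings


# Constructed sample data: Bob was terminated on 2024-01-10; Carol moved from
# the DBA team to the helpdesk; svc_legacy has no owner in HR.
SAMPLE_EMPLOYEES = [
    Employee("1001", "Alice", "dba", "active"),
    Employee("1002", "Bob", "helpdesk", "terminated", date(2024, 1, 10)),
    Employee("1003", "Carol", "helpdesk", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "1001", True, {"Domain Users", "DB-Admins"}),
    Account("bob", "1002", True, {"Domain Users", "Helpdesk"}),
    Account("carol", "1003", True, {"Domain Users", "Helpdesk", "DB-Admins"}),
    Account("svc_legacy", None, True, {"Domain Users"}),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, date(2024, 1, 20)):
        print(f"{user:12} {finding}")
```

Run periodically (and on every termination notice) against a fresh directory export; the findings list is what the access-review meeting works through, and an empty list is the evidence that the termination procedure is actually being followed.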

Separation of Duties / Mandatory Vacations (46)
HR should enact:
– Separation of duties
– Job rotation
– Mandatory vacations
These are discussed on the following slides.

Job Rotation (12)
Individuals rotate through various job responsibilities so that no one person is solely responsible for something.
– Decreases the ability to commit fraud undetected
– Decreases the chance that something is seriously affected if someone leaves the organization
– Decreases an employee's ability to "blackmail" the organization

Mandatory Vacations

Mandatory Vacations (NB)
All employees are REQUIRED to take their vacation.
– Decreases the ability to commit fraud undetected (the main security reason)
– Decreases the chance that something is seriously affected if someone leaves the organization

Attacks that can be defended against well by policies and education

Social Engineering (34)
What is social engineering?
– Incredibly easy to exploit
– Often trivially bypasses advanced logical/technical security controls
– Takes advantage of a few things:
  – People are the weakest part of security
  – People want to avoid confrontation
  – People often don't think about the security implications
  – People are often untrained in computing and security
  – A little knowledge here or there lets the attacker "aggregate" knowledge and piece things together

Phishing (35)
An attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity via e-mail or instant messaging.
– Usually sends a link to a forged website
– The website looks just like the real website
– The user is tricked into entering personal information
(more)

Phishing (35)
Signs of phishing:
– Long website links with similar-looking names
– Poor grammar and spelling
Countermeasures:
– Anti-phishing software
– Digital certificates
– Have an organizational policy that you will never send e-mails requesting personal information
– User education (most effective)
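The slide's "long website links with similar names" actually covers several distinct tricks, and it is worth being able to name them when training users or writing mail-filter rules: a look-alike registrable domain (paypa1.com), the trusted name demoted to a subdomain of an attacker-owned domain (paypal.com.security-check.example), user-info before an '@' that makes the real host easy to miss, and a raw IP address in place of a name. The checker below is an added example, not from the slides or the Security+ book; it reports which of these tricks a link exhibits relative to the domain the message claims to come from. The homoglyph table, the short public-suffix list, the length thresholds and the sample links are constructed assumptions, and heuristics like these support the "user education" countermeasure rather than replace it.

```python
"""Link heuristics for the phishing signs above (added example, not from the slides).

analyze_link(url, expected_domain) lists the reasons a link looks like phishing
when the message claims to come from expected_domain.  Standard library only;
suffix list, homoglyph table and thresholds are constructed assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: suffixes under which the registrable domain has three labels.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed: single-character look-alikes attackers substitute into names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable_domain(host):
    """Return the owner-controlled part of a host name (naive public-suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def normalize(name):
    """Collapse common look-alike spellings so paypa1 / rnicrosoft match their targets."""
    return name.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def analyze_link(url, expected_domain):
    """Return the reasons a link looks like phishing; an empty list means no red flag."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.username is not None:
        # http://paypal.com@evil.example/ -- the browser goes to evil.example
        reasons.append("credentials in URL hide the real host")
    if parts.scheme != "https":
        reasons.append("not https")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a host name")
    except ValueError:
        reg = registrable_domain(host)
        if reg != expected_domain:
            if (expected_domain + ".") in host:
                # paypal.com.security-check.example: the trusted name is only a subdomain
                reasons.append(f"trusted name used as a subdomain of {reg}")
            elif normalize(reg) == normalize(expected_domain):
                reasons.append(f"look-alike domain {reg}")
            else:
                reasons.append(f"domain {reg} does not match {expected_domain}")

    # Constructed thresholds for the "long link" sign on the slide.
    if len(url) > 75 or host.count(".") >= 4:
        reasons.append("unusually long link")
    return reasons


if __name__ == "__main__":
    # Constructed sample links a user might receive "from" paypal.com.
    for link in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "http://paypal.com.security-check.example/verify/account/update",
        "http://paypal.com@203.0.113.5/",
    ]:
        print(link, "->", analyze_link(link, "paypal.com") or ["ok"])
```

The registrable-domain step is the one that matters: users (and naive filters) read a URL left to right and stop at the first familiar name, while the browser resolves the label immediately left of the public suffix. A production filter would replace the three-entry suffix set with the full public suffix list.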

Old School Phishing Attack
A gentleman in one of my classes pointed out an old attack that I had forgotten about, one of the predecessors to modern phishing. Years ago people used to put up fake ATMs that would read and store your ATM card numbers and PINs. After you swiped the card and put in your PIN you'd get a "system down" message; most people would never realize that their info had been stolen. This is a predecessor to modern phishing.

Vishing (36)
Phishing, but over the phone system (voice communications).
– Phone calls with spoofed Caller ID (easy to do with VoIP) or via a dedicated PRI line
– Hacked voicemail systems

Shoulder Surfing (36)
What is this? May include advanced equipment such as cameras.
Countermeasures:
– Privacy screens
– User environmental awareness

Dumpster Diving? (37)
Anyone heard of Kevin Mitnick?
Countermeasures:
– Have a corporate policy regarding data destruction
– Shred sensitive documents
– Lock and secure trash receptacles/areas

Chapter 2 – Review Questions
Q. What is the best countermeasure against phishing attacks?
Q. Why is a hoax still a security concern?
Q. Installing cameras to read credit card numbers at gas pumps is what type of attack?
Q. Does an organizational security policy statement detail specifics such as how to properly encrypt data?

Chapter 2 – Review Questions
Q. What is the difference between due diligence and due care?
Q. What is the term for a set of "required steps to be taken" when performing some action?