Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a security strategy By Raef Mchaymech. Our Case of study This is the company that we need to secure its information system.

Published byAntonia Townsend Modified over 8 years ago

Similar presentations

Presentation on theme: "Building a security strategy By Raef Mchaymech. Our Case of study This is the company that we need to secure its information system."— Presentation transcript:

1 Building a security strategy By Raef Mchaymech

2 Our Case of study This is the company that we need to secure its information system

3 The Assets ▪ The Assets of the company: – Physical Assets: ▪ The two Servers ▪ The departments’ desktops ▪ The manager’s laptop ▪ The router ▪ The switch ▪ The cables (Communication medium) – Non-Physical Assets ▪ These Assets are the electronic information and the data concerning the company

4 The non-physical Assets ▪ The Business Confidential Information – Stock Data – Order Data – Account Data – Financial Data ▪ The Personal Information – Employees’ Data (name, salary, …) – Clients’ Data (address, payments,…)

5 Classification Risk Level High Medium Low The Assets: -------------- The Stock Server The Order Server The Bills department’s Desktops The HR department’s Desktops The IT department’s Desktops The Accounting department’s Desktops The manager’s laptop The router The switch The cables ------------- Stock Data Order Data Account Data Financial Data Employees’ Data Clients’ Data

6 The Threats ▪ These are the threats that endanger the company Human errors: e.g. entering incorrect transactions; failing to spot and correct errors; processing the wrong information; accidentally deleting data Technical errors: e.g. hardware that fails or software that crashes during transaction processing Accidents and disasters: e.g. floods, fire Fraud - deliberate attempts to corrupt or amend previously legitimate data and information Espionage: e.g. competitors deliberately gaining access to commercially-sensitive data (e.g. customer details; pricing and profit margin data, designs) Malicious damage: where an employee or other person deliberately sets out to destroy or damage data and systems (e.g. hackers, creators of viruses)

7 Some detailed Threats Unauthorized or Malicious Access ▪ We can use firewall (hardware for higher security) ▪ Disabling all the unneeded ports and enable only the ports that we use. E.g. port 80 for the web Man in the middle attacks ▪ The usage of static routing and static switching

8 Some detailed Threats Viruses ▪ Antivirus software should be installed on all computers and servers ▪ Constantly update for viruses’ definitions Spyware ▪ Anti-spyware software should be installed on all computers and servers ▪ Network analyzer software to track all the network usage ▪ Constantly update

9 Denial of Service Attack ▪ The Solution: – Monitor the system for flooding messages – Disable or monitor the ICMP messages ▪ Intrusion Detection System (IDS)

10 Espionage and Fraud ▪ The Use of encryption is the best solution to preserve: – Confidentiality – Authentication – Integrity ▪ The data should be transmitted encrypted ▪ The data on the server should be saved encrypted ▪ Sending data over secured communication protocols like SSL

11 Non-Malicious Threats Entering incorrect transactions ▪ The system should always shows a preview of the transactions ▪ And always asks for confirmation in case of critical transactions, e.g. costumer payments. ▪ An undo button if applicable Accidently delete data files ▪ Should exist a real-time backing up for critical data and daily transactions

12 Accidents and disasters ▪ These threats can’t be escaped ▪ The best solution is to draw contingency plans ▪ Backed-up data in somewhere else – E.g. one complete back up every week to a remote location using VPN ▪ An alternative building for emergency that can fully or partially handle the works

13 Secure Databases ▪ Use different roles for different departments to assure the authority, i.e. which database and what operations ▪ Accounting Department is allowed to read, write and update the accounting database only ▪ IT Department is not allowed to access any database. ▪ Billing Department is allowed to read, write and update data in stock database. ▪ HR Department is allowed only to read the data from accounting database.

14 Secure more Secure the router and the switch ▪ Use Strong Passwords ▪ WPA encryption and not WEP ▪ Add static routing and static switching to both router and switch. ▪ Use access lists control for packet filtering. Secure Software ▪ All the software used in the company are secured with a login password for each user.

15 The outside Thick walls ( can handle accidents, explosions,…) Strong barriers around the wall to not let vehicles come near the company For higher security we could consider putting external cameras Minimizing the number of doors that let you enter to the company, and in case of emergency doors, make them exit only. Protecting the resources that are outside (electricity generators,…)

16 The Inside Separating the guest room from the rest of the company Offer some low-level type of authentication on the entrance. ( the employees may show some badges even the guest can show some ID)

17 The Inside A security control room and a surveillance room. And this room should be highly protected (a thick door that opens only with biometrics of the security and the monitoring guys) The manager room should also be protected just like the monitoring room (biometrics of the manager is a good solution) There should be cameras covering everything in the company especially the doors because they should be opened remotely from the security control room after the identity of the person is authenticated by the monitoring guy. The servers room wall could be made from strong glasses or fabrics, in this way everything happens inside the room could probably be detected from other employees

18 The Inside There should be a door, an alley and then another door to enter to the servers room One of the two doors should be opened remotely from the monitoring room and the other one should be opened by a card (or biometric for higher security) identifying the employee A door cannot be opened if the second one is still open The system should count if someone entered and expect him to exit the room (do not accept the same card again to enter if you didn’t leave) The alley should not have blind spots (all covered by the cameras) If someone needs to enter to the servers room he needs to state clearly why

19 The Inside A direct link from the server S1 which is available to any one, to the server S2 which contains critical data is a big vulnerability point if this infrastructure is leaked outside the company And updating the data from S2 to S1, so the salesmen can know the exact amount of stock, can be done using the billing department, a software that uses real-time and consistent update can work around this problem All computers in the company must be protected with updated anti-viruses software, and especially the computers in the bills department

20 Cables ▪ The cables are installed invisibly through walls to protect them from intentional or non-intentional damage.

21 What do we need else ? ▪ The physical world and the logical world cost a lot of money, but they are not enough ▪ The employees should be educated and security-aware ▪ Organization-level security policies ▪ Some rules: – There must be an inside man who is a security expert, do not depend only on outside security contacts – At least two sources for the main utilities – There should be a security officer in the company that has the authority to watch the employees and see if they obey the rules

22 Security management ▪ The rules (continued): – There must be a security aware programs for the employees (educate them to take more precautions) examples: ▪ To not leave their cars open ▪ To take precautions when using USB flashes inside the company’s computers ▪ To not share their passwords ▪ To change their passwords from time to time ▪ … ▪ After all if the employees do not take precautions, the maximum level of hardware and software security will not be enough at all

23 Thank You

Download ppt "Building a security strategy By Raef Mchaymech. Our Case of study This is the company that we need to secure its information system."

Similar presentations

Security Strategy. You will need to be able to explain:  Data Security  Data Integrity and  Data Privacy  Risks  Hacking  Denial of Service DOS.

Security Strategy. You will need to be able to explain:  Data Security  Data Integrity and  Data Privacy  Risks  Hacking  Denial of Service DOS.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 Network Security.

Chapter 12 Network Security.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.

Similar presentations

Ads by Google