Download presentation
Presentation is loading. Please wait.
Published byAda Glenn Modified over 9 years ago
1
Cory Bowers Harold Gray Brian Schneider Data Security
2
Security Security is all about trust in protection and authenticity No matter how much you patch or secure your systems, weakest link in security chain is the natural human willingness to accept someone at their own word
3
Why? Hacker’s motivation: Pride Commit fraud Identity Theft Espionage Disrupt Administrator’s motivation: Protect company data Protect resources Protect company reputation
4
Threats Social Engineering Manipulating people to get access to confidential data Malware Worms Trojan Horses Rootkits Keylogger
5
Social Engineering Physical By Phone – call up a company and gradually get information Dumpster Diving – phone books, org charts, calendars, old paperwork, internal technical documentation, old hardware Online – most users use the same password, exploit through phishing sites and spam Psychological Impersonation – repairman, IT support, manager, trusted third party Ingratiation – using a position of power to get somebody to perform an unauthorized action Conformity – everybody else has given us this info, Diffusion of responsibility – alleviate the stress on the employee Friendliness – most people want to help, just have to be believable Reverse Social Engineering – sabotage, advertising, and assisting Kevin Mitnick – most famous, raised the issue of computer security in the US
6
Malware Worms – actively transmits itself over a network to infect other computers, possibly carrying a malicious payload Virus – a piece of software that infects a piece of software through a security hole allowing itself to run malicious code or propogate Trojan Horses – a piece of malware that masquerades as a good piece of software, but has a harmful payload, opens a backdoor to the system usually Rootkits – help malicious programs avoid detection on the system Keylogger – monitor user keystrokes and report them back to attacker
7
Good Security Policies Applicable to any variable inside of a system including hardware, software and people We are familiar with the practice of good policies in regard to hardware and software, but the policy of people within the system is most important.
8
Simple common policy Complex passwords Don’t share passwords Don’t write passwords down
9
Policy for paper documents First, what are you going to allow your employees to print? Where are they stored in between usage? ‘Who’ can take ‘what’, ‘where’? Time to shred? Who is responsible? Should the policy require in-house shredding or is it acceptable to transport the documents first? What degree of shredding is necessary? Is the policy the same for all documents?
10
Human Policy The human policy can apply to every aspect such as cameras, access cards, restricted area access, physical access to machines, direct physical access to certain machines, etc… On a basic level, policy helps prevent negligence Email attachments/USB drives/”Screensavers”/lost corporate devices Beyond that, a user can be educated to a policy that would help the system defend against social engineering
11
[Virtual] Protection Standard network protection, password protection, etc… Select which data is worth backing up and how often. Protection policies must be aware of budgets! Make offline (separate) copies Encrypt those copies
12
[Real] Protection Physical data threats Vandalism Theft Natural Disaster Fire/Water/Climate Control Power surge/Lightning EMP Terrorism
13
Backups Housing for the backups must be secure. In instances where a system is backed up to a remote location, part of the policy is to keep the location secret. Some mediums degrade over time and became unreliable Rewriteable mediums degrade relative to use
14
Tools to prevent unauthorized physical access: various physical identifications systems cameras alarms logging of physical access
15
Reasons for destroying data Data Remanence Tendency of data to remain on the medium after deletion Removal of equipment Might donate old equipment to charities, other organizations
16
Proper ways to delete data Deletion ‘Soft’ delete by marking files for deletion OS generally keeps file in holding area for easy recover if user made a mistake When deletion is confirmed, the file’s entry is just removed from the file system. Reasons not to do it Even after deletion, the data is still there. Can be recovered through file recovery utilities Can also be retrieved by reading disk sectors directly. Sterilization
17
Involves complete destruction of data Clearing Writing over deleted files with dummy data. Typically all 0’s, but patterns of alternating 1’s and 0’s are better. Can only be used on media that can be rewritten Purging Destruction of the magnetic domains of the media by exposure to a strong magnetic field. For high security application, specially made degaussers are used. Destroying Done via disintegration, pulverization, melting, incineration, or shredding. Ultimately, the only way to assure destruction of data.
18
Destroying optical or other media Optical Disks Cannot be deleted, cleared, or purged. Must be destroyed. Must be shredded via a crosscut shredder, burned, or pulverized. Magnetic Disks May have any of the above done, based on importance of data being destroyed. Equipment If applicable, may be cleared or purged, but can always be destroyed. Paper Shredding via a crosscut shredder Size varies by importance of paperwork Disintegration into pulp by water and a fine screen.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.