Objectives
The students should be able to:
- Define power failures: blackout, brownout, sags, spikes and surges, electromagnetic interference (EMI)
- Define protections against power failures: surge protector, uninterruptible power supply (UPS), alternate power generators
- Define and describe media for fire suppression systems: dry pipe, charged, FM-200, Argonite
- Define physical access controls: biometric door locks, bolting, deadman doors
- Describe the relationship between deadman doors and piggybacking
- Define and describe security awareness, security training, security education, segregation of duties
Source: CISA Review Manual 2009
Remember Data Criticality Classification?
- Critical ($$$$): Cannot be performed manually. Tolerance to interruption is very low.
- Vital ($$): Can be performed manually for a very short time.
- Sensitive ($): Can be performed manually for a period of time, but may cost more in staff.
- Nonsensitive (¢): Can be performed manually for an extended period of time with little additional cost and minimal recovery effort.
The criticality classification is concerned with whether the company can survive without automated (computerized) access to the data. These class names are common in industry.
... and Sensitivity Classification? (Example)
The sensitivity classification is concerned with how much the organization wants to protect the information from release, both within the organization and outside. The data classification shown above is an example, not an absolute; different companies will categorize their data differently.
[Figure: example sensitivity classification levels; only the label "Internal" survives from the slide graphic.]
Security: Defense in Depth
How did a castle protect against attacks? It had multiple layers of controls. We use the same concept of multiple layers for computer security. Here is an example list of controls implemented as layers, also known as "Defense in Depth". The circle on the right is like an onion: to get to the center you have to go through many security layers.
- Border router
- Perimeter firewall
- Internal firewall
- Intrusion detection system
- Policies, procedures and audits
- Authentication
- Access controls
Defense in Depth: Physical Access Controls with Guards
Which controls are preventive? Reactive? Corrective?
- Alarm system: protects doors and windows.
- Video cameras: sophisticated ones activate on motion and record for playback.
- Manual logging: people (visitors) sign in.
- Bonded personnel: contract personnel are bonded.
- Controlled visitor access: employees must accompany visitors.
Physical Issues and Controls
- Mobile computing
- Power protection
- Fire suppression
- Door locks and security
- IPF environment
Computer Room Equipped with...
- Water detector: placed under raised floors. Risk of electric shock; training necessary. Location of water detectors marked on the floor.
- Manual fire alarm: placed throughout the facility.
- Smoke detectors: above and below ceiling tiles, and below the room floor.
- Emergency power-off switch: turns off power to all equipment.
- Fire extinguishers: at strategic locations; tagged and inspected annually.
- Alarms should sound locally, at a monitored guard station, and preferably at the fire department.
A facility is shown above, with devices to ensure availability.
IPF Environment
- Computer room on middle floor
- Fire department inspects room annually
- Fire-resistant walls, floor, ceiling, furniture, electrical panel and conduit
- Two-hour fire resistance rating for walls
- Emergency power-off switch: panel inside and outside the room
- Redundant power lines reduce risk of environmental hazards
- Surge protectors and UPS
- No smoking, food or water in the IPF
- Audit: observe some, request documentation, may test batteries and handheld fire extinguishers, ensure the fire suppression system is to code
IPF = Information Processing Facility. Computer room on middle floor: too high and the fire department can't get to it; too low and it is susceptible to break-in or floods.
Deadman Doors
- Double set of doors: only one can be open at a time
- One person permitted in the holding area
- Reduces risk of piggybacking: an unauthorized person follows an authorized person into a restricted area
Computers in Public Places
Logical protections:
- Imaged computers: no client storage for programs and/or data
- Antivirus / antispyware: protects users from each other
- Web filters: avoid pornography, violence, adult content
- Login/passwords: if privileged clientele are allowed
- Firewall protection from the rest of the organization
Physical locks: Computers in public places should be locked and cabled to something non-moveable. Non-portable PCs have lock loops (holes) so that locks can prevent people from opening the back of the PC. This prevents both the PC and PC cards from walking away. Here you can see that the lock secures the computer to its back cover and includes a cable.
Mobile Computing
- Engrave a serial number and company name/logo on the laptop using an engraver or tamper-resistant tags
- Back up critical/sensitive data
- Use a cable locking system
- Encrypt sensitive files
- Allocate passwords to individual files (consider: what if the password is forgotten or the person leaves the company?)
- Establish a theft response team for when a laptop is stolen: report the loss to the police; determine the effect of lost or compromised data on the company, clients and third parties
Disappearing laptops are one of the most common security problems. In computer labs, universities use a cable locking system to lock down computers (and their parts) to ensure the computers are NOT mobile!!!
Device Security
PDAs:
- Approved and registered
- Configuration: controlled, licensed and tested software
- Encryption
- Antivirus
- Training and due care (including camera use)
- Easily misplaced
Flash and mini hard drives:
- Banned and USB disabled, OR
- Encrypt all data
Here are some ways to ensure security with devices.
Workbook: Physical Security: Room Classifications
Sensitivity class / Description / Special treatment:
- Confidential: Room contains Confidential information storage or a server. Guard key entry; badge must be visible; visitors must be escorted.
- Privileged: Room contains computer equipment or controlled substances. Computers are physically secured using a cable locking system; doors locked between 5 PM and 7 AM, and on weekends unless class is in session.
Here we name a Room Sensitivity Class (which may or may not correspond to the Data Sensitivity Class). We need to define what determines a room's sensitivity, and then how each room classification shall be handled. Above, we have a school system, where Protected rooms are public part time. A room is Confidential if it has files, in paper or electronic form, that contain Confidential information.
Physical Workbook: Criticality Table
Class / Description / Special treatment (controls related to availability):
- Critical: Room contains Critical computing resources, which cannot be performed manually. Availability controls include temperature control, UPS, smoke detector, fire suppressant.
- Vital: Room contains Vital computing resources, which can be performed manually for a short time. Controls: surge protector, temperature control, fire extinguisher.
Workbook: Physical Security: Physical Security Map
[Floor map: Rm 123, Rm 124, Rm 125, Rm 128, Rm 129, Rm 130, Rm 132, Computer Facility, Lobby]
This map shows the layout of a floor, including which rooms are Protected and Confidential. Door entry is also shown. The criticality classification may be shown on the map too, instead of as a note.
Sensitivity classification: black = Confidential; gray = Privileged; light = Public.
Criticality classification (availability): Rm 132: Critical; Rm 124, 125, 128, 129: Vital.
Workbook: Physical Security: Allocation of Assets
Room / Sensitivity and criticality class / Sensitive assets or information / Room controls:
- Rm 123: Privileged, Vital. Computer lab: computers, printer. Cable locking system; doors locked 9 PM to 8 AM by security.
- Rm 125: Classroom: computer and projector. Teachers have keys to the door.
- Rm 132: Confidential, Critical. Servers and critical/sensitive information. Key-card entry logs personnel; badges required.
Summary of Physical Controls
Physical access control: walls, doors, locks; badges, smart cards; biometrics; security cameras and guards; fences, lighting, sensors; cable locking system; computer screen hoods.
Environmental controls: backup power; air conditioning; fire suppressant.
Secure procedures: engraved serial numbers; locked files and desks; clean desk; paper shredders; locking screensaver; locked doors at night.
Question
A fire suppression system that is environmentally friendly, is not lethal, and does not damage equipment is:
1. Dry pipe
2. Halon
3. Charged
4. FM-200
Answer: 4 - FM-200.
Question
The best way to prevent piggybacking into secured areas is:
1. Deadman door
2. Bolting door
3. Guard
4. Camera
Answer: 1 - Deadman door. A camera is not a preventive technique; a guard and a bolting door may allow someone in other than the authorized person.
Question
A surge protector is the best protection against:
1. Electromagnetic interference
2. Loss of power for minutes
3. A blackout
4. Sags and spikes
Answer: 4 - Sags and spikes. Since sags and spikes are short-term interruptions (lasting from millionths to a few thousandths of a second), a surge protector can protect a computer from interruptions shorter than a few milliseconds. A surge protector reduces the risk of damage to equipment by regulating power spikes: it either increases or decreases the electric current to keep the current consistent.
Question
To eliminate problems with incomplete transactions during a sudden power failure, Joe has decided that some form of temporary power supply is necessary to ensure a graceful shutdown. The best option for Joe is:
1. UPS
2. Surge protector
3. Alternate power generator
4. Battery supply
Answer: 1 - UPS. A UPS system consists of a battery or gasoline-powered generator that ensures the power delivered to the computer is consistent, so if a power failure happens the UPS will provide electricity from the generator to the computer for a certain amount of time.
Auditors check for both physical and personnel security too...
Workbook: Personnel Security: Personnel Threats
Threat / Role / Liability or cost if the threat occurs:
- Divulging private information: Employee. FERPA violation = loss of federal funds.
- Grant abuse: Employee with grant. Loss of funds from US granting agencies.
The next Workbook slides show the method used to develop personnel security.
Security Awareness and Training
- Training covers what is expected of employees: Why is the policy in place? How is the policy enforced?
- Training may be implemented as new employee orientation or company newsletters.
- Determine effectiveness by interviewing employees.
Awareness Function: Types of Security Training
Level / Intended audience / Appropriate methods:
- Awareness: create a security-conscious workforce. Employees, partners and vendors. Newsletters, surveys, quizzes, video training, forums, posters.
- Training: necessary skills for a particular position. HR, legal, middle or top management, IT, programmers. Workshops, conferences.
- Education: high-level skills. Highly skilled professions: audit, security administration/management, risk management, ... Organized and gradual development: teaching and coaching.
(Left column: level of security training; middle column: intended audience; right column: appropriate methods.)
Awareness Training
- Signed employment agreements, video, memos, e-mails, posters, seminars and training classes: a combination of parallel approaches
- Knowledge areas: backing up work-related files; choosing passwords and avoiding exposure; avoiding e-mail and web viruses; recognizing social engineers; recognizing and reporting security incidents; securing electronic and paper media against theft and exposure; spotting malware that could lead to identity theft and desktop spying
- Metrics should be established to determine the effectiveness of change in behavior and workforce attitude
Segregation of Duties
[Diagram: Origination acts on Distribution; Authorization approves; Verification double-checks]
No one person can deliver the service and take the money, with the potential of stealing or falsifying sales. Consider a movie theater:
- Origination: the person who sells you the ticket.
- Distribution: the person who lets you into the theater.
- Authorization: ticket sales of an unusually large amount may require manager approval. Another example: someone charges on VISA, and VISA validates that yes, this VISA account is good.
- Verification: was this done correctly?
Organizational Segregation of Duties
[Diagram of organizational roles and their relationships]
- Audit: ensures procedures are professionally done.
- Security/Compliance: advises on and monitors for security. Compliance tracks security issues, such as metrics or violations of procedures, and resolves security issues.
- Quality Control: tests or ensures quality of software or production.
- Development: delivers software to System/Network Administration, and only when QC has approved.
- System/Network Administration: serves the Business.
IT Segregation of Duties
[Diagram of roles grouped by environment]
- User: end user, data entry
- Test environment: quality assurance
- Requirements/design: systems analyst, database administrator
- Security control group: security admin
- Production environment: computer operator, system administrator, network administrator, help desk
- Development environment: application programmer, systems programmer
The full and partial walls indicate where functionality can, should not, or cannot overlap. Note that the development environment should not overlap with the production environment: programmers should not become system administrators. In the terms of the previous slide, Originators should not become Distributors. Security admin can do some system admin work, but there are advantages to keeping these groups separate, since security serves to Authorize or Verify whereas system administration serves as Distribution. Quality Assurance serves to Authorize or Verify what Development Originates. The diagram shown is not as complete as the table in the CISA manual.
Segregation of Duties Controls
Transaction authorization and custody of assets:
- The data owner's responsibility is specific and documented; the data owner allocates authorization according to least privilege and segregation of duties.
- The security administrator implements physical, system and application security.
- Authorization forms
- User authorization tables: who can view/update/delete data at the transaction or field level
A Data Owner is a person who can give out accounts for a specific (database) service; they are usually a business manager. The security administrator is someone in IT or IT security with a high level of permissions on a computer.
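An added example (not from the CISA manual or this deck) of checking a user authorization table, as in the controls slide above, for the conflicts the IT segregation-of-duties slide describes; which roles sit in which environment follows that slide, while treating data entry as an Originator and the exact conflict pairs are assumptions made for illustration:

```python
# Added example (not from the CISA manual or this deck): flag users whose
# role assignments cross the "walls" on the IT segregation-of-duties slide.
# Which roles sit in which environment follows the slide; grouping data entry
# as an Originator and the conflict pairs below are assumptions.
from itertools import combinations

ROLE_FUNCTION = {
    "application programmer": "development",
    "systems programmer": "development",
    "computer operator": "production",
    "system administrator": "production",
    "network administrator": "production",
    "quality assurance": "qa",
    "data entry": "originate",
    "security admin": "authorize",
}

# Function pairs one person must not hold together (assumed from the slide).
CONFLICTS = {
    frozenset({"development", "production"}),  # programmer must not be sysadmin
    frozenset({"development", "qa"}),          # QA verifies what Development originates
    frozenset({"originate", "production"}),    # Originator must not be Distributor
}


def sod_conflicts(assignments):
    """Return {user: [(role_a, role_b), ...]} for every conflicting role pair.

    assignments maps a user to the list of roles granted in the user
    authorization table; roles missing from ROLE_FUNCTION are skipped.
    """
    findings = {}
    for user, roles in assignments.items():
        known = sorted(r for r in roles if r in ROLE_FUNCTION)
        for a, b in combinations(known, 2):
            if frozenset({ROLE_FUNCTION[a], ROLE_FUNCTION[b]}) in CONFLICTS:
                findings.setdefault(user, []).append((a, b))
    return findings


# Constructed sample authorization table (user names are illustrative).
SAMPLE = {
    "pat": ["application programmer", "system administrator"],  # dev + prod
    "terry": ["system administrator", "quality assurance"],     # allowed pair
    "chris": ["data entry", "computer operator"],               # originate + prod
    "jamie": ["security admin"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both '{a}' and '{b}'")
```

Running it reports pat (development plus production) and chris (origination plus distribution); terry's sysadmin-plus-QA pairing passes, matching the answer to the segregation-of-duties question later in the deck.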
Workbook: Personnel Security: Personnel Controls
Threat / Role / Control:
- Divulging private information: Employee. FERPA training: annual quiz review, new employee training.
- Grant abuse: Employee with grant. Financial controls: employee, administrator and financial office check.
Here the role or position is ANY employee. Sometimes the role is more specific, e.g., Administrator. The table says that the controls consist of FERPA training for new employees, and annual review (with quiz) thereafter. The second includes financial controls: for grant money, spending will be double-checked by the employee, the administrator and the financial office.
Workbook: Personnel Security: Responsibility of Security to Roles
- Registrar: establish FERPA training; Data Owner for student scholastic and financial information; oversee FERPA adherence in the Registration department.
- Admin: attend FERPA training; retain locked cabinets with student information.
- Security Admin: monitor logs; enable/disable permissions; rebuild computers after malware infection; collect security metrics for incident response; ...
Security responsibility is allocated to IS/IT/security staff, but also to regular business staff. The admin above is the office administrator, who is responsible for the privacy of student paper records. The Registrar is the Data Owner for much of the student record information; she/he decides who should have access to which information.
Workbook: Personnel Security: Requirements: Training, Documentation
Role / Requirements (training, documentation):
- Registrar: FERPA experience in hiring; training every 3-5 years at a national conference or workshop.
- Employee handling student data: university FERPA documentation, FERPA web page, annual quizzes, signed acceptable use policy.
Personnel Issues
- Background checks can reduce fraud: the more secure the position, the more checking is required. A standard or procedure may be useful.
- Training and signed contracts
- Track and document theft: minor incidents could add up to a major pattern problem; theft can be monitored for potential problem employees, assuming policy is in place and employees are aware.
Training here means training to perform the job well, as well as security awareness. Signed contracts include security contracts. Theft should not be ignored: little problems add up to big ones, or may encourage big ones. It is important to document all problems for legal purposes.
Employee Hiring
- Document security responsibilities
- Screen candidates for sensitive positions
- Have signed agreements regarding: job responsibilities and conditions of employment; security responsibilities (incl. copyright); confidentiality agreement
- Indicate corrective actions to be taken if security requirements are not followed
Employee Termination
Unless a continued relationship is expected:
- Return equipment
- Revoke access
- Return all access keys, ID cards and budgets
- Notify all staff and security personnel
- Arrange final pay
- Perform termination interview
Third Party Agreements
- Define information security policy
- Define procedures to implement the policy
- Deploy controls to protect against malicious software
- Publish restrictions on copying/distributing information
- Implement procedures to determine whether assets were compromised
- Ensure return or destruction of data at the end of the job
The first and second parties are the people who have a contract. The third party is a contractor for the second party.
Summary of Personnel Controls
- Segregation of duties
- Mandatory vacations or job rotation
- Training and written policies and procedures
- Background checks
- Need to know / least privilege
- Fraud reporting mechanism
- Transaction logs
Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software developer and system administration
2. Database administration and data entry
3. System administrator and quality assurance
4. Quality assurance and software developer
Answer: 3 - System administrator and quality assurance has the least conflict of interest, considering segregation of duties. This is a CISA-like question, but it has been reformulated. Database admin creates the database; data entry is the operations aspect. So this is developer-operations, which is a segregation-of-duties conflict.
Question
Which is MOST important for a successful security awareness program?
1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective
Answer: 2 - Aligning the training to organization requirements.
Question
To detect fraud, the BEST type of audit trail to log would be:
1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions
Answer: 4 - Fraud occurs most often by taking advantage of a vulnerability in an application. User session logs track when you logged in and logged out, and possibly when you ran certain commands, but not what you do in a database.
Health First Case Study: Designing Physical Security
- Jamie Ramon, MD: Doctor
- Chris Ramon, RD: Dietician
- Terry: Licensed Practicing Nurse
- Pat: Software Consultant
Defining Room Classifications and Controls
Sensitivity classification / Description / Special treatment (examples):
- Proprietary: Room contains Proprietary information storage. Room and all cabinets remain locked.
- Confidential: Room contains Confidential information storage. Workstation monitor has a hood.
- Private: Room contains a computer with access to sensitive data, or room contains controlled substances. Room remains locked when not attended; no visitors are allowed in these areas unescorted.
- Privileged: Room contains a computer with access to sensitive data, but the public has access when escorted.
- Public: The public is free to spend time in this room, without escort.
Criticality classification:
- Critical: Room contains Critical computing resources, which cannot be performed manually.
- Vital: Room contains Vital computing resources, which can be performed manually for a short time.