Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Security Concepts Ali SHAYAN ZAKARIA 12.May.2010 Kish Island – CITELEX 2010 " The best way to predict the future is to invent it. Alan Kay 1General.

Similar presentations

Presentation on theme: "General Security Concepts Ali SHAYAN ZAKARIA 12.May.2010 Kish Island – CITELEX 2010 " The best way to predict the future is to invent it. Alan Kay 1General."— Presentation transcript:

1 General Security Concepts Ali SHAYAN ZAKARIA 12.May.2010 Kish Island – CITELEX 2010 " The best way to predict the future is to invent it. Alan Kay 1General Security Concepts12/5/2010

2 Reasonable Secure Environment 12/5/2010General Security Concepts2 Physical OperationalManagement

3 Securing the Physical Environment Physical Security: – Involves protecting your assets and information from physical access by unauthorized personnel. – Try to protect those items that can be seen, touched and stolen. Easy? How? – Controlling access to the office, – Shredding unneeded documents, – Limiting access to sensitive area, Provide perimeter and corridor security, Person present (even if it a guard who spends most of the time sleeping) Roving security patrol, Multiple lock access control methods Electronic or password access 12/5/2010General Security Concepts3

4 Physical Security Components First: Making a physical location less tempting as a target – You must prevent people from seeing your organization as a tempting target Locking doors Installing surveillance or alarm system Elevators requiring keys or badges in order to reach upper floors Second: Detecting the penetration or theft – You want to know what was broken into, what is missing, and how the loss occurred Passive videotape systems Make the video cameras as conspicuous as possible Make it well-known that youll prosecute anyone caught in the act of theft to the fullest extend of the law Third: Recovering from a theft or loss of critical information or systems – How will the organization recover from the loss and get on with normal business Planning Thought Testing 12/5/2010General Security Concepts4

5 Examining Operational Security Operational security focuses on how your organization does that which it does Everything that isnt related to design or physical security in your network Instead of physical components where the data is stored, such as server, the focus is on topology and connections Issues: – Computers – Daily operations of network – Management – Policies – Access control – Authentication – Security topologies – Connection to other networks – Backup plans – Recovery plans 12/5/2010General Security Concepts5

6 Working with Management & Policies Provide the guidance, rules, and procedures of implementing a security environment Policies, to be effective, must have the full and uncompromised support of the organizations management team Policies establish expectations about security-related issues Key policies to secure a network: – Administrative policies – Software design requirements – Disaster recovery plan – Information policies – Security policies – Usage policies – User management policies 12/5/2010General Security Concepts6

7 Working with Management & Policies Administrative Policies – Guide lines and expectations for upgrades, monitoring, backups, and audits How often and when upgrades appear When and how monitoring occurs How logs are reviewed Who is responsible for making decisions on these matters How often decisions should be reviewed – Who Administrators maintenance staff – Specifications Specific enough: to help administrative staff for running the system and network Flexible enough: to allow for emergencies and unforeseen circumstances 12/5/2010General Security Concepts7

8 Working with Management & Policies Software Design requirements – Capability of the system – Should be very specific about security – Design requirements should be viewed as a moving target Disaster Recovery Plans (DRPs) – Virtually consideration every type of occurrence of failure possible – The key to its success is its completeness – Backups and hot sites Hot site is a facility designed to provide immediate availability in the event of a system or network failure 12/5/2010General Security Concepts8

9 Working with Management & Policies Information Policies – Refer to various aspects of information security Access Classifications Marking and storage Transmission of sensitive information Destruction of sensitive information – Include data classification levels Public: for all advertisement and information posted on the web Internal: for all intranet-type information Private: personnel records, client data Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who know them 12/5/2010General Security Concepts9

10 Working with Management & Policies Security Policies – Define the configuration of systems and networks Installation of software, hardware and network connections – Define computer room and data centre security How identification and authentication (I&A) occurs – Determine access control – Determine audit – Determine reports – Determine network connectivity – Encryption – Antivirus software – Procedures and methods used for Password selection Account expiration Failed logon attempts 12/5/2010General Security Concepts10

11 Working with Management & Policies Usage Policies – Refers how information and resources are used – Explain to users how they can use the organization resources and for what purpose – Lay down the law about computer usage – Include statement about privacy, ownership and the consequence of improper acts – Explain usage expectation about the Internet, remote access and e-mail – How users should handle incidents – State consequence of account misuse 12/5/2010General Security Concepts11

12 Working with Management & Policies User Management Policies – Should clearly outline who notifies the IT department about employee termination and how and when the notification occurs – How new employees Are added to the system Training Orientation Equipment installation and configuration – When employees leave the company account be disabled or deleted – Privilege Creep 12/5/2010General Security Concepts12

13 Understanding Components of an IT Security Audit

14 Network Security Managements Perspective Dangers: – Negligence – Dereliction of duty – Liable for damaged – Misconduct – Sabotage – Aiding and abetting crime 12/5/2010General Security Concepts14

15 Network Security Managements Perspective Issues – Training – Continuity and crisis planning – Assume information security is YOUR responsibility Lack of awareness can lead to negligence and liability! 12/5/2010General Security Concepts15

16 Modern Technology Roadmap Early 1990s: Virus scanners Mid 1990s: Firewalls Late 1990s: Over-reliance on encryption (PKI) Early 2000s: Over-reliance on intrusion detection systems (IDS) Late 2000s: Over-reliance on intrusion prevention systems/artificial intelligence 12/5/2010General Security Concepts16


18 Notable Trends in Cyber Criminality Motivation: Financial motives are making attackers more sophisticated. Targeted attacks: Attacks are much more targeted than before. Targets: The user and the user workstation (desktop or laptop) becomes the easiest path into the network. 12/5/2010General Security Concepts18

19 Questions ? 12/5/2010General Security Concepts19

20 Thanks 12/5/2010General Security Concepts20

Download ppt "General Security Concepts Ali SHAYAN ZAKARIA 12.May.2010 Kish Island – CITELEX 2010 " The best way to predict the future is to invent it. Alan Kay 1General."

Similar presentations

Ads by Google