Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes.

Published bySky Laye Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes."— Presentation transcript:

1 Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes

2 Introduction This chapter focuses on what companies must do to protect themselves from internal risks. Before hackers and the internet there were: –Disgruntled workers –Careless administrators –Hostile managers

3 Introduction cont’ Current technology amplifies security threats, can be blamed on organizational practices Effective countermeasures –Secure-use practices –User training

4 Secure Use Practices: Policies

5 Major Risk Factors Most likely sources of cyber threats continue to come from within. Unknown and unseen hackers and thieves are not the most common threat. It is difficult to accept the reality that a majority of cyber security incidents are traced to company insiders.

6 Examples An unwitting employee may spread infected email or be tricked into revealing information through a popular hacker technique – social engineering. Spoofing-disguising true identity of the sender Administrators may be unable or unwilling to apply software patches to fix known vulnerabilities.

7 Limits On The Extent To Which Risk Factors Can Be Controlled A complete set of updated, well-documented policies and training in security procedures can be time-consuming. They are not without risks –Selectively enforced policies can be worse than having none at all –If employees send threatening messages to each other and company fail to notify law enforcement, they can be held liable for negligence

8 Enforcement Of Secure-Use Practices Must Be Consistent With AUP A clearly written Acceptable Use Policy and documentation of confirmation from employees that they read, understood, and agreed to its terms in addition to the Secure-Use practice can help a company avoid costly lawsuits.

9 Key Secure – Use Procedures and Practices

10 Security Focus in Organizational Planning Process Information security for organizations may not always follow a standard pattern: –Develop a business plan Defines goals, objectives, strategy and priorities. –Restructure budgets and organizations Information security planning may require a different approach: –External events, current threats, technical consideration or trends may require change to be necessary.

11 Security as a Business Function Changes in behavior and attitude are necessary to have security as a priority –Top management must implement, enforce and commit…DLM model again How to achieve equal status –Centralize authority that is visible and powerful –Coordinate with other forms of risk management: physical security, insurance, and legal functions Marketing

12 Integrating Security and Business Plans Ensures that most strategic information receive the most protection. –Also promotes security as being fundamental to the success of the business. Failure to do this will lead to: –A security plan out of sync with the business plan –Security policies not being taken seriously

13 Developing Information Security Standards Formal policies and standard documents should be developed for other security functions such as: –Firewall configuration - Archival storage –Remote access procedures - Roles and permissions –Wireless handheld devices - Password maintenance Maintaining formal policies and standard documents allows for consistency and currency with changes in technology as well the as business environment.

14 Documentation and Training Normally documentation and training budgets are set a very low level. This tendency starves the education budget and will tend to subvert the entire program. When training is implemented correctly and employees know their stake in a secure workplace they are able to recognize and react in a communal fashion, which is usually the most effective method.

15 Incident Response Policy and Incident Response Teams Preparation before an incident occurs is necessary for development and readiness –Design policy and teams –Educate everyone of their roles –Conduct test to validate plan’s effectiveness An incident response policy is the key to readiness. –Needs to be clear and simple for ease of use during the stressful event –Provides guidance on what to do when an attack occurs –Defines the scope of the powers, authority, and discretion that the team has in responding to an attack. –Focuses management attention on security and response issues.

16 Example: Incident Response Process From http://www.securityfocus.com/ infocus/1467

17 Developing a Notification Plan Who do you notify: –Law enforcement –Regulatory authorities –Clearinghouse organizations, such as CERT –Business partners –Bugtraq The choice is up to the victimized firm. –In 2002, CSI/FBI Computer Crime and Security Survey reported that only 60% of known intrusions were reported to anyone not directly involved and 34% to law enforcement. These numbers occur because some firms may not want to expose any breaches in their networks to the public, the risk of liability, and delays and costs in formal investigations.

18 Secure-Use Procedures: Technology

19 Shut Down Unnecessary Services Network Administrators should review all active ports. –Ports: interfaces, or entry/exit points, to a network –Common Ports 80-http 23-Telnet 43-SSL 110-POP3

20 Set up and Maintain Permissions Securely Permissions are privileges granted to each user that control what data and applications that user has access to. –Controlled by system admin –Can be from read-only to full admin privileges –Limitations can help distinguish honest and dishonest employees: security by ignorance Roles, or access-level categories, are an effective way to manage permissions where users are assigned specific access levels to the server

21 Conduct Background Checks A thorough background investigation of everyone being considered for a system administrator job should be conducted rigorously prior to employment –Rotating responsibilities among a team makes it difficult to hide dishonesty

22 Enforce Strong Passwords Rules for strong passwords: No default passwords Minimum 10 characters with symbols and #s Change at least every 4 months Any others?

23 Review Partner Contracts Network of business partners become an extension of the business’s own network. –Ask for 3 rd party certification of info security practices –Build in provisions into contracts that provides protection

24 Audit and Update One area of liability that is often ignored is the use of unlicensed software. –Software vendors are entitled to conduct audits to ensure license compliance. –The best way to protect your company is to periodically survey all computers for illegal applications proactively. –Failure to address known vulnerabilities in commercial software become vulnerabilities for hackers to exploit

25 Physical Security Ways to keep information physically secure –Use encryption on all offline storage of sensitive data –Make sure all the network devices in the field are in physically secure place –Dispose of old computers with extreme care.

26 Auditing …. Acts as a legal deterrent and demonstrates diligence Similar to financial audits – certify with outside agency Beyond technology: include documentation, training and personnel …includes Testing Test response of defensive technology and designated response team Backup sites should be included

27 Other Secure Principles and Practices

28 Insurance Now available to cover liability from virus transmission and confidential info release, business interruption, loss of income from DoS attack http://www.cfcunderwriting.com/produ cts/esurance.htmlhttp://www.cfcunderwriting.com/produ cts/esurance.html Staying Current Need I say more?

29 Reinforcing Secure-Use Procedures Warning vs Welcome message –Welcome message must be after warning –Court ruling found incorrect order implies authorization Rewards are as important as reprimands Rewarding Secure Behavior

30 Worst Practices

31 Dangerous Email Practices email forwarding auto reply/responders allow system to send prepared message automatically to each email it receives –Spammers are guaranteed responses HTML email IM

32 Dangerous Sharing Practices P2P Network - 2nd most effective way (mail 1st) for malware distribution Software downloads - spy ware, Trojan horses Unauthorized users-PCs and PDAs shared with others unfamiliar with AUP Public networks and wireless networks - open PC to anyone monitoring

33 Summary Secure-Use Practices help control risks and dangers through the use of policies and technology The effectiveness of security practices depends on the relationship to the business culture and diligence of staff The key is to balance security and capability

Download ppt "Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Security and Personnel

Security and Personnel
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts.

Computer Security Workshops Security Introduction, Central Principles and Concepts.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Computer Security Fundamentals

Computer Security Fundamentals
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Introduction to Network Defense

Introduction to Network Defense
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Securing Information Systems

Securing Information Systems

Similar presentations

Ads by Google