1 Copyright Ken Fletcher 2004 Australian Computer Security Pty Ltd Printed 11-May-15 11:18 Prepared for: Monash University Subj: CSE4884 Network Design.
Slide 1: CSE4884 Network Design and Management
Lecturer: Ken Fletcher
Lecture 10: Physical & Personnel Security
With acknowledgments to Mick Eaton and Tony Kerr

Slide 2: 'Security is an Attitude'
It's a state of mind, supported by: legislation, systems, procedures, physical barriers, and trustworthy personnel.

Slide 3: Information Systems
Information systems provide:
- easy access to information;
- easy analysis of information;
- easy modification of information; and
- easy communication of information.
These capabilities are just as easily used against your organisation as they are used to support it.

Slide 4: Security Objectives
- AVAILABILITY: ensure delivery of information and services.
- INTEGRITY: ensure information accuracy.
- CONFIDENTIALITY: preserve information value & privacy.
- FREEDOM FROM MISUSE & ABUSE: ensure information and systems are used only for legitimate purposes.

Slide 5: The Risk Balance
(Diagram: PROTECTION weighed against THREATS on a scale marked Acceptable, High Risk and High Cost.)
- Threats imply future impacts, i.e. risks.
- Protection has initial & ongoing impacts.
- Impacts are money, delay, effort & inconvenience.
- Threats and protection must be balanced.

Slide 6: What is the threat?
- Loss of confidentiality or privacy: legal action, either criminal or civil; embarrassment & political pressures; loss of commercial advantage (e.g. trade secrets).
- Loss of integrity: inappropriate decisions; loss of accuracy and control.
- Loss of availability: loss of capability to do useful work.
- Misuse and abuse: excessive costs (or legal action); loss of reputation.
IN SUMMARY: the real impact is loss of business and profit.

Slide 7: Who is the threat?
Insiders - very knowledgeable about your organisation:
- Disgruntled employee
- Careless employee
- Other insider (e.g. office comedian, office 'payback')
- Ex-employee
- Disgruntled customer, supplier, or sub-contractor
Outsiders - strangers, but with drive to succeed:
- Thief, vandal, or hacker
- Deliberate commercial espionage agent (e.g. on behalf of a competitor, or subcontractor)
- Issue-motivated groups (e.g. animal liberationists)
- Terrorist groups and sympathisers
- Foreign intelligence service agent

Slide 8: Computer Abuse and Fraud
(Chart: share of incidents attributed to Outsiders, Insiders and Unknown in three surveys. The values read from the chart are ACARB 1992: 72%, 20%, 8%; KPMG 1993: 25%, 12%, 63%; DATAPRO 1993: 56%, 16%, 28%; which value belongs to which category is not recoverable from the transcript.)

Slide 9: What is their motivation?

Slide 10: What is their capability?
Capability ('know how', and ability to perform) is available, for a price if necessary:
- High capability: foreign intelligence service; ex-employee (has knowledge of procedures); big money interests (could pay for it).
- Medium capability: hackers (have knowledge); general commercial interests (can pay for it).
- Low capability: disgruntled customer (has knowledge).

Slide 11: What do we do about it?
- Conduct a threat assessment: identify and value assets; postulate threats to the significant assets; identify vulnerabilities to the postulated threats.
- Select countermeasures.
- Implement countermeasures.
- Aftercare: audit implementation and operation; continuously review tables of assets, threats, and countermeasures.
- Live happily ever after - until the next security breach.
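A worked version of the risk balance from slide 5 applied to the threat-assessment table of slide 11, added here as an example and not part of the lecture: it quantifies "threats and protection must be balanced" with a simple expected-loss-per-year model (asset value times yearly probability of the impact, compared with the amortised cost of a countermeasure), which is an assumption of this example rather than something the slides prescribe; the asset, threat, probabilities and costs are constructed sample values.

```python
"""Threat-assessment worksheet for the lecture's 'risk balance'.
Added example, not from the lecture: it quantifies the balance with a
simple expected-loss-per-year model (asset value x probability of the
impact in a year), which the slides do not prescribe. The asset, threat,
probabilities and costs below are constructed sample values.
"""
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str
    asset_value: float    # business impact if the asset is lost, in dollars
    p_per_year: float     # estimated probability the impact occurs in a year

@dataclass
class Countermeasure:
    name: str
    threat: Threat
    initial_cost: float   # one-off impact (money, effort, disruption)
    ongoing_cost: float   # per-year impact (money, delay, inconvenience)
    p_reduction: float    # fraction of the threat probability it removes

def annual_risk(threat):
    """Expected loss per year: 'threats imply future impacts, i.e. risks'."""
    return threat.asset_value * threat.p_per_year

def annual_cost(cm, years):
    """Protection has initial and ongoing impacts; amortise the initial one."""
    return cm.initial_cost / years + cm.ongoing_cost

def is_balanced(cm, years=5):
    """Acceptable when the yearly risk removed exceeds the yearly cost;
    otherwise the countermeasure sits on the 'high cost' side of the scale."""
    return annual_risk(cm.threat) * cm.p_reduction > annual_cost(cm, years)

def review(countermeasures, years=5):
    """The table of threats and countermeasures the lecture says to keep reviewing."""
    return {cm.name: is_balanced(cm, years) for cm in countermeasures}

# Constructed sample table: one threat to one asset, two candidate countermeasures
break_in = Threat("after-hours break-in", "communications node / computer room",
                  500_000, 0.05)
cm_door = Countermeasure("steel-sheathed door + BiLock", break_in, 6_000, 200, 0.6)
cm_guard = Countermeasure("24x7 on-site guard", break_in, 0, 120_000, 0.9)

if __name__ == "__main__":
    for name, ok in review([cm_door, cm_guard]).items():
        print(f"{name}: {'balanced' if ok else 'high cost - reconsider'}")
```

Re-running `review` whenever asset values, threat estimates or costs change is the "continuously review tables" step of the aftercare bullet.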

Slide 12: The 3-D approach
- Deter (to prevent the attack): strong fences, dogs, guards, obvious cameras, strong lighting after dark, formidable appearance of the site, lack of graffiti, all fences, gates and buildings apparently in good repair.
- Detect (and react by calling police or guards): dogs, guards, alarm systems, cameras (with motion detection) [NOTE: cameras work well in dim light]; 'after the event' detection techniques which show that tampering has occurred, e.g. mechanical seals, lead seals, paints which show tampering, easily broken but difficult-to-repair security containers.
- Delay (slow down the attack until police or guards arrive): high walls which take time to climb, strong locks which are also difficult to pick, strong gates/walls/doors, strong boxes to hold items (safes), long distances to travel inside the building.

Slide 13: 'DoubleD Squared'
Defence in Depth: aim for multiple layers of defences - like the skins of an onion - so that failure of one layer does not cause failure of the total.
Defence by Diversity: arrange to have multiple types of defences which must be overcome - so that the attacker must have a substantial range of skills, tools and knowledge.
The combination of these two approaches raises the work effort, skills, and resources required of the attacker. It also slows down the attack.

Slide 14: "In Defence of the Prize"
(Diagram: outer perimeter fences, then strong building walls and doors, then a locked box.)

Slide 15: DoubleD Squared - in practice: the "Onion" Principle
Layers: Perimeter Security; Building Security; Pass or Badge System; Security Clearances; "Need To Know" Concept; Classification System; Security Containers; with VALUABLES and DATA at the centre.
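The detect-and-delay half of the 3-D approach (slide 12) applied to the onion layers of slides 13 to 15, as an added example that is not from the lecture: it assumes a simple sequential model the slides do not give, in which each layer has a probability of detecting the intruder and a delay it imposes, and a detection only helps if the delay still ahead of the intruder exceeds the time the guards or police need to respond; the layer figures are constructed.

```python
"""Detect-and-delay check for the onion layers of slides 12 to 15.
Added example, not from the lecture. It assumes a simple sequential model
the slides do not give: each layer has a probability of detecting the
intruder and a delay it imposes, and detection only helps when the delay
still ahead of the intruder exceeds the guards' or police response time.
The layer figures below are constructed.
"""
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    p_detect: float     # probability this layer raises an alarm on entry
    delay_min: float    # minutes needed to get through this layer

def remaining_delay(layers, i):
    """Delay still ahead once the intruder is detected entering layer i."""
    return sum(l.delay_min for l in layers[i:])

def p_interruption(layers, response_min):
    """Probability of a first detection early enough for responders to
    arrive before the innermost layer (the 'prize') is breached."""
    p_undetected, total = 1.0, 0.0
    for i, layer in enumerate(layers):
        if remaining_delay(layers, i) >= response_min:
            total += p_undetected * layer.p_detect
        p_undetected *= 1.0 - layer.p_detect
    return total

def last_useful_detection(layers, response_min):
    """Innermost layer where a first detection still leaves enough delay;
    anything detected deeper than this is 'after the event'."""
    ok = [l.name for i, l in enumerate(layers)
          if remaining_delay(layers, i) >= response_min]
    return ok[-1] if ok else None

# Constructed onion, outermost layer first
ONION = [
    Layer("perimeter fence, lighting and obvious cameras", 0.5, 2.0),
    Layer("building walls and doors", 0.8, 8.0),
    Layer("pass or badge system", 0.6, 1.0),
    Layer("security container (safe)", 0.9, 15.0),
]

if __name__ == "__main__":
    for resp in (10.0, 20.0, 30.0):
        print(f"response {resp:4.0f} min: P(interruption)={p_interruption(ONION, resp):.3f}"
              f", last useful detection: {last_useful_detection(ONION, resp)}")
```

With a 30-minute response no layer leaves enough delay, so every detection is "after the event"; adding delay (a stronger safe, longer internal routes) or shortening response moves the useful detection point outward.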

Slide 16: Physical Security Guidelines (1)
- Doors: 35mm+ thick solid core, steel sheathed. Fire doors as per the Australian Standard are excellent.
- Door frames: steel sections, welded together, firmly set and anchored into the wall.
- Hinges: hinge to open out, but watch out for cutting hinges off or punching out the pin; use 'hinge bolts' which close into the frame when the door/window is closed.
- 'Unattended hours' locks (e.g. night-time locks): strong - Chubb; unpickable - BiLock, Abloy, etc. Avoid 'domestic' style door locks.
- Access control locks for daytime use: pushbutton cypher locks or electronic (proximity card, Mil Key, Wiegand card).

Slide 17: Physical Security Guidelines (2)
- Walls: obviously reinforced concrete is best. Walls around communications nodes should be 'slab to slab'.
- Windows: use small panes, with thicker than normal glass (10mm+); install bar grills if needed. Ensure that the windows don't provide an opportunity for study of the operation.
- Watch for air conditioning vents, ducts and door grills: install man-proof grills or bars across these if necessary.
- Floors: reinforced concrete is best.
- Ceilings: reinforced concrete is best. If there are removable ceiling tiles, then ensure that there are slab-to-slab walls so that no one can enter the ceiling space.

Slide 18: Personnel Security Guidelines
- Trusted personnel? How do you know? Remember - people change over time: your friend today may not be friendly tomorrow. Can they be blackmailed or pressured? E.g. any money/drugs/gambling problems, any sexual or lifestyle aberrations? What about indirect pressures via families?
- Trust them - but also audit and check, without paranoia. Watch for deviations from their normal behaviour and lifestyle. Revalidate the level of trust every few years.
- Run 'Security Awareness and Briefing Sessions' yearly.

Slide 19: Administrative Security Guidelines
- Procedures probably suffer most from lack of planning and aftercare. Are the procedures valid today? E.g.:
  - Backup and restore of computer systems
  - Procedures for storing backup media onsite and offsite
  - Do you still follow the procedures applicable several years ago - e.g. regarding new and re-assigned staff?
  - Is there a defined procedure for staff leaving the company?
  - Maintenance procedures for the buildings and networks?
  - Disposal of paper, OHP transparencies, faulty hard disks, computer media, fax machine thermal image rolls, printer ribbons, Dymo tape backing strips, photocopier drums, etc.
- IN FACT - do you have a good procedures manual, including disaster contingency and recovery plans?

Slide 20: Layered Security and Communications
(Diagram: PHYSICAL, ADMINISTRATIVE and PERSONNEL security layers, with COMMUNICATIONS cutting through all of them.)
Communication links penetrate all layers!!!

Slide 21: Communications
- The communications systems penetrate and bypass all layers of security.
- As well, the computer is an ideal tool for the attackers to use - if they can get to it.
- The information density in the 'computer room' is extremely high (i.e. a lot of information in a small space).
- PROTECT YOUR COMMUNICATIONS NODES AND COMPUTERS AS WELL AS OR BETTER THAN ANYTHING ELSE IN THE ORGANISATION.

Slide 22: Who is Responsible for Security?
SECURITY IS UP TO YOU