Posted on 26-Dec-2015

Module 02: 1

Introduction to Computer Security and Information Assurance

Objectives
• Recognize that physical security and cyber security are related
• Recognize that personnel security policies and procedures are related to cyber security
• Explain how awareness training strengthens cyber security practices

Physical Security
• Addresses the protection of the organization’s assets:
  – Personnel
  – Property
  – Information

Physical And Cyber Security
• The two disciplines are merging
• Physical access can lead to compromise

Physical Security Threats
• Most threats in this area are ‘physical’
  – Fire
  – Flood
  – Natural disasters
• The human factor is the exception to this rule

Major Sources Of Physical Loss
• Temperature extremes
• Gases
• Liquids
• Living organisms
• Excessive movement
• Energy anomalies

Source: “Fighting Computer Crime” by Donn B. Parker

Physical Security Threat Categories

• Natural and Environmental

• Man-made

Natural And Environmental Threats
• Hurricanes
• Tornadoes
• Earthquakes
• Floods
• Lightning
• Mudslides
• Fire
• Electrical

Man-Made Threats
• Hackers
• Theft
• Human error

Physical Security Countermeasures
• Property protection
• Structural hardening
• Physical access control
• Intrusion detection
• Physical security procedures
• Contingency plans
• Physical security awareness training

Property Protection
• Fences
• Gates
• Doors
• Locks and keys
• Lighting
• Fire detection and suppression systems

Structural Hardening
• Robust construction
• Minimal penetrations (doors, windows, ducts) through the building envelope
• Building complexity

Physical Access Control
• Ensures only authorized individuals are allowed into certain areas
  – Who
  – What
  – When
  – Where
  – How

Intrusion Detection
• Guards
• Dogs
• Electronic monitoring systems

Physical Security Procedures
• Impose consequences for physical security violations
• Examples:
  – Log personnel access to restricted areas
  – Escort visitors, deliveries, and terminated personnel
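The who/when/where questions on the Physical Access Control slide and the "log personnel access to restricted areas" procedure above come together in the kind of review a security team runs over badge-reader exports. The following Python is an added example written for this page, not material from the original module: the log-line format, the badge roster, the permitted hours and the sample events are all constructed, and a real door-controller export will use different fields.

```python
"""Review badge-reader events against a who/when/where access policy.

Added example for this page, not code from the original module. The
log-line format, the roster, the permitted hours and the sample events
are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster: which badge may enter which areas, and when.
# A terminated employee's badge is removed from this table, so any
# event for a badge that is absent is a finding by itself.
ROSTER = {
    "B1001": {"name": "alice", "areas": {"lobby", "server-room"},
              "hours": (time(7, 0), time(19, 0))},
    "B1002": {"name": "bob", "areas": {"lobby"},
              "hours": (time(8, 0), time(18, 0))},
}


@dataclass
class Event:
    ts: datetime
    badge: str
    area: str
    result: str  # what the door controller reported: GRANTED or DENIED


def parse_event(line: str) -> Event:
    """Parse the constructed format:
    '<ISO timestamp> badge=<id> area=<name> result=<GRANTED|DENIED>'"""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv["badge"], kv["area"], kv["result"])


def evaluate(event: Event) -> list:
    """Return the policy findings for one event; an empty list means it is clean."""
    findings = []
    holder = ROSTER.get(event.badge)
    if holder is None:                               # who
        findings.append("unknown or deactivated badge")
    else:
        if event.area not in holder["areas"]:        # where
            findings.append(f"{holder['name']} not authorized for {event.area}")
        start, end = holder["hours"]                 # when
        if not start <= event.ts.time() <= end:
            findings.append(f"{holder['name']} outside permitted hours")
    # The case that matters most: the door opened although policy says
    # it should not have, so the controller's rules and the roster disagree.
    if findings and event.result == "GRANTED":
        findings.append("ACCESS GRANTED despite policy violation: review controller config")
    return findings


def review(lines):
    """Map each raw log line to its findings, keeping only lines that have any."""
    report = {}
    for line in lines:
        findings = evaluate(parse_event(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample export from a door controller.
SAMPLE_LOG = [
    "2015-12-20T09:15:00 badge=B1001 area=server-room result=GRANTED",
    "2015-12-20T22:40:00 badge=B1001 area=server-room result=GRANTED",
    "2015-12-20T10:05:00 badge=B1002 area=server-room result=DENIED",
    "2015-12-20T11:30:00 badge=B0999 area=lobby result=GRANTED",
]

if __name__ == "__main__":
    for line, findings in review(SAMPLE_LOG).items():
        print(line)
        for finding in findings:
            print("    ", finding)
```

The GRANTED-but-violating findings are the ones to act on first: a denied attempt shows the controller doing its job, while a grant that the roster does not justify means the controller's configuration (or the roster feeding it) has drifted from policy, which is exactly how a terminated employee's badge keeps opening doors.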

Contingency Plans
• Considerations include
  – Generators
  – Fire suppression and detection systems
  – Water sensors
  – Alternate facility
  – Offsite storage facility

Physical Security Awareness Training
• Train personnel what to do about
  – Suspicious activities
  – Unrecognized persons

Personnel Security
• Practices established to ensure the safety and security of personnel and other organizational assets

Personnel Security
• It’s all about the people
• People are the weakest link
• An avenue to mold and define personnel behavior

Personnel Security Threat Categories
• Insider threats
• Social engineering

Insider Threats
• One of the most common threats to any organization
• More difficult to recognize than external threats
• Include
  – Sabotage
  – Unauthorized disclosure of information

Social Engineering Threats
• Multiple techniques are used to obtain information from authorized employees and then use that information in conjunction with an attack
  – Protect your password (even from the help desk)
  – Protect personnel rosters

Dumpster Diving
• Rummaging through a company’s or individual’s garbage for discarded documents, information, and other valuable items that could be used in an attack against that person or company

Phishing
• Usually takes place through fraudulent e-mails requesting users to disclose personal or financial information
• The e-mail appears to come from a legitimate organization
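The defining trait on the Phishing slide, mail that merely appears to come from a legitimate organization, is something a mail gateway or an analyst can test for. The Python below is an added example for this page and not from the original module; its heuristics (display name versus address, look-alike domain folding, Return-Path versus From, links to hosts the claimed sender does not own) are this example's own choice, and the trusted-domain list and the two sample messages are constructed.

```python
"""Flag e-mail that merely appears to come from a legitimate organization.

Added example for this page, not code from the original module. The
heuristics are this example's own choice; TRUSTED_DOMAINS and the two
sample messages are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Constructed: domains the organization genuinely sends from.
TRUSTED_DOMAINS = {"examplebank.com"}

# Character swaps commonly used to build look-alike domains (constructed subset).
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold look-alike substitutions so that 'examp1ebank.com' compares equal
    to 'examplebank.com'. Applied to both sides before comparing."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        d = d.replace(fake, real)
    return d


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyze(raw_message: str) -> list:
    """Return the findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name borrows a trusted brand, but the address lives elsewhere.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display.lower().replace(" ", "") and from_dom != trusted:
            findings.append(f"display name impersonates {trusted}, address is {from_dom}")

    # 2. Sender domain is a look-alike of a trusted one.
    if from_dom not in TRUSTED_DOMAINS and normalize(from_dom) in {normalize(t) for t in TRUSTED_DOMAINS}:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Envelope sender (Return-Path, written by the receiving MTA) is not the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_dom}")

    # 4. Links in the body point at hosts the claimed organization does not own.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([^/\s\"'>]+)", body):
        if not is_trusted_host(host):
            findings.append(f"link to untrusted host {host}")
    return findings


# Constructed sample messages.
LEGITIMATE = """\
From: Example Bank <alerts@examplebank.com>
Return-Path: <bounce@examplebank.com>
Subject: Your statement is ready

Log in at https://www.examplebank.com/statements to view it.
"""

PHISH = """\
From: Example Bank Security <security@examp1ebank.com>
Return-Path: <x9@mail-relay.example.net>
Subject: Urgent: verify your account

Confirm your password at http://examp1ebank-login.example.net/verify within 24 hours.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("phish", PHISH)):
        print(label, analyze(sample) or ["no findings"])
```

None of these signals is conclusive on its own: mailing-list forwarders and bulk-mail vendors legitimately change the Return-Path, so the checks are meant to be weighed together rather than treated as a verdict, and the user-facing rule on the slide stands regardless of what a filter reports.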

Security Awareness
• Recognizing what types of security issues might arise
• Knowing your responsibilities and what actions to take in case of a breach

Policies And Procedures
• Acceptable use policy
• Personnel controls
• Hiring and termination practices

People And Places: What You Need To Know
• Physical security
• Physical security threats and countermeasures
• Personnel security
• Personnel security threats and countermeasures