Module 02: 1

Introduction to Computer Securityand Information Assurance

Objectives• Recognize that physical

security and cyber security are related

• Recognize that personnel security policies and procedures are related to cyber security

• Explain how awareness training strengthens cyber security practices

Module 02: 2

Introduction to Computer Securityand Information Assurance

Physical Security• Addresses the protection of the

organization’s assets:– Personnel– Property– Information

Module 02: 3

Introduction to Computer Securityand Information Assurance

Physical And Cyber Security• Disciplines merging

• Physical access can lead to compromise

Module 02: 4

Introduction to Computer Securityand Information Assurance

Physical Security Threats• Most threats in this area are ‘physical’

– Fire– Flood– Natural disasters

• The Human factor is an exception to this rule

Module 02: 5

Introduction to Computer Securityand Information Assurance

Major Sources Of Physical Loss• Temperature extremes• Gases• Liquids• Living organisms• Excessive movement • Energy anomalies

Source: “Fighting Computer Crime” by Donn B. Parker

Module 02: 6

Introduction to Computer Securityand Information Assurance

Physical Security Threat Categories

• Natural and Environmental

• Man-made

Module 02: 7

Introduction to Computer Securityand Information Assurance

Natural And Environmental Threats

• Hurricanes• Tornadoes• Earthquakes• Floods• Lightning• Mudslides• Fire• Electrical

Module 02: 8

Introduction to Computer Securityand Information Assurance

Man-Made Threats• Hackers

• Theft

• Human error

Module 02: 9

Introduction to Computer Securityand Information Assurance

Physical SecurityCountermeasures

• Property protection

• Structural hardening

• Physical access control

• Intrusion detection

• Physical security procedures

• Contingency plans

• Physical security awareness training

Module 02: 10

Introduction to Computer Securityand Information Assurance

Property Protection• Fences• Gates• Doors• Locks and keys• Lighting• Fire detection and

suppression systems

Module 02: 11

Introduction to Computer Securityand Information Assurance

Structural Hardening• Robust construction

• Minimal penetration

• Building complexity

Module 02: 12

Introduction to Computer Securityand Information Assurance

Physical Access Control• Ensures only authorized individuals are

allowed into certain areas– Who– What– When– Where– How

Module 02: 13

Introduction to Computer Securityand Information Assurance

Intrusion Detection• Guards

• Dogs

• Electronic monitoring systems

Module 02: 14

Introduction to Computer Securityand Information Assurance

Physical Security Procedures• Impose consequences for physical

security violations

• Examples:– Log personnel access

to restricted areas– Escort visitors, delivery,

terminated personnel

Module 02: 15

Introduction to Computer Securityand Information Assurance

Contingency Plans• Considerations include

– Generators– Fire suppression and

detection systems– Water sensors– Alternate facility– Offsite storage facility

Module 02: 16

Introduction to Computer Securityand Information Assurance

Physical Security Awareness Training

• Train personnel what to do about– Suspicious

activities– Unrecognized

persons

Module 02: 17

Introduction to Computer Securityand Information Assurance

Personnel Security• Practices established to ensure the safety

and security of personnel and other organizational assets

Module 02: 18

Introduction to Computer Securityand Information Assurance

Personnel Security• It’s all about the

people

• People are the weakest link

• An avenue to mold and define personnel behavior

Module 02: 19

Introduction to Computer Securityand Information Assurance

Personnel Security Threat Categories

• Insider threats

• Social engineering

Module 02: 20

Introduction to Computer Securityand Information Assurance

Insider Threats• One of the most common threats to any

organization

• More difficult to recognize

• Include– Sabotage– Unauthorized disclosure

of information

Module 02: 21

Introduction to Computer Securityand Information Assurance

Social Engineering Threats• Multiple techniques are used to gain

information from authorized employees and using that information in conjunction with an attack– Protect your password

(even from the help desk)– Protect personnel rosters

Module 02: 22

Introduction to Computer Securityand Information Assurance

Dumpster Diving• Rummaging through a

company’s or individual’s garbage for discarded documents, information, and other precious items that could be used in an attack against that person or company

Module 02: 23

Introduction to Computer Securityand Information Assurance

Phishing• Usually takes place through fraudulent e-

mails requesting users to disclose personal or financial information

• E-mail appears to come from a legitimate organization

Module 02: 24

Introduction to Computer Securityand Information Assurance

Module 02: 25

Introduction to Computer Securityand Information Assurance

Security Awareness• Recognizing what

types of security issues might arise

• Knowing your responsibilities and what actions to take in case of a breach

Module 02: 26

Introduction to Computer Securityand Information Assurance

Policies And Procedures• Acceptable use policy

• Personnel controls

• Hiring and termination practices

Module 02: 27

Introduction to Computer Securityand Information Assurance

People And Places: What You Need To Know

• Physical security

• Physical security threats and countermeasures

• Personnel security

• Personnel security threats and countermeasures