Principles of Networking Security: Chapters 3 & 4
Matt Lavoie, NST281-01
Chapter 3: Operational and Organizational Security
Security in Your Organization
Policy: A broad statement of accomplishment
Procedure: The step-by-step method to implement a policy
Standards: Mandatory elements of implementing a policy
Guidelines: Recommendations related to a policy
Security in Your Organization
Policy lifecycle: Plan -> Implement -> Monitor -> Evaluate
Establish a security perimeter
Physical Security
Mechanisms to restrict physical access to computers and networks
Locks (combination/biometric/keyed)
Video surveillance, logs, guards
A room has six sides
Physical barriers (gates/walls, man-traps, open space)
Environmental Issues
HVAC Systems: Climate control
UPS/Generators: Power failure
Fire Protection: Detect/suppress
Off-Site Backups: Bad stuff happens
Other Issues
Wireless: Wi-Fi / Cellular / Bluetooth
Electromagnetic eavesdropping: TEMPEST
Location: bury the sensitive stuff
Chapter 4: The Role of People in Security
Social Engineering
Making people talk: questions, emotions, weaknesses
Obtaining insider info (or having it): knowledge of security procedures
Phishing: impersonation
Vishing: trust in voice technology (VoIP, POTS)
Shoulder surfing: observation for passcodes, PINs, etc.
Reverse social engineering: victim initiates contact
Poor Security Practices
Password selection: too short, not complicated, easy to guess, based on information about a person
Password policies: can encourage bad behavior
Same password, multiple accounts: one compromise compromises all
Piggybacking: controlled access points
Dumpster diving: sensitive information discarded
Installing software/hardware: backdoors/rogue access points
Physical access by non-employees: control who gets in (pizza and flowers: legitimate access, nefarious intentions)
People as a Security Tool
Security awareness: training/refreshers; be alert; don’t stick your head in the sand
Individual user responsibilities: keep secure material secure
In a properly secured environment, people are the weakest link
A system an attacker has physical access to is a compromised system
What Have We Learned?
Questions and Answers