Security Principles - Introduction to Information Security - Lecture Slides, Slides of Network security

The major points which I found very informative according to security are: Security Principles, Common Security Principles, Security Policies, Security Administration, Physical Security, Military, Businesses, Separation of Privileges Principle, Launch a Missile, Security Gained

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathiamoorthy

General Security Principles and Practices

Security Principles
• Common Security Principles
• Security Policies
• Security Administration
• Physical Security

Common Security Principles
• Least Privilege Principle
  – Allow only the minimum level of access controls necessary to carry out job functions
  – A common violation of this principle occurs because of administrator inattention
    • Users are placed in groups that are too broad
  – Another common violation occurs because of privilege creep
    • Users are granted new privileges when they change roles without reviewing existing privileges

Common Security Principles
• Defense in Depth Principle
  – Defenses should be layered
  – Layers begin with points of access to a network and continue with cascading security at bottleneck points
• Security through Obscurity
  – Secrecy maintained about security that was in place
  – No longer very effective in a free society

Defense in Depth
[Figure 3.1: Example of defense in depth (diagram labels include Intrusion Detection System and Intranet)]

Acceptable Use Policy
• Organization thinks:
  – Anything that is not permitted is prohibited
• User thinks:
  – Anything that is not prohibited is permitted

Backup Policy
• Data backups protect against corruption and loss of data
  – To support the integrity and availability goals of security
• Backup policy should answer key questions
  – What data should be backed up and how?
  – Where should backups be stored?
  – Who should have access?
  – How long should backups be retained?
  – How often can backup media be reused?

Backup Policy
• Backup types:
  – Cold site
  – Warm site
  – Hot site
• Recovery testing essential
• Policy governing periodic recovery

Wireless Device Policy
• Includes mobile phones, PDAs, palm computers
• Users often bring personal devices to the workplace
• Policy should define
  – Types of equipment that can be purchased by the organization
  – Type of personal equipment that may be brought into the facility
  – Permissible activities
  – Approval authorities for exceptions

Implementing Policy
• A major challenge for information security professionals
• Includes processes of developing and maintaining the policies themselves as well as ensuring their acceptance and use within the organization
• Activities related to policy implementation are often ongoing within an organization

Developing Policies
• Team approach should be employed
  – Include members from different departments or functional elements within the organization
• Develop a high-level list of business objectives
• Determine the documents that must be written to achieve objectives
• Revise document drafts until consensus is achieved

Enforcement and Maintenance
• Policies should define responsibilities for
  – Reporting violations
  – Procedures when violations occur
• Policies should be strictly and uniformly enforced
• Policy changes occur as companies and technologies change
• Policies should contain provisions for modification through maintenance procedures
  – Essential to have mandated periodic reviews

Security Administration Tools
• Tools help with
  – Consistent application of policy
  – Enforcement of policy
• Security checklists
  – Security professionals should review all checklists used in an organization for compliance with security procedures
  – Security professionals may develop their own checklists for security-specific tasks
• Security matrices
  – Used in development of security policies and implementation of particular procedures
  – Help focus the amount of attention paid to particular goals

Security Matrices
[Figure 3.2: Sample security matrix (rows: Critical Importance, Moderate Importance, Low Importance)]

Perimeter Security
• Perimeter security includes:
  – Fences
  – Walls
  – Gates
  – Lighting
  – Motion detectors
  – Dogs
  – Patrols

Access Control
• Locks
  – Manual
  – Electronic
  – Biometric
• Defense in depth principle
  – Fences around the facility and biometrics for specific offices within a facility

Access Control
• ID cards and badges
• Electronic monitoring
• Mantrap
• Alarms

Electrical Power
• UPS
  – Standby
  – Line-interactive
  – True-online
• Emergency shutoff
• Grounding
• Power management and conditioning

Electronic Surveillance
• Facility monitoring using surveillance video
• Check for electromagnetic signals leaking data
  – Electromagnetic signals can be picked up and interpreted outside facility
  – Expensive to block electronic eavesdropping
• Fire protection requires detection and suppression systems
  – Often dictated by building codes
  – Suppression systems include sprinklers, chemicals, and fire extinguishers

Personnel Security
• People are the weakest link in a security system
• Perform background investigations
  – Can include criminal record checks, reference evaluations
• Monitor employee activity
  – Can include monitoring Internet activity, surveillance cameras, telephone recording
• Mandatory vacations
• Exit procedures for employees leaving the company
  – Remind employees of any nondisclosure agreements
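
The two least-privilege violations named on the Common Security Principles slide (groups that are too broad, and privilege creep after a role change) can be checked mechanically against a per-role baseline. The following Python audit is an added example, not part of the original slides; the role baselines, group names, users and the classification heuristic are constructed assumptions.

```python
# Added example: least-privilege audit over constructed sample data.
# Heuristic (an assumption, not from the slides):
#   - a group that overlaps the user's role baseline but grants extras is "too broad"
#   - a group that grants nothing the current role needs is a stale membership,
#     the typical trace of privilege creep after a role change

ROLE_BASELINE = {  # minimum privileges each job function needs (constructed)
    "helpdesk": {"ticket.read", "ticket.write", "user.reset_password"},
    "developer": {"repo.read", "repo.write", "ci.run"},
}

GROUP_PRIVS = {  # privileges each group grants (constructed)
    "support": {"ticket.read", "ticket.write", "user.reset_password"},
    "engineering": {"repo.read", "repo.write", "ci.run", "db.write"},
    "all-staff": {"ticket.read", "repo.read", "db.read", "db.backup"},
}

USERS = {  # constructed; bob moved from helpdesk to developer and kept "support"
    "alice": {"role": "developer", "groups": ["engineering"]},
    "bob": {"role": "developer", "groups": ["engineering", "support"]},
    "carol": {"role": "helpdesk", "groups": ["support", "all-staff"]},
}


def excess_privileges(name, users=USERS):
    """Privileges the user holds beyond what the current role requires."""
    user = users[name]
    held = set().union(*(GROUP_PRIVS[g] for g in user["groups"]))
    return held - ROLE_BASELINE[user["role"]]


def audit(users=USERS):
    """Return (user, group, finding, extra_privileges) for every violation."""
    findings = []
    for name, user in sorted(users.items()):
        baseline = ROLE_BASELINE[user["role"]]
        for group in user["groups"]:
            granted = GROUP_PRIVS[group]
            extra = granted - baseline
            if not extra:
                continue  # group grants only what the role needs
            kind = "group-too-broad" if granted & baseline else "stale-membership"
            findings.append((name, group, kind, sorted(extra)))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Running the audit at every role change, rather than only on a schedule, is what catches privilege creep before the old access is forgotten.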
Copyright © 2024 Ladybird Srl - Via Leonardo da Vinci 16, 10126, Torino, Italy - VAT 10816460017 - All rights reserved