Introduction to Computer Security and Information Assurance Objectives
Objectives
• Recognize that physical security and cyber security are related
• Recognize that personnel security policies and procedures are related to cyber security
• Explain how awareness training strengthens cyber security practices
Module 02: 1
Physical Security
• Addresses the protection of the organization’s assets:
– Personnel
– Property
– Information
Physical And Cyber Security
• The two disciplines are merging
• Physical access to a system can lead to its compromise
Physical Security Threats
• Most threats in this area are themselves physical:
– Fire
– Flood
– Natural disasters
• The human factor is the exception to this rule
Major Sources Of Physical Loss
• Temperature extremes
• Gases
• Liquids
• Living organisms
• Excessive movement
• Energy anomalies
Source: “Fighting Computer Crime” by Donn B. Parker
Physical Security Threat Categories
• Natural and environmental
• Man-made
Natural And Environmental Threats
• Hurricanes
• Tornadoes
• Earthquakes
• Floods
• Lightning
• Mudslides
• Fire
• Electrical
Man-Made Threats
• Hackers
• Theft
• Human error
Physical Security Countermeasures
• Property protection
• Structural hardening
• Physical access control
• Intrusion detection
• Physical security procedures
• Contingency plans
• Physical security awareness training
Property Protection
• Fences
• Gates
• Doors
• Locks and keys
• Lighting
• Fire detection and suppression systems
Structural Hardening
• Robust construction
• Minimal penetrations (as few openings into the structure as possible)
• Building complexity
Physical Access Control
• Ensures only authorized individuals are allowed into certain areas
– Who
– What
– When
– Where
– How
Intrusion Detection
• Guards
• Dogs
• Electronic monitoring systems
Physical Security Procedures
• Impose consequences for physical security violations
• Examples:
– Log personnel access to restricted areas
– Escort visitors, delivery personnel, and terminated employees
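The access-control slide asks who may enter where and when, and the procedures slide asks that access to restricted areas be logged. The log is only useful if someone reviews it, so the following added example (not part of the original slides) shows what that review looks like in code: a hypothetical badge policy, a constructed badge log, and three checks over it. The badge ids, zone names and times are all made up for the illustration.

```python
"""Badge-log review for a restricted area: an added example, not part of the
original slide deck.  The policy, badge ids, zones and events are constructed."""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical access policy: badge id -> {zone: (earliest entry, latest entry)}.
# This answers the "who", "where" and "when" of the access-control slide.
POLICY = {
    "B1001": {"server-room": (time(7, 0), time(19, 0)),
              "lobby": (time(0, 0), time(23, 59))},
    "B1002": {"lobby": (time(0, 0), time(23, 59))},
}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    badge: str
    zone: str
    direction: str  # "in" or "out"


def review_badge_log(events, policy=POLICY):
    """Return (event, reason) pairs for badge events that violate the policy.

    Three checks: the badge is authorised for the zone, the entry falls inside
    the permitted hours, and anti-passback (a second "in" with no "out" in
    between, which usually means a shared badge or someone tailgating on it).
    """
    alerts = []
    inside = set()  # (badge, zone) pairs currently inside a zone
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.badge, ev.zone)
        if ev.direction == "out":
            inside.discard(key)
            continue
        allowed = policy.get(ev.badge, {})
        if ev.zone not in allowed:
            alerts.append((ev, "badge not authorised for zone"))
        else:
            start, end = allowed[ev.zone]
            if not (start <= ev.ts.time() <= end):
                alerts.append((ev, "access outside permitted hours"))
        if key in inside:
            alerts.append((ev, "anti-passback: entry without prior exit"))
        inside.add(key)
    return alerts


# Constructed sample log: one badge enters twice without leaving, another enters
# a zone it is not cleared for, and a third entry happens after hours.
SAMPLE_EVENTS = [
    BadgeEvent(datetime(2024, 3, 4, 8, 2), "B1001", "server-room", "in"),
    BadgeEvent(datetime(2024, 3, 4, 8, 40), "B1001", "server-room", "in"),   # no exit before this
    BadgeEvent(datetime(2024, 3, 4, 9, 15), "B1002", "server-room", "in"),   # not authorised
    BadgeEvent(datetime(2024, 3, 4, 12, 0), "B1001", "server-room", "out"),
    BadgeEvent(datetime(2024, 3, 4, 22, 30), "B1001", "server-room", "in"),  # after hours
]


def sample_alert_reasons():
    """Reasons raised for the constructed log, in time order."""
    return [reason for _, reason in review_badge_log(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev, reason in review_badge_log(SAMPLE_EVENTS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.badge} {ev.zone:12} {ev.direction:3} -> {reason}")
```

Each alert is the starting point for the procedure on the slide: an anti-passback hit means either the badge holder let someone in behind them or the badge is being shared, and both call for an escort or a follow-up conversation, not just a log entry.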
Contingency Plans
• Considerations include:
– Generators
– Fire suppression and detection systems
– Water sensors
– Alternate facility
– Offsite storage facility
Physical Security Awareness Training
• Train personnel on what to do about:
– Suspicious activities
– Unrecognized persons
Personnel Security
• Practices established to ensure the safety and security of personnel and other organizational assets
Personnel Security
• It’s all about the people
• People are the weakest link
• An avenue to mold and define personnel behavior
Personnel Security Threat Categories
• Insider threats
• Social engineering
Insider Threats
• One of the most common threats to any organization
• More difficult to recognize than external threats
• Include:
– Sabotage
– Unauthorized disclosure of information
Social Engineering Threats
• Attackers use multiple techniques to obtain information from authorized employees, then use that information in a later attack
– Protect your password (even from the help desk)
– Protect personnel rosters
Dumpster Diving
• Rummaging through a company’s or individual’s garbage for discarded documents, information, and other valuable items that could be used in an attack against that person or company
Phishing
• Usually carried out through fraudulent e-mails asking users to disclose personal or financial information
• The e-mail is crafted to appear to come from a legitimate organization
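The slide says the e-mail "appears to come from a legitimate organization"; three of the most common tricks behind that appearance are a display name that cites the real brand's domain while the address is elsewhere, a Reply-To that routes answers to a third domain, and a link whose visible text shows the real site while the href points somewhere else. The following added example (not part of the original slides) checks a raw message for all three using only Python's standard library. Both messages and every domain in them are constructed for the illustration.

```python
"""Phishing header and link checks: an added example, not part of the original
slides.  Both messages below are constructed; the domains are illustrative."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

_DOMAIN_TOKEN = re.compile(r"[a-z0-9-]+\.[a-z]{2,}")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable(host):
    """Crude 'registrable domain': the last two labels, or the literal for IPv4.
    Good enough for a demo; real code should consult the public suffix list."""
    host = (host or "").lower().rstrip(".")
    if _IPV4.match(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text):
    """Hostname if the visible link text is a URL or bare domain, else None."""
    text = text.strip()
    if not text or " " in text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Return [(indicator, detail), ...] for the three lookalike checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is None:
        return [("missing-from", "no parseable From address")]
    sender_domain = registrable(sender.domain)

    # 1. Display name cites a domain the actual address does not belong to.
    for token in _DOMAIN_TOKEN.findall(sender.display_name.lower()):
        if registrable(token) != sender_domain:
            findings.append(("display-name-domain-mismatch",
                             f"display name cites {token}, address is @{sender.domain}"))
            break

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = registrable(reply_to.addresses[0].domain)
        if rt_domain != sender_domain:
            findings.append(("reply-to-mismatch",
                             f"Reply-To @{rt_domain} vs From @{sender_domain}"))

    # 3. A link's visible text shows one site while its href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), urlparse(href).hostname
            if shown and actual and registrable(shown) != registrable(actual):
                findings.append(("link-target-mismatch",
                                 f"text shows {shown}, href goes to {actual}"))
    return findings


def indicator_kinds(raw):
    """Just the indicator names, in the order the checks run."""
    return [kind for kind, _ in phishing_indicators(raw)]


# Constructed phishing message: brand domain in the display name, a lookalike
# sending domain, a third-party Reply-To, and a link whose text lies about its target.
PHISH_MESSAGE = b"""\
From: "ExampleBank Security (examplebank.com)" <alerts@examplebank-verify.net>
Reply-To: helpdesk@collector.example
To: victim@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your account has been locked. Verify now:</p>
<a href="http://examplebank-verify.net/login">https://www.examplebank.com/login</a>
</body></html>
"""

# Constructed legitimate message for comparison: every domain agrees.
BENIGN_MESSAGE = b"""\
From: "ExampleBank Security" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Sign in at <a href="https://www.examplebank.com/">www.examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for kind, detail in phishing_indicators(PHISH_MESSAGE):
        print(f"{kind}: {detail}")
    print("benign message:", phishing_indicators(BENIGN_MESSAGE))
```

None of these checks proves a message is phishing on its own (marketing mail legitimately uses third-party Reply-To addresses, for instance), which is why awareness training still matters: the checks surface the mismatch, and a trained user knows not to act on the e-mail until it has been verified through a channel the e-mail did not provide.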
Security Awareness
• Recognizing what types of security issues might arise
• Knowing your responsibilities and what actions to take in case of a breach
Policies And Procedures
• Acceptable use policy
• Personnel controls
• Hiring and termination practices
People And Places: What You Need To Know
• Physical security threats and countermeasures
• Personnel security threats and countermeasures
- Slides: 27