The User Domain
Kelly Corning & Julie Sharp
User Domain
• The assets over which the users have control
• The people that have the control
• Domain of the AUP
Risks, Threats, & Vulnerabilities
• Social Engineering
• Negligence
• Disgruntled Employee Attacks
• Lack of User Awareness
• Physical Security
• Security Policy Violations
Social Engineering
Definition: A collection of malicious techniques used to manipulate people into performing actions or sharing information.
Examples:
• Tailgating
• Phishing emails
• Pretexting
• Dumpster Diving
Think before you act!
Negligence
• Prevent negligent hiring
• Retention
• Supervision
• Training
Employees need a reason to care!
Disgruntled Employee Attacks
• The Exploit Attack Process
  o Reconnaissance
  o Scanning
  o Exploiting the System
  o Keeping Access
  o Covering Tracks
• Incident Handling Process
Keep your employees happy!
Lack of User Awareness
• Ignorance of Policies
  o Employees need an appropriate level of awareness for their position
• Apathy towards Policies
If people don't know the policies, how can they follow them?
Lack of User Awareness
According to NIST, users should:
• "Understand their roles and responsibilities related to the organizational mission"
• "Understand the organization's IT security policy, procedures, and practices"
• "Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible."
Lack of User Awareness
Levels of Awareness:
• Awareness
  o Allows individuals to recognize security concerns and respond correctly
  o Broad audience
• Training
  o Teaches skills to allow an employee to perform a specific function
• Education
  o Integrates skills and competencies to allow an employee to see the big picture and respond to an incident proactively
• Certification
  o Involves testing to show that an employee has a specific level of knowledge on a given topic
Lack of User Awareness
Common Problems:
• Teaching an old dog new tricks
• "Security is an information technology problem, not mine"
• Implementation of new technology
• One-size-fits-all
• Too much information
• Lack of organization
• Failure to follow up
• Lack of management support
• Lack of resources
• No explanation of why
• Social engineering
Physical Security
• Deterrence
  o Convince attackers that the consequences of getting caught are not worth the potential payoff
• Access Control
  o Gates, doors, locks
• Detection
  o Alarm systems, motion sensors, contact sensors
• Identification
  o Video monitoring
• Human Response
  o Guards, emergency response personnel
Physical Security
Quick tips:
• Don't leave confidential/sensitive information out in the open
• Protect portable devices
• Disable drives & ports to prevent copying
• Shred extras
• Lock doors
• Protection from environmental factors
• Record security camera video and keep the recordings
Don't make it easy for the bad guy!
Security Policy Violations
• Be aware of incidents
  o Yourself
  o Others
• Report incidents
• See that necessary action is taken
Don't ignore the problem!
Acceptable Use Policy
1. Overview
2. Purpose
3. Scope
4. Policy
  a. General Use & Ownership
  b. Security & Proprietary Information
  c. Unacceptable Use
    i. System & Network Activities
    ii. Email & Communications Activities
  d. Blogging
Acceptable Use Policy
5. Inappropriate Behavior
6. Enforcement
7. Disclosure
8. Definitions
9. Revision History
References
Acceptable Usage Policy Template. (2005, April 22). Retrieved March 24, 2013, from FIRST: www.first.org/_assets/resources/guides/aup_generic.doc
InfoSec Acceptable Use Policy. (2006). Retrieved March 7, 2013, from SANS: http://www.sans.org/securityresources/policies/Acceptable_Use_Policy.pdf
User Domain. (2007, August 25). Retrieved March 7, 2013, from http://c2.com/cgi/wiki?UserDomain
Negligence. (2012, November 21). Retrieved March 23, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Negligence_in_employment
Childress, J. (2013, March). CS 5493 (CS 7493) Secure System Administration and Certification. Retrieved March 8, 2013, from utulsa: http://personal.utulsa.edu/~james-childress/cs5493.html
Giallombardo, A. (2012, September 25). Sample Acceptable Use Policy Template. Retrieved March 24, 2013, from Mafia Security: https://www.mafiasecurity.com/disaster-recovery/sample-acceptable-use-policy-template/
Kratt, H. (2004, December 8). The Inside Story: A Disgruntled Employee Gets His Revenge. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/engineering/story-disgruntled-employeerevenge_1548
Russell, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effectivestrategy_418
Wilson, M., & Hash, J. (n.d.). Information Technology Security Awareness, Training, Education, and Certification. Retrieved March 25, 2013, from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm