Date posted: 19-Jun-2020
Security Solutions - Corporate security
Copyright © Jarno Niemelä [email protected]
Source: ryaskoik.kapsi.fi/koulu/SecSol/Corporatesecurity.pdf (Kapsi Internet-käyttäjät)

We Do Not Live In The Internet
● Fire
● Burglary
● Employees stealing from company
● Key person becomes unavailable
● Water damage
● Terrorist/Activist attack
● Competitor spying
● Confidential information leaks to press

Topics For The Day
● Employee safety and security
● Building security
● Alarms and monitoring
● Building safety
● Storage of valuables
● Risk management

Employees
● The most important asset
● But also the greatest risk
● Employee skills, efficiency and morale determine how your company does
● Good personnel management is the most important thing when running a company
● The basic principle is to keep the good people in and bad people out

Employees As Resource
● From the company's point of view employees are
  – Information stores
  – Workforce
  – Most important asset
  – Greatest security risk
● Key employees are critical resources
  – Someone who knows something that no one else does
  – Without the key person some process is impossible
  – Prevent this by distributing information and having backup persons for each task

Employees As a Security Risk
● Unhappy people work poorly, and may leave
  – Treat people well, have fair policies
● Employees leak information, intentionally or not
  – Training: where to talk, what to talk about, whom to talk to
● Employees stealing company property
  – Happy and motivated people are unlikely to steal
  – Increase the risk of getting caught, conduct inventories
● Keep track of what your employees do and how
  – Are there reasons for them to be unhappy?

Hiring people
● Look for the right person for the right task
  – Is qualified and motivated for the job
  – Is not overqualified
  – Fits with the people you already have
● Make sure you know who you hire
  – Do a proper interview, and also one with the team
  – Check the background and references
  – Test the skills of potential applicants
  – Personality tests, what do they tell?

Checking Background
● Do you know anyone who knows the applicant?
● Check that personal information is correct
● Check for criminal record
● If working with money, check credit status
● Driver's license, traffic violations
● Education and diplomas
● Health, medication and treatments
● Don't play spy: ask the applicant and verify with the applicant's permission

Training People
● Very few are incompetent because they want to be
  – Introductory training when a new employee comes
  – Additional training when position changes
  – Tasks, policies, security and safety issues
● Keep employees' skills fresh with training
  – People feel that their skills and value in the profession are maintained
  – Employees with up to date skills are more efficient
  – Well trained employees also reduce security risks

Keeping People
● Now that you have good people, you'll want to keep them that way
  – Even the best and most motivated people can become 'bad' if managed improperly
  – In personnel security the most important things don't actually have much to do with the 'security' part
  – The best way to keep people 'good' is good people management
  – Especially in the YT industry this is very often forgotten: laying off even a few persons hurts the company morale and personnel productivity for a long time!

Employee Leaving
● Everyone leaves sooner or later
  – 'Hostile' leaving when leaving to a competitor, laid off
  – 'Benign' when retiring or changing field
● Know what to do when an employee leaves
  – Skills transfer to replacement
  – Gather back keys, laptops, documents, equipment
  – Disable accounts, change passwords
  – Any sensitive processes that need to be modified?
  – Has the employee signed an NDA? Better review it

Building security
● Building security is about making sure that the building is safe for all company assets
  – People
  – Equipment
  – Information
● Building security is mostly about common sense
  – Good floor plan and passive security is much easier and cheaper than the best alarms and guards

Office layout
● Divide office areas into access zones
  – Outside the office: Company entrance, fences
  – Public areas: Reception, public meeting rooms
  – Office area: Outsiders are allowed only when escorted
  – Critical areas: Data centers, network cabinets, finance
● Zone access control controls who gets in
  – No extra control inside the zone
  – All routes from one zone to another zone must be known
  – There should be extra time/effort needed to get from one zone to another

Office Divided Into Zones
(Figure: the zones from outer to inner)
● Outside
● Reception
● Offices
● Critical areas: Server room, Critical research areas, CEO and Finance offices

Doors
● What is the purpose of a door?
  – Access prevention
  – Noise dampening
  – Fire door
● Is the door good enough?
  – Door strength
  – Lock strength
  – Hinges
  – Fire isolation (how long the door holds a fire)

Walls And Windows
● Windows, an easy access for a burglar, or maybe not
  – Can windows be broken so that it won't be noticed?
  – First and second floor windows should be laminated
● Walls
  – What time and equipment is needed to cut through?
  – What is on the other side of the wall?
● Check the area outside the office
  – Keep the yard clean and don't give tools to attackers
  – If possible try to prevent anyone using vehicles in attacking the building; use decorations that are heavy

Access control
● Let the good people in, keep the bad people out
  – Access control allows more accurate control than keys
  – Employees need to accept the control, DON'T ABUSE IT
● Access control works at the zone borders
  – Doesn't care what people do in the zones
  – Who has been in the zone at any given time
● Access control needs to be done properly
  – Easy to use; suspicion on anyone who can't open the door
  – The control logs need to be stored securely
  – Reliable: if the system keeps failing, people will ignore it
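Reconstructing "who has been in the zone at any given time" from the border log, as an added example that is not part of the original slides: the code below parses a constructed access-control log (the line format, the door names D01 and D07, the zone names and the badge holders are all assumptions), answers who was inside a zone at a given moment, and flags inconsistencies in the log such as an exit with no recorded entry, which is what tailgating, a propped door or a failing reader looks like from the control system's side.

```python
"""Zone occupancy reconstructed from access-control border logs.

Added example, not code from the original slides. Zone access control sits at
zone borders, so the border log is the record of who was in which zone and
when. The log format, door and zone names and badge events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log: "<timestamp> <badge holder> <door> <in|out> <zone>".
# D01 is the border outside -> office, D07 the border office -> serverroom.
SAMPLE_LOG = """\
2020-06-19T08:02:11 alice D01 in office
2020-06-19T08:05:40 bob D01 in office
2020-06-19T09:10:02 alice D07 in serverroom
2020-06-19T09:12:30 carol D01 in office
2020-06-19T09:45:17 alice D07 out serverroom
2020-06-19T10:00:00 bob D07 in serverroom
2020-06-19T10:20:00 dave D07 out serverroom
2020-06-19T12:00:00 bob D07 out serverroom
"""


@dataclass
class Event:
    ts: datetime
    person: str
    door: str
    action: str   # "in" or "out"
    zone: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, door, action, zone = line.split()
        events.append(Event(datetime.fromisoformat(ts), person, door, action, zone))
    return sorted(events, key=lambda e: e.ts)   # logs are not always written in order


# (person, entered, left) where left is None if the person is still inside at end of log
Interval = Tuple[str, datetime, Optional[datetime]]


def occupancy(events: List[Event]) -> Tuple[Dict[str, List[Interval]], List[str]]:
    """Pair each 'in' with the next 'out' of the same person at the same zone.
    Zones are tracked independently, so someone in a nested zone (server room
    inside the office) is counted in both. Inconsistencies are returned as
    anomalies: an exit without an entry means someone got in without the
    control seeing it (tailgating, a propped door, a failed reader)."""
    inside: Dict[Tuple[str, str], datetime] = {}
    intervals: Dict[str, List[Interval]] = {}
    anomalies: List[str] = []
    for e in events:
        key = (e.zone, e.person)
        if e.action == "in":
            if key in inside:
                anomalies.append(f"{e.ts.isoformat()} {e.person} entered {e.zone} again without leaving")
                continue
            inside[key] = e.ts
        elif e.action == "out":
            entered = inside.pop(key, None)
            if entered is None:
                anomalies.append(f"{e.ts.isoformat()} {e.person} left {e.zone} with no recorded entry")
                continue
            intervals.setdefault(e.zone, []).append((e.person, entered, e.ts))
        else:
            anomalies.append(f"{e.ts.isoformat()} unknown action {e.action!r} at door {e.door}")
    for (zone, person), entered in inside.items():      # still inside when the log ends
        intervals.setdefault(zone, []).append((person, entered, None))
    return intervals, anomalies


def who_was_in(intervals: Dict[str, List[Interval]], zone: str, at: str) -> List[str]:
    """Names present in `zone` at ISO timestamp `at`; an open interval counts as still inside."""
    t = datetime.fromisoformat(at)
    return sorted({person for person, entered, left in intervals.get(zone, [])
                   if entered <= t and (left is None or t < left)})


def analyze(text: str = SAMPLE_LOG):
    """Parse a log and return (intervals per zone, anomalies)."""
    return occupancy(parse_log(text))


if __name__ == "__main__":
    intervals, anomalies = analyze()
    print("server room at 09:30:", who_was_in(intervals, "serverroom", "2020-06-19T09:30:00"))
    print("office at 10:10:", who_was_in(intervals, "office", "2020-06-19T10:10:00"))
    for a in anomalies:
        print("anomaly:", a)
```

The anomaly list is the part worth reviewing regularly: with the constructed log above it reports that dave left the server room without ever badging in, which is exactly the kind of gap the slide's "suspicion on anyone who can't open the door" and "the control logs need to be stored securely" points are about.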

Alarms
● Alarms activate in exceptional situations
  – Window broken, door forced, movement at night, fire, gas
  – Located at the zone borders and inside zones
● Each threat needs the correct alarm sensor
  – Physical open/break sensors
  – Motion detectors, pressure sensors
  – Fire alarms, gas detectors, moisture sensors
● Alarms are useless by themselves
  – When an alarm goes off, there must be a reaction
  – Audible alarms at outer zones, and silent inside

Monitoring
● Know what's going on, use cameras
  – Recording cameras help investigate what happened
  – Actively monitored cameras detect intrusions and guide guards
● Make sure that cameras are of some use
  – Secure or off-site storage for video data
  – Keep the area well lit and situate cameras well
  – Put up signs that the area is monitored; cameras are a good deterrent
● Know what you are allowed to record and where
  – Personal privacy laws are very strong in Finland

Guards, Guards
● There are many types of guards
  – Guard that is located at the site
  – Guard that visits the site when making rounds
  – Guard that is alerted when an alarm goes off
● Different types have different reaction time
  – Guard from a remote location needs transit time
  – Local guard can respond more quickly, but is expensive
● Optimize the value of property against the expense of protection

Fire
● If possible prevent fires
  – Find out possible ignition sources, make them safe
  – Neatness counts, all extra material must be removed
● If fire breaks out, the building should contain it
  – The office needs to be divided into fire zones
  – Zone should isolate the fire as well as possible
  – Fire doors closed, no extra holes in the walls, fire breaks
● But remember, the purpose is only to buy time
  – To get people into safety
  – For the fire brigade to arrive and put the fire out

FIRE, Get The People Out!
● If fire breaks out make sure that people get out
  – Fire escape routes must be well marked
  – Doors in the escape route must have an emergency opener
  – Make sure that escape routes are not blocked
  – There must be at least two routes from each zone
  – The routes should be instinctive
● People must be trained how to get out
  – Make sure evacuation responsibilities are assigned
  – Also have people responsible for first aid, guiding the fire brigade and other emergency tasks

Extinguishing Fire
● For small fires, fire blankets and hand extinguishers
  – When people reach for the extinguisher they don't check the type, so place the correct extinguishers at the correct places
● Make sure that fire extinguishers are of the proper type
  – Water sprinklers are good for general use, but wreak havoc on paper and electronics
  – For electronics there are specialized gas extinguishers, but many of them replace the air, so people must be able to leave if they activate
  – There are also extinguishers that can be placed inside machinery and devices

Heat, Water And Air
● Is the air conditioning sufficient?
  – If it's too hot or there's not enough air people cannot concentrate
● Are server rooms and other areas properly cooled?
  – Too hot will cause servers to crash
● Find out where pipes go and where water goes when pipes break
  – More than one server room has been destroyed because there were water pipes in its ceiling
  – It's a good idea to situate critical systems away from any piping

Physical data security
● Backups, backups, backups
  – How do you store local backups?
    ● How long do they survive fire or water?
    ● Who has access to them?
  – Having off-site backups is a very good idea
    ● More than one small company has gone bust because the thief also took the backups
  – Who has physical access to servers?
    ● If the server cannot be cracked there's always the server hard drive...

Document handling
● Document life cycle: Create, use, destroy
  – When a document is created it should be classified
    ● Public
    ● Customer/contractor/partner confidential
    ● Confidential
    ● Restricted
● Documents must be handled according to their level
● Care should be taken in the storage and handling of high level documents
● For consistency only important documents should have a high level. Don't mark everything classified!

Destroying documents
● When a document is not used anymore it must be destroyed
  – All confidential documents must be shredded
  – Document shredding companies should not be trusted with the most critical documents
  – Also disks, hard drives and other media
  – People must be trained, and shredding should be convenient so that people do it
  – Sometimes have a look at the waste paper bins at the company; there are sometimes rather interesting documents there :)

Storage Of Valuables
● Know what you have that needs protection
  – Critical documents
  – Backups
  – Money and other valuables
● Know what you want to protect against
  – Protection from fire or from a burglar needs different protection. There's no such thing as just 'safe'
  – Don't just buy something that just looks secure
  – A fire proof safe may look big and impressive but will open in less than a minute with a crowbar

Selecting A Correct Safe
● Paper and data storage needs a rated fire proof safe
  – P rating indicates how long paper will survive, e.g. P-60 means paper will survive 60 minutes in a fire of 1000 °C
  – DIS rating indicates how long diskettes and other material will survive
  – Select either a fireproof safe or a data box in a normal safe
● EN 1143-1 rating tells the safe's armor rating
  – E I is recommended for maximum 10 000 EUR of content value
  – E II is recommended for maximum 30 000 EUR of value
  – E III is recommended for maximum 60 000 EUR of value
  – E IV is recommended for maximum 120 000 EUR of value

Installing And Using The Safe
● Choose a good location
  – Bolt the safe down, so it can't be removed easily
  – Place into a protected zone that has alarm/monitoring
  – Remember the safe only buys time, don't give too much
  – Don't put the safe into the cellar; if fire comes, the cellar will flood with extinguishing water
● Don't leave the keys for the burglar
  – If the safe has a key, store it in a separate location
  – If the safe uses a code, either don't record the code, or store it in a safe place (bank vault)

What you cannot prevent, insure
● Sometimes, shit happens, so make sure you have insurance
● But even with the best insurance the accident costs more than the insurance company pays
  – Equipment
  – Time
  – Production
  – Missed sales and opportunities

Risk Management
● Risk Management is the process of understanding what risks the company has
  – Risk = Probability of threat * Damage
  – Risk Management is
    ● Finding out what threats there are
    ● Estimating the probability of the threat realizing
    ● Estimating the damage caused by a threat
    ● Analyzing the risks that were deduced from the gathered information

Finding Out Risks
● Identify risk areas
  – Know what the company does and how
● Do vulnerability analysis for each business area
  – Think what can go wrong and how
  – Analyze past history, brainstorm, play what-if
● Estimate the damage caused by the vulnerabilities you found
● Make a risk matrix
  – Calculate each risk, and see which have high scores

Tools For Vulnerability Analysis
● Questionnaire method
  – Set of questions, from which the result can be derived
  – Level of success depends very much on the questions
● Fault tree analysis (FTA)
  – A tree where the threat or result is at the top and the causes at the branches
    ● What needs to fail for the event to happen
● Event tree analysis (ETA)
  – Starts from a single failure, maps what else needs to fail and combines probabilities for event chains

Fault Tree Analysis
(Figure: two fault trees, both with the top event 'Server hacked')
● Server hacked ← AND gate: Unpatched vulnerability, Open in firewall
● Server hacked ← OR gate: Password leaked, Password guessed

Event Tree Analysis
(Figure: event tree for the initial event 'Power fails', probability P1)
● Initial event: Power fails (P1)
● UPS: works (P2) / fails (1-P2)
● UPS battery holds until power returns: works (P3) / fails (1-P3)
● Graceful powerdown: works (P4) / fails (1-P4)
● Outcome probabilities as labelled in the figure: P1*P2, P1*P3, P1*P4, P1
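Risk = Probability of threat * Damage, with the probability coming out of the fault tree and event tree above, as an added example that is not code from the original slides. The code below encodes the deck's 'Server hacked' fault tree (AND/OR gates over basic events assumed independent, plus the minimal cut sets, which answer "what needs to fail for the event to happen"), walks the 'Power fails' event tree to get a probability for each branch, and ranks the results the way a risk matrix does. Every probability, every damage figure in EUR and the outcome labels are constructed assumptions; the event-tree branch probabilities are the product of each works/fails probability along the path from the initial event (the figure writes these in shorthand as P1*P2, P1*P3 and P1*P4).

```python
"""Risk = Probability of threat * Damage, with probabilities from FTA and ETA.

Added example, not code from the original slides. It encodes the deck's two
figures: the 'Server hacked' fault tree and the 'Power fails' event tree.
All probabilities, damage figures and outcome labels are constructed
assumptions, and basic events are assumed independent.
"""
from typing import List, Tuple, Union

Node = Union[str, tuple]   # a basic event name, or ("and"|"or", child, child, ...)

# Constructed per-year probabilities of the basic events (assumptions).
BASIC_EVENTS = {
    "unpatched_vulnerability": 0.30,
    "open_in_firewall": 0.50,
    "password_leaked": 0.05,
    "password_guessed": 0.02,
}

# Fault tree from the slide: top event 'Server hacked'.
SERVER_HACKED: Node = (
    "or",
    ("and", "unpatched_vulnerability", "open_in_firewall"),
    ("or", "password_leaked", "password_guessed"),
)


def fta_probability(node: Node, basic=BASIC_EVENTS) -> float:
    """Top-event probability. AND: product of inputs; OR: 1 - product of (1 - input)."""
    if isinstance(node, str):
        return basic[node]
    kind, *children = node
    probs = [fta_probability(c, basic) for c in children]
    if kind == "and":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if kind == "or":
        none_happen = 1.0
        for p in probs:
            none_happen *= 1.0 - p
        return 1.0 - none_happen
    raise ValueError(f"unknown gate {kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal combinations of basic events whose joint occurrence causes the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if kind == "or":                       # any one child's cut set suffices
        sets = [s for cs in child_sets for s in cs]
    else:                                  # "and": one cut set from every child, combined
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    sets = list(set(sets))
    return [s for s in sets if not any(t < s for t in sets)]


# Event tree from the slide. A stage is (safeguard, P(works), if_works, if_fails);
# a string is a terminal outcome. P1 for 'Power fails' is supplied to eta_outcomes.
POWER_FAILS_TREE = (
    "UPS", 0.95,
    ("battery holds until power returns", 0.60,
        "power restored, no loss",
        ("graceful powerdown", 0.90,
            "clean shutdown, downtime only",
            "crash, data loss")),
    "crash, data loss",
)


def eta_outcomes(p_initial: float, node, path: Tuple[str, ...] = ()) -> List[Tuple[str, str, float]]:
    """Enumerate every branch as (path, outcome, probability); probabilities multiply along the path."""
    if isinstance(node, str):
        return [(" -> ".join(path) or "initial event", node, p_initial)]
    name, p_works, if_works, if_fails = node
    return (eta_outcomes(p_initial * p_works, if_works, path + (f"{name} works",))
            + eta_outcomes(p_initial * (1.0 - p_works), if_fails, path + (f"{name} fails",)))


def outcome_probability(outcomes, label: str) -> float:
    """Combine the probability of every branch that ends in the same outcome."""
    return sum(p for _, outcome, p in outcomes if outcome == label)


def risk_register(entries):
    """entries: (threat, probability, damage in EUR). Risk = probability * damage, highest first."""
    rows = [(threat, p, damage, p * damage) for threat, p, damage in entries]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def build_register():
    """Worked register: the two trees plus one hand-estimated threat (all values constructed)."""
    p_hacked = fta_probability(SERVER_HACKED)
    power = eta_outcomes(0.10, POWER_FAILS_TREE)          # P1 = 0.10 per year (assumption)
    p_crash = outcome_probability(power, "crash, data loss")
    return risk_register([
        ("Server hacked", p_hacked, 50_000),
        ("Power failure crashes servers", p_crash, 20_000),
        ("Fire in office", 0.01, 500_000),
    ])


if __name__ == "__main__":
    for threat, p, damage, risk in build_register():
        print(f"{threat:32s} P={p:.4f} damage={damage:>8,} risk={risk:10,.1f}")
    for cs in minimal_cut_sets(SERVER_HACKED):
        print("cut set:", sorted(cs))
```

The cut sets are the actionable output of the fault tree: each one is a combination of causes that has to be removed or made less likely (the slide's "reduce the probability of threat"), and the register shows which threat deserves that effort first.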

Process Of Risk Management
● For each risk found decide how to manage it
  – Ignore it
    ● Preventing is more expensive than the damages
  – Reduce the probability of the threat
    ● Better process control, security measures
  – Limit the damage
    ● Minimize the loss caused when the risk realizes
  – Have a recovery process
    ● Minimize the downtime and loss of production

Conclusion
● I'm not an expert on this and neither are you
  – Get an expert to check the building, fire and other safety
● There are many laws that govern this field
  – But don't think that doing things at the level required by law is enough
  – The laws are there to protect others from your company
  – Laws don't protect you from yourself (at least not much)

References
● Finnish Security Police
  – http://www.poliisi.fi/poliisi/supo/home.nsf/pages/indexeng
● PK-yrityksen riskienhallinta (SME risk management)
  – http://www.pk-rh.com/
● Suomen Pelastusalan Keskusjärjestö (Finnish National Rescue Association)
  – http://www.spek.fi
● Kaso kassakaapit (Kaso safes)
  – http://www.kaso.fi
● Yritysturvallisuuden perusteet (Fundamentals of corporate security)
  – http://www.tml.hut.fi/Opinnot/T-110.260/

