© Clyne G. H. Namuo, Ph.D. – Security+
Information Systems Security
A comprehensive guide
Outline
CIA Triangle
Threat Analysis and Asset Inventory
General Security Concepts
Communication Security
Network Security
Physical Security
Disaster Recovery
Security Policies and Procedures
Security in small vs. large companies
CIA Triangle
Confidentiality
  Preventing unauthorized access to systems
Integrity
  Ensure data is what it claims to be
  Ensure accuracy of data
Availability
  Ensure systems and data are available when they are needed
[Diagram: triangle with the three vertices labelled Integrity, Confidentiality, Availability]
Threat Analysis and Asset Inventory
Asset Inventory
  Hardware, Software, Data, Expertise
Threat Categories
  External Intentional (Hackers)
  External Accidental (Remote Users)
  Internal Intentional (Disgruntled Employees)
  Internal Accidental (Untrained Employees)
  Natural Disasters (Fires, Floods, Earthquakes)
Worksheet
General Security Concepts
Malicious Code
  Viruses: software designed to infect and cause ‘damage’ to a computer
  Worm: propagates through email or through network connections. Does not depend on other programs
  Trojan Horse: program pretending to be something legitimate
  Logic Bomb: executes when certain conditions are met
General Security Concepts (con’t)
Social Engineering
  “Hello, I’m calling from the IT department, I need your password to fix your PC”
TCP/IP Attacks
  Network Sniffers (Wireshark)
  Port Scans (NMAP)
  Denial of Service Attacks (UDP Flooder)
General Security Concepts (con’t)
Man in the middle Attacks
Spoofing Attacks
Back Door Attacks
Software/Operating system vulnerabilities
Password Guessing Attacks
  Dictionary Attacks (Lophtcrack)
  Brute Force Attack (Cain and Abel)
Communication Security
E-mail Security
  Phishing
  Hoaxes and Spam
  Viruses traveling as e-mail attachments
  PGP Encryption (www.pgpi.org)
Communication Security (Con’t)
Web Security
  SSL or HTTPS
  Buffer Overflow
  Denial of service attacks
Wireless Security
  Wireless Access Points
  Unsecure communication method
  WEP -> WPA -> WPA2
Network Security
Firewalls
Intrusion Detection Systems
OS Updates, Patches and Service Packs
Access control lists
  Usernames and passwords
  Rights and privileges
Physical Security
Locks on doors to protect systems
Access badges
Biometrics
  Hand scan
  Retina scan
  Voice recognition
Fire Suppression
  Sprinkler system? No, FM-200 gas fire suppression
Disaster Recovery
September 11th lesson
Natural Disasters
Backups
  Daily, weekly, monthly
  Off site storage
Disaster Recovery Plan
  Testing your plan
Security Policies and Procedures
Policies, Procedures and Consequences
Cost-effective solution
Acceptable use policy
  Use of company email
  Appropriate surfing policy
Coordination with Human Resources Dept
Communicate policies effectively
Current Security Practices of SMEs: A Case Study
Namuo, Weiner, and Jennex
San Diego State University
Presentation by:
Clyne G. H. Namuo, Ph.D.
3rd Security Conference April 14/15, 2004
Security in small vs. large companies
Survey Background
Component of Generic Security Plan for SMEs
32 questions regarding computer security
Respondents
  218 total
  All in San Diego (planned extension/expansion to other cities)
  56% Large corporations (123)
  44% SMEs (95) (Companies with less than 500 employees)
  Working professionals
  Industry professionals
Hypothesis
  SMEs lack knowledge and resources to implement proper security measures/barriers and will exhibit less knowledge about their security plans
  Literature on SMEs supports this but found little quantitative data to support this
SME vs. Large Implementation of Security Measures
[Chart: grouped bar chart, one pair of bars per security measure; y-axis: percent of respondents implementing the measure (0% to 100%); series: SMEs, Large]
[Chart: survey agreement scores, SMEs vs. Large; grouped bar chart, y-axis: mean score (0.0 to 4.5); categories: comfortable, adequate, confident, rely, burden, worry; series: SMEs, Large]
Survey statements:
  comfortable: I am comfortable our security plan protects our critical data
  adequate: We have adequate knowledge about IS security
  confident: I am confident my company won't have an IS security problem
  rely: We rely on one or two key people to manage our IS security
  burden: Our security rules are a burden to follow
  worry: I stay awake nights worrying about my company's data and networks
Scale: 5=Agree 4=Somewhat agree 3=Neutral 2=Somewhat disagree 1=Disagree
Conclusions
SMEs have less knowledge of security and their security plans than their counterparts in large companies
However, personnel in SMEs are just about as comfortable with their security as their counterparts in large companies
No one is losing sleep over their security plan
Conclusion
CIA Triangle
Threat Analysis and Asset Inventory
General Security Concepts
Communication Security
Network Security
Physical Security
Disaster Recovery
Security Policies and Procedures
Security in small vs. large companies