Information Systems Security

Date posted: 01-Feb-2016
Page 1: Information Systems Security

© Clyne G. H. Namuo, Ph.D. – Security+

Information Systems Security

A comprehensive guide

Page 2: Information Systems Security

Outline

- CIA Triangle
- Threat Analysis and Asset Inventory
- General Security Concepts
- Communication Security
- Network Security
- Physical Security
- Disaster Recovery
- Security Policies and Procedures
- Security in small vs. large companies

Page 3: Information Systems Security

CIA Triangle

- Confidentiality: preventing unauthorized access to systems and the data they hold
- Integrity: ensuring data is what it claims to be, i.e. that it is accurate and has not been altered without authorization
- Availability: ensuring systems and data are available when they are needed

Page 4: Information Systems Security

Threat Analysis and Asset Inventory

- Asset inventory: hardware, software, data, expertise
- Threat categories
  - External intentional (hackers)
  - External accidental (remote users)
  - Internal intentional (disgruntled employees)
  - Internal accidental (untrained employees)
  - Natural disasters (fires, floods, earthquakes)
- Worksheet

Page 5: Information Systems Security

General Security Concepts

- Malicious code
  - Virus: code that attaches itself to a host program or file and spreads when that host is run; designed to infect and cause 'damage' to a computer
  - Worm: propagates on its own through e-mail or network connections; does not depend on other programs
  - Trojan horse: a program pretending to be something legitimate
  - Logic bomb: code that executes only when certain conditions are met

Page 6: Information Systems Security

General Security Concepts (con't)

- Social engineering
  - "Hello, I'm calling from the IT department, I need your password to fix your PC"
- TCP/IP attacks
  - Network sniffers (Wireshark)
  - Port scans (Nmap)
  - Denial of service attacks (UDP flooder)
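A port scan of the kind Nmap performs leaves a characteristic trace in firewall or flow logs: one source opening connections to many distinct ports on one host in a short time. The following added example (written for this edition, not part of the original slides) shows the detection side of that: a sliding-window count of distinct destination ports per (source, destination) pair. The log format, the addresses and the thresholds are assumptions constructed for illustration, not a real product's format or a real capture.

```python
"""Detect port-scan behaviour in connection logs (added example).

The log format is a constructed one for this example, not that of any real
firewall: "<ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>", one
connection attempt per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample traffic (not a real capture).

    203.0.113.5 sweeps ports 20-40 on 192.0.2.10 at four ports per second,
    the way a SYN scan does.  198.51.100.7 is a normal client that opens a
    few HTTPS connections and one HTTP connection over two minutes.
    """
    lines = []
    for i, port in enumerate(range(20, 41)):
        lines.append(f"2016-02-01T10:00:{i // 4:02d} 203.0.113.5 192.0.2.10 {port} SYN")
    for i in range(5):
        lines.append(f"2016-02-01T10:01:{i * 10:02d} 198.51.100.7 192.0.2.10 443 SYN")
    lines.append("2016-02-01T10:02:00 198.51.100.7 192.0.2.10 80 SYN")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port), flags


def detect_port_scans(log_text, window_seconds=10, port_threshold=15):
    """Return one alert (src, dst, distinct_ports) per (src, dst) pair whose
    connection attempts touch at least port_threshold distinct destination
    ports within any window_seconds-long trailing window.

    Only SYN lines count, so established traffic is not mistaken for a scan.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = parse_line(line)
        if flags == "SYN":
            attempts[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), events in attempts.items():
        events.sort()
        in_window = deque()
        port_counts = defaultdict(int)  # port -> attempts still inside the window
        for ts, port in events:
            in_window.append((ts, port))
            port_counts[port] += 1
            # Drop attempts that fell out of the trailing window.
            while ts - in_window[0][0] > window:
                _, old_port = in_window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= port_threshold:
                alerts.append((src, dst, len(port_counts)))
                break  # one alert per pair is enough; the scan is already flagged
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(build_sample_log()):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 10s")
```

The threshold and window are tuning knobs: a slow scan spread over hours will slip under a 10-second window, and a monitoring host that legitimately polls many ports will trip it, so in practice the rule is paired with an allow-list of known scanners and a second, longer window.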

Page 7: Information Systems Security

General Security Concepts (con't)

- Man-in-the-middle attacks
- Spoofing attacks
- Back door attacks
- Software/operating system vulnerabilities
- Password guessing attacks
  - Dictionary attacks (L0phtCrack)
  - Brute force attacks (Cain and Abel)
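Both tools named above work offline against a dump of password hashes, so the defence is in how the hashes are stored. The added example below (not from the original slides) runs a dictionary attack and a brute-force attack against unsalted MD5 hashes, then shows the salted, deliberately slow alternative and how the attacker's work factor changes. The wordlist, passwords and PIN are constructed for the demonstration.

```python
"""Dictionary and brute-force attacks against password hashes, and why
salted, slow hashing blunts them (added example, not from the slides).

Every password, hash and wordlist entry below is constructed for the
demonstration.
"""
import hashlib
import hmac
import os

# Stand-in for the dictionary file a cracking tool is fed.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2016", "admin"]


def unsalted_md5(password):
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack(stolen_hashes, wordlist):
    """Hash each dictionary word once and look it up against every stolen
    hash at the same time.  Without salts the cost is len(wordlist) hashes
    no matter how many users were dumped.  Returns {hash: password}."""
    lookup = {unsalted_md5(word): word for word in wordlist}
    return {h: lookup[h] for h in stolen_hashes if h in lookup}


def brute_force_digits(target_hash, length):
    """Exhaustively try every all-digit PIN of the given length."""
    for n in range(10 ** length):
        guess = str(n).zfill(length)
        if unsalted_md5(guess) == target_hash:
            return guess
    return None


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """The stronger scheme: per-user random salt plus a deliberately slow
    key-derivation function.  Returns (salt, iterations, digest), which is
    what gets stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password, salt, iterations, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def attack_cost(users, wordlist_size, iterations):
    """Hash computations needed to run the whole dictionary against every
    user: one table serves all users when hashes are unsalted, while per-
    user salts force a fresh run per user and each guess costs `iterations`."""
    return {
        "unsalted_fast": wordlist_size,
        "salted_slow": users * wordlist_size * iterations,
    }


if __name__ == "__main__":
    dump = [unsalted_md5(p) for p in ("letmein", "Tr0ub4dor&3")]
    print("dictionary attack recovered:", dictionary_attack(dump, WORDLIST))
    print("brute force recovered PIN:", brute_force_digits(unsalted_md5("0427"), 4))
    salt, it, digest = pbkdf2_hash("letmein")
    print("correct password verifies:", verify_pbkdf2("letmein", salt, it, digest))
    print("work factor:", attack_cost(users=1000, wordlist_size=10**7, iterations=it))
```

Salting does not make a weak password strong: "letmein" still falls to the first dictionary pass against its own salt. What it removes is the economy of scale, and the iteration count turns each remaining guess into a measurable cost.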

Page 8: Information Systems Security

Communication Security

- E-mail security
  - Phishing
  - Hoaxes and spam
  - Viruses traveling as e-mail attachments
  - PGP encryption (www.pgpi.org)
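The first three items above can be screened at the mail gateway before a user ever sees the message. The added example below (not part of the original slides) triages a raw message for three indicators: sender-domain mismatches between the visible From address and the bounce or reply addresses, a failed SPF/DKIM verdict recorded by the gateway, and an executable attachment hiding behind a double extension. Both messages are constructed; the domains are reserved example domains and every header is invented.

```python
"""Triage an inbound e-mail for common phishing indicators (added example;
not part of the original slides).  Both messages below are constructed: the
domains are reserved example domains and the headers are invented."""
import email
from email import policy
from email.utils import parseaddr

# Attachment types that should never arrive from outside the organisation.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")

SUSPICIOUS_MESSAGE = """\
From: "Payroll Department" <payroll@example.com>
Return-Path: <bounce@mail-example.net>
Reply-To: <helpdesk@example-support.biz>
To: staff@example.com
Subject: Urgent: confirm your password to avoid payroll suspension
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello, I'm from the IT department. Open the attached form and enter your password.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="payroll_form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

LEGITIMATE_MESSAGE = """\
From: "Payroll Department" <payroll@example.com>
Return-Path: <payroll@example.com>
To: staff@example.com
Subject: March pay dates
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/plain

Pay dates for March are the 15th and the 31st.
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw):
    """Return a list of human-readable findings; an empty list means no
    indicator fired, which is not proof that the message is safe."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The visible sender, the bounce address and the reply address should
    #    agree; a phisher controls the latter two and spoofs the first.
    from_domain = domain_of(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 2. Use the gateway's SPF/DKIM verdict when it has been recorded.
    auth = str(msg["Authentication-Results"] or "").lower()
    for check in ("spf=fail", "dkim=fail"):
        if check in auth:
            findings.append(f"gateway reported {check}")

    # 3. Viruses travel as attachments; a double extension is a classic disguise.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")

    return findings


if __name__ == "__main__":
    for finding in triage_message(SUSPICIOUS_MESSAGE):
        print("-", finding)
```

Mailing lists and ticketing systems legitimately set Reply-To to another domain, so the domain checks are scoring inputs rather than block rules; the executable attachment is the one finding that justifies quarantine on its own.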

Page 9: Information Systems Security

Communication Security (con't)

- Web security
  - SSL/TLS (HTTPS)
  - Buffer overflows
  - Denial of service attacks
- Wireless security
  - Wireless access points
  - Insecure communication medium (radio can be received by anyone in range)
  - WEP -> WPA -> WPA2 (WEP is broken and should not be used)

Page 10: Information Systems Security

Network Security

- Firewalls
- Intrusion detection systems
- OS updates, patches and service packs
- Access control lists
- Usernames and passwords
- Rights and privileges
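Firewall and router access control lists are evaluated top to bottom, the first matching rule wins, and anything unmatched should be denied. The added example below (not from the original slides) implements that evaluation and shows the two mistakes that matter most in practice: a rule set that ends in an implicit allow, and a broad allow placed above a narrow deny that it silently overrides. The addresses are reserved documentation ranges and the policy is constructed for illustration.

```python
"""First-match ACL evaluation with a default deny (added example, not from
the slides).  The policy below is constructed: the addresses are reserved
documentation ranges and the rules are illustrative."""
import ipaddress
from typing import List, Optional, Tuple


class Rule:
    """One ACL entry.  ports is an inclusive (low, high) range or None for any."""

    def __init__(self, action: str, src: str, dst: str, proto: str,
                 ports: Optional[Tuple[int, int]] = None, comment: str = ""):
        assert action in ("allow", "deny")
        self.action = action
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto          # "tcp", "udp" or "any"
        self.ports = ports
        self.comment = comment

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int):
    """Walk the list top to bottom; the first matching rule decides.  If
    nothing matches, deny: an ACL that ends in an implicit allow is a hole.
    Returns (action, index_of_deciding_rule) or ("deny", None)."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, index
    return "deny", None


# Intended policy: block cleartext Telnet everywhere, let the internal network
# talk to itself, publish one HTTPS server to the Internet, deny everything else.
POLICY = [
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", (23, 23), "no cleartext Telnet"),
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", "any", None, "internal traffic"),
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", (443, 443), "public web server"),
]

# The same three rules with the broad internal allow moved to the top.  It now
# shadows the Telnet deny for every internal host: ordering is part of the policy.
MISORDERED_POLICY = [POLICY[1], POLICY[0], POLICY[2]]

# What the policy is supposed to do, written down as test cases.
INTENT = [
    ("10.2.3.4", "10.0.1.10", "tcp", 23, "deny"),        # internal Telnet blocked
    ("10.2.3.4", "10.0.1.10", "tcp", 22, "allow"),       # internal SSH fine
    ("203.0.113.9", "10.0.1.10", "tcp", 443, "allow"),   # public HTTPS
    ("203.0.113.9", "10.0.1.10", "tcp", 22, "deny"),     # no SSH from the Internet
    ("203.0.113.9", "10.0.1.10", "udp", 443, "deny"),    # wrong protocol
]


def audit(rules: List[Rule], cases):
    """Run every (src, dst, proto, port, expected) case through the rule set and
    return those whose outcome differs, as (case..., expected, actual).  An
    empty list means the rules still implement the intent after an edit."""
    failures = []
    for src, dst, proto, port, expected in cases:
        action, _ = evaluate(rules, src, dst, proto, port)
        if action != expected:
            failures.append((src, dst, proto, port, expected, action))
    return failures


if __name__ == "__main__":
    print("intended order :", audit(POLICY, INTENT))
    print("misordered     :", audit(MISORDERED_POLICY, INTENT))
```

Keeping the intent as executable cases is the cheap part of change control for a rule base: every edit to the ACL is re-run against them before it is pushed to the device.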

Page 11: Information Systems Security

Physical Security

- Locks on doors to protect systems
- Access badges
- Biometrics
  - Hand scan
  - Retina scan
  - Voice recognition
- Fire suppression
  - Sprinkler system? No: water destroys the equipment it is meant to protect, so server rooms use a clean-agent gas system such as FM-200

Page 12: Information Systems Security

Disaster Recovery

- September 11th lesson
- Natural disasters
- Backups
  - Daily, weekly, monthly
  - Off-site storage
- Disaster recovery plan
  - Testing your plan
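"Testing your plan" means proving that what was backed up can be restored intact, not just that the backup job reported success. The added example below (not from the original slides) records a manifest of SHA-256 digests at backup time and checks a restored tree against it, flagging files that are missing, silently altered, or unexpected. The files, the corruption and the lost file are all constructed inside a temporary directory so the drill runs anywhere.

```python
"""Verify that a backup can actually be restored intact (added example, not
from the slides).  A manifest of SHA-256 digests is written at backup time
and checked against the restored tree; the files and the damage below are
constructed inside a temporary directory."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root):
    """Relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(source_dir, manifest_path):
    """Taken at backup time and stored separately from the backup medium."""
    manifest = tree_digests(source_dir)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(restored_dir, manifest_path):
    """Compare a restored tree with the manifest taken at backup time.
    Returns {"missing": [...], "modified": [...], "unexpected": [...]};
    all three empty means the restore test passed."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = tree_digests(restored_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(name for name in expected
                           if name in actual and actual[name] != expected[name]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def restore_drill():
    """Constructed drill: back up two files, restore them once cleanly and once
    with silent corruption plus a lost file, and return both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "data")
        source.mkdir()
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("quarterly review\n")
        manifest = Path(tmp, "manifest.json")
        write_manifest(source, manifest)

        clean = Path(tmp, "restore_clean")
        shutil.copytree(source, clean)

        damaged = Path(tmp, "restore_damaged")
        shutil.copytree(source, damaged)
        (damaged / "ledger.csv").write_text("id,amount\n1,999\n")  # bit rot or tampering
        (damaged / "notes.txt").unlink()                           # file never made it to tape

        return {"clean": verify_restore(clean, manifest),
                "damaged": verify_restore(damaged, manifest)}


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

Two caveats a practitioner would add: the manifest has to live apart from the backup medium (off-site, like the backup, or signed), otherwise whoever can alter the backup can rewrite the manifest to match; and the drill belongs on the same schedule as the backups themselves, because a restore that worked last year says little about this year's tapes.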

Page 13: Information Systems Security

Security Policies and Procedures

- Policies, procedures and consequences
- Cost-effective solution
- Acceptable use policy
  - Use of company e-mail
  - Appropriate surfing policy
- Coordination with the Human Resources department
- Communicate policies effectively

Page 14: Information Systems Security

Current Security Practices of SMEs: A Case Study
Namuo, Weiner, and Jennex
San Diego State University

Presentation by: Clyne G. H. Namuo, Ph.D.

3rd Security Conference, April 14/15, 2004

Security in small vs. large companies

Page 15: Information Systems Security

Survey Background

- Component of a generic security plan for SMEs
- 32 questions regarding computer security
- Respondents
  - 218 total
  - All in San Diego (planned extension/expansion to other cities)
  - 56% large corporations (123)
  - 44% SMEs (95) (companies with fewer than 500 employees)
  - Working professionals, industry professionals
- Hypothesis
  - SMEs lack the knowledge and resources to implement proper security measures/barriers and will exhibit less knowledge about their security plans
  - The literature on SMEs supports this, but we found little quantitative data to back it up

Page 16: Information Systems Security

SME vs. Large Implementation of Security Measures

[Bar chart, 0-100%: percentage of SMEs vs. large companies implementing each surveyed security measure]

Page 17: Information Systems Security


Page 18: Information Systems Security

[Bar chart: mean agreement on a 1 to 5 scale, SMEs vs. Large, for the six statements below]

- comfortable: I am comfortable our security plan protects our critical data
- adequate: We have adequate knowledge about IS security
- confident: I am confident my company won't have an IS security problem
- rely: We rely on one or two key people to manage our IS security
- burden: Our security rules are a burden to follow
- worry: I stay awake nights worrying about my company's data and networks

Scale: 5 = Agree, 4 = Somewhat agree, 3 = Neutral, 2 = Somewhat disagree, 1 = Disagree

Page 19: Information Systems Security

Conclusions

- SMEs have less knowledge of security and of their security plans than their counterparts in large companies
- However, personnel in SMEs are just about as comfortable with their security as their counterparts in large companies
- No one is losing sleep over their security plan

Page 20: Information Systems Security

Conclusion

- CIA Triangle
- Threat Analysis and Asset Inventory
- General Security Concepts
- Communication Security
- Network Security
- Physical Security
- Disaster Recovery
- Security Policies and Procedures
- Security in small vs. large companies