1 / 20

Information Systems Security

Information Systems Security. A comprehensive guide. Outline. CIA Triangle Threat Analysis and Asset Inventory General Security Concepts Communication Security Network Security Physical Security Disaster Recovery Security Policies and Procedures Security in small vs. large companies.

daw
Télécharger la présentation

Information Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Systems Security A comprehensive guide

  2. Outline • CIA Triangle • Threat Analysis and Asset Inventory • General Security Concepts • Communication Security • Network Security • Physical Security • Disaster Recovery • Security Policies and Procedures • Security in small vs. large companies

  3. Confidentiality Integrity Availability CIA Triangle • Confidentiality • Preventing unauthorized access to systems • Integrity • Ensure data is what it claims to be • Ensure accuracy of data • Availability • Ensure systems and data are available when they are needed

  4. Threat Analysis and Asset Inventory • Threat Categories • External Intentional (Hackers) • External Accidental (Remote Users) • Internal Intentional (Disgruntled Employees) • Internal Accidental (Untrained Employees) • Natural Disasters (Fires, Floods, Earthquakes) • Asset Inventory • Hardware, Software, Data, Expertise

  5. General Security Concepts • Malicious Code • Viruses : software designed to infect and cause ‘damage’ to a computer • Trojan Horse : program pretending to be something legitimate • Worm : propagate through email or through network connections. Do not depend on other programs • Logic Bomb : execute when certain conditions are met

  6. General Security Concepts (con’t) • Social Engineering • “Hello, I’m calling from the IT department, I need your password to fix your PC” • TCP/IP Attacks • Network Sniffers • Port Scans • Denial of Service Attacks

  7. General Security Concepts (con’t) • Man in the middle Attacks • Spoofing Attacks • Back Door Attacks • Password Guessing Attacks • Dictionary Attacks • Brute Force Attack

  8. Communication Security • E-mail Security • Spam • Hoaxes • Viruses traveling as e-mail attachments • PGP Encryption (www.pgpi.org)

  9. Communication Security (Con’t) • Web Security • SSL or HTTPS • Buffer Overflow • Denial of service attacks • Wireless Security • Wireless Access Points • Unsecure communication method • WEP->WPA->WPA2

  10. Network Security • Firewalls • Intrusion Detection Systems • OS Updates, Patches and Service Packs • Access control lists • Usernames and passwords • Rights and privileges

  11. Physical Security • Locks on doors to protect systems • Access badges • Biometrics • Hand scan • Retina scan • Voice recognition • Fire Suppression • Sprinkler system? No, FM-200 gas fire suppression

  12. Disaster Recovery • September 11th lesson • Natural Disasters • Backups • Daily, weekly, monthly • Off site storage • Disaster Recovery Plan • Testing your plan

  13. Security Policies and Procedures • Policies, Procedures and Consequences • Cost-effective solution • Acceptable use policy • Use of company email • Appropriate surfing policy • Coordination with Human Resources Dept • Communicate policies effectively

  14. Security in small vs. large companies 3rd Security Conference April 14/15, 2004 Current Security Practices of SMEs: A Case StudyNamu`o, Weiner, and JennexSan Diego State University Presentation by: Clyne G. H. Namu’o Systems Administrator, San Diego Regional Center Graduate Student, San Diego State University Adjunct Faculty, SD Comm. College District Microsoft Certified Systems Administrator Adobe Certified Expert Microsoft Certified Professional Microsoft Office User Specialist namuo32@hotmail.com

  15. Survey Background • Component of Generic Security Plan for SMEs • 32 questions regarding computer security (jump to survey) • Respondents • 218 total • All in San Diego (planned extension/expansion to other cities) • 56% Large corporations (123) • 44% SMEs (95) (Companies with less than 500 employees) • Working professionals • Industry professionals • Hypothesis • SMEs lack knowledge and resources to implement property security measures/barriers and will exhibit less knowledge about their security plans • Literature on SMEs supports this but found little quantitative data to support this

  16. SMEs Large

  17. SMEs Large I am comfortable our security plan protects our critical data We have adequate knowledge about IS security I am confident my company won't have a IS security problem We rely on one or two key people to manage our IS security Our security rules are a burden to follow I stay awake nights worrying about my company's data and networks 5=Agree 4=Somewhat agree 3=Neutral 2=Somewhat disagree 1=Disagree

  18. Conclusions • SMEs have less knowledge of security and their security plans than their counter parts in large companies • However, personnel in SMEs are just about as comfortable with their security as their counter parts in large companies • No one is losing sleep over their security plan

  19. Conclusion • CIA Triangle • Threat Analysis and Asset Inventory • General Security Concepts • Communication Security • Network Security • Physical Security • Disaster Recovery • Security Policies and Procedures • Security in small vs. large companies

More Related