1 / 16

The User Domain

The User Domain. Kelly Corning & Julie Sharp. User Domain. The assets over which the users have control The people that have the control Domain of the AUP. Risks, Threats, & Vulnerabilities. Social Engineering Negligence Disgruntled Employee Attacks Lack of User Awareness

elmo-osborne
Télécharger la présentation

The User Domain

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The User Domain Kelly Corning & Julie Sharp

  2. User Domain • The assets over which the users have control • The people that have the control • Domain of the AUP

  3. Risks, Threats, & Vulnerabilities • Social Engineering • Negligence • Disgruntled Employee Attacks • Lack of User Awareness • Physical Security • Security Policy Violations

  4. Social Engineering Definition: A collection of malicious techniques used to manipulate people into performing actions or sharing information. Examples: • Tailgating • Phishing emails • Pretexting • Dumpster Diving Think before you act!

  5. Negligence • Prevent negligent hiring • Retention • Supervision • Training Employees need a reason to care!

  6. Disgruntled Employee Attacks • The Exploit • Attack Process • Reconnaissance • Scanning • Exploiting the System • Keeping Access • Covering Tracks • Incident Handling Process Keep your employees happy!

  7. Lack of User Awareness • Ignorance of Policies • Employees need an appropriate level of awareness for their position • Apathy towards Policies If people don't know the policies, how can they follow them?

  8. Lack of User Awareness According to NIST... • "Understand their roles and responsibilities related to the organizational mission" • "Understand the organization’s IT security policy, procedures, and practices" • "Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible."

  9. Lack of User Awareness Levels of Awareness: • Awareness • Allows individuals to recognize security concerns and respond correctly • Broad audience • Training • Teaches skills to allow an employee to perform a specific function • Education • Integrates skills and competencies to allow an employee to see the big picture and respond to an incident proactively • Certification • Involves testing to show that an employee has a specific level of knowledge on a given topic

  10. Lack of User Awareness Common Problems: • Teaching an old dog, new tricks • Security is an information technology problem, not mine • Implementation of new technology • One-size-fits-all • Too much information • Lack of organization • Failure to follow-up • Lack of management support • Lack of resources • No explanation of why • Social engineering

  11. Physical Security • Deterrence • Convince attackers that the consequences of getting caught are not worth the potential payoff • Access Control • Gates, doors, locks • Detection • Alarm systems, motion sensors, contact sensors • Identification • Video monitoring • Human Response • Guards, emergency response personnel

  12. Physical Security Quick tips: • Don't leave confidential/sensitive information out in the open • Protect portable devices • Disable drives & ports to prevent copying • Shred extras • Lock doors • Protection from environmental factors • Record security camera video, keep videos Don't make it easy for the bad guy!

  13. Security Policy Violations • Be aware of incidents • Yourself • Others • Report incidents • See that necessary action is taken Don't ignore the problem!

  14. Acceptable Use Policy • Overview • Purpose • Scope • Policy • General Use & Ownership • Security & Proprietary Information • Unacceptable Use • System & Network Activities • Email & Communications Activities • Blogging

  15. Acceptable Use Policy • 5. Inappropriate Behavior • 6. Enforcement • 7. Disclosure • 8. Definitions • 9. Revision History

  16. References • Acceptable Usage Policy Template. (2005, April 22). Retrieved March 24, 2013, from First: www.first.org/_assets/resources/guides/aup_generic.doc • InfoSec Acceptable Use Policy. (2006). Retrieved March 7, 2013, from SANS: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf • User Domain. (2007, August 25). Retrieved March 7, 2013, from http://c2.com/cgi/wiki?UserDomain • Negligence. (2012, November 21). Retrieved March 23, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Negligence_in_employment • Childress, J. (2013, March). CS5493(CS7493) Secure System Administration and Certification . Retrieved March 8, 2013, from utulsa: http://personal.utulsa.edu/~james-childress/cs5493/cs5493.html • Giallombardo, A. (2012, September 25). Sample Acceptable Use Policy Template. Retrieved March 24, 2013, from Mafia Securtiy: https://www.mafiasecurity.com/disaster-recovery/sample-acceptable-use-policy-template/ • Kratt, H. (2004, December 8). The Inside Story: A Disgruntled Employee Gets His Revenge. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/engineering/story-disgruntled-employee-revenge_1548 • Russell, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effective-strategy_418 • Wilson, M., & Hash, J. (n.d.). INFORMATION TECHNOLOGY SECURITY AWARENESS, TRAINING, EDUCATION, AND CERTIFICATION. Retrieved March 25, 2013, from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

More Related