CIT 380: Securing Computer Systems (Policies)

Slide 2: Developing a Workable Policy
  • Be sure to know your security perimeter
    - Laptops and PDAs
    - Wireless networks
    - Computers used at home
    - Portable media
      - Flash drives, CDs, DVDs

Slide 3: Security Perimeter
  • The perimeter defines what is within your control.
  • Historically
    - Within the walls of the building or the fences of the campus.
    - Within the router that connects to the ISP.
  • Modern perimeters are more complex
    - Laptops, PDAs.
    - USB keys, CDs, DVDs, portable HDs.
    - Wireless networks.
    - Home PCs that connect to your network.

Slide 4: Defense in Depth
  • Firewall/IDS protect the perimeter.
  • Perimeter security is not sufficient.
    - What if someone brings an infected laptop to work?
    - What if a home user bridges your network to the Internet?
  • Defense in Depth
    - Multiple, independent layers of protection.
    - Network firewall + personal firewall + IDS

Slide 5: Four Easy Steps to a More Secure Computer
  • Decide how important security is for your site.
  • Involve and educate your user community.
  • Devise a plan for making and storing backups of your system data.
  • Stay inquisitive and suspicious.

Slide 6: Compliance Audit
  • Formulating policy is not enough by itself. It is important to determine regularly whether the policy is being applied correctly, and whether the policy is correct and sufficient.

Slide 7: Compliance Audits
  • Audit your systems and personnel regularly.
  • Audit failures may result from
    - Personnel shortcomings
      - Insufficient education or overwork
    - Material shortcomings
      - Insufficient resources or maintenance
    - Organizational shortcomings
      - Lack of authority, conflicting responsibilities
    - Policy shortcomings
      - Unforeseen risks, missing or conflicting policies

Slide 8: Providing Security
  • In-house staff
  • Full-time or part-time consultants
    - Choosing a vendor
      - “Reformed hacker”

Slide 9: Security Concepts
  • Security Through Obscurity
  • Responsible disclosure

Slide 10: Key Points
  • Policy divides the system into
    - Authorized (secure) states.
    - Unauthorized (insecure) states.
  • Policy vs. Mechanism
    - Policy: describes what security is.
    - Mechanism: how the security policy is enforced.
  • Written policy and enforced policy will differ.
    - Compliance audits look for those differences.
  • Security Perimeter
    - Describes what is within your control.
    - Defense in depth: defend the perimeter and the inside.
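The model on the Key Points slide (a policy partitions system states into authorized and unauthorized, a mechanism is what the deployed system actually permits, and a compliance audit looks for where the two differ), worked as an added Python example that is not part of the slides. The state shape, the policy rule and the legacy path that skips the MFA check are all constructed for illustration.

```python
"""Added example (not from the CIT 380 slides): policy as a predicate over
system states, mechanism as the transitions the system actually allows,
and a compliance audit as the search for reachable-but-unauthorized states."""

# Constructed toy state: (user_role, mfa_enrolled, data_label_accessible)


def policy_authorized(state):
    """Written policy: which states are authorized (secure)."""
    role, mfa, label = state
    if label == "confidential":
        return role == "admin" and mfa   # confidential data: admins with MFA only
    return True                          # public data: anyone


def mechanism_transitions(state):
    """Enforced mechanism: the transitions the deployed system permits.
    Constructed to contain a gap: a legacy path grants admins access to
    confidential data without consulting the MFA flag."""
    role, mfa, label = state
    nxt = {(role, True, label)}           # anyone may enrol in MFA
    if role == "admin":                   # legacy path ignores the mfa flag
        nxt.add((role, mfa, "confidential"))
    if mfa:
        nxt.add((role, mfa, "public"))
    return nxt


def reachable(initial, transitions):
    """All states the mechanism can reach from the initial state."""
    seen, frontier = {initial}, [initial]
    while frontier:
        s = frontier.pop()
        for t in transitions(s):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def compliance_audit(initial, policy, transitions):
    """Return the states the mechanism reaches that the written policy forbids:
    exactly the written-vs-enforced differences the slide says audits look for."""
    return sorted(s for s in reachable(initial, transitions) if not policy(s))


if __name__ == "__main__":
    start = ("admin", False, "public")
    for gap in compliance_audit(start, policy_authorized, mechanism_transitions):
        print("enforced but unauthorized:", gap)
```

An empty result (as for a user whose role is "intern" here) means the mechanism never leaves the authorized states; a non-empty result is an audit finding to trace back to a personnel, material, organizational or policy shortcoming.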

Slide 11: References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd ed., O’Reilly, 2003.
  • NKU, Acceptable Use Policy, http://it.nku.edu/pdf/AcceptableUsePolicy-rv51.pdf, 2002.
  • SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/.