This document provides an overview of security tools and technologies including intrusion detection and prevention systems, honeypots, biometric access control, cryptography, and secure communication protocols. It describes the basic categories and operating principles of intrusion detection and prevention systems. It also discusses honeypots, honeynets, and padded cell systems along with the advantages and disadvantages of these approaches. The document then covers biometric access control methods and issues related to effectiveness and user acceptability. It provides an introduction to cryptography including symmetric and asymmetric encryption algorithms and standards. Finally, it outlines several secure communication protocols and common attacks against cryptosystems such as man-in-the-middle and timing attacks.
Computer Security: Principles of Information Security
1. Principles of Information Security, Fourth Edition
Chapter 7
Security Technology: Intrusion
Detection and Prevention Systems,
and Other Security Tools, Cryptography
Do not wait; the time will never be just right. Start where you stand and
work with whatever tools you may have at your command, and better
tools will be found as you go along.
NAPOLEON HILL (1883–1970) FOUNDER OF THE SCIENCE of SUCCESS
2. Learning Objectives
• Upon completion of this material, you should be able to:
– Identify and describe the categories of intrusion detection
and prevention systems, honeypots, honeynets, padded
cells, the use of biometric access mechanisms, and the
basic principles of cryptography
– Describe the operating principles of the most popular
cryptographic tools
– List and explicate the major protocols used for secure
communications
– Discuss the nature of the dominant methods of attack
used against cryptosystems
3. Intrusion Detection and Prevention
Systems
• Intrusion: occurs when an attacker attempts to gain
entry into or disrupt the normal operations of an
information system, almost always with the intent to
do harm
• Intrusion prevention: consists of activities that seek
to deter an intrusion from occurring
4. Intrusion Detection and Prevention
Systems (cont’d.)
• Intrusion detection: consists of procedures and
systems created and operated to detect system
intrusions
• Intrusion reaction: encompasses actions an
organization undertakes when intrusion event is
detected
• Intrusion correction activities: finalize restoration of
operations to a normal state
5. Why Use an IDPS?
• Prevent problem behaviors by increasing the
perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design and
administration, especially of large and complex
enterprises
• Provide useful information about intrusions that
take place
6. Types of IDPS
• IDPSs operate as network-based, host-based, or
application-based systems
• Network-based IDPS is focused on protecting
network information assets
– Wireless IDPS: focuses on wireless networks
– Network behavior analysis IDPS: examines traffic
flow on a network in an attempt to recognize
abnormal patterns
7. Figure 7-1 Intrusion Detection and Prevention Systems
8. Types of IDPS (cont’d.)
• Network-based IDPS
– Resides on computer or appliance connected to
segment of an organization’s network; looks for signs
of attacks
– When examining packets, a NIDPS looks for attack
patterns
– Installed at specific place in the network where it can
watch traffic going into and out of particular network
segment
9. Types of IDPS (cont’d.)
• Advantages of NIDPSs
– Can enable organization to use a few devices to
monitor large network
– NIDPSs not usually susceptible to direct attack and
may not be detectable by attackers
• Disadvantages of NIDPSs
– Can become overwhelmed by network volume and fail
to recognize attacks
– Require access to all traffic to be monitored
– Cannot inspect the payload of encrypted traffic (for
example TLS sessions or VPN tunnels) unless it is
decrypted upstream of the sensor
– Cannot reliably ascertain whether an attack succeeded
10. Types of IDPS (cont’d.)
• Wireless NIDPS
– Monitors and analyzes wireless network traffic
– Issues associated with it include physical security,
sensor range, access point and wireless switch
locations, wired network connections, cost
• Network behavior analysis systems
– Examine network traffic in order to identify problems
related to the flow of traffic
– Types of events commonly detected include DoS
attacks, scanning, worms, unexpected application
services, policy violations
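The two detection styles on slides 8 and 10 (signature matching on packet payloads, and network behavior analysis that flags abnormal traffic flow) can be shown side by side on a handful of constructed flow records. This is an added example, not code from the textbook; the records, the two signature strings, and the 20-port/5-second scan threshold are illustrative assumptions:

```python
"""Signature-based and behavior-based detection over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float            # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # empty when the sensor cannot see it (e.g. TLS)


# Constructed sample: two normal requests, one SQL-injection-looking request,
# and one host (192.0.2.9) touching 40 ports of a server within 0.4 seconds.
FLOWS = [
    Flow(0.0, "10.0.0.5", "10.0.0.20", 443),
    Flow(0.5, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1"),
    Flow(1.0, "10.0.0.7", "10.0.0.20", 80, b"GET /login?user=a' OR '1'='1 HTTP/1.1"),
] + [Flow(2.0 + i * 0.01, "192.0.2.9", "10.0.0.20", 20 + i) for i in range(40)]

# Signature rule set: byte patterns known to appear in attacks (assumed here).
SIGNATURES = {
    "sqli-tautology": b"' OR '1'='1",
    "shellshock-probe": b"() { :;};",
}


def match_signatures(flows):
    """NIDPS-style check: does any packet payload contain a known attack pattern?"""
    hits = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                hits.append((f.src, name))
    return hits


def detect_port_scans(flows, window=5.0, min_ports=20):
    """Network-behavior-analysis rule: one source hitting at least `min_ports`
    distinct ports on one host inside `window` seconds is reported as a scan.
    Needs only headers, so it still works when payloads are encrypted."""
    events = defaultdict(list)                     # (src, dst) -> [(ts, dport), ...]
    for f in sorted(flows, key=lambda f: f.ts):
        events[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = set()
    for (src, dst), seq in events.items():
        for i, (t0, _) in enumerate(seq):         # slide the window over each start time
            ports = {p for t, p in seq[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.add((src, dst))
                break
    return sorted(alerts)


if __name__ == "__main__":
    print("signature hits:", match_signatures(FLOWS))
    print("port scans:", detect_port_scans(FLOWS))
```

The signature rule needs the payload, which is exactly what a NIDPS loses on encrypted traffic (slide 9), whereas the flow rule uses only addresses, ports, and timestamps and so keeps working; the price is that the threshold has to be tuned, since a legitimate vulnerability scanner or load balancer health check will trip it too.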
11. Types of IDPS (cont’d.)
• Host-based IDPS
– Resides on a particular computer or server and
monitors activity only on that system
– Advantage over NIDPS: can usually be installed so
that it can access information encrypted when
traveling over network
12. Types of IDPS (cont’d.)
• Advantages of HIDPSs
– Can detect local events on host systems and detect
attacks that may elude a network-based IDPS
– Functions where encrypted traffic will have been
decrypted and is available for processing
– Not affected by use of switched network protocols
– Can detect inconsistencies in how applications and
systems programs were used by examining records
stored in audit logs
13. Types of IDPS (cont’d.)
• Disadvantages of HIDPSs
– Pose more management issues
– Vulnerable both to direct attacks and attacks against
host operating system
– Does not detect multi-host scanning, nor scanning of
non-host network devices
– Susceptible to some denial-of-service attacks
– Can use large amounts of disk space
– Can inflict a performance overhead on its host
systems
16. Honeypots, Honeynets, and Padded
Cell Systems
• Honeypots: decoy systems designed to lure potential
attackers away from critical systems and encourage
attacks against themselves
• Honeynets: collections of honeypots connecting
several honeypot systems on a subnet
• Honeypots designed to:
– Divert attacker from accessing critical systems
– Collect information about attacker’s activity
– Encourage attacker to stay on system long enough
for administrators to document event and, perhaps,
respond
17. Honeypots, Honeynets, and Padded
Cell Systems (cont’d.)
• Padded cell: honeypot that has been protected so it
cannot be easily compromised
• In addition to attracting attackers with tempting
data, a padded cell operates in tandem with a
traditional IDS
• When the IDS detects attackers, it seamlessly
transfers them to a special simulated environment
where they can cause no harm—the nature of this
host environment is what gives approach the name
padded cell
18. Honeypots, Honeynets, and Padded
Cell Systems (cont’d.)
• Advantages
– Attackers can be diverted to targets they cannot
damage
– Administrators have time to decide how to respond
to attacker
– Attackers’ actions can be easily and more
extensively monitored, and records can be used to
refine threat models and improve system protections
– Honeypots may be effective at catching insiders
who are snooping around a network
19. Honeypots, Honeynets, and Padded
Cell Systems (cont’d.)
• Disadvantages
– Legal implications of using such devices are not well
defined
– Honeypots and padded cells have not yet been
shown to be generally useful security technologies
– Expert attacker, once diverted into a decoy system,
may become angry and launch a more hostile attack
against an organization’s systems
– Administrators and security managers will need a
high level of expertise to use these systems
20. Biometric Access Control
• Based on the use of some measurable human
characteristic or trait to authenticate the identity of a
proposed systems user (a supplicant)
• Relies upon recognition
• Includes fingerprint comparison, palm print
comparison, hand geometry, facial recognition
using a photographic id card or digital camera,
retinal print, iris pattern
• Characteristics considered truly unique:
fingerprints, retina of the eye, iris of the eye
21. Figure 7-20 Biometric Recognition Characteristics
22. Effectiveness of Biometrics
• Biometric technologies evaluated on three basic
criteria:
– False reject rate (FRR): the rate at which legitimate
users are rejected (a usability failure)
– False accept rate (FAR): the rate at which unauthorized
users are accepted (a security failure)
– Crossover error rate (CER): the threshold setting at
which FRR and FAR are equal; the lower the CER, the
more accurate the system. Tightening the threshold
lowers FAR but raises FRR, so the two have to be
balanced against each other
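The three criteria are easiest to see by sweeping the decision threshold over match scores. The scores below are constructed for this added example (they are not data from the textbook or its Table 7-3); a real evaluation would use thousands of genuine and impostor attempts per threshold:

```python
"""False reject rate, false accept rate and crossover error rate from match scores."""

# Constructed match scores on a 0..100 scale (higher = stronger claim of a match).
GENUINE = [72, 80, 85, 88, 90, 91, 93, 95, 97, 99]    # enrolled, legitimate users
IMPOSTOR = [10, 22, 35, 41, 50, 58, 66, 74, 79, 86]   # unauthorized users


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Policy: accept when score >= threshold. Returns (FRR, FAR) as fractions."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # legit users turned away
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; return (threshold, CER) where FRR and FAR are closest.
    CER is reported as the mean of the two rates at that point."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def tradeoff_table(thresholds=(60, 70, 80, 90)):
    """FRR/FAR at several settings, to show the usability/security trade-off."""
    return {t: error_rates(t) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in tradeoff_table().items():
        print(f"threshold {t:3d}: FRR={frr:.2f} FAR={far:.2f}")
    print("crossover:", crossover())
```

Moving the threshold up walks the system from "convenient but porous" (low FRR, high FAR) to "secure but annoying" (high FRR, low FAR); the CER is the single number used to compare two products, but the operating point actually deployed is chosen from the trade-off, not from the CER.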
23. Acceptability of Biometrics
• Balance must be struck between how acceptable
security system is to users and its effectiveness in
maintaining security
• Many biometric systems that are highly reliable and
effective are considered intrusive
• As a result, many information security
professionals, in an effort to avoid confrontation
and possible user boycott of biometric controls,
don’t implement them
24. Table 7-3 Ranking of Biometric Effectiveness and Acceptance
H=High, M=Medium, L=Low
Reproduced from The ‘123’ of Biometric Technology, 2003, by Yun,
Yau Wei
25. Cryptography
• Cryptology: science of encryption; combines
cryptography and cryptanalysis
• Cryptography: process of making and using codes
to secure transmission of information
• Cryptanalysis: process of recovering the original
message from the encrypted message without
knowing the key (and possibly not even the algorithm)
• Encryption: converting original message into a form
unreadable by unauthorized individuals
• Decryption: the process of converting the ciphertext
message back into plaintext(original message)
26. Cipher Methods
• Substitution Cipher
• Transposition Cipher
• Book or Running Key Cipher
• Hash Functions
27. Cryptographic Algorithms
• Often grouped into two broad categories,
symmetric and asymmetric
– Today’s popular cryptosystems use hybrid
combination of symmetric and asymmetric
algorithms
• Symmetric and asymmetric algorithms
distinguished by types of keys used for encryption
and decryption operations
28. Symmetric Encryption
• Uses same “secret key” to encipher and decipher
message
– Encryption methods can be extremely efficient,
requiring minimal processing
– Both sender and receiver must possess encryption
key
– If either copy of the key is compromised, an
intermediary can decrypt and read messages
– Data Encryption Standard (DES), Triple DES
(3DES), Advanced Encryption Standard (AES); note
that DES’s 56-bit key is brute-forceable with
modern hardware and 3DES is deprecated, so new
systems should use AES
30. Asymmetric Encryption
• Also known as public-key encryption
• Uses two different but related keys
– Either key can encrypt or decrypt message
– If Key A encrypts message, only Key B can decrypt
– Highest value when one key serves as private key
and the other serves as public key
• RSA algorithm
32. Encryption Key Size
• When using ciphers, size of cryptovariable or key is
very important
• Strength of many encryption applications and
cryptosystems measured by key size
• For cryptosystems, security of encrypted data is not
dependent on keeping encrypting algorithm secret
• Cryptosystem security depends on keeping some
or all of elements of cryptovariable(s) or key(s)
secret
34. Cryptographic Tools
• Potential areas of use include:
– Ability to conceal the contents of sensitive messages
– Verify the contents of messages and the identities of
their senders
• Tools:
– Public-Key Infrastructure (PKI)
– Digital Signatures
– Digital Certificates
35. Public-Key Infrastructure (PKI)
• Integrated system of software, encryption
methodologies, protocols, legal agreements, and
third-party services enabling users to communicate
securely
• PKI systems based on public-key cryptosystems
• PKI protects information assets in several ways:
– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation
36. Digital Signatures
• Verify information transferred using electronic
systems
• Asymmetric encryption processes used to create
digital signatures
• Nonrepudiation: the property that the sender of a
signed message cannot later deny having sent it,
because only the holder of the private key could
have produced the signature
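Slides 27, 28 and 30 describe the hybrid pattern (an asymmetric key wraps a one-time symmetric key, and the symmetric cipher does the bulk work), and slide 36 the signature pattern (hash the message, then apply the private key). The added example below implements both with textbook RSA; it is not the textbook's code. Assumptions to note: the primes are Mersenne primes chosen only so the example is reproducible offline (a real key uses random primes of 1024 bits or more), RSA is used raw with no OAEP or PSS padding, and the symmetric cipher is a toy SHA-256 counter-mode keystream standing in for AES, with an HMAC tag for integrity. It shows the structure, not a production-grade scheme:

```python
"""Hybrid encryption and digital signatures with textbook RSA (toy example)."""
import hashlib
import hmac
import secrets

# Toy key pair. Mersenne primes are an assumption made only so the example is
# reproducible; real keys use random 1024+-bit primes and padded RSA.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_public(x: int, key) -> int:
    n, e = key
    return pow(x, e, n)


def rsa_private(x: int, key) -> int:
    n, d = key
    return pow(x, d, n)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || counter) as keystream.
    Stands in for AES here; encryption and decryption are the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, recipient_public) -> dict:
    session_key = secrets.token_bytes(16)          # fresh 128-bit key, used once
    nonce = secrets.token_bytes(12)
    # asymmetric part: only the recipient's private key can unwrap the session key
    wrapped = rsa_public(int.from_bytes(session_key, "big"), recipient_public)
    # symmetric part: bulk encryption plus an integrity tag over nonce and body
    body = keystream_xor(session_key, nonce, plaintext)
    tag = hmac.new(session_key, nonce + body, "sha256").digest()
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def hybrid_decrypt(msg: dict, recipient_private) -> bytes:
    session_key = rsa_private(msg["wrapped_key"], recipient_private).to_bytes(16, "big")
    expected = hmac.new(session_key, msg["nonce"] + msg["body"], "sha256").digest()
    if not hmac.compare_digest(expected, msg["tag"]):   # verify before decrypting
        raise ValueError("integrity check failed: message was altered")
    return keystream_xor(session_key, msg["nonce"], msg["body"])


def sign(message: bytes, signer_private) -> int:
    """Hash the message, then apply the signer's private key to the digest."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_private(digest, signer_private)


def verify(message: bytes, signature: int, signer_public) -> bool:
    """Anyone holding the public key can check; only the private key could sign."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_public(signature, signer_public) == digest


if __name__ == "__main__":
    box = hybrid_encrypt(b"the meeting is moved to 0900", PUBLIC_KEY)
    print(hybrid_decrypt(box, PRIVATE_KEY))
    s = sign(b"transfer 100", PRIVATE_KEY)
    print(verify(b"transfer 100", s, PUBLIC_KEY), verify(b"transfer 1000", s, PUBLIC_KEY))
```

Two details matter in practice: hybrid_decrypt checks the tag with a constant-time comparison before it decrypts anything, and verify needs only the public key, which is what makes the signature non-repudiable, since a signature that checks out under N and E can only have been produced with D.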
37. Digital Certificates
• Electronic document containing a public key value and
identifying information about the entity that controls the
corresponding private key
• A digital signature from the issuing authority is attached
to the certificate to certify that the key belongs to the
entity it names
39. Steganography
• Process of hiding information
• Has been in use for a long time
• Most popular modern version hides information
within files appearing to contain digital pictures or
other images
• Some applications hide messages in .bmp, .wav,
.mp3, and .au files, as well as in unused space on
CDs and DVDs
40. Securing Internet Communication with
Protocol S-HTTP and SSL
• Secure Sockets Layer (SSL) protocol: uses public-key
encryption to negotiate a session key and secure a
channel over the public Internet; every SSL version is
now deprecated in favor of its successor, Transport
Layer Security (TLS)
• Secure Hypertext Transfer Protocol (S-HTTP):
extended version of Hypertext Transfer Protocol;
provides for encryption of individual messages
between client and server across the Internet
• S-HTTP is not SSL over HTTP: HTTPS is HTTP carried
inside an SSL/TLS channel, and HTTPS, not S-HTTP,
is what browsers and servers actually deploy
41. Securing e-mail with S/MIME, PEM,
and PGP Protocols
• Secure Multipurpose Internet Mail Extensions
(S/MIME): builds on Multipurpose Internet Mail
Extensions (MIME) encoding format by adding
encryption and authentication
• Privacy Enhanced Mail (PEM): proposed as
standard to function with public-key cryptosystems;
uses 3DES symmetric key encryption
• Pretty Good Privacy (PGP): originally used the IDEA
cipher for message encryption; current OpenPGP
implementations default to AES for the symmetric part
42. Securing Web transactions with SET,
SSL, and S-HTTP
• Secure Electronic Transactions (SET): developed
by MasterCard and VISA in 1997 to provide
protection from electronic payment fraud
• Uses DES to encrypt credit card information
transfers, with RSA to protect the DES keys and
to sign transactions
• Designed to secure both Internet-based credit
card transactions and card-swipe systems in
retail stores
• SET never achieved wide deployment and is now
obsolete
43. Securing Wireless Networks with WEP
and WPA
• Wired Equivalent Privacy (WEP): early attempt to
provide security with the 802.11 network protocol;
flaws in how it keys RC4 let the key be recovered
from captured traffic, so it must not be used
• Wi-Fi Protected Access (WPA and WPA2): created
to resolve issues with WEP; WPA3 (2018) is the
current generation
• Next-generation wireless protocols: Robust
Security Network (RSN, defined in IEEE 802.11i),
which uses AES in Counter Mode with CBC-MAC
(AES-CCMP); an AES Offset Codebook (OCB) mode
was proposed for 802.11i but not adopted
44. Protocols for Secure Communications
(continued)
• Securing TCP/IP with IPSec
– Internet Protocol Security (IPSec): open-standard
(IETF) protocol suite, not an open-source product,
for securing communications across any IP-based
network
– Two protocols: Authentication Header (AH) for
integrity and origin authentication, Encapsulating
Security Payload (ESP) for confidentiality plus
integrity; each runs in transport mode (protects the
payload) or tunnel mode (protects the whole packet,
used between VPN gateways)
45. Attacks on Cryptosystems
• Attempts to gain unauthorized access to secure
communications have used brute-force attacks, in
which the attacker holds only ciphertext
(ciphertext-only attacks) and tries every key
• Attacker may alternatively conduct known-plaintext
or chosen-plaintext attacks, which are stronger
because the attacker has (or chooses) plaintexts
and sees the matching ciphertexts
46. Man-in-the-Middle Attack
• Designed to intercept transmission of public key or
insert known key structure in place of requested
public key
• From the victim’s perspective, encrypted
communication appears to be occurring normally,
but in fact the attacker receives each encrypted
message, decrypts it, re-encrypts it under the other
party’s real key, and forwards it to the originally
intended recipient
• Binding public keys to identities with digital
signatures (certificates issued by a trusted third
party) lets each side detect a substituted key and
so prevents the traditional man-in-the-middle attack
47. Correlation Attacks
• Collection of cryptanalytic methods (not brute force)
that attempt to deduce statistical relationships
between the structure of the unknown key and the
ciphertext
• Differential and linear cryptanalysis have been used
to mount successful attacks
• Only defense is selection of strong cryptosystems,
thorough key management, and strict adherence to
best practices of cryptography in frequency of
changing keys
48. Dictionary Attacks
• Attacker encrypts every word in a dictionary using
same cryptosystem used by target
• Dictionary attacks succeed when the plaintext is drawn
from a small, guessable set (e.g., usernames,
human-chosen passwords), so the attacker can simply
enumerate candidates; the length of the ciphertext is
not what matters
• Standard defenses are a per-user salt, which defeats
precomputed tables, and a deliberately slow key
derivation function, which raises the cost of each guess
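A concrete version of the attack, and of the two defenses, as an added example that is not the textbook's code. The wordlist, the target passwords, and the 100,000 PBKDF2 iterations are constructed for illustration; a real attack uses a wordlist of millions of entries, and real deployments use a dedicated password hash such as Argon2 or bcrypt, which the standard library's PBKDF2 stands in for here:

```python
"""Dictionary attack on password hashes: unsalted fast hash vs salted slow KDF."""
import hashlib
import os

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["letmein", "password", "password123", "qwerty", "correcthorse"]


def fast_hash(password: str) -> str:
    """How passwords must NOT be stored: a single unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(wordlist=WORDLIST) -> dict:
    """The attacker's precomputed table: built once, reused against every target."""
    return {fast_hash(w): w for w in wordlist}


def crack_unsalted(target_hash: str, table: dict):
    """One dictionary lookup per stolen hash; returns the password or None."""
    return table.get(target_hash)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> tuple:
    """What the server keeps: a random per-user salt and the derived key."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def crack_salted(record: tuple, wordlist=WORDLIST):
    """No shared table is possible: every guess is re-derived with this user's
    salt at full KDF cost. Returns (password or None, guesses spent)."""
    salt, digest = record
    for count, word in enumerate(wordlist, start=1):
        if slow_hash(word, salt) == digest:
            return word, count
    return None, len(wordlist)


if __name__ == "__main__":
    table = build_table()
    print("unsalted:", crack_unsalted(fast_hash("password123"), table))
    print("salted:  ", crack_salted(store_password("qwerty")))
```

Against the unsalted hash the attacker pays for the wordlist once and then answers every stolen hash with a lookup. With a per-user salt and an iterated KDF each stolen record costs a full pass over the wordlist, and each guess costs 100,000 HMAC evaluations instead of one; a weak password such as "qwerty" still falls, which is why the slow hash complements, rather than replaces, a password policy.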
49. Timing Attacks
• Attacker eavesdrops during victim’s session
– Uses statistical analysis of user’s typing patterns and
inter-keystroke timings to discern sensitive session
information (a side channel on interactive sessions
such as SSH)
• More generally, a timing attack measures how long a
cryptographic operation or comparison takes; if that
time depends on secret data (a comparison that stops
at the first mismatch, a modular exponentiation whose
duration depends on key bits), it can be used to gain
information about the encryption key and possibly the
cryptosystem in use
• Once encryption is successfully broken, the attacker
may launch a replay attack (an attempt to resubmit a
recording of deciphered authentication to gain entry
into the secured resource)
50. Defending Against Attacks
• No matter how sophisticated encryption and
cryptosystems have become, if key is discovered,
message can be determined
• Key management is not so much management of
technology but rather management of people
52. Principles of Information Security, 3rd Edition
Introduction
▪ Physical security addresses design, implementation, and
maintenance of countermeasures that protect physical
resources of an organization
▪ Most controls can be circumvented if an attacker gains
physical access
▪ Physical security is as important as logical security
53. Introduction (continued)
▪ Seven major sources of physical loss:
▪ Extreme temperature
▪ Gases
▪ Liquids
▪ Living organisms
▪ Projectiles
▪ Movement
▪ Energy anomalies
54. Introduction (continued)
▪ Community roles
▪ General management: responsible for facility security
▪ IT management and professionals: responsible for
environmental and access security
▪ Information security management and professionals:
perform risk assessments and implementation reviews
55. Physical Access Controls
▪ Secure facility: physical location engineered with controls
designed to minimize risk of attacks from physical threats
▪ Secure facility can take advantage of natural terrain, traffic
flow, and degree of urban development; can complement
these with protection mechanisms (fences, gates, walls,
guards, alarms)
56. Physical Security Controls
▪ Walls, fencing, and gates
▪ Lighting (not in ch.)
▪ Guards
▪ Dogs
▪ ID cards and badges
▪ Locks and keys
57. Physical Security Controls (continued)
▪ Mantraps (or womantraps, persontraps, etc.)
▪ Electronic monitoring
▪ Alarms and alarm systems
▪ Computer rooms and wiring closets
▪ Interior walls and doors
58. ID Cards and Badges
▪ Ties physical security with information access control
▪ ID card is typically concealed
▪ Name badge is visible
▪ Serve as simple form of biometrics (facial recognition)
▪ Should not be only means of control as cards can be easily
duplicated, stolen, and modified
▪ Tailgating occurs when unauthorized individual follows
authorized user through the control
59. Locks and Keys
▪ Two types of locks: mechanical and electromechanical
▪ Locks can also be divided into four categories: manual,
programmable, electronic, biometric
▪ Locks fail and alternative procedures for controlling access
must be put in place
▪ Locks fail in one of two ways:
▪ Fail-safe lock: unlocks when power is lost, so people
can always get out (life safety takes precedence over
asset protection)
▪ Fail-secure lock: stays locked when power is lost, so
the protected area stays closed; must be paired with
an egress route that satisfies fire codes
61. Mantrap
▪ Small enclosure that has entry point and different exit point
▪ Individual enters mantrap, requests access, and if verified,
is allowed to exit mantrap into facility
▪ Individual denied entry is not allowed to exit until security
official overrides automatic locks of the enclosure
63. Electronic Monitoring
▪ Records events where other types of physical controls are
impractical or incomplete
▪ May use cameras with video recorders; includes
closed-circuit television (CCTV) systems
▪ Drawbacks
▪ Reactive; does not prevent access or prohibited activity
▪ Recordings often are not monitored in real time; must be
reviewed to have any value
64. Alarms and Alarm Systems
▪ Alarm systems notify when an event occurs
▪ Detect fire, intrusion, environmental disturbance, or an
interruption in services
▪ Rely on sensors that detect event; e.g., motion detectors,
smoke detectors, thermal detectors, glass breakage
detectors, weight sensors, contact sensors, vibration
sensors
65. Computer Rooms and Wiring Closets
▪ Require special attention to ensure confidentiality, integrity,
and availability of information
▪ Logical controls easily defeated if attacker gains physical
access to computing equipment
▪ Custodial staff often the least scrutinized persons who
have access to offices; are given greatest degree of
unsupervised access
66. Interior Walls and Doors
▪ Information asset security sometimes compromised by
construction of facility walls and doors
▪ Facility walls are typically either standard interior walls
or firewalls (fire-rated walls that run from floor slab to
the slab above, with no gap above a dropped ceiling)
▪ High-security areas must have firewall-grade walls to
provide physical security from potential intruders and
improve resistance to fires
▪ Doors allowing access to high security rooms should be
evaluated
▪ Recommended that push or crash bars be installed on
computer rooms and closets
67. Fire Security and Safety
▪ Most serious threat to safety of people who work in an
organization is possibility of fire
▪ Fires account for more property damage, personal injury,
and death than any other threat
▪ Imperative that physical security plans examine and
implement strong measures to detect and respond to fires
68. Fire Detection and Response
▪ Fire suppression systems: devices installed and
maintained to detect and respond to a fire
▪ Work by denying the fire one of heat, fuel, or oxygen
▪ Water and water mist systems
▪ Carbon dioxide systems
▪ Soda acid systems
▪ Gas-based systems
69. Fire Detection
▪ Fire detection systems fall into two general categories:
manual and automatic
▪ A complete fire safety program also includes individuals
who monitor the chaos of a fire evacuation to prevent an
attacker from accessing offices
▪ There are three basic types of fire detection systems:
thermal detection, smoke detection, flame detection
70. Fire Suppression
▪ Systems consist of portable, manual, or automatic
apparatus
▪ Portable extinguishers are rated by the type of fire: Class
A, Class B, Class C, Class D
▪ Installed systems apply suppressive agents; usually either
sprinkler or gaseous systems
72. Gaseous Emission Systems
▪ Until recently, two types of systems: carbon dioxide
and Halon
▪ Carbon dioxide robs a fire of oxygen supply
▪ Halon is clean but has been classified as an
ozone-depleting substance; new installations are
prohibited
▪ Alternative clean agents include FM-200, Inergen, carbon
dioxide, FE-13 (trifluoromethane)
74. Failure of Supporting Utilities and Structural Collapse
▪ Supporting utilities (heating, ventilation, and air
conditioning; power; water; and others) have significant
impact on continued safe operation of a facility
▪ Each utility must be properly managed to prevent potential
damage to information and information systems
75. Heating, Ventilation, and Air Conditioning
▪ Areas within heating, ventilation, and air conditioning
(HVAC) systems that can cause damage to information
systems include:
▪ Temperature
▪ Filtration
▪ Humidity
▪ Static electricity
76. Ventilation Shafts
▪ While ductwork is small in residential buildings, in large
commercial buildings it can be large enough for an
individual to climb through
▪ If vents are large, security can install wire mesh grids at
various points to compartmentalize the runs
77. Power Management and Conditioning
▪ Electrical quantity (voltage level, amperage rating) is a
concern, as is quality of power (cleanliness, proper
installation)
▪ Noise that interferes with the normal 60 Hertz cycle can
result in inaccurate time clocks or unreliable internal clocks
inside CPU
▪ Grounding ensures that returning flow of current is properly
discharged to ground
▪ Overloading a circuit causes problems with circuit tripping
and can overload electrical cable, increasing risk of fire
78. Uninterruptible Power Supply (UPS)
▪ In case of power outage, UPS is backup power source for
major computer systems
▪ Four basic UPS configurations:
▪ Standby
▪ Ferroresonant standby
▪ Line-interactive
▪ True online (double conversion online)
79. Emergency Shutoff
▪ Important aspect of power management is the need to be
able to stop power immediately should a current represent
a risk to human or machine safety
▪ Most computer rooms and wiring closets are equipped with
an emergency power shutoff
80. Water Problems
▪ Lack of water poses problem to systems, including
functionality of fire suppression systems and ability of
water chillers to provide air-conditioning
▪ Surplus of water, or water pressure, poses a real threat
(flooding, leaks)
▪ Very important to integrate water detection systems into
alarm systems that regulate overall facilities operations
81. Structural Collapse
▪ Unavoidable forces can cause failures of structures that
house organization
▪ Structures designed and constructed with specific load
limits; overloading these limits results in structural failure
and potential injury or loss of life
▪ Periodic inspections by qualified civil engineers assist in
identifying potentially dangerous structural conditions
82. Maintenance of Facility Systems
▪ Physical security must be constantly documented,
evaluated, and tested
▪ Documentation of facility’s configuration, operation, and
function should be integrated into disaster recovery plans
and operating procedures
▪ Testing helps improve the facility’s physical security and
identify weak points
83. Interception of Data
▪ Three methods of data interception:
▪ Direct observation
▪ Interception of data transmission
▪ Electromagnetic interception
▪ U.S. government developed TEMPEST program to reduce
risk of electromagnetic radiation (EMR) monitoring
84. Mobile and Portable Systems
▪ With the increased threat to information security for
laptops, handhelds, and PDAs, mobile computing requires
more security than average in-house system
▪ Many mobile computing systems have corporate
information stored within them; some are configured to
facilitate user’s access into organization’s secure
computing facilities
85. Mobile and Portable Systems (continued)
▪ Controls support security and retrieval of lost or stolen
laptops
▪ CompuTrace software, stored on laptop; reports to a central
monitoring center
▪ Burglar alarms made up of a PC card that contains a motion
detector
87. Remote Computing Security
▪ Remote site computing: away from organizational facility
▪ Telecommuting: computing using telecommunications
including Internet, dial-up, or leased point-to-point links
▪ Employees may need to access networks on business
trips; telecommuters need access from home systems or
satellite offices
▪ To provide secure extension of organization’s internal
networks, all external connections and systems must be
secured
88. Special Considerations for Physical Security Threats
▪ Develop physical security in-house or outsource?
▪ Many qualified and professional agencies
▪ Benefit of outsourcing includes gaining experience and
knowledge of agencies
▪ Downside includes high expense, loss of control over
individual components, and level of trust that must be
placed in another company
▪ Social engineering: use of people skills to obtain
information from employees that should not be released
89. Inventory Management
▪ Computing equipment should be inventoried and inspected
on a regular basis
▪ Classified information should also be inventoried and
managed
▪ Physical security of computing equipment, data storage
media, and classified documents varies for each
organization
90. Summary
▪ Threats to information security that are unique to
physical security
▪ Key physical security considerations in a facility site
▪ Physical security monitoring components
▪ Essential elements of access control
▪ Fire safety, fire detection, and response
▪ Importance of supporting utilities, especially use of
uninterruptible power supplies
▪ Countermeasures to physical theft of computing devices
91. What is the problem?
▪ Computer facility with servers in a facility where:
▪ Humidity varies between 25 and 40 percent
▪ Temperature varies between 75 and 80 degrees F
▪ Dust is a problem
▪ Carpeting is nylon
▪ The ceiling is dropped, with no firewalls
▪ Lock on the door was purchased at Lowe’s for $80
▪ Fire sprinklers were installed in the 1960s
▪ Janitors have a key to the door
92. Questions
▪ What role(s) can accountants/auditors play in the
physical security of information resources?
▪ What are the factors that lead to compromise and
failure of physical security?
▪ How can these be remedied?
▪ Should guards be required to watch Ocean’s Eleven?
94. Introduction
▪ SecSDLC implementation phase is accomplished through
changing configuration and operation of organization’s
information systems
▪ Implementation includes changes to procedures, people,
hardware, software, and data
▪ Organization translates blueprint for information security
into a concrete project plan
95. Information Security Project Management
▪ Once organization’s vision and objectives are understood,
process for creating project plan can be defined
▪ Major steps in executing project plan are:
▪ Planning the project
▪ Supervising tasks and action steps
▪ Wrapping up
▪ Each organization must determine its own project
management methodology for IT and information security
projects
96. Developing the Project Plan
▪ Creation of project plan can be done using work
breakdown structure (WBS)
▪ Major project tasks in WBS are work to be accomplished;
individuals assigned; start and end dates; amount of effort
required; estimated capital and noncapital expenses; and
identification of dependencies between/among tasks
▪ Each major WBS task is further divided into smaller tasks
or specific action steps
97. Project Planning Considerations
▪ As project plan is developed, adding detail is not always
straightforward
▪ Special considerations include financial, priority, time and
schedule, staff, procurement, organizational feasibility, and
training
98. Financial Considerations
▪ No matter what information security needs exist, the
amount of effort that can be expended depends on funds
available
▪ Cost benefit analysis must be verified prior to
development of project plan
▪ Both public and private organizations have budgetary
constraints, though of a different nature
▪ To justify an amount budgeted for a security project at
either public or for-profit organizations, it may be useful to
benchmark expenses of similar organizations
99. Priority Considerations
▪ In general, the most important information security
controls should be scheduled first
▪ Implementation of controls is guided by prioritization of
threats and value of threatened information assets
100. Time and Scheduling Considerations
▪ Time impacts dozens of points in the development of a
project plan, including:
▪ Time to order, receive, install, and configure security control
▪ Time to train the users
▪ Time to realize return on investment of control
101. Staffing Considerations
▪ Lack of enough qualified, trained, and available personnel
constrains project plan
▪ Experienced staff is often needed to implement available
technologies and develop and implement policies and
training programs
102. Procurement Considerations
▪ IT and information security planners must consider
acquisition of goods and services
▪ Many constraints on selection process for equipment and
services in most organizations, specifically in selection of
service vendors or products from manufacturers/suppliers
▪ These constraints may eliminate a technology from realm
of possibilities
103. Organizational Feasibility Considerations
▪ Policies require time to develop; new technologies require
time to be installed, configured, and tested
▪ Employees need training on new policies and technology,
and how new information security program affects their
working lives
▪ Changes should be transparent to system users unless
the new technology is intended to change procedures
(e.g., requiring additional authentication or verification)
104. Training and Indoctrination Considerations
▪ Size of organization and normal conduct of business may
preclude a single large training program on new security
procedures/technologies
▪ Thus, organization should conduct phased-in or pilot
approach to implementation
105. Scope Considerations
▪ Project scope: concerns boundaries of time and
effort-hours needed to deliver planned features and quality
level of project deliverables
▪ Project scope: the functionality that will be delivered by the
new system. (It also includes resources that must be
acquired and disposal of resources no longer needed.)
Projects that are poorly planned may incur “scope creep.”
▪ In the case of information security, project plans should
not attempt to implement the entire security system at one
time
106. The Need for Project Management
▪ Project management requires a unique set of skills and
thorough understanding of a broad body of specialized
knowledge
▪ Most information security projects require a trained project
manager (a CISO) or skilled IT manager versed in project
management techniques
112. Supervised Implementation
▪ Some organizations may designate champion from
general management community of interest to supervise
implementation of information security project plan
▪ An alternative is to designate senior IT manager or CIO to
lead implementation
▪ Optimal solution is to designate a suitable person from
information security community of interest
▪ It is up to each organization to find the most suitable
leadership for a successful project implementation
113. Executing the Plan
▪ Negative feedback ensures project progress is measured
periodically
▪ Measured results compared against expected results
▪ When significant deviation occurs, corrective action taken
▪ Often, project manager can adjust one of three
parameters for task being corrected: effort and money
allocated; scheduling impact; quality or quantity of
deliverable
114. Project Wrap-up (Post-Audit)
▪ Project wrap-up is usually handled as procedural task and
assigned to mid-level IT or information security manager
▪ Collect documentation, finalize status reports, and deliver
final report and presentation at wrap-up meeting
▪ Goal of wrap-up is to resolve any pending issues, critique
overall project effort, and draw conclusions about how to
improve process
115. Technical Topics of Implementation
▪ Some parts of implementation process are technical in
nature, dealing with application of technology
▪ Others are not, dealing instead with human interface to
technical systems
116. Conversion Strategies
▪ As components of new security system are planned,
provisions must be made for changeover from previous
method of performing task to new method
▪ Four basic approaches:
▪ Direct changeover
▪ Phased implementation
▪ Pilot implementation
▪ Parallel operations
117. The Bull’s-Eye Model
▪ Proven method for prioritizing program of complex change
▪ Issues addressed from general to specific; focus is on
systematic solutions and not individual problems
▪ Relies on process of evaluating project plans in
progression through four layers: policies, networks,
systems, applications
119. To Outsource or Not
▪ Just as some organizations outsource IT operations,
organizations can outsource part or all of information
security programs
▪ Due to complex nature of outsourcing, it’s advisable to
hire best outsourcing specialists and retain best attorneys
possible to negotiate and verify legal and technical
intricacies
120. Technology Governance and Change Control
▪ Technology governance: complex process an organization
uses to manage impact and costs from technology
implementation, innovation, and obsolescence
▪ By managing the process of change, organization can
improve communication; enhance coordination; reduce
unintended consequences; improve quality of service; and
ensure groups are complying with policies
▪ (Note that there is also a separate change management
process for changes to existing information systems.)
121. Nontechnical Aspects of Implementation
▪ Other parts of implementation process are not technical in
nature, dealing with the human interface to technical
systems
▪ Include creating a culture of change management as well
as considerations for organizations facing change
122. The Culture of Change Management
▪ Prospect of change can cause employees to build up
resistance to change
▪ The stress of change can increase the probability of
mistakes or create vulnerabilities
▪ Resistance to change can be lowered by building
resilience for change
▪ Lewin change model: unfreezing, moving, refreezing
123. Considerations for Organizational Change
▪ Steps can be taken to make organization more amenable
to change:
▪ Reducing resistance to change from beginning of planning
process
▪ Develop culture that supports change
124. Reducing Resistance to Change from the Start
▪ The more ingrained the previous methods and behaviors,
the more difficult the change
▪ Best to improve interaction between affected members of
organization and project planners in early project phases
▪ Three-step process for project managers: communicate,
educate, and involve
125. Developing a Culture that Supports Change
▪ Ideal organization fosters resilience to change
▪ Resilience: organization has come to expect change as a
necessary part of organizational culture, and embracing
change is more productive than fighting it
▪ To develop such a culture, organization must successfully
accomplish many projects that require change
126. Information Systems Security Certification and Accreditation
▪ Certification versus Accreditation
▪ Accreditation: authorizes IT system to process, store, or
transmit information; assures systems of adequate quality
▪ Certification: evaluation of technical and nontechnical
security controls of IT system establishing extent to which
design and implementation meet security requirements
▪ SP 800-37: Guidelines for the Security Certification and
Accreditation of Federal Information Technology Systems
▪ NSTISS Instruction-1000: National Information Assurance
Certification and Accreditation Process (NIACAP)
▪ ISO 17799/27001 Systems Certification and Accreditation