Jorge Sebastiao, profile picture
Uploaded byJorge Sebastiao
10,750 views

Integrating Physical And Logical Security

The document discusses the integration of physical and logical security, focusing on the need for a cohesive approach that protects both physical assets and information systems. It outlines various security challenges, including human errors and technological vulnerabilities, while emphasizing the importance of layered security and continuous monitoring. Additionally, it highlights the benefits of integrated security management for reducing vulnerabilities, cost savings, and enhancing overall business security.

Embed presentation

Integrating Physical & Logical Security Jorge Sebastião, CISSP, ISP, BSLA Founder and CEO “ Security is:… a continuous skilled process which safeguards your business value…” Jorge S., 1999
Security Protection systems Safeguard assets Safeguard of personnel Integrate People, Process, Technology Two major types: Physical Security Information Security (infosec)
Physical Security-Focus Protection of physical assets Personnel Buildings Computing Facilities Physical Access Control Power
Information Security-Focus Protection of information assets Computer Systems Data Networks Databases, Applications Logical Access Control Disaster Recovery
Signal also applies to cars of other colors
Signal also applies to cars of other colors
Scenario CFO Traveling abroad for 2 weeks Normally in Riyadh HQ Office Now in Dubai visiting Non-Integrated, non-compatible physical access control Trusted employee uses CFO password to access confidential data in Riyadh Normal working hours Sensitive files shared with competitors No Alarm raised by system??? No violation in either physical sec or infosec systems
Data Center
Threats and risks Human faults Operational disruptions Software Faults In-compatability Fraud Forgery Access Control Espionage Illegal copying Virus Natural phenomena Fire, Smoke, Explosion Destruction, Sabotage Power Failure Water Damage Leakage Theft Vandalism Delivery Problem Service Disruption Loss of Key personnel Notice to quit, Sickness
Security as: TPP Technology Process People
Attack-NCR, IBM ATMs UAE Bank Attack May-June 2003 Exploits ATM Vulnerabilities Special Device capture cards Physical Security 1.5-?.? Million Dhs Technology
Microsoft SQL Slammer Worm 25/01/2003 Exploits SQL Server 2000 Vulnerabilities Document since July 2002 Traveled Globe in 15 min Process
Verisign Verisign 22/03/2001 Someone tricked digital security specialist VeriSign ( VRSN ) , which authenticates parties in e-commerce transactions, into issuing two digital certificates with Microsoft's name on them. The certificates could be used by a malicious poseur to spread viruses or other harmful programs by camouflaging them as Microsoft software. People
PDR Defence in Depth (layered security) No Single Point of Vulnerability Centralized Security Management Heterogeneous Effective Process Implement Protection, Detection, Response PROTECTION DETECTION RESPONSE FORENSICS
Security = Time Protection Detection Response SECURITY P>D+R Anti-virus VPN Access Control Firewall Intrusion Prevention Managed Services CIRT Patch Mgmt Vulnerability Testing Intrusion Detection CCTV Log Correlation
Securing the System Effective security requires a balanced application of all methods Personnel System Security Computer Security Physical Security Process Encryption
Security Continuous process ASSESS ARCHITECT APPLY ADMINISTER Business Risk Controls Maturity
Integrated Security Management Business Security Management Physical Security Management ICT Security Management
Security Management Processes
Convergence APPLY
Identity and Access Management Strategic Context Physical Security Network / System Application / Data Suppliers, Partners, Customers Employees
New Boundaries Platforms Data Center Laptops PDA Mobiles Distributed Access Dialup, ADSL, VPN VSAT Wifi, WiMax GPRS/3G Communication Centric Applications Web Email IPM VoIP Multiple Networks Intranet Extranet Internet Users Employees Partners Suppliers Customers Consumers/Prospects Location Office Internet Café/Restaurants Airport Hotels Home
Identity and Access Management Interoperability Control Loosely-coupled, Dynamic exterior Tightly-coupled, Persistent interior Intranet Extranets Customers Partners/Suppliers Employees Consumers Internet
Identity and Access Management Flexibility Intranet Extranets Internet Control Customers Partners/Suppliers Employees Consumers Federation, Cooperation Integration
Physical Security Physical Security Sprinkler hallon Alarm System UPS CCTV System Intrusion Detection Intercom Evacuation Physical Access Control Elevator Fire HVAC Lighting Power Mgmt
Physical Security Architecture
Biometrics Example
Storage SMART CCTV + biometrics Corporate LAN / WAN / VLAN Internet
Records Physical Protection
Physical Security
 
Info warfare C4 Command, Control, Communications, Computers
Logical Security Physical Security Data Encryption Host Intrusion Detection Antivirus Perimeter Security Network Intrusion Detection Remote Client VPN Access Control Remote Clientless HTTPS Disaster Recovery Content Filtering Anti-spam Intrusion Prevention Wireless Security Network / System Application/Data
Architecture Layers Extended Perimeter Perimeter Layer Control Layer Resource Layer Identity & Access Mgmt Physical Security Integrated Directory Security Management Policy Management Remote Employees Consumers Partners Customers Suppliers
Identity and Access Management Context Business policy: legal, liability, assurance for transactions Relationships to organization Applications/Services: access control and authorization Identity and information Presentation/Personalization: Identification Relationships Authentication: Identity (Person)
Architecture and Infrastructure Directory Access Mgmt Portal/Device Identity Mgmt Policy Propagation Administration Control Access Resources Authentication Authorization User Device? Applications Platforms Databases Physical Services
SSO~~Security SSO and security Reducing sign-on a goal S ingle sign on is a risk in security compromise Standard authentication infrastructure is good SSO is not always realistic Different applications Different security Different application states Policy drives No single credential should give access to everything
Where to spend? High Low Excessive Exposure Low High R I S K SECURITY INVESTMENT Excessive Cost Appropriate Security
Return On Investment (ROI)? ROI Curve Security Investment ROI design= 21% ROI implementation= 21% ROI testing= 12% ROI
Security Architecture Incidence Response Operational Monitoring Administration Change Procedures Guidelines Roles and Responsibilities Incident Reporting Physical Dynamic Controls Selection Policy Configurations Baselines Standards Awareness Education Training Logical BIA Mapping Perimeter Architecture InfoSec Policy Security Organization Conceptual P > D + R Strategy Scope Executive InfoSec Policy Steering Committee Contextual Time (Risk Management) Technology Process People
Beyond Technology
Knowledge Base Incidence Response Applying the Knowledge Incidence Response Multiple Sources of Information Partners, Vendors, CERT ,… Internal Security Research Internet, Mailing lists and other sources ADMINISTER
Integrated P+D+R Enterprise Security Management Routers Switches Firewall N-IDS H-IDS IPS Hosts Antivirus Access Ctrl Biometrics Smart Cards Power UPS Fire CCTV P-IDS Alarms Others…. 1.Logs 5. Response 2. Encrypted Logs 3. Analysis 6. (Ongoing) Patching Incidence Response Knowledge 4. Alerting
Incidence Response Incident Response Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate
Integrated Infosec Framework Vulnerability & Risk Assessment Assess, Audits VA, Pen-Testing, Risk Technology Strategy & Usage Technology, Tools Policy Insfosec Policy, Standards Security Architecture and Technical Standards Technical Architecture Technical Standards, Baselines Security Model Information Classification and Controls Administrative and End-User Guidelines and Procedures Implementation and Configurations Administration Guidelines and Procedures Recovery Processes Incidence Response Processes Enforcement Processes Compliance Mgmt Processes CEO, Senior Management ISMS, Information Assets, IT Infrastructure Awareness, Training, Education Monitoring Processes Monitoring Processes Security Strategy Business Initiatives & Processes Business Initiatives & Processes Vulnerabilities Threats
Benefits of integration Better Security Less Vulnerabilities Better Auditing Cost Savings Mitigate legal liability (negligence)
Challenges Lack of Standards Focus on technology rather then management Reluctance of physical security to embrace ICT / IT No roadmap for organization readiness www.opensecurityexchange.com
Initiatives example www.opensecurityexchange.com X-industry collaboration Initial participants CA Gemplus HID Software House PHYSBITS-Physical Security bridge to IT
?

More Related Content

PPTX
Information Security Risk Management
byNikhil Soni
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPTX
Security risk management
byPrachi Gulihar
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Information security
byavinashbalakrishnan2
 
PPTX
Physical security
byTariq Mahmood
 
PDF
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
Information Security Risk Management
byNikhil Soni
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
Security risk management
byPrachi Gulihar
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Information security
byavinashbalakrishnan2
 
Physical security
byTariq Mahmood
 
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 

What's hot

PPTX
Security Policies and Standards
byprimeteacher32
 
PPT
Physical security
byDhani Ahmad
 
PPT
IT Security management and risk assessment
byCAS
 
PPTX
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
PDF
Risk Assessments
byJoAnna Cheshire
 
PPTX
Security Information and Event Management (SIEM)
byk33a
 
PDF
Information Security Risk Management
byErsoy AKSOY
 
PPTX
The Six Stages of Incident Response
byDarren Pauli
 
PDF
1. Security and Risk Management
bySam Bowne
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PPTX
Information Security Governance and Strategy - 3
byDam Frank
 
PDF
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PPT
information security management
byGurpreetkaur838
 
PPSX
8 Access Control
byAlfred Ouyang
 
PDF
Cyber Security Governance
byPriyanka Aash
 
PPT
3.5 ICT Policies
bymrmwood
 
PPTX
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
PPS
Physical security.ppt
byFaheem Ul Hasan
 
PPT
Legal, Ethical and professional issues in Information Security
byGamentortc
 
Security Policies and Standards
byprimeteacher32
 
Physical security
byDhani Ahmad
 
IT Security management and risk assessment
byCAS
 
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
Risk Assessments
byJoAnna Cheshire
 
Security Information and Event Management (SIEM)
byk33a
 
Information Security Risk Management
byErsoy AKSOY
 
The Six Stages of Incident Response
byDarren Pauli
 
1. Security and Risk Management
bySam Bowne
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
Information Security Governance and Strategy - 3
byDam Frank
 
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
NIST cybersecurity framework
byShriya Rai
 
information security management
byGurpreetkaur838
 
8 Access Control
byAlfred Ouyang
 
Cyber Security Governance
byPriyanka Aash
 
3.5 ICT Policies
bymrmwood
 
Cybersecurity 1. intro to cybersecurity
bysommerville-videos
 
Physical security.ppt
byFaheem Ul Hasan
 
Legal, Ethical and professional issues in Information Security
byGamentortc
 

Viewers also liked

PPTX
Computer , Internet and physical security.
byAnkur Kumar
 
PDF
Physical Security Presentation
byWajahat Rajab
 
PPSX
6 Physical Security
byAlfred Ouyang
 
PDF
Identity and Access Management 101
byJerod Brennen
 
DOC
Iso 9001 audit procedures
bypertermasuki
 
PDF
Tiny house-design-and-construction-guide-sample
byInnoBuild
 
PDF
Data center Building & General Specification
byAli Mirfallah
 
PPTX
Online media planning & strategy
byneetant
 
PPTX
What is the difference between Whole Life and Indexed Universal Life for Reti...
byMichael Grigsby
 
PPTX
Consumer Behav-Hispanic Subculture
bys_mclamore
 
PPT
Basic Intravenous Therapy 1: Anatomy
byRonald Magbitang
 
PDF
Mercedes-Benz Case Study: Getting more mileage from shareable content with Li...
byLinkedIn
 
PDF
Performance Scenario: Diagnosing and resolving sudden slow down on two node RAC
byKristofferson A
 
PPTX
Big Data Readiness Assessment
byChristopher Bradley
 
PDF
Hadoop scalability
byWANdisco Plc
 
PPS
Innovative Changes In Human Resource Management
byAshish Kumar
 
PDF
What is mechatronic system simulation
bySiemens PLM Software
 
PPTX
Group development and turning groups into effective teams
byAl - Qurmoshi Institute of Business Management, Hyderabad
 
PDF
Media Planning & buying Basics
bySachin Kapur
 
PDF
Design of packed columns
byalsyourih
 
Computer , Internet and physical security.
byAnkur Kumar
 
Physical Security Presentation
byWajahat Rajab
 
6 Physical Security
byAlfred Ouyang
 
Identity and Access Management 101
byJerod Brennen
 
Iso 9001 audit procedures
bypertermasuki
 
Tiny house-design-and-construction-guide-sample
byInnoBuild
 
Data center Building & General Specification
byAli Mirfallah
 
Online media planning & strategy
byneetant
 
What is the difference between Whole Life and Indexed Universal Life for Reti...
byMichael Grigsby
 
Consumer Behav-Hispanic Subculture
bys_mclamore
 
Basic Intravenous Therapy 1: Anatomy
byRonald Magbitang
 
Mercedes-Benz Case Study: Getting more mileage from shareable content with Li...
byLinkedIn
 
Performance Scenario: Diagnosing and resolving sudden slow down on two node RAC
byKristofferson A
 
Big Data Readiness Assessment
byChristopher Bradley
 
Hadoop scalability
byWANdisco Plc
 
Innovative Changes In Human Resource Management
byAshish Kumar
 
What is mechatronic system simulation
bySiemens PLM Software
 
Group development and turning groups into effective teams
byAl - Qurmoshi Institute of Business Management, Hyderabad
 
Media Planning & buying Basics
bySachin Kapur
 
Design of packed columns
byalsyourih
 

Similar to Integrating Physical And Logical Security

PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PPTX
Cyber Security # Lec 4
byKabul Education University
 
PDF
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
PPTX
Advanced Operating System Principles.pptx
byyuvapapa26
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
PPTX
Topic11
byAnne Starr
 
PDF
network security.pdf
byKIYALIBAN1
 
PDF
CyberSecurity101.pdf
byDhananjaySingh23178
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PPT
Essentials Of Security
byxsy
 
PPT
Cybercrime future perspectives
bySensePost
 
PPTX
Types of Security in Industrial Security
byRJCubillo
 
PDF
CISSP Domain: Identity and Access Management (IAM) – Securing Access to Peopl...
byInfosecTrain
 
PDF
CISSP Domain 5 Understanding Identity and Access Management Mind map
bypriyanshamadhwal2
 
PDF
CISSP Domain 5 Identity and Access Management (IAM).pdf
byinfosecTrain
 
PDF
Acuent Security
byStephen Bates
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
Cyber Security # Lec 4
byKabul Education University
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
byPlatformSecurityManagement
 
Advanced Operating System Principles.pptx
byyuvapapa26
 
1. Security and Risk Management
bySam Bowne
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
Topic11
byAnne Starr
 
network security.pdf
byKIYALIBAN1
 
CyberSecurity101.pdf
byDhananjaySingh23178
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Essentials Of Security
byxsy
 
Cybercrime future perspectives
bySensePost
 
Types of Security in Industrial Security
byRJCubillo
 
CISSP Domain: Identity and Access Management (IAM) – Securing Access to Peopl...
byInfosecTrain
 
CISSP Domain 5 Understanding Identity and Access Management Mind map
bypriyanshamadhwal2
 
CISSP Domain 5 Identity and Access Management (IAM).pdf
byinfosecTrain
 
Acuent Security
byStephen Bates
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 

More from Jorge Sebastiao

PPTX
Real estate tokenization and blockchain
byJorge Sebastiao
 
PPTX
Blockchain and covid19 v3
byJorge Sebastiao
 
PPTX
Top tech shapping startups
byJorge Sebastiao
 
PPTX
Blockchain and security v3
byJorge Sebastiao
 
PPTX
The road to blockchain 5.0
byJorge Sebastiao
 
PPTX
Cyber Warfare 4TH edition
byJorge Sebastiao
 
PPTX
How AI is Disrupting Traffic Management in Smart City
byJorge Sebastiao
 
PPTX
Ai and traffic management application v1.0
byJorge Sebastiao
 
PPTX
Practical analytics hands-on to cloud & IoT cyber threats
byJorge Sebastiao
 
PPTX
Dz hackevent 2019 Middle East Cyberwars V3
byJorge Sebastiao
 
PPTX
AI HR and Future Jobs Version 2.1
byJorge Sebastiao
 
PPTX
Cyber fear obstacles to info sharing-Version 2
byJorge Sebastiao
 
PPTX
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
PPTX
Datamatix GCC HR future jobs Version 1.3
byJorge Sebastiao
 
PPTX
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
PPTX
RTA AI for traffic management version 1.4
byJorge Sebastiao
 
PPTX
IGF2017 Data is new oil - UN Internet Governance Forum
byJorge Sebastiao
 
PPTX
ADIPEC physical and Infosec for Oil and Gas
byJorge Sebastiao
 
PPTX
AVSEC are you flying cybersafe?
byJorge Sebastiao
 
PPTX
Are we ready for IoT? VU Version 7
byJorge Sebastiao
 
Real estate tokenization and blockchain
byJorge Sebastiao
 
Blockchain and covid19 v3
byJorge Sebastiao
 
Top tech shapping startups
byJorge Sebastiao
 
Blockchain and security v3
byJorge Sebastiao
 
The road to blockchain 5.0
byJorge Sebastiao
 
Cyber Warfare 4TH edition
byJorge Sebastiao
 
How AI is Disrupting Traffic Management in Smart City
byJorge Sebastiao
 
Ai and traffic management application v1.0
byJorge Sebastiao
 
Practical analytics hands-on to cloud & IoT cyber threats
byJorge Sebastiao
 
Dz hackevent 2019 Middle East Cyberwars V3
byJorge Sebastiao
 
AI HR and Future Jobs Version 2.1
byJorge Sebastiao
 
Cyber fear obstacles to info sharing-Version 2
byJorge Sebastiao
 
Blockchain & cyber security Algeria Version 1.1
byJorge Sebastiao
 
Datamatix GCC HR future jobs Version 1.3
byJorge Sebastiao
 
Cyber security crypto blockchain Version 3.2
byJorge Sebastiao
 
RTA AI for traffic management version 1.4
byJorge Sebastiao
 
IGF2017 Data is new oil - UN Internet Governance Forum
byJorge Sebastiao
 
ADIPEC physical and Infosec for Oil and Gas
byJorge Sebastiao
 
AVSEC are you flying cybersafe?
byJorge Sebastiao
 
Are we ready for IoT? VU Version 7
byJorge Sebastiao
 

Recently uploaded

PDF
How to Safely Buy Instagram Accounts in 2025 (1).pdf
byxuexmv3qbymlv32ohdjf
 
PDF
How To Buy, Verified Wise Account in 2026.pdf
byzze2jltsflran03jy3m
 
PDF
Dubai Multi Commodities Centre (DMCC) – Supplier Code of Conduct Policy
byDubai Multi Commodity Centre
 
PDF
Deckers stock picking idea from October 2025
byMathias Lascar
 
PPTX
Business Improvement blue and white scribble art presentation
byAndrew Laurey
 
PDF
How to Buy Snapchat Account( 9.7) A Step-by-Step Guide ... (2).pdf
byxuexmv3qbymlv32ohdjf
 
PDF
Buying Snapchat Accounts in 2026 first year.pdf
byh55oga0kd25m12iaza2
 
PDF
BTP - GK 2025-4 (1) Consulting Marketing.pdf
byAyushNath13
 
DOCX
Guide to Safely Buy a Verified Binance Account Today.docx
byh55oga0kd25m12iaza2
 
PDF
Unlock the Power of Leadership: The Electrolux Manufacturing System (EMS) Way
byKaiNexus
 
PDF
Top 7 Places to Buy Aged LinkedIn Accounts and Should ....pdf
byh55oga0kd25m12iaza2
 
PDF
Best 7 Sites to Buy Verified Venmo Accounts With Zero ....pdf
bybxi4tn48i3wkgpbyyfg
 
PDF
Buy Verified Western Union Accounts - in the United States (1).pdf
bykeb2bq5cegc6m2xa32ay
 
PDF
Buy LinkedIn Accounts_ Step-by-Step Guide for 2025.pdf
byndsfcm3nubx18jc4s6f4
 
PDF
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
PDF
Buy Verified Western Union Accounts - in the United States.pdf
bykeb2bq5cegc6m2xa32ay
 
DOCX
Best Place To Purchase Verified OnlyFans Accounts.docx
bymarketing
 
PDF
Updated-costings-on-changes-to-PPF-compensation-levels---with-31-March-2025-f...
byHenry Tapper
 
PDF
Buy Verified Google Ads Accounts to Maximize #ROI and Launch High-Impact #PPC...
byusasmmpva3211
 
PDF
IIMA 25-26 Prodman Marketing Consulting Finance.pdf
byAyushNath13
 
How to Safely Buy Instagram Accounts in 2025 (1).pdf
byxuexmv3qbymlv32ohdjf
 
How To Buy, Verified Wise Account in 2026.pdf
byzze2jltsflran03jy3m
 
Dubai Multi Commodities Centre (DMCC) – Supplier Code of Conduct Policy
byDubai Multi Commodity Centre
 
Deckers stock picking idea from October 2025
byMathias Lascar
 
Business Improvement blue and white scribble art presentation
byAndrew Laurey
 
How to Buy Snapchat Account( 9.7) A Step-by-Step Guide ... (2).pdf
byxuexmv3qbymlv32ohdjf
 
Buying Snapchat Accounts in 2026 first year.pdf
byh55oga0kd25m12iaza2
 
BTP - GK 2025-4 (1) Consulting Marketing.pdf
byAyushNath13
 
Guide to Safely Buy a Verified Binance Account Today.docx
byh55oga0kd25m12iaza2
 
Unlock the Power of Leadership: The Electrolux Manufacturing System (EMS) Way
byKaiNexus
 
Top 7 Places to Buy Aged LinkedIn Accounts and Should ....pdf
byh55oga0kd25m12iaza2
 
Best 7 Sites to Buy Verified Venmo Accounts With Zero ....pdf
bybxi4tn48i3wkgpbyyfg
 
Buy Verified Western Union Accounts - in the United States (1).pdf
bykeb2bq5cegc6m2xa32ay
 
Buy LinkedIn Accounts_ Step-by-Step Guide for 2025.pdf
byndsfcm3nubx18jc4s6f4
 
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
Buy Verified Western Union Accounts - in the United States.pdf
bykeb2bq5cegc6m2xa32ay
 
Best Place To Purchase Verified OnlyFans Accounts.docx
bymarketing
 
Updated-costings-on-changes-to-PPF-compensation-levels---with-31-March-2025-f...
byHenry Tapper
 
Buy Verified Google Ads Accounts to Maximize #ROI and Launch High-Impact #PPC...
byusasmmpva3211
 
IIMA 25-26 Prodman Marketing Consulting Finance.pdf
byAyushNath13
 

Integrating Physical And Logical Security

  • 1.
    Integrating Physical &Logical Security Jorge Sebastião, CISSP, ISP, BSLA Founder and CEO “ Security is:… a continuous skilled process which safeguards your business value…” Jorge S., 1999
  • 2.
    Security Protection systemsSafeguard assets Safeguard of personnel Integrate People, Process, Technology Two major types: Physical Security Information Security (infosec)
  • 3.
    Physical Security-Focus Protectionof physical assets Personnel Buildings Computing Facilities Physical Access Control Power
  • 4.
    Information Security-Focus Protectionof information assets Computer Systems Data Networks Databases, Applications Logical Access Control Disaster Recovery
  • 5.
    Signal also appliesto cars of other colors
  • 6.
    Signal also appliesto cars of other colors
  • 7.
    Scenario CFO Travelingabroad for 2 weeks Normally in Riyadh HQ Office Now in Dubai visiting Non-Integrated, non-compatible physical access control Trusted employee uses CFO password to access confidential data in Riyadh Normal working hours Sensitive files shared with competitors No Alarm raised by system??? No violation in either physical sec or infosec systems
  • 8.
  • 9.
    Threats and risksHuman faults Operational disruptions Software Faults In-compatability Fraud Forgery Access Control Espionage Illegal copying Virus Natural phenomena Fire, Smoke, Explosion Destruction, Sabotage Power Failure Water Damage Leakage Theft Vandalism Delivery Problem Service Disruption Loss of Key personnel Notice to quit, Sickness
  • 10.
    Security as: TPPTechnology Process People
  • 11.
    Attack-NCR, IBM ATMsUAE Bank Attack May-June 2003 Exploits ATM Vulnerabilities Special Device capture cards Physical Security 1.5-?.? Million Dhs Technology
  • 12.
    Microsoft SQL SlammerWorm 25/01/2003 Exploits SQL Server 2000 Vulnerabilities Document since July 2002 Traveled Globe in 15 min Process
  • 13.
    Verisign Verisign 22/03/2001 Someone tricked digital security specialist VeriSign ( VRSN ) , which authenticates parties in e-commerce transactions, into issuing two digital certificates with Microsoft's name on them. The certificates could be used by a malicious poseur to spread viruses or other harmful programs by camouflaging them as Microsoft software. People
  • 14.
    PDR Defence inDepth (layered security) No Single Point of Vulnerability Centralized Security Management Heterogeneous Effective Process Implement Protection, Detection, Response PROTECTION DETECTION RESPONSE FORENSICS
  • 15.
    Security = TimeProtection Detection Response SECURITY P>D+R Anti-virus VPN Access Control Firewall Intrusion Prevention Managed Services CIRT Patch Mgmt Vulnerability Testing Intrusion Detection CCTV Log Correlation
  • 16.
    Securing the SystemEffective security requires a balanced application of all methods Personnel System Security Computer Security Physical Security Process Encryption
  • 17.
    Security Continuous processASSESS ARCHITECT APPLY ADMINISTER Business Risk Controls Maturity
  • 18.
    Integrated Security ManagementBusiness Security Management Physical Security Management ICT Security Management
  • 19.
  • 20.
  • 21.
    Identity and AccessManagement Strategic Context Physical Security Network / System Application / Data Suppliers, Partners, Customers Employees
  • 22.
    New Boundaries PlatformsData Center Laptops PDA Mobiles Distributed Access Dialup, ADSL, VPN VSAT Wifi, WiMax GPRS/3G Communication Centric Applications Web Email IPM VoIP Multiple Networks Intranet Extranet Internet Users Employees Partners Suppliers Customers Consumers/Prospects Location Office Internet Café/Restaurants Airport Hotels Home
  • 23.
    Identity and AccessManagement Interoperability Control Loosely-coupled, Dynamic exterior Tightly-coupled, Persistent interior Intranet Extranets Customers Partners/Suppliers Employees Consumers Internet
  • 24.
    Identity and AccessManagement Flexibility Intranet Extranets Internet Control Customers Partners/Suppliers Employees Consumers Federation, Cooperation Integration
  • 25.
    Physical Security PhysicalSecurity Sprinkler hallon Alarm System UPS CCTV System Intrusion Detection Intercom Evacuation Physical Access Control Elevator Fire HVAC Lighting Power Mgmt
  • 26.
  • 27.
  • 28.
    Storage SMART CCTV+ biometrics Corporate LAN / WAN / VLAN Internet
  • 29.
  • 30.
  • 31.
  • 32.
    Info warfare C4Command, Control, Communications, Computers
  • 33.
    Logical Security PhysicalSecurity Data Encryption Host Intrusion Detection Antivirus Perimeter Security Network Intrusion Detection Remote Client VPN Access Control Remote Clientless HTTPS Disaster Recovery Content Filtering Anti-spam Intrusion Prevention Wireless Security Network / System Application/Data
  • 34.
    Architecture Layers ExtendedPerimeter Perimeter Layer Control Layer Resource Layer Identity & Access Mgmt Physical Security Integrated Directory Security Management Policy Management Remote Employees Consumers Partners Customers Suppliers
  • 35.
    Identity and AccessManagement Context Business policy: legal, liability, assurance for transactions Relationships to organization Applications/Services: access control and authorization Identity and information Presentation/Personalization: Identification Relationships Authentication: Identity (Person)
  • 36.
    Architecture and InfrastructureDirectory Access Mgmt Portal/Device Identity Mgmt Policy Propagation Administration Control Access Resources Authentication Authorization User Device? Applications Platforms Databases Physical Services
  • 37.
    SSO~~Security SSO andsecurity Reducing sign-on a goal S ingle sign on is a risk in security compromise Standard authentication infrastructure is good SSO is not always realistic Different applications Different security Different application states Policy drives No single credential should give access to everything
  • 38.
    Where to spend?High Low Excessive Exposure Low High R I S K SECURITY INVESTMENT Excessive Cost Appropriate Security
  • 39.
    Return On Investment(ROI)? ROI Curve Security Investment ROI design= 21% ROI implementation= 21% ROI testing= 12% ROI
  • 40.
    Security Architecture IncidenceResponse Operational Monitoring Administration Change Procedures Guidelines Roles and Responsibilities Incident Reporting Physical Dynamic Controls Selection Policy Configurations Baselines Standards Awareness Education Training Logical BIA Mapping Perimeter Architecture InfoSec Policy Security Organization Conceptual P > D + R Strategy Scope Executive InfoSec Policy Steering Committee Contextual Time (Risk Management) Technology Process People
  • 41.
  • 42.
    Knowledge Base IncidenceResponse Applying the Knowledge Incidence Response Multiple Sources of Information Partners, Vendors, CERT ,… Internal Security Research Internet, Mailing lists and other sources ADMINISTER
  • 43.
    Integrated P+D+R EnterpriseSecurity Management Routers Switches Firewall N-IDS H-IDS IPS Hosts Antivirus Access Ctrl Biometrics Smart Cards Power UPS Fire CCTV P-IDS Alarms Others…. 1.Logs 5. Response 2. Encrypted Logs 3. Analysis 6. (Ongoing) Patching Incidence Response Knowledge 4. Alerting
  • 44.
    Incidence Response IncidentResponse Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate
  • 45.
    Integrated Infosec FrameworkVulnerability & Risk Assessment Assess, Audits VA, Pen-Testing, Risk Technology Strategy & Usage Technology, Tools Policy Insfosec Policy, Standards Security Architecture and Technical Standards Technical Architecture Technical Standards, Baselines Security Model Information Classification and Controls Administrative and End-User Guidelines and Procedures Implementation and Configurations Administration Guidelines and Procedures Recovery Processes Incidence Response Processes Enforcement Processes Compliance Mgmt Processes CEO, Senior Management ISMS, Information Assets, IT Infrastructure Awareness, Training, Education Monitoring Processes Monitoring Processes Security Strategy Business Initiatives & Processes Business Initiatives & Processes Vulnerabilities Threats
  • 46.
    Benefits of integrationBetter Security Less Vulnerabilities Better Auditing Cost Savings Mitigate legal liability (negligence)
  • 47.
    Challenges Lack ofStandards Focus on technology rather then management Reluctance of physical security to embrace ICT / IT No roadmap for organization readiness www.opensecurityexchange.com
  • 48.
    Initiatives example www.opensecurityexchange.com X-industry collaboration Initial participants CA Gemplus HID Software House PHYSBITS-Physical Security bridge to IT
  • 49.