
Information Security Fall Semester 2016 - Course Wrap Up Summary

This presentation is a summary, for the students of the IS 365/765 course I teach, at the University of Wisconsin-Madison, providing a 104 slide reminder of the most important topics in Information Security, which we covered throughout the semester. Today is the last day of course material. We have 4 days of student team presentations, to follow.

  • Interesting Course! Air Gap Security Breaches are a mounting concern, do you have any recommendations? Are you interested in an option to provide Industrial assets with a Real Time Model Based Method of Minimum Evidence using Material Balance modeling to thwart cyber attacks? www.provision-soft.com


  1. Information Security 365/765, Fall Semester, 2016 Course Instructor, Nicholas Davis, CISSP, CISA Lecture 17, Course Summary
  2. Agenda • Today’s chocolate bars---best for last---Caramel! • Housekeeping – Written Assignments • Discuss Team Presentations • Course Summary Presentation • Student Evaluations • Meet with your team, to work on your final presentation 11/29/2016 UNIVERSITY OF WISCONSIN 2
  3. Security Controls Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
  4. C I A We will never forget that Information Security is comprised of • Confidentiality • Integrity • Availability We must work to balance all three, in order to have effective security
  5. Categories of Controls Computer security is divided into three distinct master categories, commonly referred to as controls: • Physical • Technical • Administrative
  6. Information Security is Made of Four Ingredients Solid security requires: • Hardware • Software • People • Procedures All working in tandem (together)
  7. Let’s Watch the Story Written Assignment #1 Don’t worry about taking notes, you can watch the video again, later https://www.youtube.com/watch?v=TEYRLDvJaxo https://www.youtube.com/watch?v=Fw8ZorTB7_o
  8. Ashley Madison! We talked about Ashley Madison! • What happened? • Who were the victims? • What are the implications?
  9. Common Technical Weaknesses in IT We discussed the most common corporate IT weaknesses: • Incorrect firewall configurations • Unpatched web server vulnerabilities • Databases which accept requests from any source • Lack of intrusion detection systems • Lack of intrusion prevention systems • Failure to disable unused protocols • Failure to teach proper secure software coding to programmers • Failure to sanitize data
  10. Defense in Depth We learned about Defense in Depth, using multiple controls, in case one fails • Use better granular control for both processes and people’s access rights • Better physical security • Perform routine monitoring and auditing • Develop staff who are more proficient in the tools and methods of information security
  11. So Many Definitions! We learned the differences between: • Vulnerability • Threat • Risk • Exposure
  12. Obscurity does Not Equal Security
  13. Planning for IT Security The three planning areas of IT security and the area we do not wish to work in • Strategic • Tactical • Operational
  14. IT Risk Analysis We learned to do an IT Risk Analysis • Identify assets and their values • Identify vulnerabilities and threats • Quantify the probability and business impact of these potential threats • Provide an economic balance between the impact of the threat and the cost of the countermeasure
  15. Hiring Practices • Job skill screening • Reference check • Non-disclosure agreement (NDA) signed • Education verification • Criminal background check • Credit report check • Sex offender check • Drug screening • Professional license check • Immigration status check • Social Security Number trace to ensure validity
  16. Employee Controls • Rotation of duties: no one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of the business • Mandatory vacation policy
  17. Termination Practices • Each company needs a set of pre-defined termination procedures • Example: • Once terminated, the employee must be escorted out of the facility by their manager • Employee must immediately surrender keys, employee badge, etc. • Employee must be asked to complete an exit interview and return company property • The terminated employee’s online accounts must be disabled immediately upon termination
  18. Three Types of Security Policies Exist • Regulatory • Advisory • Informative
  19. How Due Diligence and Due Care are Related Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address those threats and risks
  20. Data Classification Types (typical) • Public • Sensitive • Private • Confidential Some models may differ in the number of levels and/or how they are referred to
  21. Security Awareness Training Program • One for senior management • One for staff • One for technical employees • Responsibilities of everyone • Potential liabilities if the program is not followed • Expectations of everyone
  22. Assignment #2 Responding to a National Security Letter National Security Letters (NSLs) are an extraordinary search procedure which gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.
  23. "Deer is suspicious of Trump's claim that a 400 pound guy on a bed may have cybered us."
  24. Guest Speaker FBI Special Agent Byron Franz • Over 15 years of experience working on national security investigations • Prior to working in Milwaukee, Byron spent 10 years in Indianapolis, where he was a member of the SWAT team • Led the investigation of an Iraqi agent of Saddam Hussein • BA degree in International Relations and Russian and a JD from UW Law School
  25. Identification, Authentication, Authorization and Accountability • Identification – who you say you are • Authentication – verifying that you are who you claim to be • Authorization – the decision of what you are allowed to access, read, change, add, delete • Accountability – proof of what a person, process or Angry Bird has done
  26. Centralized Identity Management vs. Federated • Centralized Identity Management – a single entity is responsible for authentication and authorization. Facebook, for example • Federated Identity Management – a set number of various organizations are deemed “trusted”. Eduroam, for example
  27. Methods to Steal Passwords • Electronic monitoring • Access to the password file • Brute force attacks • Dictionary attacks • Social engineering
  28. Major Categories of Access Controls • Deterrent – a warning on a website, forbidding unauthorized access • Preventive – username and password controlled access • Detective – logs are audited in real-time and an alarm goes off after 10 incorrect login attempts There are four other categories of access controls, but they are not important for our discussion
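As an added example (not part of the slides), the detective control from the last bullet written as streaming detection logic in Python, run over constructed sshd-style log lines; the log format, the 5-minute window and the per-(source, user) counting are assumptions, the threshold of 10 is the slide's figure.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (not from the slides), sshd-style, processed in order.
SAMPLE_LOG = (
    # 10 failures in ten seconds for alice from one source, then a success
    [f"2016-11-29T08:00:{s:02d} sshd: Failed password for alice from 203.0.113.5"
     for s in range(10)]
    + ["2016-11-29T08:00:15 sshd: Accepted password for alice from 203.0.113.5"]
    # 3 failures for bob: below the threshold, no alarm
    + [f"2016-11-29T08:01:{s:02d} sshd: Failed password for bob from 198.51.100.7"
       for s in range(3)]
    # 10 failures for carol one minute apart: never 10 inside a 5-minute window
    + [f"2016-11-29T08:{m:02d}:00 sshd: Failed password for carol from 192.0.2.9"
       for m in range(10)]
    + ["2016-11-29T08:10:00 sshd: line the parser does not understand"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)
THRESHOLD = 10                  # the slide's figure: alarm after 10 incorrect attempts
WINDOW = timedelta(minutes=5)   # assumed: failures older than this no longer count

Alert = namedtuple("Alert", "kind ts src user count")


def parse(line):
    """Return (timestamp, outcome, user, src), or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Streaming detector: keeps, per (source, user), the timestamps of recent
    failures and raises one alert when the count inside the window reaches the
    threshold, plus a second one if that same pair then logs in successfully."""
    failures = defaultdict(deque)   # (src, user) -> recent failure timestamps
    alerted = set()                 # pairs that already triggered a burst alert
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # unparseable lines are skipped, not trusted
        ts, outcome, user, src = rec
        key = (src, user)
        recent = failures[key]
        if outcome == "Accepted":
            if key in alerted:      # a success right after a burst is the worst case
                alerts.append(Alert("success_after_burst", ts, src, user, len(recent)))
            recent.clear()          # a successful login resets the counter
            alerted.discard(key)
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert("failure_burst", ts, src, user, len(recent)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.kind}: {a.user} from {a.src} ({a.count} failures)")
```

Only alice's burst trips the alarm; bob stays under the threshold and carol's slow attempts never accumulate ten inside the window, which is why the window size is a tuning decision and not a detail.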
  29. Pre-Sales Engineer Tom Hunt Spent a Lecture With Us
  30. Bob Turner, UW-Madison, Spoke About Careers in IT Security
  31. Single Best Piece of Technical Advice You Can Provide • Remove, or at a minimum, turn off USB port access on all end user computing devices • USB allows access even when the screen is “locked” • USB is small, easy to move in and out of a building, with enormous capacity • USB can carry a dangerous self-installing payload • USB ports are often out of sight, and not noticed on the back of a computer, when a flash drive is inserted
  32. How to Recognize When IP and Trade Secret Theft is Occurring • Excessive printing taking place • Use of unapproved encryption software • Spike in e-mail and USB storage/transfer volumes • Increase in foreign IP traffic • Unusual network and building access times • Unexplained wealth or affluence • Unusual foreign travel • Disillusionment/entitlement due to missed promotions or other perceived grievances • Increased amount of non-business-related activities (e.g., web surfing, job hunting, social media, etc.)
  33. Today’s Movie Feature! • Based on a true story of an attempted theft of trade secrets • Happens to involve China, but could just as easily have been a competitor in Minnesota or Texas • Focus on the story, techniques and implications, not the nationalities of the people in the story
  34. Assignment #3 • Assignments 1 and 2 were essay based • Assignment 3 is more straightforward, question and answer based • Please label your answers accordingly (1, 2, 3, etc.) • Due date is Oct 25th, but I will accept them on Oct 27th as well
  35. Memory Management For a secure operating environment, an operating system must exercise proper memory management. A memory management system has five basic responsibilities: • Relocation • Protection • Sharing • Logical Organization • Physical Organization
  36. Memory Leaks https://www.youtube.com/watch?v=67m5jwoNkfo
  37. Four Major Physical Security Threats • Natural environmental • Supply system • Human made • Politically motivated A good security program protects against all of these, in layers
  38. Physical Access Control For Visitors • Limit the number of entry points • Force all guests to sign in at a common location • Reduce entry points even more, after hours and on weekends • Validate a government issued picture ID before allowing entry • Require all guests to be escorted by a full time employee • Encourage employees to question strangers
  39. I went to Disney World, While You Took an Exam!
  40. 5 Core Steps in a Physical Security System • Deter • Delay • Detect • Assess • Respond
  41. Laptops Are One of the Most Frequently Stolen Physical Assets • Inventory the laptops • Harden the operating system • Password protect the BIOS • Register laptops with the vendor • Don’t check the laptop as baggage! • Don’t leave the laptop unattended • Engrave the laptop visibly • Use a physical cable and lock • Back up data • Encrypt the hard disk • Store in a secure place when not in use
  42. A Note About Credit Card Reader Physical Security https://www.youtube.com/watch?v=XipjYIbBj7k • Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought
  43. Cloud Security Cloud Security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
  44. Cloud Service Models • Software as a Service • Platform as a Service • Infrastructure as a Service
  45. Cloud Deployment Models • Private • Public • Hybrid
  46. Bring Your Own Device BYOD (bring your own device) is the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also take their own tablets, laptops and USB drives into the workplace.
  47. Lost Devices, Sold Devices, Memorized Passwords • BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses or sells that phone, untrusted parties could retrieve any unsecured data on the phone. • Another type of security breach occurs when an employee leaves the company: they do not have to give back the device, so company applications and other data may still be present on it • If passwords are cached (remembered) by the phone, anyone who has access to the device can now access the password protected resources
  48. Personal Privacy Drawing the Line IT Security departments that wish to monitor usage of personal devices must ensure that they only monitor work related activities or activities that access company data or information
  49. Malware Infections Organizations who wish to adopt a BYOD policy must also consider how they will ensure that the devices which connect to the organization’s network infrastructure to access sensitive information will be protected from malware.
  50. Patching Many Different Models of BYODs A BYOD policy must be backed by the systems and processes needed to apply patches for known vulnerabilities to the various devices that users may choose to use.
  51. Mobile Device Management Solutions Several market solutions and policies have emerged to address BYOD security concerns, including mobile device management (MDM), containerization and app virtualization • Containerization • Virtualization
  52. MDM May Result in Privacy and Usability Concerns While MDM provides organizations with the ability to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that leads to resistance in some organizations
  53. Phone Number Ownership A key issue of BYOD which is often overlooked is the phone number problem, which raises the question of who owns the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises
  54. Lack of BYOD Policy • Research reveals that only 20% of employees have signed a BYOD policy • Why not have them agree online, in order to gain network access? Offer them a carrot (network access) to agree. • Businesses need to get out of the idea of using legacy paper forms for such things
  55. BYOD Inventory Firms need an efficient inventory management system that keeps track of which devices employees are using, where each device is located, whether it is being used, and what software it is equipped with
  56. Make Sure the Employees Know If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation
  57. Scalability and Capability of Corporate Networks Many organizations today lack the proper network infrastructure to handle the large traffic which will be generated when employees start using different devices at the same time
  58. (no text on this slide)
  59. Summary • Both Cloud and BYOD are relatively new to organizations • Both Cloud and BYOD blur the lines of where an organization’s control over data resides • Both Cloud and BYOD extend the information assets beyond historic organizational geographic boundaries • Both Cloud and BYOD are security concerns, in an attempt to maintain Confidentiality, Integrity and Availability
  60. Session Overview • Introduction and Warning • The Deep Web Defined • Dynamic Content • Unlinked Content • Private Web • Contextual Web • Limited Access Content • Scripted Content • Non-HTML Content • Deep Web Search Engines & Tor Client • Examples of what can be found on the Deep Web • Exciting Documentary Video • Question and Answer session
  61. Grams Sample Search Crunchy Dutch Moonrocks
  62. Deep Web Dangerous Web
  63. Class Discussion You love the Internet. However, your favorite sites, such as Facebook, Amazon, and wisc.edu are just the surface. There is another world out there: the Deep Web. The Deep Web is where online information is password protected, or requires special software to access—and it’s massive, yet it’s almost completely out of sight. The Deep Web contains a hidden world, a community where malicious actors unite in common nefarious purpose. Should the government control or forbid certain sites? Why? Do you think buying the following items on the Internet is possible? If it is possible, should they be forbidden? How and why? • Drugs (both prescription and the clearly illegal type) • Forged identity papers • Weapons, explosives and ammunition • Hired assassins • Human organs
  64. The EU and Privacy • The European Union (EU) has some of the most stringent data privacy rules • When it comes to data collection, the EU has six privacy principles which all countries and businesses within those countries must follow
  65. European Privacy Principles 1. The reason for gathering the information must be specified at the time of collection 2. Data cannot be used for other purposes 3. Unnecessary data should not be collected
  66. Privacy: The Need For Better Laws • Advances in data aggregation and data retrieval technologies – large data warehouses • Loss of borders – private data flows from country to country with ease • Convergent technology advances – gathering, mining and distributing information has become much easier
  67. Laws, Directives and Regulations Cover many different areas for many different reasons • Privacy • Computer misuse • Software copyright • Data protection • Controls on cryptography
  68. Laws, Directives and Regulations • Laws, directives and regulations usually provide only broad guidance and not detailed instructions • Environments are just too diverse to get specific in terms of the details of laws, directives and regulations • Let’s look at some examples
  69. Sarbanes-Oxley Act The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
  70. HIPAA HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
  71. GLB (GLBA) The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
  72. CFAA The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
  73. Federal Privacy Act of 1974 The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
  74. PCI-DSS (PCI) Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.
  75. 1. Validate Input and Output All data input and output should be checked very carefully for appropriateness. This check should be to see if the data is what is expected (length, characters). Making a list of bad characters is not the way to go; the lists are rarely complete. A secure program should know what it expects, and reject other input. For example, if an input field is for a Social Security Number, then any data that is not a string of nine integers is not valid. A common mistake is to filter for specific strings or payloads in the belief that specific problems can be prevented.
  76. 2. Fail Securely (Closed) Applications should default to secure operation. That is, in the event of failure or misconfiguration, they should not reveal more information than necessary with regard to: • Error messages (for efficient debugging purposes) • The application configuration (directory, version/patch levels) • The operating environment (network addressing, OS version/patch levels) As well, they should not allow transactions or processes to continue • With more privileges than normal • With more access than normal • Without proper validation of input parameters and output results • Bypassing any monitoring or logging facilities
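An added example (not from the slides) putting principles 1 and 2 side by side in Python: an allowlist check for the slide's nine-digit Social Security Number next to the denylist approach it warns against, and a lookup handler that fails closed and keeps backend detail (network address, version) out of the response. The `Backend` class, its error text, `INTERNAL_LOG` and the handler names are constructed for illustration.

```python
import re

SSN_RE = re.compile(r"[0-9]{9}")   # allowlist: exactly nine ASCII digits ([0-9], not \d,
                                   # so non-ASCII digit characters are rejected too)
BAD_CHARS = set("'\";<>")          # a denylist, shown only for contrast


def valid_ssn_denylist(value: str) -> bool:
    """Accept anything that contains no 'bad' character: the approach the slide warns
    against. It happily passes wrong lengths, letters and dashes."""
    return not any(ch in BAD_CHARS for ch in value)


def valid_ssn_allowlist(value: str) -> bool:
    """Accept only what is expected: a string of exactly nine digits.
    fullmatch (not match/search) also rejects trailing characters such as a newline."""
    return SSN_RE.fullmatch(value) is not None


class Backend:
    """Constructed stand-in for a records store. When unavailable it raises an error
    whose text carries the kind of detail a misconfigured component often leaks."""

    def __init__(self, records, available=True):
        self.records = records
        self.available = available

    def get(self, ssn):
        if not self.available:
            raise RuntimeError("records-db at 10.0.0.5:5432 (v9.2) unreachable")
        return self.records[ssn]


INTERNAL_LOG = []   # where diagnostic detail belongs: the operator's log, not the reply


def lookup_leaky(backend, ssn):
    """No validation, and the raw exception text goes back to the caller."""
    try:
        return 200, backend.get(ssn)
    except Exception as exc:
        return 500, f"error: {exc}"


def lookup_secure(backend, ssn):
    """Validate first, fail closed, and keep diagnostic detail internal."""
    if not valid_ssn_allowlist(ssn):
        return 400, "invalid request"          # reject anything that is not expected
    try:
        return 200, backend.get(ssn)
    except KeyError:
        return 404, "not found"
    except Exception as exc:                    # misconfiguration / outage: fail closed
        INTERNAL_LOG.append(f"lookup failed: {exc!r}")
        return 500, "request could not be processed"


if __name__ == "__main__":
    for candidate in ("123456789", "123-45-6789", "12345678O", "123456789\n"):
        print(repr(candidate), "denylist:", valid_ssn_denylist(candidate),
              "allowlist:", valid_ssn_allowlist(candidate))
    down = Backend({}, available=False)
    print("leaky :", lookup_leaky(down, "123456789"))
    print("secure:", lookup_secure(down, "123456789"), "logged:", INTERNAL_LOG[-1])
```

The denylist passes a dashed number, a trailing letter O and a trailing newline; the allowlist rejects all three without ever having to enumerate what is bad.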
  77. 3. Keep it Simple While it is tempting to build elaborate and complex security controls, the reality is that if a security system is too complex for its user base, it will either not be used or users will try to find ways to bypass it. Often the most effective security is the simplest security. Do not expect users to enter 12 passwords.
  78. 4. Use and Reuse Trusted Components Invariably other system designers (either on your development team or on the Internet) have faced the same problems as you. They may have invested a large amount of time on researching and developing robust solutions to the problem. In many cases they will have improved components through an iterative process and learned from common mistakes along the way. Using and reusing trusted components makes sense both from a resource stance and from a security stance. When someone else has proven they got it right, take advantage.
  79. 5. Defense in Depth Relying on one component to perform its function 100% of the time is unrealistic. While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don’t predict the unexpected, but plan for it. If one component fails to catch a security event, a second one should.
  80. 6. Only as Secure as the Weakest Link We’ve all seen it: “This system is 100% secure, it uses 128 bit SSL”. While it may be true that the data in transit from the user’s browser to the web server has appropriate security controls, more often than not the focus of security mechanisms is in the wrong place. As in the real world, where there is no point in placing all of your locks on your front door and leaving the back door swinging on its hinges, you need to think carefully about what you are securing. Attackers are lazy and will find the weakest point and attempt to exploit it.
  81. 7. Security by Obscurity Won’t Work in the Long Run It’s naïve to think that hiding things from prying eyes doesn’t buy you some amount of time. Let’s face it, some of the biggest exploits unveiled in software had been obscured for years. But obscuring information is very different from protecting it. You are relying on the fact that no one stumbles onto your obfuscation. This strategy doesn’t work in the long term and has no guarantee of working in the short term.
  82. 8. Least Privilege Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job. This is the need-to-know approach. If a user account doesn’t need root privileges to operate, don’t assign them in anticipation that it may need them. Giving the pool man an unlimited bank account to buy the chemicals for your pool when you’re on vacation is unlikely to be a positive experience.
  83. 9. Compartmentalization Similarly, compartmentalizing users, processes and data helps contain problems if they do occur. Compartmentalization is an important concept widely adopted in the information security realm. Imagine the same pool man scenario. Giving the pool man the keys to the house while you are away, so he can get to the pool house, may not be a wise move. Containing his access to the pool house limits the types of problems that may occur if something were to happen.
  84. Telecommunications and Network Security Overview • TCP/IP and other protocols • LAN, WAN, MAN, intranet, extranet • Cable types and data transmission types • Network devices and services • Communications security management
  85. TCP and UDP Two Major Protocols For Transmission Over IP
  86. Reliability TCP TCP is a connection-oriented protocol. When a file or message is sent, it will be delivered unless the connection fails. If the connection is lost, the server will request the lost part. There is no corruption while transferring a message.
  87. Reliability UDP UDP is a connectionless protocol. When you send data or a message, you don't know if it will get there; it could get lost on the way. There may be corruption while transferring a message.
  88. Ordered Delivery TCP Ordered: if you send two messages along a connection, one after the other, you know the first message will get there first. You don't have to worry about data arriving in the wrong order
  89. No Ordered Delivery UDP If you send two messages out, you don't know what order they'll arrive in
  90. TCP is a Heavyweight Protocol Heavyweight: when the low level parts of the TCP "stream" arrive in the wrong order, resend requests have to be sent, and all the out of sequence parts have to be put back together, so it requires a bit of work to piece together
  91. UDP is a Lightweight Protocol Lightweight: no ordering of messages, no tracking of connections, etc. It's just fire and forget! This means it's a lot quicker, and the network card / OS have to do very little work to translate the data back from the packets.
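As an added example (not from the slides, and not a real TCP or UDP implementation), a small Python simulation of the four properties summarised on slides 86 to 91: a channel that loses and reorders segments, a fire-and-forget receiver that takes whatever arrives, and a connection-style receiver that buffers by sequence number, requests the lost part and only hands data up in order. The `Segment` format, `UnreliableChannel` and its drop plan are constructed assumptions; corruption detection is left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # position of this chunk in the message (real TCP uses byte offsets)
    data: bytes


def segmentize(message: bytes, size: int):
    """Split a message into numbered segments of at most `size` bytes."""
    return [Segment(i, message[i * size:(i + 1) * size])
            for i in range((len(message) + size - 1) // size)]


class UnreliableChannel:
    """Constructed stand-in for the network. drop_plan[k] is the set of sequence
    numbers lost on the k-th transmission; every delivery is also reversed so
    segments always arrive out of order."""

    def __init__(self, drop_plan):
        self.drop_plan = [set(d) for d in drop_plan]
        self.calls = 0

    def transmit(self, segments):
        lost = self.drop_plan[self.calls] if self.calls < len(self.drop_plan) else set()
        self.calls += 1
        return [s for s in reversed(segments) if s.seq not in lost]


def udp_receive(channel, segments):
    """Fire and forget: whatever arrives is handed up in arrival order and nothing
    is re-requested, so the result can be both short and scrambled."""
    return b"".join(s.data for s in channel.transmit(segments))


def tcp_receive(channel, segments, max_rounds=20):
    """Connection-style delivery: buffer segments by sequence number, ask the
    sender again for every gap, and hand data up only once it is complete and in
    order. Returns (data, number of transmissions it took)."""
    total = len(segments)
    buffered = {}
    outstanding = list(segments)      # what the sender still has to get across
    rounds = 0
    while outstanding and rounds < max_rounds:
        for s in channel.transmit(outstanding):
            buffered[s.seq] = s.data  # out-of-sequence parts are kept, not discarded
        rounds += 1
        # the "resend request": every sequence number the receiver has not seen
        outstanding = [segments[seq] for seq in range(total) if seq not in buffered]
    if outstanding:                   # the connection failed: give up, never deliver a hole
        raise ConnectionError("connection failed: lost data never arrived")
    return b"".join(buffered[seq] for seq in range(total)), rounds


# Constructed sample message, split into nine five-byte segments.
MESSAGE = b"the quick brown fox jumps over the lazy dog"
SEGMENTS = segmentize(MESSAGE, 5)

if __name__ == "__main__":
    print("UDP:", udp_receive(UnreliableChannel([{0, 3, 8}]), SEGMENTS))
    print("TCP:", tcp_receive(UnreliableChannel([{0, 3, 8}, {3}]), SEGMENTS))
```

With the same loss pattern the UDP side delivers six scrambled chunks once, while the TCP side needs three transmissions (the "heavyweight" bookkeeping of slide 90) and returns the message intact.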
  92. The 5 Types of Physical Network Topologies • Bus • Ring • Star • Tree • Mesh
  93. Network Cabling Coaxial Cable Coaxial cable, or coax (pronounced 'ko.æks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket.
  94. Network Cabling Twisted Pair Twisted pair cabling is a type of wiring in which two conductors of a single circuit are twisted together for the purposes of canceling out electromagnetic interference from external sources; for instance, electromagnetic radiation from unshielded twisted pair cables, and crosstalk between neighboring pairs.
  95. Network Cabling Fiber Optic A technology that uses glass (or plastic) threads (fibers) to transmit data. A fiber optic cable consists of a bundle of glass threads, each of which is capable of transmitting messages modulated onto light waves. Fiber optics has several advantages over traditional metal communications lines:
  96. Wireless Best Practices • Protect your network with a password and encryption • Change the default SSID (name of network) • Disable SSID broadcast (name of network) • Place the Access Point at the center of the building to avoid external access • Configure the Access Point to only allow known MAC (hardware) addresses into the network
  97. Configuration and Change Management Policies should: 1. Document how all changes are made and approved 2. Have guidelines that differ based upon the kind of data being managed 3. Require that disruptions in service be planned and approved in advance 4. Require contingency plans to be in place to address planned outages
  98. Change Control Process Process: 1. Submit a request for the change to take place 2. Formal approval of the change 3. Formal documentation of the change 4. Assurance of testing must be presented to the group approving the change 5. Implement the change 6. Report results to management
  99. Examples of Change Controlled Events • New computers installed • New applications installed • Changes in system configurations implemented • Patches and system updates • New networking equipment installed • Company IT infrastructure merged with that of another company which was acquired
  100. Physical Media Controls 1. Protect from unauthorized access 2. Protect from environmental issues such as flooding, overheating, etc. 3. Media should be labeled 4. Media should be sanitized when they reach the end of their use/life 5. Tracking number, chain of custody of media 6. Location of backups 7. Keep a history of any changes to media (replacements, etc.)
  101. Vulnerability Testing Goals: 1. Evaluate your company’s true and actual security posture vs. your company’s stated and/or assumed security posture 2. Confirm known vulnerabilities and identify new vulnerabilities 3. Test how your company reacts to attacks on information systems
  102. We Watched Some Interesting Videos • Glen Duffy Shriver Story (Game of Pawns, about a student spy) • The Company Man (story of industrial espionage) • United States of Secrets (dramatic inside story of mass surveillance in America) • The Spy Factory (an eye-opening documentary on the National Security Agency) • Short YouTube videos, throughout the semester
  103. We Ate a Lot of Chocolate!
  104. We Took All Our Knowledge and Put It into Our Team Project! • Put forth your best effort • Better too long than too short • Send me a copy • I print them out and give them to the Chair of the OIM Department. I smile and say “This is what the students learned this semester” when I present the copies of your presentations
  105. Things to Remember • I am proud of all of you…We covered a LOT of material this semester • Everyone did a GREAT job being involved with class participation • Your written assignments were fantastic, showed concern, thought, originality, honesty and intelligence • You ARE every bit as smart as the people you will be working for…They are just older, not smarter • If things are not right in your job, do what is right, speak your mind, assess the situation for what it REALLY is, not what you would like it to be---and then ACT IN YOUR OWN BEST INTEREST
  106. Thank You! Happy Holidays!
