Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14
advertisement
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training Objectives • Define organizational security policy • List the types of security policies • Describe how education and training can limit the impact of social engineering Security+ Guide to Network Security Fundamentals, Third Edition 2 Organizational Security Policies • Plans and policies must be established by the organization – To ensure that users correctly implement the hardware and software defenses • One of the key policies is an organizational security policy Security+ Guide to Network Security Fundamentals, Third Edition 3 What Is a Security Policy? • Security policy – A written document that states how an organization plans to protect the company’s information technology assets • An organization’s information security policy can serve several functions: – – – – It can be an overall intention and direction It details specific risks and how to address them It can create a security-aware organizational culture It can help to ensure that employee behavior is directed and monitored Security+ Guide to Network Security Fundamentals, Third Edition 4 Balancing Trust and Control • An effective security policy must carefully balance two key elements: trust and control • Three approaches to trust: – Trust everyone all of the time – Trust no one at any time – Trust some people some of the time • Deciding on the level of control for a specific policy is not always clear – The security needs and the culture of the organization play a major role when deciding what level of control is appropriate Security+ Guide to Network Security Fundamentals, Third Edition 5 Balancing Trust and Control (continued) Security+ Guide to Network Security Fundamentals, Third Edition 6 Designing a Security Policy • Definition of a policy – Standard • A collection of requirements specific to the system or procedure that must be met by everyone – Guideline • A collection of suggestions that should be implemented – Policy • Document that outlines specific requirements or rules that must be met Security+ Guide to Network Security Fundamentals, Third Edition 7 Designing a Security Policy (continued) • A policy generally has these characteristics: – Policies communicate a consensus of judgment – Policies define appropriate behavior for users – Policies identify what tools and procedures are needed – Policies provide directives for Human Resource action in response to inappropriate behavior – Policies may be helpful in the event that it is necessary to prosecute violators Security+ Guide to Network Security Fundamentals, Third Edition 8 Designing a Security Policy (continued) • The security policy cycle – The first phase involves a risk management study • • • • • Asset identification Threat identification Vulnerability appraisal Risk assessment Risk mitigation – The second phase of the security policy cycle is to use the information from the risk management study to create the policy – The final phase is to review the policy for compliance Security+ Guide to Network Security Fundamentals, Third Edition 9 Designing a Security Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 10 Designing a Security Policy (continued) • Steps in development – When designing a security policy many organizations follow a standard set of principles – It is advisable that the design of a security policy should be the work of a team – The team should first decide on the scope and goals of the policy – Statements regarding due care are often included • The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them Security+ Guide to Network Security Fundamentals, Third Edition 11 Designing a Security Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 12 Designing a Security Policy (continued) • Many organizations also follow these guidelines while developing a policy: – Notify users in advance that a new security policy is being developed and explain why the policy is needed – Provide a sample of people affected by the policy with an opportunity to review and comment on the policy – Prior to deployment, give all users at least two weeks to review and comment – Allow users the authority to carry out their responsibilities in a given policy Security+ Guide to Network Security Fundamentals, Third Edition 13 Types of Security Policies • The term security policy becomes an umbrella term for all of the subpolicies included within it Security+ Guide to Network Security Fundamentals, Third Edition 14 Security+ Guide to Network Security Fundamentals, Third Edition 15 Types of Security Policies (continued) • Most organizations have security policies that address: – – – – – – – – – Acceptable use Security-related human resources Password management and complexity Personally identifiable information Disposal and destruction Service level agreements Classification of information Change management Ethics Security+ Guide to Network Security Fundamentals, Third Edition 16 Acceptable Use Policy (AUP) • Acceptable use policy (AUP) – Defines the actions users may perform while accessing systems and networking equipment – May have an overview regarding what is covered by this policy • The AUP usually provides explicit prohibitions regarding security and proprietary information • Unacceptable use may also be outlined by the AUP • Acceptable use policies are generally considered to be the most important information security policies Security+ Guide to Network Security Fundamentals, Third Edition 17 Security-Related Human Resource Policy • Security-related human resource policy – A policy that addresses security as it relates to human resources – Includes statements regarding how an employee’s information technology resources will be addressed • Due process – The principle of treating all accused persons in an equal fashion, using established rules and principles • Due diligence – Any investigation into suspicious employee conduct will examine all material facts Security+ Guide to Network Security Fundamentals, Third Edition 18 Password Management and Complexity Policy • Password management and complexity policy – Can clearly address how passwords are created and managed • The policy should also specify what makes up a strong password Security+ Guide to Network Security Fundamentals, Third Edition 19 Password Management and Complexity Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 20 Password Management and Complexity Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 21 Personally Identifiable Information (PII) Policy • Personally identifiable information (PII) policy – Outlines how the organization uses personal information it collects Security+ Guide to Network Security Fundamentals, Third Edition 22 Personally Identifiable Information (PII) Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 23 Disposal and Destruction Policy • Disposal and destruction policy – Addresses the disposal of resources that are considered confidential – Often covers how long records and data will be retained – Involves how to dispose of equipment Security+ Guide to Network Security Fundamentals, Third Edition 24 Service Level Agreement (SLA) Policy • Service level agreement (SLA) – A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service • Service level agreement (SLA) policy – An organizational policy that governs the conditions to be contained in an SLA • Many SLA policies contain tiers of service Security+ Guide to Network Security Fundamentals, Third Edition 25 Service Level Agreement (SLA) Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition 26 Classification of Information Policy • Classification of information policy – Designed to produce a standardized framework for classifying information assets • Generally, this involves creating classification categories such as high, medium, or low – And then assigning information into these categories Security+ Guide to Network Security Fundamentals 27 Change Management Policy • Change management – Refers to a methodology for making changes and keeping track of those changes, often manually – Seeks to approach changes systematically and provide documentation of the changes • Change management policy – Outlines how an organization will manage changes in a “rational and predictable” manner so employees and clients can plan accordingly Security+ Guide to Network Security Fundamentals, Third Edition 28 Ethics Policy • Values – A person’s fundamental beliefs and principles used to define what is good, right, and just • Morals – Values that are attributed to a system of beliefs that help the individual distinguish right from wrong • Ethics – The study of what a group of people understand to be good and right behavior and how people make those judgments Security+ Guide to Network Security Fundamentals, Third Edition 29 Ethics Policy (continued) • Ethics policy – A written code of conduct intended to be a central guide and reference for employees in support of dayto-day decision making – Intended to clarify an organization’s mission, values, and principles, and link them with standards of professional conduct Security+ Guide to Network Security Fundamentals, Third Edition 30 Education and Training • Education and training involve understanding the importance of organizational training – And how it can be used to reduce risks, such as social engineering Security+ Guide to Network Security Fundamentals, Third Edition 31 Organizational Training • All computer users in an organization share a responsibility to protect the assets of that organization – Users need training in the importance of securing information, the roles that they play in security, and the steps they need to take to ward off attacks • All users need: – Continuous training in the new security defenses – To be reminded of company security policies and procedures Security+ Guide to Network Security Fundamentals, Third Edition 32 Organizational Training (continued) • One of the challenges of organizational education and training is to understand the traits of learners Security+ Guide to Network Security Fundamentals, Third Edition 33 Organizational Training (continued) • Training style also impacts how people learn • Most people are taught using a pedagogical approach – However, for adult learners, an andragogical approach is often preferred • There are different learning styles – Visual learners – Auditory learners – Kinesthetic Security+ Guide to Network Security Fundamentals, Third Edition 34 Reducing Risks of Social Engineering • Social engineering – Relies on tricking and deceiving someone to provide secure information • Phishing – One of the most common forms of social engineering – Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information – Both the e-mails and the fake Web sites appear to be legitimate Security+ Guide to Network Security Fundamentals, Third Edition 35 Security+ Guide to Network Security Fundamentals, Third Edition 36 Reducing Risks of Social Engineering (continued) • Variations on phishing attacks: – Spear phishing – Pharming – Google phishing • Ways to recognize phishing messages include: – – – – – Deceptive Web links E-mails that look like Web sites Fake sender’s address Generic greeting Pop-up boxes and attachments Security+ Guide to Network Security Fundamentals, Third Edition 37 Reducing Risks of Social Engineering (continued) • Ways to recognize phishing messages include: (continued) – Unsafe Web sites – Urgent request • Some organizations have turned to creating regular reminders to users regarding phishing attacks Security+ Guide to Network Security Fundamentals, Third Edition 38 Security+ Guide to Network Security Fundamentals, Third Edition 39 Reducing Risks of Social Engineering (continued) • Dumpster diving – Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away • Shoulder surfing – Watching an individual enter a security code or password on a keypad • Computer hoax – An e-mail message containing a false warning to the recipient of a malicious entity circulating through the Internet Security+ Guide to Network Security Fundamentals, Third Edition 40 Summary • A security policy is a written document that states how an organization plans to protect the company’s information technology assets • A standard is a collection of requirements specific to the system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented • A policy is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security Security+ Guide to Network Security Fundamentals, Third Edition 41 Summary (continued) • Because a security policy is so comprehensive and often detailed, most organizations choose to break the security policy down into smaller “subpolicies” • A personally identifiable information (PII) policy outlines how the organization uses information it collects • To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training • Social engineering relies on tricking and deceiving someone to provide secure information Security+ Guide to Network Security Fundamentals, Third Edition 42
