Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14

advertisement
Security+ Guide to Network
Security Fundamentals, Third
Edition
Chapter 14
Security Policies and Training
Objectives
• Define organizational security policy
• List the types of security policies
• Describe how education and training can limit the
impact of social engineering
Security+ Guide to Network Security Fundamentals, Third Edition
2
Organizational Security Policies
• Plans and policies must be established by the
organization
– To ensure that users correctly implement the
hardware and software defenses
• One of the key policies is an organizational security
policy
Security+ Guide to Network Security Fundamentals, Third Edition
3
What Is a Security Policy?
• Security policy
– A written document that states how an organization
plans to protect the company’s information technology
assets
• An organization’s information security policy can
serve several functions:
–
–
–
–
It can be an overall intention and direction
It details specific risks and how to address them
It can create a security-aware organizational culture
It can help to ensure that employee behavior is
directed and monitored
Security+ Guide to Network Security Fundamentals, Third Edition
4
Balancing Trust and Control
• An effective security policy must carefully balance
two key elements: trust and control
• Three approaches to trust:
– Trust everyone all of the time
– Trust no one at any time
– Trust some people some of the time
• Deciding on the level of control for a specific policy is
not always clear
– The security needs and the culture of the organization
play a major role when deciding what level of control is
appropriate
Security+ Guide to Network Security Fundamentals, Third Edition
5
Balancing Trust and Control
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
6
Designing a Security Policy
• Definition of a policy
– Standard
• A collection of requirements specific to the system or
procedure that must be met by everyone
– Guideline
• A collection of suggestions that should be implemented
– Policy
• Document that outlines specific requirements or rules
that must be met
Security+ Guide to Network Security Fundamentals, Third Edition
7
Designing a Security Policy
(continued)
• A policy generally has these characteristics:
– Policies communicate a consensus of judgment
– Policies define appropriate behavior for users
– Policies identify what tools and procedures are
needed
– Policies provide directives for Human Resource action
in response to inappropriate behavior
– Policies may be helpful in the event that it is
necessary to prosecute violators
Security+ Guide to Network Security Fundamentals, Third Edition
8
Designing a Security Policy
(continued)
• The security policy cycle
– The first phase involves a risk management study
•
•
•
•
•
Asset identification
Threat identification
Vulnerability appraisal
Risk assessment
Risk mitigation
– The second phase of the security policy cycle is to use
the information from the risk management study to
create the policy
– The final phase is to review the policy for compliance
Security+ Guide to Network Security Fundamentals, Third Edition
9
Designing a Security Policy
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
10
Designing a Security Policy
(continued)
• Steps in development
– When designing a security policy many organizations
follow a standard set of principles
– It is advisable that the design of a security policy
should be the work of a team
– The team should first decide on the scope and goals
of the policy
– Statements regarding due care are often included
• The obligations that are imposed on owners and
operators of assets to exercise reasonable care of the
assets and take necessary precautions to protect them
Security+ Guide to Network Security Fundamentals, Third Edition
11
Designing a Security Policy
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
12
Designing a Security Policy
(continued)
• Many organizations also follow these guidelines
while developing a policy:
– Notify users in advance that a new security policy is
being developed and explain why the policy is needed
– Provide a sample of people affected by the policy with
an opportunity to review and comment on the policy
– Prior to deployment, give all users at least two weeks
to review and comment
– Allow users the authority to carry out their
responsibilities in a given policy
Security+ Guide to Network Security Fundamentals, Third Edition
13
Types of Security Policies
• The term security policy becomes an umbrella term
for all of the subpolicies included within it
Security+ Guide to Network Security Fundamentals, Third Edition
14
Security+ Guide to Network Security Fundamentals, Third Edition
15
Types of Security Policies (continued)
• Most organizations have security policies that
address:
–
–
–
–
–
–
–
–
–
Acceptable use
Security-related human resources
Password management and complexity
Personally identifiable information
Disposal and destruction
Service level agreements
Classification of information
Change management
Ethics
Security+ Guide to Network Security Fundamentals, Third Edition
16
Acceptable Use Policy (AUP)
• Acceptable use policy (AUP)
– Defines the actions users may perform while
accessing systems and networking equipment
– May have an overview regarding what is covered by
this policy
• The AUP usually provides explicit prohibitions
regarding security and proprietary information
• Unacceptable use may also be outlined by the AUP
• Acceptable use policies are generally considered to
be the most important information security policies
Security+ Guide to Network Security Fundamentals, Third Edition
17
Security-Related Human Resource
Policy
• Security-related human resource policy
– A policy that addresses security as it relates to human
resources
– Includes statements regarding how an employee’s
information technology resources will be addressed
• Due process
– The principle of treating all accused persons in an
equal fashion, using established rules and principles
• Due diligence
– Any investigation into suspicious employee conduct
will examine all material facts
Security+ Guide to Network Security Fundamentals, Third Edition
18
Password Management and
Complexity Policy
• Password management and complexity policy
– Can clearly address how passwords are created and
managed
• The policy should also specify what makes up a
strong password
Security+ Guide to Network Security Fundamentals, Third Edition
19
Password Management and
Complexity Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
20
Password Management and
Complexity Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
21
Personally Identifiable Information (PII)
Policy
• Personally identifiable information (PII) policy
– Outlines how the organization uses personal
information it collects
Security+ Guide to Network Security Fundamentals, Third Edition
22
Personally Identifiable Information (PII)
Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
23
Disposal and Destruction Policy
• Disposal and destruction policy
– Addresses the disposal of resources that are
considered confidential
– Often covers how long records and data will be
retained
– Involves how to dispose of equipment
Security+ Guide to Network Security Fundamentals, Third Edition
24
Service Level Agreement (SLA) Policy
• Service level agreement (SLA)
– A service contract between a vendor and a client that
specifies what services will be provided, the
responsibilities of each party, and any guarantees of
service
• Service level agreement (SLA) policy
– An organizational policy that governs the conditions to
be contained in an SLA
• Many SLA policies contain tiers of service
Security+ Guide to Network Security Fundamentals, Third Edition
25
Service Level Agreement (SLA) Policy
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
26
Classification of Information Policy
• Classification of information policy
– Designed to produce a standardized framework for
classifying information assets
• Generally, this involves creating classification
categories such as high, medium, or low
– And then assigning information into these categories
Security+ Guide to Network Security Fundamentals
27
Change Management Policy
• Change management
– Refers to a methodology for making changes and
keeping track of those changes, often manually
– Seeks to approach changes systematically and
provide documentation of the changes
• Change management policy
– Outlines how an organization will manage changes in
a “rational and predictable” manner so employees
and clients can plan accordingly
Security+ Guide to Network Security Fundamentals, Third Edition
28
Ethics Policy
• Values
– A person’s fundamental beliefs and principles used to
define what is good, right, and just
• Morals
– Values that are attributed to a system of beliefs that
help the individual distinguish right from wrong
• Ethics
– The study of what a group of people understand to be
good and right behavior and how people make those
judgments
Security+ Guide to Network Security Fundamentals, Third Edition
29
Ethics Policy (continued)
• Ethics policy
– A written code of conduct intended to be a central
guide and reference for employees in support of dayto-day decision making
– Intended to clarify an organization’s mission, values,
and principles, and link them with standards of
professional conduct
Security+ Guide to Network Security Fundamentals, Third Edition
30
Education and Training
• Education and training involve understanding the
importance of organizational training
– And how it can be used to reduce risks, such as
social engineering
Security+ Guide to Network Security Fundamentals, Third Edition
31
Organizational Training
• All computer users in an organization share a
responsibility to protect the assets of that
organization
– Users need training in the importance of securing
information, the roles that they play in security, and
the steps they need to take to ward off attacks
• All users need:
– Continuous training in the new security defenses
– To be reminded of company security policies and
procedures
Security+ Guide to Network Security Fundamentals, Third Edition
32
Organizational Training (continued)
• One of the challenges of organizational education
and training is to understand the traits of learners
Security+ Guide to Network Security Fundamentals, Third Edition
33
Organizational Training (continued)
• Training style also impacts how people learn
• Most people are taught using a pedagogical
approach
– However, for adult learners, an andragogical
approach is often preferred
• There are different learning styles
– Visual learners
– Auditory learners
– Kinesthetic
Security+ Guide to Network Security Fundamentals, Third Edition
34
Reducing Risks of Social Engineering
• Social engineering
– Relies on tricking and deceiving someone to provide
secure information
• Phishing
– One of the most common forms of social engineering
– Involves sending an e-mail or displaying a Web
announcement that falsely claims to be from a
legitimate enterprise in an attempt to trick the user
into surrendering private information
– Both the e-mails and the fake Web sites appear to be
legitimate
Security+ Guide to Network Security Fundamentals, Third Edition
35
Security+ Guide to Network Security Fundamentals, Third Edition
36
Reducing Risks of Social Engineering
(continued)
• Variations on phishing attacks:
– Spear phishing
– Pharming
– Google phishing
• Ways to recognize phishing messages include:
–
–
–
–
–
Deceptive Web links
E-mails that look like Web sites
Fake sender’s address
Generic greeting
Pop-up boxes and attachments
Security+ Guide to Network Security Fundamentals, Third Edition
37
Reducing Risks of Social Engineering
(continued)
• Ways to recognize phishing messages include:
(continued)
– Unsafe Web sites
– Urgent request
• Some organizations have turned to creating regular
reminders to users regarding phishing attacks
Security+ Guide to Network Security Fundamentals, Third Edition
38
Security+ Guide to Network Security Fundamentals, Third Edition
39
Reducing Risks of Social Engineering
(continued)
• Dumpster diving
– Involves digging through trash receptacles to find
computer manuals, printouts, or password lists that
have been thrown away
• Shoulder surfing
– Watching an individual enter a security code or
password on a keypad
• Computer hoax
– An e-mail message containing a false warning to the
recipient of a malicious entity circulating through the
Internet
Security+ Guide to Network Security Fundamentals, Third Edition
40
Summary
• A security policy is a written document that states
how an organization plans to protect the company’s
information technology assets
• A standard is a collection of requirements specific to
the system or procedure that must be met by
everyone, while a guideline is a collection of
suggestions that should be implemented
• A policy is a document that outlines specific
requirements or rules that must be met, and is the
correct means to be used for establishing security
Security+ Guide to Network Security Fundamentals, Third Edition
41
Summary (continued)
• Because a security policy is so comprehensive and
often detailed, most organizations choose to break
the security policy down into smaller “subpolicies”
• A personally identifiable information (PII) policy
outlines how the organization uses information it
collects
• To provide users with the knowledge and skills
necessary to support information security, users need
to receive ongoing training
• Social engineering relies on tricking and deceiving
someone to provide secure information
Security+ Guide to Network Security Fundamentals, Third Edition
42
Download