Introduction to Computer Security and Information Assurance
Module 02: People and Places

Objectives
• Recognize that physical security and cyber security are related
• Recognize that personnel security policies and procedures are related to cyber security
• Explain how awareness training strengthens cyber security practices

Physical Security
• Addresses the protection of the organization's assets:
  – Personnel
  – Property
  – Information

Physical and Cyber Security
• The two disciplines are merging
• Physical access can lead to compromise

Physical Security Threats
• Most threats in this area are 'physical'
  – Fire
  – Flood
  – Natural disasters
• The human factor is the exception to this rule

Major Sources of Physical Loss
• Temperature extremes
• Gases
• Liquids
• Living organisms
• Excessive movement
• Energy anomalies
Source: "Fighting Computer Crime" by Donn B. Parker

Physical Security Threat Categories
• Natural and environmental
• Man-made

Natural and Environmental Threats
• Hurricanes
• Tornadoes
• Earthquakes
• Floods
• Lightning
• Mudslides
• Fire
• Electrical

Man-Made Threats
• Hackers
• Theft
• Human error

Physical Security Countermeasures
• Property protection
• Structural hardening
• Physical access control
• Intrusion detection
• Physical security procedures
• Contingency plans
• Physical security awareness training

Property Protection
• Fences
• Gates
• Doors
• Locks and keys
• Lighting
• Fire detection and suppression systems

Structural Hardening
• Robust construction
• Minimal penetrations (openings into the structure)
• Building complexity

Physical Access Control
• Ensures only authorized individuals are allowed into certain areas
  – Who
  – What
  – When
  – Where
  – How

Intrusion Detection
• Guards
• Dogs
• Electronic monitoring systems

Physical Security Procedures
• Impose consequences for physical security violations
• Examples:
  – Log personnel access to restricted areas
  – Escort visitors, delivery personnel, and terminated personnel

Contingency Plans
• Considerations include:
  – Generators
  – Fire suppression and detection systems
  – Water sensors
  – Alternate facility
  – Offsite storage facility

Physical Security Awareness Training
• Train personnel what to do about:
  – Suspicious activities
  – Unrecognized persons

Personnel Security
• Practices established to ensure the safety and security of personnel and other organizational assets

Personnel Security
• It's all about the people
• People are the weakest link
• An avenue to mold and define personnel behavior

Personnel Security Threat Categories
• Insider threats
• Social engineering

Insider Threats
• One of the most common threats to any organization
• More difficult to recognize
• Include:
  – Sabotage
  – Unauthorized disclosure of information

Social Engineering Threats
• Multiple techniques are used to gain information from authorized employees and then use that information in conjunction with an attack
  – Protect your password (even from the help desk)
  – Protect personnel rosters

Dumpster Diving
• Rummaging through a company's or individual's garbage for discarded documents, information, and other valuable items that could be used in an attack against that person or company

Phishing
• Usually takes place through fraudulent e-mails requesting users to disclose personal or financial information
• The e-mail appears to come from a legitimate organization

Security Awareness
• Recognizing what types of security issues might arise
• Knowing your responsibilities and what actions to take in case of a breach

Policies and Procedures
• Acceptable use policy
• Personnel controls
• Hiring and termination practices

People and Places: What You Need to Know
• Physical security
• Physical security threats and countermeasures
• Personnel security
• Personnel security threats and countermeasures
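The Physical Access Control and Physical Security Procedures slides describe the decision an access-control system makes (who, what, when, where, how) and the procedure that follows it (log every entry to a restricted area, require escorts for visitors). The following Python block is an added example written for this deck, not code from the course or any real product; the people, areas, hours and credential types are constructed sample data, and the rule order (area authorization, credential type, permitted hours, escort requirement) is one reasonable policy, not the only one.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Authorization:
    """Who may enter which area, during which hours, with which credential.

    Hypothetical record layout for this example.
    """
    person: str
    area: str
    start: time              # earliest permitted entry, local time
    end: time                # latest permitted entry, local time
    methods: frozenset       # accepted credential types for this area
    escort_required: bool = False


# Constructed sample authorizations (names, areas and hours are hypothetical).
AUTHORIZATIONS = {
    ("alice", "server-room"): Authorization(
        "alice", "server-room", time(7, 0), time(19, 0), frozenset({"badge+pin"})),
    ("bob", "loading-dock"): Authorization(
        "bob", "loading-dock", time(6, 0), time(22, 0), frozenset({"badge"})),
    # Visitors get a temporary badge and must be escorted, as the procedures slide requires.
    ("visitor-17", "server-room"): Authorization(
        "visitor-17", "server-room", time(9, 0), time(17, 0),
        frozenset({"visitor-badge"}), escort_required=True),
}

# Every attempt, allowed or denied, is appended here so violations can be reviewed.
AUDIT_LOG = []


def check_access(person, area, when, method, escorted=False,
                 authorizations=AUTHORIZATIONS, log=AUDIT_LOG):
    """Decide one entry attempt and record it.

    Returns (allowed, reason). The reason is written to the audit log either way,
    so a denied attempt leaves the same evidence trail as a successful one.
    """
    auth = authorizations.get((person, area))
    if auth is None:
        allowed, reason = False, "no authorization for this area"       # who / where
    elif method not in auth.methods:
        allowed, reason = False, "credential type not accepted here"    # how
    elif not (auth.start <= when.time() <= auth.end):
        allowed, reason = False, "outside permitted hours"              # when
    elif auth.escort_required and not escorted:
        allowed, reason = False, "escort required"                      # procedure
    else:
        allowed, reason = True, "authorized"
    decision = "ALLOW" if allowed else "DENY"
    log.append(f"{when.isoformat()} area={area} person={person} method={method} "
               f"escorted={escorted} decision={decision} reason={reason}")
    return allowed, reason


def denied_attempts(log=AUDIT_LOG):
    """Return the log lines for denied attempts, the input to the 'impose consequences' step."""
    return [line for line in log if "decision=DENY" in line]


if __name__ == "__main__":
    # Constructed sequence of attempts during one working day.
    day = datetime(2024, 3, 4, 10, 30)
    check_access("alice", "server-room", day, "badge+pin")
    check_access("alice", "server-room", day.replace(hour=23), "badge+pin")
    check_access("visitor-17", "server-room", day, "visitor-badge")
    check_access("visitor-17", "server-room", day, "visitor-badge", escorted=True)
    check_access("bob", "server-room", day, "badge")
    for line in AUDIT_LOG:
        print(line)
    print(f"{len(denied_attempts())} denied attempt(s) to review")
```

The point a practitioner should take from this is that the log entry is written before the function returns, on both branches: an access-control system that records only successful entries cannot support the "impose consequences for violations" procedure, because the violations are exactly the attempts that were denied.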