Principles of Computer Security, Fourth Edition
Operational and Organizational Security
Chapter 3
Copyright © 2016 by McGraw-Hill Education. All rights reserved.
Objectives
• Identify various operational aspects to security in
your organization.
• Identify various policies and procedures in your
organization.
• Identify the security awareness and training needs of
an organization.
• Understand the different types of agreements
employed in negotiating security requirements.
Objectives (continued)
• Describe the physical security components that can
protect your computers and network.
• Identify environmental factors that can affect
security.
• Identify factors that affect the security of the
growing number of wireless technologies used for
data transmission.
• Prevent disclosure through electronic emanations.
Key Terms
• Acceptable use policy (AUP)
• Biometrics
• Bluetooth
• Business partnership agreement (BPA)
• Due care
• Due diligence
• Guidelines
• Heating, ventilation, and air conditioning (HVAC)
• IEEE 802.11
• Incident response policy
• Interconnection security agreement (ISA)
Key Terms (continued)
• Memorandum of understanding (MOU)
• Physical security
• Policies
• Procedures
• Security policy
• Service level agreement (SLA)
• Standards
• TEMPEST
• Uninterruptible power supply (UPS)
• User habits
Policies, Procedures, Standards, and Guidelines
• Policies – high-level, broad statements of what the
organization wants to accomplish
– Made by management when laying out the organization’s
position on some issue
• Procedures – step-by-step instructions on how to
implement policies in the organization
– Describe exactly how employees are expected to act in a
given situation or to accomplish a specific task
Policies, Procedures, Standards, and Guidelines (continued)
• Standards – mandatory elements regarding the
implementation of a policy
– Accepted specifications providing specific details on how a
policy is to be enforced
– Possibly externally driven
• Guidelines – recommendations relating to a policy
– Key term: recommendations
• Not mandatory steps
Policies, Procedures, Standards, and Guidelines (continued)
• Four steps of the policy lifecycle
1. Plan (adjust) for security in your organization.
• Develop the policies, procedures, and guidelines
2. Implement the plans.
• Includes an instruction period
3. Monitor the implementation.
• Ensure effectiveness
4. Evaluate the effectiveness.
• Vulnerability assessment and penetration test
Security Policies
• Security policy – a high-level statement produced by
senior management
– Outlines both what security means to the organization and
the organization’s goals for security
– Main security policy broken down into additional policies
covering specific topics
– Should include other policies
• Change management, data policies, human resources
policies
Change Management Policy
• Change management ensures that proper procedures are
followed when modifications to the IT infrastructure
are made.
– Modifications prompted by a number of different events
• “Management” implies that the process is controlled in
some systematic way.
• Change management process includes various
stages:
– Request change, review and approve process, examine
consequences, implement change, document process
Data Policies
• Data can be shared for the purpose of processing or
storage.
• Control over data is a significant issue in third-party
relationships.
• Who owns the data?
Data Policies (continued)
• Data ownership
– Data requires a data owner.
– Data ownership roles for all data elements need to be
defined in the business.
– Data ownership is a business function.
• The requirements for security, privacy, retention, and
other business functions must be established.
– Not all data requires the same handling restrictions, but all
data requires these characteristics to be defined.
• This is the responsibility of the data owner.
Data Policies (continued)
• Unauthorized data sharing
– Unauthorized data sharing can be a significant issue, and in
today’s world, data has value and is frequently used for
secondary purposes.
– Ensuring that all parties in the relationship understand the
data-sharing requirements is an important prerequisite.
– Ensuring that all parties understand the security
requirements of shared data is important.
Data Policies (continued)
• Data backup requirements involve:
– Determining level of backup, restore objectives,
and level of protection requirements
• Can be defined by the data owner and then executed
by operational IT personnel
– Determining the backup responsibilities and developing
the necessary operational procedures to ensure that
adequate backups occur are important security elements.
Data Policies (continued)
• Classification of information
– Needed because of different importance or sensitivity
– Factors affecting information classification
• Value to the organization, age, and laws or regulations
governing protection
– Most widely known classification system – U.S. government
• Confidential, Secret, and Top Secret
– Business classifications
• Publicly Releasable, Proprietary, Company Confidential,
and For Internal Use Only
Data Policies (continued)
• Data labeling, handling, and disposal
– Data labeling enables an understanding of level of
protection required.
– For data inside an information-processing system:
• Protections should be designed into the system
– Data outside the system requires other means of protection.
– Training ensures labeling occurs and is used and followed.
• Important for users whose roles are impacted by the
material
• Important for proper data handling and disposal
Data Policies (continued)
• Need to know goes hand-in-hand with least privilege.
• Guiding factor is that:
– Each individual is supplied the absolute minimum amount of
information and privileges needed to perform their work
• Access requires justified need to know.
• Policy should spell out these two principles:
– Who in the organization can grant access to information
– Who can assign privileges to employees
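To make the classification, need-to-know, and least-privilege points above concrete, here is an added example in Python (not from the textbook): a small default-deny access model in which every data element carries a classification label and a data owner, only the owner may grant access, each grant records its justification, and off-boarding revokes everything. The names, the sensitivity ordering of the business labels, and the rule that Publicly Releasable data needs no grant are assumptions of the example.

```python
from dataclasses import dataclass

# Business labels from the slides. The slides give no ordering, so the
# least-to-most-sensitive order below is an assumption for this example.
LEVELS = ["Publicly Releasable", "For Internal Use Only",
          "Proprietary", "Company Confidential"]
RANK = {label: i for i, label in enumerate(LEVELS)}


@dataclass(frozen=True)
class DataElement:
    name: str
    classification: str   # the label that drives handling requirements
    owner: str            # data ownership is a business role


@dataclass
class Employee:
    name: str
    clearance: str        # highest label this person may handle at all
    active: bool = True   # cleared on termination or separation


@dataclass(frozen=True)
class Grant:
    subject: str
    element: str
    granted_by: str
    justification: str    # the recorded need to know


class AccessPolicy:
    def __init__(self):
        self.elements = {}    # name -> DataElement
        self.employees = {}   # name -> Employee
        self.grants = []      # explicit, justified grants only

    def add_element(self, element):
        # Every element must carry a defined label before it is handled.
        if element.classification not in RANK:
            raise ValueError(f"unknown label: {element.classification}")
        self.elements[element.name] = element

    def add_employee(self, employee):
        self.employees[employee.name] = employee

    def grant(self, granter, subject, element, justification):
        """Record a grant. Enforces the two points the policy must spell out:
        only the data owner may grant access, and access needs a justified
        need to know. Clearance below the label is refused outright."""
        elem = self.elements[element]
        emp = self.employees[subject]
        if granter != elem.owner:
            raise PermissionError(f"{granter} does not own {element}")
        if not justification.strip():
            raise ValueError("need to know must be justified before granting")
        if RANK[emp.clearance] < RANK[elem.classification]:
            raise PermissionError(f"{subject} not cleared for {element}")
        g = Grant(subject, element, granter, justification)
        self.grants.append(g)
        return g

    def can_access(self, subject, element):
        """Least privilege: deny unless an explicit grant exists and the
        person's clearance and employment status still cover it. Publicly
        Releasable data needs no grant (an assumption of this example)."""
        elem = self.elements[element]
        emp = self.employees.get(subject)
        if emp is None or not emp.active:
            return False
        if elem.classification == "Publicly Releasable":
            return True
        if RANK[emp.clearance] < RANK[elem.classification]:
            return False
        return any(g.subject == subject and g.element == element
                   for g in self.grants)

    def offboard(self, subject):
        """Separation or termination: revoke every grant and deactivate
        the account. Returns the number of grants removed, for the record."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.subject != subject]
        if subject in self.employees:
            self.employees[subject].active = False
        return before - len(self.grants)


def build_sample_policy():
    """Constructed sample data: three labeled elements, two employees."""
    p = AccessPolicy()
    p.add_element(DataElement("press-release", "Publicly Releasable", "pr-lead"))
    p.add_element(DataElement("q3-forecast", "Company Confidential", "cfo"))
    p.add_element(DataElement("vendor-list", "Proprietary", "procurement-lead"))
    p.add_employee(Employee("alice", "Company Confidential"))
    p.add_employee(Employee("bob", "Proprietary"))
    p.grant("cfo", "alice", "q3-forecast", "prepares the quarterly board pack")
    p.grant("procurement-lead", "bob", "vendor-list", "runs supplier onboarding")
    return p
```

Calling `build_sample_policy().can_access("bob", "q3-forecast")` returns False because bob has neither the clearance nor a grant, while the same call for "alice" returns True only while her justified grant and active status remain.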
Data Policies (continued)
• Disposal and destruction policy
– Important papers should be shredded.
– Delete all files and overwrite the data on magnetic storage
before discarding it.
– Destroy data magnetically using a strong magnetic field to
degauss the media.
– File off magnetic material from the surface of a hard drive
platter.
– Shred floppy media, CDs and DVDs.
– Best practice is to match the action to the risk level.
Human Resources Policies
• Humans are the weakest link in the security chain.
• Three policies are needed:
– Policy for hiring of individuals
– Policy to keep employees from “disgruntled” category
– Policy to address employees leaving organization
• Security must be considered in all policies.
Human Resources Policies (continued)
• Code of ethics
– Describes expected behavior at highest level
– Sets tone for how employees act and conduct business
• Code inclusions
– Demand honesty from employees
– Demand employees perform all activities in a professional
manner
– Address principles of privacy and confidentiality
– State how employees treat client and organizational data
– Cover how to handle conflicts of interests
Human Resources Policies (continued)
• Job rotation
– By rotating through jobs, individuals gain a better
perspective on how the various parts of IT can enhance (or
hinder) the business.
– Rotating individuals through security positions can result in
a much wider understanding throughout the organization
about potential security problems.
– A benefit is that the company does not have to rely on any
one individual too heavily for security expertise.
Human Resources Policies (continued)
• Employee hiring and promotions
– Policies should ensure the organization hires the most capable
and trustworthy employees.
– Policies should minimize the risk that the employee will
ignore company rules and affect security.
• Periodic reviews by supervisory personnel, additional
drug checks, and monitoring of activity during work
– Policy should handle employee’s status change.
• Especially if construed as negative
• If employee promoted, privileges may still change
Human Resources Policies (continued)
• Retirement, separation, or termination of an
employee
– Employee announced retirements – limit access to
sensitive documents when employee announces their
intention.
– Forced retirement – determine risk if employee becomes
disgruntled.
– New job offer – carefully consider continued access to
sensitive information.
– Termination – assume the employee is or will become disgruntled.
Human Resources Policies (continued)
• Mandatory vacations
– Employee who never takes time off might be involved in
nefarious activity.
– Requiring mandatory vacations serves as a security
protection mechanism.
• Tool to detect fraud
• Necessity of a second person familiar with security
procedures to fill in while employee on vacation; good
policy in case something happens to the primary
employee
Human Resources Policies (continued)
• On-boarding/off-boarding business partners
– Agreements tend to be fairly specific about the terms and
mutual expectations associated with the business process.
– Important considerations prior to the establishment of the
relationship include:
• On-boarding and off-boarding processes
• Data retention and destruction by the third party
Human Resources Policies (continued)
• Social media networks
– Considered a form of third party
– Challenge of terms of use as there is no negotiated set of
agreements with respect to requirements
• Only option is to adopt provided terms of service
Human Resources Policies (continued)
• Acceptable use policy (AUP)
– AUP outlines what the organization considers to be the
appropriate use of company resources, such as computer
systems, e-mail, Internet access, and networks.
– Goal is to ensure employee productivity while limiting
organizational liability through inappropriate use of the
organization’s assets.
– Policy clearly delineates what activities are not allowed.
– It states if the organization considers it appropriate to
monitor the employees’ use of the systems and network.
Human Resources Policies (continued)
• Internet usage policy
– Goal: ensure maximum employee productivity and limit
potential liability to the organization from inappropriate
use of the Internet in the workplace
– Addresses which sites employees are and are not allowed
to visit
– Spells out the acceptable use parameters
– Describes the circumstances under which an employee is
allowed to post something from the organization’s network
on the Web
• A procedure for posting the object or message is needed
Human Resources Policies (continued)
• E-mail usage policy
– Specifies what the company allows employees to send in,
or as attachments to, e-mail messages
– Spells out whether nonwork e-mail traffic is allowed
– Describes the types of messages considered inappropriate to
send
– Specifies disclaimers that must be attached to an
employee’s message sent to an individual outside the
company
– Reminds employees of the risks of clicking on links in
e-mails, or opening attachments
Human Resources Policies (continued)
• Clean desk policy
– Specifies that sensitive information must not be left
unsecured in the work area when the worker is not
present to act as custodian
– Identifies and prohibits things that are not obvious upon
first glance, such as passwords on sticky notes under
keyboards and mouse pads or in unsecured desk drawers
– Training for clean desk activities makes the issue a
personal one
Human Resources Policies (continued)
• Bring your own device (BYOD) policy
– Primary purpose
• Lower risk associated with connecting a wide array of
personal devices to a company’s network and accessing
sensitive data on them.
– Central element of a BYOD policy
• Security, in the form of risk management
– Device requirements
• Must be maintained in a current, up-to-date software
posture, and with certain security features
Human Resources Policies (continued)
• Privacy policy
– Explains guiding principles in guarding personal data to
which organizations are given access
• Personally identifiable information (PII)
– Includes any data that can be used to uniquely identify an
individual
• Name, address, driver’s license number, and other
details
• Necessary measures must be taken by the company
– Ensure data is protected from compromise
Due Care and Due Diligence
• Due care generally refers to the standard of care a
reasonable person is expected to exercise in all
situations.
• Due diligence generally refers to the standard of care
a business is expected to exercise in preparation for a
business transaction.
• The standard applied—reasonableness—is extremely
subjective and often is determined by a jury.
– Many sectors have a set of “security best practices.”
Due Process
• Due process is concerned with guaranteeing
fundamental fairness, justice, and liberty in relation
to an individual’s legal rights.
– Individual’s rights outlined by Constitution and Bill of
Rights
• Procedural due process uses the concept of “fair.”
• Courts recognize a series of rights embodied by the
Constitution.
• Organizational due process occurs in administrative
actions adversely affecting employees.
Incident Response Policies and Procedures
• Incident response policy and associated procedures
– Developed to outline how the organization will prepare for
security incidents and respond to them when they occur
– Designed in advance
– Should cover five phases:
• Preparation, detection, containment and eradication,
recovery, and follow-up actions
Security Awareness and Training
• Programs enhance an organization’s security posture.
– Teach personnel how to follow the correct set of actions to
perform their duties in a secure manner
– Make personnel aware of the indicators and effects of
social engineering attacks
• Properly trained employees perform duties in a more
effective manner.
• Security awareness programs and campaigns include:
– Seminars, videos, posters, newsletters, similar materials
– Fairly easy to implement and not very costly
Security Policy Training and Procedures
• Personnel need training on the tasks and expectations
required to perform complex tasks.
– Applies to security policy and operational security details
• Use refresher training for periodic reinforcement.
• Collection of policies should paint a picture
describing the desired security culture of the
organization.
– Security policy – high-level directive
– Second-level policies – password, access, information
handling, and acceptable use policies
Role-based Training
• Training needs to be targeted to the user with regard
to their role in the subject of the training.
• Role-based training is an important part of
information security training.
• Personnel-related training elements include:
– Retraining over time to keep proper levels of knowledge
– Reassessment of required training needed as people
change jobs
• It is important to maintain accurate personnel
training records.
Compliance with Laws, Best Practices, and Standards
• A wide array of laws, regulations, contractual
requirements, standards, and best practices is
associated with information security.
– Organizations must build them into their own policies and
procedures.
Compliance with Laws, Best Practices, and Standards (continued)
• External requirements impart a specific training and
awareness component upon the organization.
– Payment Card Industry Data Security Standard (PCI DSS),
Gramm-Leach-Bliley Act (GLBA), or Health Insurance
Portability and Accountability Act (HIPAA)
User Habits
• User habits are a front-line security tool in engaging
the workforce to improve the overall security posture
of an organization.
• Individual user responsibilities vary between
organizations and the type of business in which each
organization is involved.
– There are certain very basic responsibilities that all users
should be instructed to adopt.
New Threats and Security Trends/Alerts
• New viruses
– New forms of viruses, or malware, are created every day.
– Poor user practices assist in the spread of attacks.
– Training assists in defending against these attack vectors.
• Phishing attacks
– Best defense is an educated and aware body of employees.
• Social networking and P2P
– People habitually share too much information.
– Don’t mix business and personal information.
Training Metrics and Compliance
• Requirements for maintaining a trained workforce
– Record-keeping system measuring compliance with
attendance and the effectiveness of the training
– Follow up and gather training metrics to validate
compliance and security posture
• Challenges
– Maintaining active, up-to-date listing of individual training
and retraining
– Monitoring the effectiveness of the training; measuring
effectiveness by actual impact on employee behavior
Interoperability Agreements
• Many business operations involve actions between
many different parties.
• Actions require communication between the parties.
– Define the responsibilities and expectations of the parties
– Define business objectives
– Define environment within which the objectives will be
pursued
• Written agreements are used to ensure the agreement is
understood between the parties.
Interoperability Agreements (continued)
• Service level agreements (SLA)
– Contractual agreements between entities that describe
specified levels of service that the servicing entity agrees
to guarantee for the customer
• SLA rules
– Describe the entire set of product or service functions in
sufficient detail that their requirements will be
unambiguous
– Provide a clear means of determining whether a specified
function or service has been provided at the agreed-upon
level of performance
Interoperability Agreements (continued)
• Business partnership agreement (BPA)
– Legal agreement between partners establishing the terms,
conditions, and expectations of the relationship between
the partners
• Sharing of profits and losses, the responsibilities of
each partner, the addition or removal of partners, and
any other issues
• Uniform Partnership Act (UPA)
– Lays out a uniform set of rules associated with partnerships
to resolve any partnership terms
– Designed as “one size fits all”
Interoperability Agreements (continued)
• Memorandum of understanding (MOU)
– Legal document used to describe a bilateral agreement
between parties
– Written agreement expressing a set of intended actions
between the parties with respect to some common
pursuit or goal
– More formal and detailed than a simple handshake
• Generally lacks the binding powers of a contract
– Common to find between different units within an
organization to detail expectations associated with the
common business interest
Interoperability Agreements (continued)
• Interconnection security agreement (ISA)
– Specialized agreements between organizations that have
interconnected IT systems
– Purpose is to document the security requirements
associated with the interconnection.
• ISA as part of an MOU
– ISA can detail specific technical security aspects of a data
interconnection.
The Security Perimeter
• Various network components
– Connection to the Internet
• Protection such as a firewall is attached to it.
– Intrusion detection system (IDS)
• May be either on the inside or the outside of the
firewall or both
• Specific location depends on the company and what it
is more concerned about preventing
– Router
• Enhances security
Figure 3.1 Basic diagram of an organization’s network
The Security Perimeter (continued)
• Additional possible access points into the network
– Public switched telephone network (PSTN) and wireless
access points
– Authorized modems or wireless networks
– Potential exists for unauthorized versions of both
• Voice over IP (VoIP)
– Eliminates the traditional land lines in an organization and
replaces them with special telephones that connect to the
IP data network
• Insiders are seen as the biggest danger to any organization.
Figure 3.2 A more complete diagram of an organization’s network
Physical Security
• Physical security
– Consists of all mechanisms used to ensure that physical
access to the computer systems and networks is restricted
to only authorized users
• Additional physical security mechanisms
– Routers, firewalls, and intrusion detection systems
• Consider access from all six sides
– Security of the obvious points of entry (doors and windows)
should be examined
– The walls themselves, as well as the floor and ceiling,
should be examined too
Physical Access Controls
• Physical access
– Restricted by requiring the individual to somehow
authenticate that they have the right or authority to have
the desired access
– Authentication based on something the individual has,
something they know, or something they are
– Lock: most common physical access control device
– Other common physical security devices
• Video surveillance, simple access control logs, guards
Physical Access Controls (continued)
• Biometrics: something-you-are method
– More sophisticated and can be an expensive access control
– Suffer from false positives and false negatives
• Makes them less than 100 percent effective
• Frequently used with another form of authentication
– Advantage: user always has them and they tend to have
better entropy than passwords
Biometrics (continued)
• Methods: handwriting analysis, retinal scans, iris
scans, voiceprints, hand geometry, and facial
geometry
• Control access to computer systems and networks
and physical access to restricted areas
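The false positive/false negative point above is easiest to see with numbers. This is an added example in Python, not from the slides; the similarity score lists are constructed, not measured. It sweeps the accept threshold to show how false rejects trade against false accepts, finds the equal error point, and shows why a second authentication factor is usually paired with a biometric.

```python
# Constructed similarity scores (0.0 = no match, 1.0 = perfect match) for
# ten genuine attempts and ten impostor attempts. The overlap between 0.66
# and 0.71 is the point: no threshold separates the two groups perfectly.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.69, 0.66]
IMPOSTOR = [0.71, 0.68, 0.64, 0.60, 0.55, 0.51, 0.47, 0.42, 0.38, 0.33]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_reject_rate, false_accept_rate) at a threshold.
    A sample is accepted when its score is >= threshold.
    False reject (false negative): a genuine user scores below threshold.
    False accept (false positive): an impostor scores at or above it."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds and return (threshold, frr, far) where the two error
    rates are closest; the equal error rate is the usual single-number
    summary of a matcher's accuracy."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best


def tradeoff_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Rows of (threshold, frr, far) showing the trade-off: raising the
    threshold lowers false accepts but raises false rejects."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def authenticate(score, threshold, second_factor_ok):
    """Biometric plus a second factor: a false accept on the biometric alone
    does not admit an impostor unless the second factor also passes."""
    return score >= threshold and second_factor_ok


if __name__ == "__main__":
    for t, frr, far in tradeoff_table([0.5, 0.6, 0.69, 0.75, 0.85]):
        print(f"threshold {t:.2f}: FRR {frr:.0%}  FAR {far:.0%}")
    print("equal error point (threshold, FRR, FAR):", equal_error_threshold())
```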
Physical Barriers
• Physical barriers help implement the physical-world
equivalent of layered security.
– Outermost layer contains more publicly visible activities
– As one progresses through the layers, barriers and security
mechanisms become less publicly visible
– Signs to announce public and private areas
– Man trap: consists of a small space large enough for only
one person at a time, with two locking doors
• Open space can serve as a barrier.
Environmental Issues
• Heating, ventilation, and air conditioning (HVAC)
systems maintain office environment comfort.
• Electrical power is subject to momentary surges and
disruption.
– Surge protectors protect sensitive electronic equipment
from fluctuations in voltage.
– Uninterruptible power supply (UPS) should be considered
for critical systems so that a loss of power will not halt
processing
Fire Suppression
• Two approaches to address the threat
– Detectors detect a fire in its very early stages before the
fire suppression system is activated.
• Can potentially sound a warning to deal with the fire
before suppression equipment kicks in
– Suppression systems come in several varieties.
• Standard sprinkler-based systems – not optimal for
data centers
• Gas-based systems – good alternative but they carry
special concerns
Wireless
• Wireless communications refers to cellular
telephones (“cell phones”)
– Cell phone network: the phones, the cells (with their
accompanying base stations) in which they are used, and the
hardware and software that allow them to communicate
• Two main wireless network technology standards
– Bluetooth
– IEEE 802.11
Wireless (continued)
• Bluetooth – short range (approximately ten meters)
personal area network (PAN) cable-replacement
technology
• Bluetooth devices – talk directly without a central
device
– Peer-to-peer communication
Wireless (continued)
• IEEE 802.11 set of standards
– Well suited for the local area network (LAN) environment
– Operate in an ad hoc peer-to-peer fashion or in
infrastructure mode
• In infrastructure mode, computers with 802.11 network
cards communicate with a wireless access point
• IEEE 802.11 security problems
– Transmission and reception areas covered by access points
are not easily controlled; networks set up without security
enabled; serious security flaws exist in the 802.11 design
Electromagnetic Eavesdropping
• The van Eck phenomenon
– Eavesdropping on what was being displayed on monitors
could be accomplished by picking up and then decoding
the electromagnetic interference produced by the
monitors.
• TEMPEST (Transient ElectroMagnetic Pulse
Emanation STandard)
– Military program to control these electronic emanations
– The actual process for controlling the emanations
Electromagnetic Eavesdropping (continued)
• Prevent emanations from being picked up
– Put the equipment beyond the point that the emanations
can be picked up.
– Provide shielding for the equipment itself.
– Place equipment in a shielded enclosure (such as a room).
• Can also put distance between the target and the
attacker or use a Faraday cage (shielding a room)
• Electromagnetic eavesdropping equipment is not
readily available
Modern Eavesdropping
• Webcams and microphones are used to spy on users
– Record keystrokes and other activities
• Devices intercept wireless signals between wireless
keyboards and mice
• USB-based keyloggers
– Placed in the back of machines
Chapter Summary
• Identify various operational aspects to security in
your organization.
• Identify various policies and procedures in your
organization.
• Identify the security awareness and training needs of
an organization.
• Understand the different types of agreements
employed in negotiating security requirements.
Chapter Summary (continued)
• Describe the physical security components that can
protect your computers and network.
• Identify environmental factors that can affect
security.
• Identify factors that affect the security of the
growing number of wireless technologies used for
data transmission.
• Prevent disclosure through electronic emanations.