* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Network Security Policy in the Work Place
Survey
Document related concepts
Post-quantum cryptography wikipedia , lookup
Information security wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Airport security wikipedia , lookup
Security printing wikipedia , lookup
Network tap wikipedia , lookup
Unix security wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Mobile security wikipedia , lookup
Wireless security wikipedia , lookup
Computer security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Transcript
Network Security Policy in the Work Place By: Joshua Cormas Network Security Policy in the Work Place • Brief overview: – Explain how companies control the risks – List the different types of security policies – Describe training and awareness to provide increased security in the work place – Real life examples Net. Security in Work Place • The most important concept in information security and networks is risk. There can be many different types of risk that are encountered in an organization. • Some risks are small and easily managed, while other risks can threaten the existence of a business. • These risks were once taken lightly, but today they are viewed as avenues through which an attacker can cripple a business. Net. Security in Work Place • Many of these of approaches can be applied to information security in general, however I will be focusing on the network security aspects. Net. Security in Work Place • Most organizations utilize a multifaceted approach. – First, they work to control risk through management techniques. – Second, they develop a policy that reflects the organization’s needs and operation. The network security policy defines what the organization needs to protect and how they will do so. – The third approach is awareness and training on the policies. Similar to how users must be instructed on how to use specific software or hardware, they also must be told network policies to maintain a secure network and business. Net. Security in Work Place • Controlling Risk – Threat: a type of action that has the potential to cause harm to a computer network. – Threat agent: a person or element that has power to carry out a threat. – Vulnerability: a flaw or weakness in a company’s network security (ex: authentication methods, back door, etc.) – Risk: likelihood that the threat agent will exploit the vulnerability Net. Security in Work Place • Some classifications of network security risks… • 1. Compliance – Following a regulation or standard on a network. • 2. Strategic – Action that affects long-term goals of organization, such as unauthorized access to intellectual property on a company database. • 3. Technical – Events that affect network systems, such as DDoS or SQL injection Net. Security in Work Place • Three strategies for controlling risks in an organization… – 1. Privilege Management: process of assigning and revoking privileges to users on a network – 2. Change Management: methodology for making modifications and keeping track of changes, such as new servers or routers being introduced to a network. – 3. Incident Management: framework and functions required to enable incident response Net. Security in Work Place • Another way of reducing risks is through a network security policy. • A security policy is a document that outlines the protections that should be enacted to ensure that the organization’s network stability and assets face minimal risks. • Defines how an organization plans to protect the company’s network. Net. Security in Work Place • The primary purpose of a network security policy is to inform users and staff the requirements for protecting various assets. • These assets take many forms, including passwords, documents, or even servers. • These policies also lay guidelines for acquiring, configuring, and auditing computer systems and networks. Net. Security in Work Place • Things companies consider when creating a network security policy include… • 1. What do you have on the network that others want? • 2. What processes, data, or information systems are critical to your organization? • 3. What would stop your company from functioning? Net. Security in Work Place • The answers to these questions identify network assets in a wide range. – Including critical databases – Vital applications – Personal data – Shared network storage – E-mail servers – Web servers Net. Security in Work Place • Network security policies must consider all entities that deal with your network. • Not only employees, but end users and anyone who has confidential data on your networks. • Employees are considered potential threats in security policies. – However, the policies must be implemented so that employees are still able to complete their jobs without being overly burdened by security measures. Net. Security in Work Place • In network security policies, users can be organized into two audiences. – Internal audience: managers/executives, departments, technical staff, end users – External audience: partners, customers, suppliers, consultants Net. Security in Work Place • Network Security Policy Components • This structure of a corporate policy is aimed at effectively meeting the needs of all audiences on the network. – Governing Policy: Policy is a high-level treatment of security concepts that are important to the company. Managers and technical staff are the intended audience. This policy section controls all security-related interaction among business units and supporting departments in the company. – End User Policy: This document covers all security topics important to end users. This policy answers the “what”, “who”, “when” and “where” network security policy questions for end users. – Technical Policies: Security staff members use technical policies as they carry out their security responsibilities for the network or system. These policies are more detailed than the others, and are system or issue specific. Net. Security in Work Place • Network security staff members use the technical policies in the conduct of their daily responsibilities. – Acceptable use policy: Defines the acceptable use of computing services and networks, and security measures employees should take. • IUP has an acceptable use policy for all users on their networks. – Audit Policy: Use to conduct audits and risk assessments, investigate incidents, ensure adherence to security policies, monitor user and system activity when needed. Net. Security in Work Place - Global Web Server Policy: defines the standards that are required by all web hosts on the network. - E-mail Policies: defines standards to prevent tarnishing the public image of the organization, restrict automatic e-mail forwarding to external destinations without prior approval, spam policies - Remote Access Policies: defines the standards for connecting to the network from any host or network external to the organization Net. Security in Work Place - VPN Security Policy: defines requirements for remote-access IP security (Ipsec) or Layer 2 Tunneling Protocol VPN connections to the organization network - Application Service Provider Policy: defines the minimum security criteria that an ASP must execute before the organization uses their services on a project - Database Credential Policy: defines the minimum requirements for securely storing and retrieving database username / passwords Net. Security in Work Place • Inter-process Communications Policy: defines the security requirements that ay two or more processes must meet when they communicate with each other using a network socket or operating system socket • Source Code Protection Policy: establishes minimum security requirements for managing product source code • Extranet Policy: defines requirement that thirdparty organizations that need access to the organization networks must sign a third-party connection agreement Net. Security in Work Place - Requirements for Network Access Policy: defines the standards and requirements for any device that requires connectivity to the internal network - Network Access Standards: defines the standards for secure physical port access for all wired and wireless network data ports - Router and Switch Security Policy: defines the minimal security configuration standards for routers and switches inside a company production network - Server Security Policy: defines the security configuration standards for servers inside a company production network or used in production capacity Net. Security in Work Place - Wireless Policy: defines standards for wireless systems that are used to connect to the organization networks - Electronic Communication Policy: defines standards for the retention of e-mail and instant messaging • There are many more policies to consider when an organization develops a network security policy document. These serve as a general base for this document. Net. Security in Work Place • Policies are important, but are useless if staff doesn’t understand and implement them. • Technical and administrative controls can all be defeated without participation of the enduser community. – To get end users (accountants, administration, etc.) to think about security policies, the company must train and regularly remind them about security. Net. Security in Work Place • Another important aspect of network security, is the physical security that protects hardware, such as servers and other computer equipment. • One method of protecting the physical assets of a network is to centralize network servers in one area. – Access to the area would require authentication of some sort, such as an ID badge. Net. Security in Work Place Net. Security in Work Place • Another key component to the physical security of a network is surveillance. • Outside of a physical network asset, there should be cameras monitoring to see who enters and attempts to access the location. • This will enable a company or organization to detect when someone enters a sensitive location, as well as evidence in the result of an attack. Net. Security in Work Place • Network encryption is another key factor. • Sometimes called “network level encryption”, is a network security process that applies crypto services at the network transfer layer. • Using existing network services and application software, network encryption is invisible to the end users and operates independently of any other encryption processes used. Net. Security in Work Place • Businesses and organizations can utilize network encryption methods to ensure communications between local networks are confidential. • One popular form of network encryption is Ipsec, otherwise known as Internet Protocol Security. – It includes a set of cryptographic tools to protect communications, encrypting each IP packet going between network systems. – This includes communication through the router or the client. Net. Security in Work Place • Network encryption products and services are offered by a number of companies, such as Cisco, Motorola, and Oracle. Net. Security in Work Place • Companies and organizations should always have some form of a data back up, so that all is not lost in the result of a network takedown or attack. – A nightly data back up held on a separate server is a good method. – IUP utilizes a nightly server back up onto an external server. This backs up e-mails and documents on IUP computers for recovery if needed. Net. Security in Work Place • Security policies also need to be revised over time. • With new technologies being released every year, it’s important that network security policies are also updated. • Policies should be updated to reflect any changes that are made in the company, to keep the work environment secure and operating efficiently. – Ex: New server created, management, authorization, access Net. Security in Work Place • Depending on work atmosphere and deadlines, technical staff tend to focus on performance such as increasing throughput, rather than “secure” performance. • Therefore, leadership must develop a nonintrusive program that keeps everyone aware of security and how to work to maintain the security of their networks and data. • 3 key components of this type of implementation is awareness, training, and education. Net. Security in Work Place • There are many past examples of network security being breached in a business or organization. – According to zdnet.com, a technology news website, nearly half of all companies globally have been hit with a Distributed Denial of Service (DDoS) attack in the past year. – A DDoS attack attempts to overload a company system – such as a web server, by sending so many communication requests that legitimate traffic cannot get through. – While annoying, sometimes a DDoS attack can be a cover for a bigger crime. It was recently revealed that organized crime groups can use a DDoS attack against a company (such as a bank), to divert the attention of the security team while criminals plunder accounts using stolen credentials. Net. Security in Work Place • Another major recent security breach occurred in December 2013, on Target’s network. – It’s speculated that this massive data breach may have resulted partly from the retailer’s failure to segregate systems handling sensitive payment card data from the rest of the network. – Sources close to the investigation said the attackers first gained access to Target’s network with a username and password stolen from a Mechanical Services company. – The attackers leveraged the access provided by the Mechanics company to move about undetected on Target’s network and upload malware programs on the company’s systems. • This incident could have been avoided with proper network security auditing and planning measures. This is one of the many examples of how important network security policy can be in businesses and organizations. Net. Security in Work Place • In 2014 Sony suffered a massive security breach. • Hackers erased data from its systems, and stole and released to the public, pre-release movies, private information and sensitive documents. • Origin of the attack is not positive, but some speculate it was the result of an external network attack. • Sony’s network security was insufficient and it led to serious consequences for the company. Net. Security in Work Place • https://www.youtube.com/watch?v=r1czEe8z TCU Sources • Ciampa, Mark D. Security+ Guide To Network Security Fundamentals. Boston, Mass.: Thomson/Course Technology, 2005. Print. • "Network Security Concepts and Policies." Security Policies. Cisco, 25 June 2014. Web. 30 Mar. 2015. • Knoll, KARE-TV Jay. "Target Poised to Settle Breach for $10 Million." USA Today. Gannett, 19 Mar. 2015. Web. 30 Mar. 2015. • "Worst Security Breaches of the Year 2014: Sony Tops the List." Network World. Network World, 18 Dec. 2014. Web. 30 Mar. 2015. • "Nearly Half of Companies Hit with DDoS Attacks in the Last Year | ZDNet."ZDNet. Zdnet.com, 30 June 2014. Web. 30 Mar. 2015.