5.3 Organizational Security Flashcards
a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet or other resources.
• What is acceptable use of company assets?
– Detailed documentation
– May be documented in the Rules of Behavior
• Covers many topics
– Internet use, telephones, computers,
mobile devices, etc.
• Used by an organization to limit legal liability
– If someone is dismissed, these are the well-documented
reasons why
Acceptable use policies (AUP)
• Job rotation
– Keep people moving between responsibilities
– No one person maintains control for long periods
of time
• Mandatory vacations
– Rotate others through the job
– The longer the vacation, the better chance
to identify fraud
– Especially important in high-security environments
• Separation of duties
– Split knowledge
  • No one person has all of the details
  • Half of a safe combination
– Dual control
  • Two people must be present to perform the business function
  • Two keys open a safe (or launch a missile)
• Clean desk policy
– When you leave, nothing is on your desk
– Limit the exposure of sensitive data to third parties
Business policies
the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Privilege itself refers to the authorization to bypass certain security restraints.
• Rights and permissions should be set to
the bare minimum
– You only get exactly what’s needed to complete
your objective
• All user accounts must be limited
– Applications should run with minimal privileges
• Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior
Least privilege
a review of a potential employee's criminal, commercial and financial records. The goal of [this] is to ensure the safety and security of the employees in the organization.
• [this]
– Pre-employment screening
– Verify the applicant’s claims
– Discover criminal history, workers compensation claims, etc.
– Legalities vary by country
• Adverse actions
– An action that denies employment based on the background check
– May require extensive documentation
– Can also include existing employees
Background checks
a system of policies and procedures which aim to manage and minimize the risk of people exploiting legitimate access to an organization’s assets or premises for unauthorized purposes.
• NDA (Non-disclosure agreement)
– Confidentiality agreement / Legal contract
– Prevents the use and dissemination of
confidential information
• Social media analysis
– Gather data from social media
– Facebook, Twitter, LinkedIn, Instagram
– Build a personal profile
– Another data point when making a hiring decision
Personnel security procedures
Adding a new user to an identity management system or upgrading the user’s privileges.
• Bring a new person into the organization
– New hires or transfers
• IT agreements need to be signed
– May be part of the employee handbook or
a separate AUP
• Create accounts
– Associate the user with the proper groups
and departments
• Provide required IT hardware
– Laptops, tablets, etc.
– Preconfigured and ready to go
On-boarding
Removing a user from an identity management system or downgrading the user’s privileges.
• All good things… (But you knew this day would come)
• This process should be pre-planned
– You don’t want to decide how to do things at this point
• What happens to the hardware and the data?
• Account information is usually deactivated
– But not always deleted
Off-boarding
helps the user operate the system efficiently. During the training, a manual is given to every user so that they can understand the problem and solve it. The training content covers the use of data: how users can edit, add, query and delete records.
• Gamification
– Score points, compete with others, collect badges
• Capture the flag (CTF)
– Security competition
– Hack into a server to steal data (the flag)
– Can involve highly technical simulations
– A practical learning environment
• Phishing simulation
– Send simulated phishing emails
– Make vishing calls
– See which users are susceptible to phishing attacks
without being a victim of phishing
• Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience
User training
Tailors training materials and delivery mechanisms to fit the role of an employee, reducing the cyber risk associated with that role.
Addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include, for example, policies, procedures, tools, and artifacts for the organizational security roles defined.
• Before providing access, train your users
– Detailed security requirements
• Specialized training
– Each user role has unique security responsibilities
• Also applies to third parties
– Contractors, partners, suppliers
• Detailed documentation and records
– Problems later can be severe for everyone
Role-based security awareness training
a part of the supply chain: the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual delivery to the end user.
• Every organization works with vendors
– Payroll, customer relationship management,
email marketing, travel, raw materials
• Important company data is often shared
– May be required for cloud-based services
• Perform a risk assessment
– Categorize risk by vendor and manage the risk
• Use contracts for clear understanding
– Make sure everyone understands the expectations
– Use the contract to enforce a secure environment
Target credit card breach - November 2013
• Every point of sale terminal infected
– A third-party was allowed in through lapses in
security policy
• A vendor was infected through an email attachment
– The vendor didn’t have or follow a security policy for
their workstations
• Target didn’t segment the vendor network
from the corporate
– The attackers jumped from the vendor to the
Target network
• The corporate network was not segmented from
point of sale (POS) terminals
– Once on the inside, it was relatively easy to get to
your credit card numbers
– (110 million card numbers)
Vendors
the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. [this] encompasses everything from the delivery of source materials from the supplier to the manufacturer through to its eventual delivery to the end user.
• The system involved when creating a product
– Involves organizations, people, activities, and resources
• Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordination between groups
– Identify areas of improvement
– Assess the IT systems supporting the operation
– Document the business process changes
• New laptops arrive with bundled malware
– Lenovo, August 2014 through early 2015
– Superfish software added a self-signed root cert (!)
– Allowed for on-path attacks when browsing any site,
including over HTTPS
Supply chain
any entity that you collaborate with on a business-to-business basis.
• Much closer to your data than a vendor
– May require direct access
– May be a larger security concern than an outside hacker
• Often involves communication over a trusted connection
– More difficult to identify malicious activity
• Partner risk management should be included
– Requirements for best practices, data handling,
intellectual property
• Include additional security between partners
– Firewalls and traffic filters
Business partners
• Service Level Agreement (SLA) - defines the level of service you expect from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved.
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and service providers
• Memorandum of Understanding (MOU) - A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission.
– Both sides agree on the contents
of the memorandum
– Usually includes statements of confidentiality
– Informal letter of intent; not a signed contract
• Measurement system analysis (MSA) - an experimental and mathematical method of determining the amount of variation that exists within a measurement process. Variation in the measurement process can directly contribute to our overall process variability.
– Don’t make decisions based on incorrect data!
– Used with quality management systems,
e.g., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty
• Business Partnership Agreement (BPA) - a legal document that dictates how a small for-profit business will operate under two or more people. The agreement lays out the responsibilities of each partner in the business, how much of the business each partner owns, and how much profit and loss each partner is responsible for.
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for contingencies
Common agreements
from the customer or end user perspective, and is often defined as the time between installation, commissioning or startup, till removed, decommissioned, or failure.
• End of life (EOL) - applies to both hardware and software. It is the stage of a product in which it becomes outdated or unsupported by the manufacturer.
– Manufacturer stops selling a product
– May continue supporting the product
– Important for security patches and updates
• End of service life (EOSL) - support is the biggest differentiating factor. The EOSL label is more final than EOL. At this stage, the OEM stops selling the product and won’t offer any more maintenance or support. If they do support the hardware in some way, they may charge a premium for the service.
– Manufacturer stops selling a product
– Support is no longer available for the product
– No ongoing security patches or updates
– May have a premium-cost support option
• Technology EOSL is a significant concern
– Security patches are part of normal operation
Product support lifetime
An agreement signed between two parties that have to disclose confidential information to each other in order to do business.
• Confidentiality agreement between parties
– Information in the agreement should not
be disclosed
• Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
• Unilateral or bilateral (or multilateral)
– One-way NDA or mutual NDA
• Formal contract
– Signatures are usually required
Non-disclosure agreement (NDA)