Tuesday, July 29, 2014

Risk Mitigation

Risk Mitigation, a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

How to Control Risk

Privilege Management, the process of assigning and revoking privileges to objects; that is, it covers the procedures of managing object authorizations.

Change Management, refers to a methodology for making modifications and keeping track of those changes. Change management seeks to approach changes systematically and provide the necessary documentation of the changes.

Incident Management, the framework and functions required to enable incident response and incident handling within an organization. The objective of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the users.

Types of Security Policies

User Policies - Define what users can do when using your network or data and also define security settings that affect users such as password policies.
  • Password Policies - This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used such as lower case letters, upper case letters, numbers, and special characters), and other items.
  • Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
  • Internet Usage - Use of Internet mail; use of programs that send passwords or unencrypted data over the Internet.
  • System Use - Program installation, No Instant Messaging, No file sharing such as Kazaa, Morpheus. Restrictions on use of your account or password (not to be given away).
  • VPN and remote user system use (remote access) - Remote systems must be checked for viruses/trojans/backdoors, must have a firewall, and must have AV.
  • Acceptable use of hardware such as modems - No use of modems to internet without a personal firewall.
IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
  • Virus incident and security incident - Intrusion detection, containment, and removal.
  • Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
  • Client update policies - Update clients how often and using what means or tools.
  • Server configuration, patch update, and modification policies (security) - Remove unneeded services (harden server).
  • Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.
  • Wireless, VPN, router and switch security, DMZ policy, email retention, auto-forwarded email policy, ability for IT to audit and do risk assessment, acceptable encryption algorithms
General Policies - High level policies defining who is responsible for the policies along with business continuity planning and policies.
  • High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
  • Business continuity plan - Includes the following plans:
    • Crisis Management - What to do during the (any) crisis which may threaten the organization.
    • Disaster Recovery - Subfunctions:
      • Server recovery
      • Data recovery
      • End-user recovery
      • Phone system recovery
      • Emergency response plan
      • Workplace recovery

How Awareness and Training Provide Increased Security

Awareness and training involve instruction regarding compliance, secure user practices, and an awareness of threats. Awareness and training also involve helping users understand how their normal practices can impact the security of the organization.

With compliance, users should be made aware of the organization's established security strategy as well as the reasons it is necessary to adhere to it. This can include information on security policy training and procedures, data labeling, handling and disposal, developing and safeguarding one's personally identifiable information, and compliance with laws, best practices and standards.

Some user practices include password behaviors, data handling, clean desk policies, preventing tailgating, and the use of personally owned devices.

With threat awareness, users may be unaware of the security threat a practice or technology may introduce. For example, when using peer-to-peer (P2P) networks for file sharing, the system may become susceptible to viruses, worms, trojans, and spyware. Another technology associated with this type of threat is social networking. Users often include personal information in their profiles for others to read. Attackers may steal this data and use it for malicious purposes. Another thing to consider is the vulnerability of the social networking site itself, and how easy it may be for attackers to break into the site to steal user information.

http://www.businessdictionary.com/definition/risk-mitigation.html
http://www.comptechdoc.org/independent/security/recommendations/secpolgen.html

Tuesday, July 22, 2014

Business Continuity

Business continuity can be defined as the ability of an organization to maintain its operations and services in the face of a disruptive event.

Environmental controls are steps to avoid disruptions rather than trying to recover from them.

Fire suppression, the act of suppressing a fire with different materials, chemicals, and/or systems.

Electromagnetic Interference (EMI) Shielding, shielding which protects from the sudden flow of electric current between two objects, which can destroy electronic equipment.

Heating, Ventilation, and Air Conditioning (HVAC), systems that provide and regulate heating and cooling.

Components of Redundancy Training

Servers, a system that connects computers on a network, so that information can be shared between all systems.

Storage, internal and external disks and drives where information is stored and retrieved.

Networks, a redundant network ensures that network services are always accessible.

Sites, simply defined as a location; can be physical and electronic.

Data Backups, copying information to a different medium and storing it (preferably at an off-site location) so that it can be used in the event of a disaster.

Disaster Recovery Procedures

Recovery strategies should be developed for Information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.

Incident Response Procedures, the components required to identify, analyze, and contain an incident. Incident handling is the planning, coordination, and communications functions that are needed in order to resolve an incident in an efficient manner.

http://www.ready.gov/business/implementation/IT

Wednesday, July 16, 2014

Passwords

Passwords, a secret combination of letters, numbers, and/or characters that only the user should know.

Why length and complexity are important

The length and complexity of a password present an obstacle to anyone attempting to decipher it. A password such as "XYZ" will be considerably easier to decipher than a password such as "stix007candy1886a". The challenge for people trying to break passwords is the "keyspace", which is the total number of possibilities for a password based on the number of characters it uses. Therefore, it is not complexity (the number of different characters used) but the length of the password that makes the password a strong repellent for hackers.
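A small calculation of the keyspace argument above, added here as an example and not taken from the original post or its sources: it infers the character classes a password draws on, computes charset^length for the two passwords quoted above, and checks the claim that a longer simple password can out-size a shorter complex one; the guess rate is a constructed assumption.

```python
import math
import string

# Character classes used to estimate the alphabet a password draws from.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}

def alphabet_size(password: str) -> int:
    """Size of the class-based character set an attacker must cover."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Total number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)

def keyspace_bits(password: str) -> float:
    """Keyspace expressed in bits, the usual way to compare password strength."""
    return math.log2(keyspace(password))

def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Seconds to exhaust the keyspace at an assumed (constructed) guess rate."""
    return keyspace(password) / guesses_per_second

def longer_simple_beats_shorter_complex(long_len: int, short_len: int) -> bool:
    """The post's claim: an all-lowercase password of long_len characters can
    have a larger keyspace than a short_len password using all four classes."""
    full = sum(len(chars) for chars in CLASSES.values())   # 94
    return 26 ** long_len > full ** short_len

if __name__ == "__main__":
    rate = 1e10   # constructed assumption: 10 billion offline guesses per second
    for pw in ("XYZ", "stix007candy1886a"):   # the two passwords from the post
        print(f"{pw!r}: alphabet={alphabet_size(pw)} keyspace={keyspace(pw):.3e} "
              f"bits={keyspace_bits(pw):.1f} worst-case={worst_case_seconds(pw, rate):.3e}s")
    print("12 lowercase chars beat 8 mixed chars:",
          longer_simple_beats_shorter_complex(12, 8))
```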


Attacks on passwords

Password Attacks, the ways in which someone tries to figure out a password to gain access.

To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks. Commonly used attacks are:

Password Guessing, the most common type of attack is password guessing. Attackers can guess passwords locally or remotely using either a manual or automated approach. Though this approach is a possibility, in reality it is not practical.

Brute-Force Attack, in which the attacker tries every possible combination of characters for a password, given a character set (e.g., abcd…ABCD…1234…!@#$) and a maximum password length. The most successful and time-consuming of attacks.

Dictionary attacks, work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary. Dictionary attack tools require a dictionary input list. Hybrid attacks are variations of the dictionary attack: they add special characters, may spell words backward or misspell words, or add numbers.


Password Resetting, a case where, rather than figuring out or "cracking" the password, attackers find it easier to reset the password by using a password-resetting program.

Password Cracking, Password cracking is the process of taking a captured password hash (or some other obscured form of the plaintext password or challenge-response packets) and converting it to its plaintext original. Basically, software will learn the password.

Rainbow tables, these days password crackers are computing all possible passwords and their hashes (unique strings of data) in a given system and putting the results into a lookup table called a rainbow table. When an attacker extracts a hash from a target system, he or she can simply go to the rainbow table and look up the plaintext password.
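A lookup table only helps when the stored hash depends on nothing but the password. The example below, added here and not part of the original post, builds a toy table over a constructed wordlist, reverses an unsalted SHA-256 hash with one lookup, and shows that a per-user salt with PBKDF2 makes the same password miss the table; WORDLIST, the iteration count and the "stolen" hash are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the large lists real crackers precompute.
WORDLIST = ["password", "letmein", "qwerty", "summer2014", "stix007candy1886a"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the kind of hash a precomputed table reverses."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; afterwards every stolen hash is one lookup."""
    return {unsalted_hash(w): w for w in words}

def lookup(table: dict, stolen_hash: str):
    """Reverse a stolen hash, or None if it was never precomputed."""
    return table.get(stolen_hash)

def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt mixed into a slow, iterated hash (PBKDF2-HMAC-SHA256).
    The salt is not secret; it is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()

def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored_hex)

def table_defeated_by_salt(table: dict, password: str) -> bool:
    """True when the table reverses the unsalted hash but not the salted digest,
    and two users with the same password end up with different digests."""
    unsalted_found = lookup(table, unsalted_hash(password)) == password
    _, d1 = salted_hash(password)
    _, d2 = salted_hash(password)
    return unsalted_found and lookup(table, d1) is None and d1 != d2

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = unsalted_hash("summer2014")   # constructed: a hash from a leaked database
    print("unsalted hash reversed to:", lookup(table, stolen))
    print("salting defeats the table:", table_defeated_by_salt(table, "summer2014"))
```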

Password sniffing, some password crackers can sniff authentication traffic between a client and server and extract password hashes or enough authentication information to begin the cracking process.

Password Capturing, Many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices for sale on the Internet.

Limitations on Password Supplements

Password Supplements, solutions that have been developed to help users avoid poor password practices. Autocomplete and HTTP Authentication passwords are examples.

The limitations and disadvantages are that users are restricted to using the computer that has the password information previously stored, they must avoid clearing the passwords from the computer, and the passwords may be vulnerable if another user is allowed access to their computer.

Project Case 10-4: Use Cognitive Biometrics

Is this type of cognitive biometrics effective? If you came back to this site tomorrow, would you remember the three faces? Yes, Yes

Other types of authentication

Authentication, the steps that ensure that the individual is who they claim to be.

Tokens, typically a small device with a window display. A token works in conjunction with an authentication server to share a unique algorithm once every 30 to 60 seconds.

Cards, Smart Cards and Common Access Cards are examples. Both have integrated chips that assist in executing the authentication process.

Standard Biometrics, Uses a person's unique physical characteristics.

Behavioral Biometrics, Uses the normal actions that a user may perform.

Keystroke Dynamics, a type of behavioral biometric which recognizes a user's unique typing pattern.

Voice Recognition, recognizes a user's voice.

Cognitive Biometrics, Uses perception and facial recognition through a familiarization process.

Single Sign-On, A single authentication spread across multiple networks.

Windows Live ID, standard password and username.

Open ID, an identity consisting only of a URL backed by a username and password. Provides a means to say that the user owns the specific URL.

Open Authorization, a technology to avoid using multiple passwords. Example: Google+

http://www.soliditsolutions.com/2011/03/the-importance-of-password-length-and-complexity/
http://windowsitpro.com/security/types-password-attacks