the user domain

Post on 30-Dec-2015


DESCRIPTION

The User Domain. Kelly Corning & Julie Sharp. User Domain. The assets over which the users have control The people that have the control Domain of the AUP. Risks, Threats, & Vulnerabilities. Social Engineering Negligence Disgruntled Employee Attacks Lack of User Awareness - PowerPoint PPT Presentation

TRANSCRIPT

The User Domain

Kelly Corning & Julie Sharp

User Domain

• The assets over which the users have control

• The people that have the control

• Domain of the AUP

Risks, Threats, & Vulnerabilities

• Social Engineering

• Negligence

• Disgruntled Employee Attacks

• Lack of User Awareness

• Physical Security

• Security Policy Violations

Social Engineering

Definition: A collection of malicious techniques used to manipulate people into performing actions or sharing information.

Examples:

• Tailgating

• Phishing emails

• Pretexting

• Dumpster Diving

Think before you act!

Negligence

• Prevent negligent hiring

• Retention

• Supervision

• Training

Employees need a reason to care!

Disgruntled Employee Attacks

• The Exploit

• Attack Process

o Reconnaissance

o Scanning

o Exploiting the System

o Keeping Access

o Covering Tracks

• Incident Handling Process

Keep your employees happy!

Lack of User Awareness

• Ignorance of Policies

o Employees need an appropriate level of awareness for their position

• Apathy towards Policies

If people don't know the policies, how can they follow them?

Lack of User Awareness

According to NIST...

• "Understand their roles and responsibilities related to the organizational mission"

• "Understand the organization’s IT security policy, procedures, and practices"

• "Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible."

Lack of User Awareness

Levels of Awareness:

• Awareness

o Allows individuals to recognize security concerns and respond correctly

o Broad audience

• Training

o Teaches skills to allow an employee to perform a specific function

• Education

o Integrates skills and competencies to allow an employee to see the big picture and respond to an incident proactively

• Certification

o Involves testing to show that an employee has a specific level of knowledge on a given topic

Lack of User Awareness

Common Problems:

• Teaching an old dog new tricks

• Security is an information technology problem, not mine

• Implementation of new technology

• One-size-fits-all

• Too much information

• Lack of organization

• Failure to follow-up

• Lack of management support

• Lack of resources

• No explanation of why

• Social engineering

Physical Security

• Deterrence

o Convince attackers that the consequences of getting caught are not worth the potential payoff

• Access Control

o Gates, doors, locks

• Detection

o Alarm systems, motion sensors, contact sensors

• Identification

o Video monitoring

• Human Response

o Guards, emergency response personnel

Physical Security

Quick tips:

• Don't leave confidential/sensitive information out in the open

• Protect portable devices

• Disable drives & ports to prevent copying

• Shred extras

• Lock doors

• Protection from environmental factors

• Record security camera video, keep videos

Don't make it easy for the bad guy!

Security Policy Violations

• Be aware of incidents

o Yourself

o Others

• Report incidents

• See that necessary action is taken

Don't ignore the problem!

Acceptable Use Policy

1. Overview

2. Purpose

3. Scope

4. Policy

a. General Use & Ownership

b. Security & Proprietary Information

c. Unacceptable Use

i. System & Network Activities

ii. Email & Communications Activities

d. Blogging

Acceptable Use Policy

5. Inappropriate Behavior

6. Enforcement

7. Disclosure

8. Definitions

9. Revision History

References

Acceptable Usage Policy Template. (2005, April 22). Retrieved March 24, 2013, from FIRST: www.first.org/_assets/resources/guides/aup_generic.doc

InfoSec Acceptable Use Policy. (2006). Retrieved March 7, 2013, from SANS: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf

User Domain. (2007, August 25). Retrieved March 7, 2013, from http://c2.com/cgi/wiki?UserDomain

Negligence. (2012, November 21). Retrieved March 23, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Negligence_in_employment

Childress, J. (2013, March). CS5493 (CS7493) Secure System Administration and Certification. Retrieved March 8, 2013, from utulsa: http://personal.utulsa.edu/~james-childress/cs5493/cs5493.html

Giallombardo, A. (2012, September 25). Sample Acceptable Use Policy Template. Retrieved March 24, 2013, from Mafia Security: https://www.mafiasecurity.com/disaster-recovery/sample-acceptable-use-policy-template/

Kratt, H. (2004, December 8). The Inside Story: A Disgruntled Employee Gets His Revenge. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/engineering/story-disgruntled-employee-revenge_1548

Russell, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effective-strategy_418

Wilson, M., & Hash, J. (n.d.). Information Technology Security Awareness, Training, Education, and Certification. Retrieved March 25, 2013, from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm
