The User Domain
Kelly Corning & Julie Sharp


Page 1: The User Domain

The User Domain
Kelly Corning & Julie Sharp

Page 2: The User Domain

User Domain

• The assets over which the users have control

• The people that have the control

• Domain of the AUP

Page 3: The User Domain

Risks, Threats, & Vulnerabilities

• Social Engineering

• Negligence

• Disgruntled Employee Attacks

• Lack of User Awareness

• Physical Security

• Security Policy Violations

Page 4: The User Domain

Social Engineering

Definition: A collection of malicious techniques used to manipulate people into performing actions or sharing information.

Examples:

• Tailgating

• Phishing emails

• Pretexting

• Dumpster Diving

Think before you act!

Page 5: The User Domain

Negligence

• Prevent negligent hiring

• Retention

• Supervision

• Training

Employees need a reason to care!

Page 6: The User Domain

Disgruntled Employee Attacks

• The Exploit

• Attack Process

o Reconnaissance

o Scanning

o Exploiting the System

o Keeping Access

o Covering Tracks

• Incident Handling Process

Keep your employees happy!

Page 7: The User Domain

Lack of User Awareness

• Ignorance of Policies

o Employees need an appropriate level of awareness for their position

• Apathy towards Policies

If people don't know the policies, how can they follow them?

Page 8: The User Domain

Lack of User Awareness

According to NIST...

• "Understand their roles and responsibilities related to the organizational mission"

• "Understand the organization’s IT security policy, procedures, and practices"

• "Possess at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible."

Page 9: The User Domain

Lack of User Awareness

Levels of Awareness:

• Awareness

o Allows individuals to recognize security concerns and respond correctly

o Broad audience

• Training

o Teaches skills to allow an employee to perform a specific function

• Education

o Integrates skills and competencies to allow an employee to see the big picture and respond to an incident proactively

• Certification

o Involves testing to show that an employee has a specific level of knowledge on a given topic

Page 10: The User Domain

Lack of User Awareness

Common Problems:

• Teaching an old dog new tricks

• "Security is an information technology problem, not mine"

• Implementation of new technology

• One-size-fits-all

• Too much information

• Lack of organization

• Failure to follow-up

• Lack of management support

• Lack of resources

• No explanation of why

• Social engineering

Page 11: The User Domain

Physical Security

• Deterrence

o Convince attackers that the consequences of getting caught are not worth the potential payoff

• Access Control

o Gates, doors, locks

• Detection

o Alarm systems, motion sensors, contact sensors

• Identification

o Video monitoring

• Human Response

o Guards, emergency response personnel

Page 12: The User Domain

Physical Security

Quick tips:

• Don't leave confidential/sensitive information out in the open

• Protect portable devices

• Disable drives & ports to prevent copying

• Shred extras

• Lock doors

• Protection from environmental factors

• Record security camera video and retain the recordings

Don't make it easy for the bad guy!

Page 13: The User Domain

Security Policy Violations

• Be aware of incidents

o Yourself

o Others

• Report incidents

• See that necessary action is taken

Don't ignore the problem!

Page 14: The User Domain

Acceptable Use Policy

1. Overview

2. Purpose

3. Scope

4. Policy

a. General Use & Ownership

b. Security & Proprietary Information

c. Unacceptable Use

i. System & Network Activities

ii. Email & Communications Activities

d. Blogging

Page 15: The User Domain

Acceptable Use Policy

5. Inappropriate Behavior

6. Enforcement

7. Disclosure

8. Definitions

9. Revision History

Page 16: The User Domain

References

Acceptable Usage Policy Template. (2005, April 22). Retrieved March 24, 2013, from First: www.first.org/_assets/resources/guides/aup_generic.doc

InfoSec Acceptable Use Policy. (2006). Retrieved March 7, 2013, from SANS: http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf

User Domain. (2007, August 25). Retrieved March 7, 2013, from http://c2.com/cgi/wiki?UserDomain

Negligence. (2012, November 21). Retrieved March 23, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Negligence_in_employment

Childress, J. (2013, March). CS5493 (CS7493) Secure System Administration and Certification. Retrieved March 8, 2013, from utulsa: http://personal.utulsa.edu/~james-childress/cs5493/cs5493.html

Giallombardo, A. (2012, September 25). Sample Acceptable Use Policy Template. Retrieved March 24, 2013, from Mafia Security: https://www.mafiasecurity.com/disaster-recovery/sample-acceptable-use-policy-template/

Kratt, H. (2004, December 8). The Inside Story: A Disgruntled Employee Gets His Revenge. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/engineering/story-disgruntled-employee-revenge_1548

Russell, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved March 23, 2013, from SANS: http://www.sans.org/reading_room/whitepapers/awareness/security-awareness-implementing-effective-strategy_418

Wilson, M., & Hash, J. (n.d.). Information Technology Security Awareness, Training, Education, and Certification. Retrieved March 25, 2013, from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm