Operational
and Organizational Security
Chapter 3
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights
reserved.
Objectives
Identify various operational aspects to security in your
organization.
Identify various policies and procedures in your organization.
Identify the security awareness and training needs of an
organization.
Understand the different types of agreements employed in
negotiating security requirements.
Key Terms (1 of 2)
Acceptable use policy (AUP)
Account disablement
Account lockout
Business partnership agreement (BPA)
Due care
Due diligence
Guidelines
Incident response policy
Interconnection security agreement (ISA)
Memorandum of understanding (MOU)
Nondisclosure agreement (NDA)
Acceptable use policy (AUP) – A policy that communicates to users what specific uses of computer resources are permitted.
Account disablement – The step between the account having access and the account being removed from the system.
Account lockout – Akin to disablement, although lockout typically refers to the ability to log on. If a user mistypes their password a certain number of times, they may be forced to wait a set amount of time while their account is locked before attempting to log in again.
Business partnership agreement (BPA) – A written agreement defining the terms and conditions of a business partnership.
Due care – The degree of care that a reasonable person would exercise under similar circumstances.
Due diligence – The reasonable steps a person or entity would take in order to satisfy legal or contractual requirements—commonly used when buying or selling something of significant value.
Guidelines – Recommendations relating to a policy.
Incident response policy – Policies and procedures that outline how the organization will prepare for security incidents and respond to them when they occur.
Interconnection security agreement (ISA) – An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project.
Memorandum of understanding (MOU) – A document executed between two parties that defines some form of agreement.
Nondisclosure agreement (NDA) – A standard corporate document used to explain the boundaries of company secret material.
Key Terms (2 of 2)
Policies
Procedures
Security policy
Service level agreement (SLA)
Standard operating procedure
Standards
User habits
Policies – Policies are high-level, broad statements of what the
organization wants to accomplish. They are made by
management when laying out the organization’s position on
some issue.
Procedures – Procedures are the step-by-step instructions on
how to implement policies in the organization. They describe
exactly how employees are expected to act in a given situation
or to accomplish a specific task.
Security policy – The security policy is a high-level statement
produced by senior management that outlines both what security
means to the organization and the organization’s goals for
security.
Service level agreement (SLA) – An agreement between parties
concerning the expected or contracted uptime associated with a
system.
Standard operating procedure – Mandatory step-by-step instructions set by the organization so that, in the performance of their duties, employees will meet the stated security objectives of the firm.
Standards – Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven.
User habits – A front-line security tool for engaging the workforce to improve the overall security posture of an organization.
Policies, Procedures, Standards,
and Guidelines (1 of 3)
Policies – high-level, broad statements of what the organization
wants to accomplish
Made by management when laying out the organization’s
position on some issue
Procedures – step-by-step instructions on how to implement
policies in the organization
Describe exactly how employees are expected to act in a given
situation or to accomplish a specific task
An important part of any organization's approach to implementing security is the set of policies, procedures, standards, and guidelines established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization.
Policies, Procedures, Standards,
and Guidelines (2 of 3)
Standards – mandatory elements regarding the implementation
of a policy
Accepted specifications providing specific details on how a
policy is to be enforced
Possibly externally driven
Guidelines – recommendations relating to a policy
Key term: recommendations
Not mandatory steps
Policies, Procedures, Standards,
and Guidelines (3 of 3)
Four steps of the policy lifecycle
Plan (adjust) for security in your organization.
Develop the policies, procedures, and guidelines
Implement the plans.
Includes an instruction period
Monitor the implementation.
Ensure effectiveness
Evaluate the effectiveness.
Vulnerability assessment and penetration test
Just as the network itself constantly changes, the policies,
procedures, standards, and guidelines should be included in
living documents that are periodically evaluated and changed as
necessary. The constant monitoring of the network and the
periodic review of the relevant documents are part of the
process that is the operational model. When applied to policies,
this process results in what is known as the policy lifecycle.
A vulnerability assessment is an attempt to identify and
prioritize the list of vulnerabilities within a system or network.
A penetration test is a method to check the security of a system
by simulating an attack by a malicious individual to ensure the
security is adequate.
Security Policies
Security policy – a high-level statement produced by senior
management
Outlines both what security means to the organization and the
organization’s goals for security
Main security policy broken down into additional policies
covering specific topics
Should include other policies
Change management, data policies, human resources policies
Change Management Policy
Change management ensures that proper procedures are followed when modifications to the IT infrastructure are made.
Modifications prompted by a number of different events
“Management” implies process controlled in some systematic
way.
Change management process includes various stages:
Request change, review and approve process, examine
consequences, implement change, document process
Modifications can be prompted by a number of different events,
including new legislation, updated versions of software or
hardware, implementation of new software or hardware, or
improvements to the infrastructure.
A change management process should include various stages,
including a method to request a change to the infrastructure, a
review and approval process for the request, an examination of
the consequences of the change, resolution (or mitigation) of
any detrimental effects the change might incur, implementation
of the change, and documentation of the process as it related to
the change.
Data Policies (1 of 8)
Data can be shared for the purpose of processing or storage.
Control over data is a significant issue in third-party
relationships.
Who owns the data?
Data Policies (2 of 8)
Data ownership
Data requires a data owner.
Data ownership roles for all data elements need to be defined in
the business.
Data ownership is a business function.
The requirements for security, privacy, retention, and other
business functions must be established.
Not all data requires the same handling restrictions, but all data
requires these characteristics to be defined.
This is the responsibility of the data owner.
Data Policies (3 of 8)
Unauthorized data sharing
Unauthorized data sharing can be a significant issue, and in
today’s world, data has value and is frequently used for
secondary purposes.
Ensuring that all parties in the relationship understand the data-
sharing requirements is an important prerequisite.
Ensuring that all parties understand the security requirements of
shared data is important.
Data Policies (4 of 8)
Data backup requirements involve:
Determining level of backup, restore objectives,
and level of protection requirements
Can be defined by the data owner and then executed by
operational IT personnel
Determining the backup responsibilities and developing the
necessary operational procedures to ensure that adequate
backups occur are important security elements.
Data ownership requirements include backup responsibilities.
Data Policies (5 of 8)
Classification of information
Needed because of different importance or sensitivity
Factors affecting information classification
Value to the organization, age, and laws or regulations
governing protection
Most widely known classification system – U.S. government
Confidential, Secret, and Top Secret
Business classifications
Publicly Releasable, Proprietary, Company Confidential, and
For Internal Use Only
A key component of IT security is the protection of the
information processed and stored on the computer systems and
network. Organizations deal with many different types of
information, and they need to recognize that not all information
is of equal importance or sensitivity. This requires
classification of information into various categories, each with
its own requirements for its handling.
Each policy for the classification of information should describe
how it should be protected, who may have access to it, who has
the authority to release it and how, and how it should be
destroyed. All employees of the organization should be trained
in the procedures for handling the information that they are
authorized to access. Discretionary and mandatory access
control techniques use classifications as a method to identify
who may have access to what resources.
Data Policies (6 of 8)
Data labeling, handling, and disposal
Data labeling enables an understanding of level of protection
required.
For data inside an information-processing system:
Protections should be designed into the system
Data outside the system require other means of protection.
Training ensures labeling occurs and is used and followed.
Important for users whose roles are impacted by the material
Important for proper data handling and disposal
Effective data classification programs include data labeling,
which enables personnel working with the data to know whether
it is sensitive and to understand the levels of protection
required.
When the data is inside an information-processing system, the
protections should be designed into the system. But when the
data leaves this cocoon of protection, whether by printing,
downloading, or copying, it becomes necessary to ensure
continued protection by other means. This is where data
labeling assists users in fulfilling their responsibilities.
Personnel are intimately involved in several specific tasks
associated with data handling and data destruction/disposal and,
if properly trained, can act as a security control. Untrained or
inadequately trained personnel will not be a productive security
control and, in fact, can be a source of potential compromise.
Data Policies (7 of 8)
Need to know goes hand-in-hand with least privilege.
Guiding factor is that:
Each individual is supplied the absolute minimum amount of information and privileges needed to perform their work
Access requires a justified need to know.
Policy should spell out these two principles:
Who in the organization can grant access to information
Who can assign privileges to employees
Data Policies (8 of 8)
Disposal and destruction policy
Important papers should be shredded.
Delete all files and overwrite data on magnetic storage media before discarding.
Destroy data magnetically using a strong magnetic field to
degauss the media.
File off magnetic material from the surface of a hard drive
platter.
Shred floppy media, CDs and DVDs.
Best practice is to match the action to the risk level.
Many potential intruders have learned the value of dumpster
diving. An organization must be concerned about not only paper
trash and discarded objects, but also the information stored on
discarded objects such as computers. Several government
organizations have been embarrassed when old computers sold
to salvagers proved to contain sensitive documents on their hard
drives. It is critical for every organization to have a strong
disposal and destruction policy and related procedures.
Password and Account Policies (1 of 4)
Average user has 20 passwords
Password complexity should include
Minimum length
Uppercase
Lowercase
Numerals
Non-alphabetic characters
Password and Account Policies (2 of 4)
Account expiration
Should occur when a user is no longer authorized on a given
system
Manager should notify Human Resources (HR)
Account recovery
Can be serious, especially if an administrator password is lost
Need a recovery plan
Password and Account Policies (3 of 4)
Account disablement
Preferable to removal because removal might result in
permission and ownership problems
Account lockout
Temporary disablement (e.g., if user tries to log on too many
times)
Password history
Should prevent users from reusing prior passwords
Password and Account Policies (4 of 4)
Password reuse
Not a good idea
Password length
At least 10 characters, with 12 preferable
Protection of Passwords
Should prevent users from writing down or sharing
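The password and account controls on the four slides above, as an added example that is not from the textbook: a small Python policy module that enforces the stated complexity rules (at least 10 characters with 12 preferred, uppercase, lowercase, numerals and non-alphabetic characters), a password history that blocks reuse, temporary lockout after repeated failed logins, and disablement as a reversible step distinct from removing the account. The history depth, failure limit, lockout window and the PBKDF2 hashing are assumptions, not values the slides give.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Length thresholds come from the slides (10 minimum, 12 preferred). The
# history depth, failure limit, lockout window and hash rounds are assumed
# values that a real policy document would set explicitly.
MIN_LENGTH = 10
PREFERRED_LENGTH = 12
HISTORY_DEPTH = 5
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000


def check_complexity(password: str) -> Tuple[List[str], List[str]]:
    """Return (violations, warnings) for the slide's complexity rules.

    Violations fail the policy; the only warning flags a password that
    meets the minimum length but is shorter than the preferred length.
    """
    violations, warnings = [], []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than the %d-character minimum" % MIN_LENGTH)
    elif len(password) < PREFERRED_LENGTH:
        warnings.append("shorter than the preferred %d characters" % PREFERRED_LENGTH)
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no numeral")
    if not any(not c.isalnum() for c in password):
        violations.append("no non-alphabetic character")
    return violations, warnings


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so a leaked history cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    # (salt, digest) pairs, oldest first; the last entry is the current password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failures: int = 0
    locked_until: float = 0.0
    disabled: bool = False

    def set_password(self, password: str) -> None:
        """Apply the complexity rules and the password-history rule before accepting."""
        violations, _ = check_complexity(password)
        if violations:
            raise ValueError("policy violation: " + "; ".join(violations))
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(password, salt), digest):
                raise ValueError("reuse of one of the last %d passwords" % HISTORY_DEPTH)
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad-password', 'locked' or 'disabled'."""
        now = time.time() if now is None else now
        if self.disabled:
            return "disabled"   # indefinite until an administrator re-enables
        if now < self.locked_until:
            return "locked"     # temporary; expires on its own
        if not self.history:
            return "bad-password"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "bad-password"

    def disable(self) -> None:
        # Disable rather than delete: ownership and permissions tied to the
        # account stay intact, which is the slide's reason for preferring it.
        self.disabled = True

    def enable(self) -> None:
        self.disabled = False


if __name__ == "__main__":
    acct = Account("alice")
    print(check_complexity("Tr0ub4dor&3"))   # compliant, but warns about length
    acct.set_password("CorrectHorse!Battery9")
    for attempt in range(MAX_FAILURES):
        print(attempt + 1, acct.login("guess", now=1000.0))
    print("after lockout:", acct.login("CorrectHorse!Battery9", now=1000.0 + LOCKOUT_SECONDS))
```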
Human Resources Policies (1 of 14)
Humans are the weakest link in the security chain.
Three policies are needed:
Policy for hiring of individuals
Policy to keep employees from “disgruntled” category
Policy to address employees leaving organization
Security must be considered in all policies.
Human Resources Policies (2 of 14)
Code of ethics
Describes expected behavior at highest level
Sets tone for how employees act and conduct business
Code inclusions
Demand honesty from employees
Demand employees perform all activities in a professional
manner
Address principles of privacy and confidentiality
State how employees treat client and organizational data
Cover how to handle conflicts of interests
By outlining a code of ethics, the organization can encourage an
environment that is conducive to integrity and high ethical
standards. For additional ideas on possible codes of ethics,
check professional organizations such as the Institute for
Electrical and Electronics Engineers (IEEE), the Association for
Computing Machinery (ACM), or the Information Systems
Security Association (ISSA).
Human Resources Policies (3 of 14)
Job rotation
By rotating jobs, individuals get a better perspective on how
various parts of IT can enhance or hinder the business
Rotating individuals through security positions can result in a
much wider understanding throughout the organization about
potential security problems.
A benefit is that the company does not have to rely on any one
individual too heavily for security expertise.
Separation of duties – no individual can conduct transactions alone
Benefit of job rotation:
If all security tasks are the domain of one employee, and that
individual leaves suddenly, security at the organization could
suffer. On the other hand, if security tasks are understood by
many different individuals, the loss of any one individual has
less of an impact on the organization.
Human Resources Policies (4 of 14)
Employee hiring and promotions
Policies should ensure organization hires the most capable and
trustworthy employees.
Policies should minimize the risk that the employee will ignore
company rules and affect security.
Periodic reviews by supervisory personnel, additional drug
checks, and monitoring of activity during work
Policy should handle employee’s status change.
Especially if construed as negative
If employee promoted, privileges may still change
It is becoming common for organizations to run background
checks on prospective employees and to check the references
prospective employees supply. Frequently, organizations require
drug testing, check for any past criminal activity, verify claimed
educational credentials, and confirm reported work history. For
highly sensitive environments, special security background
investigations can also be required.
If the change can be construed as a negative personnel action
(such as a demotion), supervisors should be alerted to watch for
changes in behavior that might indicate the employee is
contemplating or conducting unauthorized activity. It is likely
that the employee will be upset, and whether he acts on this to
the detriment of the company is something that needs to be
guarded against. In the case of a demotion, the individual may
also lose certain privileges or access rights, and these changes
should be made quickly so as to lessen the likelihood that the
employee will destroy previously accessible data if he becomes
disgruntled and decides to take revenge on the organization.
If the employee is promoted, privileges may still change, but
the need to make the change to access privileges may not be as
urgent, though it should still be accomplished as quickly as
possible. If the move is a lateral one, changes may also need to
take place, and again they should be accomplished as quickly as
possible.
Human Resources Policies (5 of 14)
Retirement, separation, or termination of an employee
Employee announced retirements – limit access to sensitive
documents when employee announces their intention.
Forced retirement – determine risk if employee becomes
disgruntled.
New job offer – carefully consider continued access to sensitive
information.
Termination – assume he is or will become disgruntled.
An employee leaving an organization can be either a positive or
a negative action.
Combinations should be quickly changed once an employee has
been informed of their termination. Access cards, keys, and
badges should be collected; the employee should be escorted to
her desk and watched as she packs personal belongings; and
then she should be escorted from the building.
Note: It is better to give a potentially disgruntled employee
several weeks of paid vacation than to have him trash sensitive
files to which he has access. Because employees typically know
the pattern of management behavior with respect to termination,
doing the right thing will pay dividends in the future for a firm.
Human Resources Policies (6 of 14)
Exit interviews are a powerful tool for collecting information
when people leave a firm
On-boarding/off-boarding business partners
Agreements tend to be fairly specific with respect to terms
associated with mutual expectations associated with the process
of the business.
Important considerations prior to the establishment of the
relationship include:
On-boarding and off-boarding processes
Data retention and destruction by the third party
Just as it is important to manage the on- and off-boarding
processes of company personnel, it is important to consider the
same types of elements when making arrangements with third
parties. Agreements with business partners tend to be fairly
specific with respect to terms associated with mutual
expectations associated with the process of the business.
Considerations regarding the on-boarding and off-boarding
processes are important, especially the off-boarding. When a
contract arrangement with a third party comes to an end, issues
as to data retention and destruction by the third party need to be
addressed. These considerations need to be made prior to the
establishment of the relationship, not added at the time that it is
coming to an end.
Note: On-boarding and off-boarding business procedures should
be well documented to ensure compliance with legal
requirements.
Human Resources Policies (7 of 14)
Adverse reactions
How to deal with employees who violate policies
Mandatory vacations
Employee who never takes time off might be involved in
nefarious activity.
Requiring mandatory vacations serves as a security protection
mechanism.
Tool to detect fraud
Necessity of a second person familiar with security procedures
to fill in while employee on vacation
Organizations have provided vacation time to their employees
for many years. Few, however, force employees to take this
time if they don’t want to. From a security standpoint, an
employee who never takes time off might be involved in
nefarious activity, such as fraud or embezzlement, and might
be afraid that if he leaves on vacation, the organization will
discover his illicit activities. As a result, requiring employees to
use their vacation time through a policy of mandatory vacations
can be a security protection mechanism. Using mandatory
vacations as a tool to detect fraud will require that somebody
else also be trained in the functions of the employee who is on
vacation. Having a second person familiar with security
procedures is also a good policy in case something happens to
the primary employee.
Human Resources Policies (8 of 14)
Social media networks
Considered a form of third party
Challenge of terms of use as there is no negotiated set of
agreements with respect to requirements
Only option is to adopt provided terms of service
The rise of social media networks has changed many aspects of
business. Whether used for marketing, communications,
customer relations, or some other purpose, social media
networks can be considered a form of third party. One of the
challenges in working with social media networks and/or
applications is their terms of use. While a relationship with a
typical third party involves a negotiated set of agreements with
respect to requirements, there is no negotiation with social
media networks. The only option is to adopt their terms of
service, so it is important to understand the implications of
these terms with respect to the business use of the social
network.
Human Resources Policies (9 of 14)
Acceptable use policy (AUP)
AUP outlines what the organization considers to be the
appropriate use of company resources, such as computer
systems, e-mail, Internet access, and networks.
Goal is to ensure employee productivity while limiting
organizational liability through inappropriate use of the
organization’s assets.
Policy clearly delineates what activities are not allowed.
It states if the organization considers it appropriate to monitor
the employees’ use of the systems and network.
The AUP should clearly delineate what activities are not
allowed. It should address issues such as the use of resources to
conduct personal business, installation of hardware or software,
remote access to systems and networks, the copying of
company-owned software, and the responsibility of users to
protect company assets, including data, software, and hardware.
Statements regarding possible penalties for ignoring any of the
policies (such as termination) should also be included.
Related to appropriate use of the organization’s computer
systems and networks by employees is the appropriate use by
the organization. The most important of such issues is whether
the organization considers it appropriate to monitor the
employees’ use of the systems and network.
If monitoring is considered appropriate, the organization should
include a statement to this effect in the banner that appears at
login. This repeatedly warns employees, and possible intruders,
that their actions are subject to monitoring and that any misuse
of the system will not be tolerated. Should the organization
need to use in a civil or criminal case any information gathered
during monitoring, the issue of whether the employee had an
expectation of privacy, or whether it was even legal for the
organization to be monitoring, is simplified if the organization
can point to a statement that is always displayed that instructs
users that use of the system constitutes consent to monitoring.
Before any monitoring is conducted, or the actual wording on
the warning message is created, the organization’s legal counsel
should be consulted to determine the appropriate way to address
this issue in the particular jurisdiction.
Human Resources Policies (10 of 14)
Internet usage policy
Goal: ensure maximum employee productivity and to limit
potential liability to the organization from inappropriate use of
the Internet in a workplace
Address what sites employees are allowed and not allowed to visit
Spell out the acceptable use parameters
Describe the circumstances under which an employee is allowed to post something from the organization's network on the Web
Need a procedure to post the object or message
The Internet provides a tremendous temptation for employees to
waste hours as they surf the Web for the scores of games from
the previous night, conduct quick online stock transactions, or
read the review of the latest blockbuster movie everyone is
talking about. In addition, allowing employees to visit sites that
may be considered offensive to others (such as pornographic or
hate sites) can open the company to accusations of condoning a
hostile work environment and result in legal liability.
Human Resources Policies (11 of 14)
E-mail usage policy
Specifies what the company allows employees to send in, or as
attachments to, e-mail messages
Spells out whether nonwork e-mail traffic allowed
Describes type of message considered inappropriate to send
Specifies disclaimers that must be attached to an employee’s
message sent to an individual outside the company
Reminds employees of the risks of clicking on links in
e-mails, or opening attachments
This policy should spell out whether nonwork e-mail traffic is
allowed at all or is at least severely restricted. It needs to cover
the type of message that would be considered inappropriate to
send to other employees (for example, no offensive language,
no sex-related or ethnic jokes, no harassment, and so on). The
policy should also specify any disclaimers that must be attached
to an employee’s message sent to an individual outside the
company. The policy should remind employees of the risks of
clicking on links in e-mails, or opening attachments, as these
can be social engineering attacks.
Human Resources Policies (12 of 14)
Clean desk policy
Specifies that sensitive information must not be left unsecured
in the work area when the worker is not present to act as
custodian
Identifies and prohibits things that are not obvious upon first
glance, such as passwords on sticky notes under
keyboards and mouse pads or in unsecured desk drawers
Training for clean desk activities should make the issue a personal one
Preventing access to information is also important in the work
area. Even leaving the desk area and going to the bathroom can
leave information exposed and subject to compromise.
All of these elements that demonstrate the need for a clean desk
are lost if employees do not make them personal. Training for
clean desk activities needs to make the issue a personal one,
where consequences are understood and the workplace
reinforces the positive activity.
Human Resources Policies (13 of 14)
Bring your own device (BYOD) policy
Primary purpose
Lower risk associated with connecting a wide array of personal
devices to a company’s network and accessing sensitive data on
them.
Center element of a BYOD policy
Security, in the form of risk management
Device requirements
Must be maintained in a current, up-to-date software posture,
and with certain security features
Everyone seems to have a smartphone, a tablet, or other
personal Internet device that they use in their personal lives.
Bringing these to work is a natural extension of one’s normal
activities, but this raises the question of what policies are
appropriate before a firm allows these devices to connect to the
corporate network and access company data. Like all other
policies, planning is needed to define the appropriate pathway
to the company objectives. Personal devices offer cost savings
and positive user acceptance, and in many cases these factors
make allowing BYOD a sensible decision.
Devices need to be maintained in a current, up-to-date software
posture, and with certain security features, such as screen locks
and passwords enabled. Remote wipe and other features should
be enabled, and highly sensitive data, especially in aggregate,
should not be allowed on the devices. Users should have
specific training as to what is allowed and what isn’t and should
be made aware of the increased responsibility associated with a
mobile means of accessing corporate resources.
In some cases it may be necessary to define a policy associated
with personally owned devices. This policy will describe the
rules and regulations associated with use of personally owned
devices with respect to corporate data, network connectivity,
and security risks.
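The device requirements above (current software, screen lock and passcode, remote wipe, no highly sensitive data) can be checked mechanically once devices report their posture. The following is an added example, not code from the book or its authors: it evaluates a self-reported device record against those requirements and maps the result to an access decision. The DeviceReport fields, the 30-day patch-age threshold, the "allow / quarantine / block" mapping and the sample devices are all constructed assumptions rather than a real MDM schema or the book's policy.

```python
"""Added example (not from the page or the book's authors): evaluate a
self-reported BYOD device posture against the policy elements the slide
lists. The DeviceReport fields, the thresholds and the sample devices are
constructed assumptions, not a real MDM schema."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed threshold (not from the page): how old the last OS security update
# may be before the device no longer counts as "current".
MAX_PATCH_AGE_DAYS = 30

# Data classifications the policy forbids on personal devices (constructed labels).
PROHIBITED_DATA = {"highly-sensitive"}


@dataclass
class DeviceReport:
    device_id: str
    os_patch_date: date              # date of the last installed OS security update
    screen_lock: bool                # screen lock enabled
    passcode_set: bool               # passcode/password required to unlock
    remote_wipe: bool                # remote wipe enrolled and enabled
    data_classes: List[str] = field(default_factory=list)  # data classes stored on the device


def evaluate_device(report: DeviceReport, today: date) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations: List[str] = []
    if (today - report.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        violations.append("software not current")
    if not report.screen_lock:
        violations.append("screen lock disabled")
    if not report.passcode_set:
        violations.append("no passcode")
    if not report.remote_wipe:
        violations.append("remote wipe not enabled")
    found = PROHIBITED_DATA.intersection(report.data_classes)
    if found:
        violations.append("prohibited data present: " + ", ".join(sorted(found)))
    return violations


def access_decision(report: DeviceReport, today: date) -> str:
    """Map violations to a network-access decision (assumed policy, not the book's):
    'allow' when compliant, 'block' when the device cannot be wiped or holds
    prohibited data, otherwise 'quarantine' so the user can remediate."""
    violations = evaluate_device(report, today)
    if not violations:
        return "allow"
    severe = any(v.startswith("prohibited data") or v == "remote wipe not enabled"
                 for v in violations)
    return "block" if severe else "quarantine"


def review_fleet(reports: List[DeviceReport], today: date) -> Dict[str, str]:
    """Decision per device id, the view a security administrator would act on."""
    return {r.device_id: access_decision(r, today) for r in reports}


# Constructed sample fleet and review date.
TODAY = date(2018, 6, 1)
SAMPLE_DEVICES = [
    DeviceReport("phone-001", date(2018, 5, 20), True, True, True, ["email"]),
    DeviceReport("tablet-002", date(2018, 1, 2), True, False, True, ["email"]),
    DeviceReport("phone-003", date(2018, 5, 25), False, True, False,
                 ["email", "highly-sensitive"]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, access_decision(dev, TODAY), evaluate_device(dev, TODAY))
```

The split between "quarantine" and "block" reflects the slide's emphasis that remote wipe and keeping highly sensitive data off the device are the controls that matter most if the device is lost; a missing passcode or stale patches can be fixed by the user before access is restored.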
Human Resources Policies (14 of 14)
Privacy policy
Explains guiding principles in guarding personal data to which
organizations are given access
Personally identifiable information (PII)
Includes any data that can be used to uniquely identify an
individual
Name, address, driver’s license number, and other details
Necessary measures taken by company
Ensure data is protected from compromise
Customers place an enormous amount of trust in organizations
to which they provide personal information. These customers
expect their information to be kept secure so that unauthorized
individuals will not gain access to it and so that authorized
users will not use the information in unintended ways.
Due Care and Due Diligence
Due care generally refers to the standard of care a reasonable
person is expected to exercise in all situations.
Due diligence generally refers to the standard of care a business
is expected to exercise in preparation for a business transaction.
The standard applied—reasonableness—is extremely subjective
and often is determined by a jury.
Many sectors have a set of “security best practices.”
Note: Due diligence is the application of a specific standard of
care. Due care is the degree of care that an ordinary person
would exercise.
An organization must take reasonable precautions before
entering a business transaction or it might be found to have
acted irresponsibly. In terms of security, organizations are
expected to take reasonable precautions to protect the
information that they maintain on individuals. Should a person
suffer a loss as a result of negligence on the part of an
organization in terms of its security, that person typically can
bring a legal suit against the organization.
The organization will need to show that it had taken reasonable
precautions to protect the information, and that, despite these
precautions, an unforeseen security event occurred that caused
the injury to the other party. Since this is so subjective, it is
hard to describe what would be considered reasonable, but many
sectors have a set of “security best practices” for their industry,
which provides a basis for organizations in that sector to start
from. If the organization decides not to follow any of the best
practices accepted by the industry, it needs to be prepared to
justify its reasons in court should an incident occur. If the
sector the organization is in has regulatory requirements,
justifying why the mandated security practices were not
followed will be much more difficult (if not impossible).
Due Process
Due process is concerned with guaranteeing fundamental
fairness, justice, and liberty in relation to an individual’s legal
rights.
Individual’s rights outlined by Constitution and Bill of Rights
Procedural due process is built on the concept of fairness.
Courts recognize series of rights embodied by the Constitution.
Organizational due process occurs in administrative actions
adversely affecting employees.
Of interest is the recognition by courts of a series of rights that
are not explicitly specified by the Constitution but that the
courts have decided are implicit in the concepts embodied by
the Constitution. An example of this is an individual’s right to
privacy.
From an organization’s point of view, due process may come
into play during an administrative action that adversely affects
an employee. Before an employee is terminated, for example,
were all of the employee’s rights protected? An actual example
pertains to the rights of privacy regarding employees’ e-mail
messages.
As the number of cases involving employers examining
employee e-mails grows, case law continues to be established
and the courts eventually will settle on what rights an employee
can expect. The best thing an employer can do if faced with this
sort of situation is to work closely with HR staff to ensure that
appropriate policies are followed and that those policies are in
keeping with current laws and regulations.
Incident Response Policies and Procedures
Incident response policy and associated procedures
Developed to outline how the organization will prepare for
security incidents and respond to them when they occur
Designed in advance
Should cover five phases:
Preparation, detection, containment and eradication, recovery,
and follow-up actions
No matter how careful an organization is, eventually a security
incident of some sort will occur. When it happens, how
effectively the organization responds to it will depend greatly
on how prepared it is to handle incidents.
Security Awareness and Training
Programs enhance an organization’s security posture.
Teach personnel how to follow the correct set of actions to
perform their duties in a secure manner
Make personnel aware of the indicators and effects of social
engineering attacks
Properly trained employees perform duties in a more effective
manner.
Security awareness programs and campaigns include:
Seminars, videos, posters, newsletters, similar materials
Fairly easy to implement and not very costly
Properly trained employees are able to perform their duties in a
more effective manner, including their duties associated with
information security. The extent of information security training
will vary depending on the organization’s environment and the
level of threat, but initial employee security training at the time
of being hired is important, as is periodic refresher training. A
strong security education and awareness training program can
go a long way toward reducing the chance that a social
engineering attack will be successful.
Security Policy Training and Procedures
Personnel need training with respect to the tasks and
expectations to perform complex tasks.
Applies to security policy and operational security details
Use refresher training for periodic reinforcement.
Collection of policies should paint a picture describing the
desired security culture of the organization.
Security policy – high-level directive
Second-level policies – password, access, information handling,
and acceptable use policies
If employees are going to be expected to comply with the
organization’s security policy, they must be properly trained in
its purpose, meaning, and objectives. Training with respect to
the information security policy, individual responsibilities, and
expectations is something that requires periodic reinforcement
through refresher training.
Because the security policy is a high-level directive that sets the
overall support and executive direction with respect to security,
it is important that the meaning of this message be translated
and supported. Second-level policies such as password, access,
information handling, and acceptable use policies also need to
be covered. The collection of policies should paint a picture
describing the desired security culture of the organization. The
training should be designed to ensure that people see and
understand the whole picture, not just the elements.
Role-based Training
Training needs to be targeted to the user with regard
to their role in the subject of the training.
Role-based training is an important part of information security
training.
Applies to:
Data Owner - User
System Administrator - Privileged User
System Owner - Executive User
If a person has job responsibilities that may impact information
security, then role-specific training is needed to ensure that the
individual understands the responsibilities as they relate to
information security. Some roles, such as system administrator
or developer, have clearly defined information security
responsibilities. The roles of others, such as project manager or
purchasing manager, have information security impacts that are
less obvious, but these roles require training as well. In fact, the
less-obvious but wider-impact roles of middle management can
have a large effect on the information security culture, and thus
if a specific outcome is desired, it requires training.
Compliance with Laws, Best Practices,
and Standards (1 of 2)
Wide array of laws, regulations, contractual requirements,
standards, and best practices associated with information
security.
Organization must build them into their own policies and
procedures.
There is a wide array of laws, regulations, contractual
requirements, standards, and best practices associated with
information security. Each places its own set of requirements
upon an organization and its personnel. The only effective way
for an organization to address these requirements is to build
them into their own policies and procedures. Training to one’s
own policies and procedures would then translate into coverage
of these external requirements.
Compliance with Laws, Best Practices,
and Standards (2 of 2)
External requirements impart a specific training and awareness
component upon the organization.
Payment Card Industry Data Security Standard (PCI DSS),
Gramm Leach Bliley Act (GLBA), or Health Insurance
Portability Accountability Act (HIPAA)
User Habits
User habits are a front-line security tool in engaging the
workforce to improve the overall security posture of an
organization.
Individual user responsibilities vary between organizations and
the type of business in which each organization is involved.
There are certain very basic responsibilities that all users
should be instructed to adopt.
Basic responsibilities:
Lock the door to your office or workspace, including drawers
and cabinets.
Do not leave sensitive information inside your car unprotected.
Secure storage media containing sensitive information in a
secure storage device.
Shred paper containing organizational information before
discarding it.
Do not divulge sensitive information to individuals (including
other employees) who do not have an authorized need to know
it. Do not discuss sensitive information with family members.
(The most common violation of this rule occurs in regard to HR
information, as employees, especially supervisors, may
complain to their spouse or friends about other employees or
about problems that are occurring at work.)
Protect laptops and other mobile devices that contain sensitive
or important organization information wherever the device may
be stored or left. (It’s a good idea to ensure that sensitive
information is encrypted on the laptop or mobile device so that,
should the equipment be lost or stolen, the information remains
safe.)
Be aware of who is around you when discussing sensitive
corporate information. Does everybody within earshot have the
need to hear this information? Enforce corporate access control
procedures. Be alert to, and do not allow, piggybacking,
shoulder surfing, or access without the proper credentials.
Be aware of the correct procedures to report suspected or actual
violations of security policies.
Follow procedures established to enforce good password
security practices. Passwords are such a critical element that
they are frequently the ultimate target of a social engineering
attack. Though such password procedures may seem too
oppressive or strict, they are often the best line of defense.
Training Metrics and Compliance
Requirements for maintaining a trained workforce
Record-keeping system measuring compliance with attendance
and the effectiveness of the training
Follow up and gather training metrics
Challenges
Maintaining active listing of training and retraining
Monitoring the effectiveness of the training; measuring
effectiveness by actual impact on employee behavior
Standard operating procedures
Mandatory step-by-step instructions
Interoperability Agreements (1 of 5)
Many business operations involve actions between many
different parties.
Actions require communication between the parties.
Define the responsibilities and expectations of the parties
Define business objectives
Define environment within which the objectives will be pursued
Written agreements used to ensure agreement is understood
between the parties.
Numerous forms of legal agreements and contracts are used in
business, but with respect to security, some of the most common
ones are the service level agreement, business partnership
agreement, memorandum of understanding, and interconnection
security agreement.
Interoperability Agreements (2 of 5)
Service level agreements (SLA)
Contractual agreements between entities that describe specified
levels of service that the servicing entity agrees to guarantee for
the customer
SLA rules
Describe the entire set of product or service functions in sufficient
detail that their requirements will be unambiguous
Provide a clear means of determining whether a specified
function or service has been provided at the agreed-upon level
of performance
SLAs essentially set the requisite level of performance of a
given contractual service. SLAs are typically included as part of
a service contract and set the level of technical expectations. An
SLA can define specific services, the performance level
associated with a service, issue management and resolution, and
so on. SLAs are negotiated between customer and supplier and
represent the agreed-upon terms. An organization contracting
with a service provider should remember to include in the
agreement a section describing the service provider’s
responsibility in terms of business continuity and disaster
recovery. The provider’s backup plans and processes for
restoring lost data should also be clearly described.
Interoperability Agreements (3 of 5)
Business partnership agreement (BPA)
Legal agreement between partners establishing the terms,
conditions, and expectations of the relationship between the
partners
Sharing of profits and losses, the responsibilities of each
partner, the addition or removal of partners, and any other
issues
Uniform Partnership Act (UPA)
Lays out uniform set of rules associated with partnerships to
resolve any partnership terms
Designed as “one size fits all”
Interoperability Agreements (4 of 5)
Memorandum of understanding (MOU)
Legal document used to describe a bilateral agreement between
parties
Written agreement expressing a set of intended actions between
the parties with respect to some common
pursuit or goal
More formal and detailed than a simple handshake
Generally lacks the binding powers of a contract
Common to find between different units within an organization
to detail expectations associated with the common business
interest
Interoperability Agreements (5 of 5)
Interconnection security agreement (ISA)
These are specialized agreements between organizations that
have interconnected IT systems.
Purpose is to document the security requirements associated
with the interconnection.
ISA as part of an MOU
ISA can detail specific technical security aspects of a data
interconnection.
Nondisclosure Agreements (NDAs) – explain the boundaries of
corporate secret material
The Security Perimeter (1 of 5)
Various network components
Connection to the Internet
Protection, such as a firewall, is attached to it.
Intrusion detection system (IDS)
May be either on the inside or the outside of the firewall or both
Specific location depends on the company and what it is more
concerned about preventing
Router
Enhances security
Note: The security perimeter, with its several layers of security,
along with additional security mechanisms that may be
implemented on each system (such as user IDs/passwords),
creates what is sometimes known as defense-in-depth. This
implies that security is enhanced when there are multiple layers
of security (the depth) through which an attacker would have to
penetrate to reach the desired goal.
The Security Perimeter (2 of 5)
Figure 3.1 Basic diagram of an organization’s network
If the average administrator were asked to draw a diagram
depicting the various components of their network, the diagram
would probably look something like Figure 3.1.
A very simple depiction—an actual network can have numerous
subnets and extranets as well as wireless access points—but the
basic components are present. Beyond this security perimeter is
the corporate network.
The Security Perimeter (3 of 5)
Additional possible access points into the network
Public switched telephone network (PSTN) and wireless access
points
Authorized modems or wireless networks
Potential exists for unauthorized versions of both
Voice over IP (VoIP)
Eliminates the traditional land lines in an organization and
replaces them with special telephones that connect to the IP
data network
Insider seen as biggest danger to any organization
Most experts will agree that the biggest danger to any
organization does not come from external attacks but rather
from the insider—a disgruntled employee or somebody else who
has physical access to the facility. Given physical access to an
office, the knowledgeable attacker will quickly find the
information needed to gain access to the organization’s
computer systems and network. Consequently, every
organization also needs security policies, procedures, and
guidelines that cover physical security, and every security
administrator should be concerned with these as well. While
physical security (which can include such things as locks,
cameras, guards and entry points, alarm systems, and physical
barriers) will probably not fall under the purview of the security
administrator, the operational state of the organization’s
physical security measures is just as important as many of the
other network-centric measures.
Note: An increasing number of organizations are implementing
VoIP solutions to bring the telephone and computer networks
together. While there are some tremendous advantages to doing
this in terms of both increased capabilities and potential
monetary savings, bringing the two networks together may also
introduce additional security concerns. Another common
method to access organizational networks today is through
wireless access points. These may be provided by the
organization itself to enhance productivity, or they may be
attached to the network by users without organizational
approval. The impact of all of these additional methods that can
be used to access a network is to increase the complexity of the
security problem.
The Security Perimeter (4 of 5)
Figure 3.2 A more complete diagram of an organization’s
network
The Security Perimeter (5 of 5)
Physical security
Consists of all mechanisms used to ensure that physical access
to the computer systems and networks is restricted to only
authorized users
Additional physical security mechanisms
Routers, firewalls, and intrusion detection systems
Consider access from all six sides
Security of the obvious points of entry (doors and windows) should be
examined
Walls themselves as well as the floor and ceiling
Questions such as the following should be addressed:
Is there a false ceiling with tiles that can be easily removed?
Do the walls extend to the actual ceiling or only to a false
ceiling?
Is there a raised floor?
Do the walls extend to the actual floor, or do they stop at a
raised floor?
How are important systems situated?
Do the monitors face away from windows, or could the activity
of somebody at a system be monitored?
Who has access to the facility?
What type of access control is there, and are there any guards?
Who is allowed unsupervised access to the facility?
Is there an alarm system or security camera that covers the
area?
What procedures govern the monitoring of the alarm system or
security camera and the response should unauthorized activity
be detected?
Chapter Summary
Identify various operational aspects to security in your
organization.
Identify various policies and procedures in your organization.
Identify the security awareness and training needs of an
organization.
Understand the different types of agreements employed in
negotiating security requirements.
The Role of People in Security
Chapter 4
Objectives (1 of 2)
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s
information at risk.
Recognize methods attackers may use to gain information about
an organization.
Objectives (2 of 2)
Determine ways in which users can aid instead of detract from
security.
Recognize the role training and awareness plays in assisting the
people side of security.
Key Terms (1 of 2)
Authority
Backdoor
Consensus
Dumpster diving
Familiarity
Impersonation
Intimidation
Pharming
Phishing
Piggybacking
Reverse social engineering
Scarcity
Shoulder surfing
Authority - The use of authority in social situations can lead to
an environment where one party feels at risk in challenging
another over an issue.
Backdoor – A hidden method used to gain access to a computer
system, network, or application. Often used by software
developers to ensure unrestricted access to the systems they
create. Synonymous with trapdoor.
Consensus - a group-wide decision.
Dumpster diving - The practice of searching through trash to
discover sensitive material that has been thrown away but not
destroyed or shredded.
Familiarity - People do things for people they like or feel
connected to. Building this sense of familiarity and appeal can
lead to misplaced trust.
Impersonation - a common social engineering technique that can
be employed in many ways. It can occur in person, over a
phone, or online. In the case of an impersonation attack, the
attacker assumes a role that is recognized by the person being
attacked, and in assuming that role, the attacker uses the
potential victim’s biases against their better judgment to follow
procedures. Impersonation can occur in a variety of ways—from
third parties, to help desk operators, to vendors and even online
sources.
Intimidation – can be either subtle, through perceived power, or
more direct, through the use of communications that build an
expectation of superiority.
Pharming – consists of misdirecting users to fake web sites
made to look official.
Phishing - The use of social engineering to trick a user into
responding to something such as an e-mail to instantiate a
malware-based attack.
Piggybacking - the simple tactic of following closely behind a
person who has just used their own access card or PIN to gain
physical access to a room or building.
Reverse social engineering - A social engineering attack pattern
where the attacker prepositions themselves to be the person you
call when you think you are attacked. Because you call them,
your level of trust is lower.
Scarcity - If something is in short supply and is valued, then
arriving with what is needed can bring rewards—and
acceptance.
Shoulder surfing - A technique from social engineering where
you observe another’s action, such as a password entry.
Key Terms (2 of 2)
Social engineering
Spam
Spear phishing
Tailgating
Trust
Urgency
Vishing
Social engineering – The art of deceiving another person so that
he or she reveals confidential information. This is often
accomplished by posing as an individual who should be entitled
to have access to the information.
SPAM - E-mail that is not requested by the recipient and is
typically of a commercial nature. Also known as unsolicited
commercial e-mail (UCE).
Spear phishing - refers to the special targeting of groups with
something in common when launching a phishing attack.
Tailgating - Tailgating or piggybacking is the simple tactic of
following closely behind a person who has just used their own
access card or PIN to gain physical access to a room or
building. See piggybacking.
Trust – having an understanding of how something or someone
will act under specific conditions.
Urgency - Time can be manipulated to drive a sense of urgency
and prompt shortcuts that can lead to opportunities for
interjection into processes.
Vishing - Phishing over voice circuits, specifically voice over
IP (VoIP).
People—A Security Problem
The operational model of computer security acknowledges that
prevention technologies are not sufficient to protect our
computer systems and networks.
The biggest reason is that every network and computer system
has at least one human user.
Humans are prone to make mistakes and are often easily misled
or fooled.
Social Engineering (1 of 3)
Social engineering is the process of convincing an authorized
individual to provide confidential information or access to an
unauthorized individual.
Various deceptive practices are used to convince the targeted
person to take two possible actions:
Divulge information they normally would not divulge
Convince the target to do something they normally wouldn’t do
Social Engineering (2 of 3)
Social engineering is very successful for two general reasons:
Most people have a basic desire to be helpful.
Individuals normally seek to avoid confrontation and trouble.
Social engineering may also be accomplished using other means
besides direct contact between the target and the attacker.
Social Engineering (3 of 3)
An attacker who is attempting to exploit the natural tendency of
people to be helpful may take one of several approaches:
The attacker may simply ask a question, hoping to immediately
obtain the desired information.
The attacker may first attempt to engage the target in
conversation and try to evoke sympathy so that the target feels
sorry for the individual and is more prone to provide the
information.
The attacker may appeal to an individual’s ego.
Up to this point, social engineering has been discussed in the
context of an outsider attempting to gain information about the
organization. This does not have to be the case. Insiders may
also attempt to gain information they are not authorized to have.
In many cases, the insider may be much more successful since
they will already have a certain level of information regarding
the organization and can therefore better spin a story that may
be believable to other employees.
Tools (1 of 9)
Authority – person feels at risk challenging someone
Intimidation
Consensus – group-wide decision
Scarcity
Familiarity – can lead to misplaced trust
Trust – the whole point of social engineering is to build trust
Urgency
Rifkin had set up a bogus account in a New York bank, using a
false name, and he deposited the money into that account. He
later transferred the money again to another account in
Switzerland under a different name. He then used the money to
purchase millions of dollars in diamonds, which he then
smuggled back into the United States. The crime might have
gone undetected if he had not boasted of his exploits to an
individual who was more than happy to turn him in.
In 1979, Rifkin was sentenced to eight years in prison. At his
trial he attempted to convince the judge that he should be
released so he could teach others how to protect their systems
against the type of activity he perpetrated. The judge denied this
request.
Tools (2 of 9)
Impersonation – tricking someone as to the attacker’s role
Third-party authorization
Help Desk/Tech support
Contractors/Outside parties
Online attacks
Defenses
Tools (3 of 9)
Phishing is social engineering in which an attacker attempts to
obtain sensitive information from a user.
It masquerades as a trusted entity in an e-mail or instant
message sent to a large group of often random users.
Attacker attempts to obtain usernames, passwords, credit card
numbers, and details about the user’s bank accounts.
Attacker points users to fake non-reputable web sites or sends
bulk e-mail instructing users to click a fake link to verify that
their account has not been tampered with.
Phishing is now the most common form of social engineering
attack related to computer security. The target may be a
computer system and access to the information found on it (such
as is the case when the phishing attempt asks for a user ID and
password) or the target may be personal information, generally
financial, about an individual (in the case of phishing attempts
that ask for an individual’s banking information).
Tools (4 of 9)
Spear phishing is the term that has been created to refer to the
special targeting of groups with something in common when
launching a phishing attack.
Pharming consists of misdirecting users to fake web sites made
to look official.
Using phishing, individuals are targeted one by one by sending
out e-mails.
To become a victim, the recipient must take an action.
Another specialized version of phishing is closely related to
spear phishing. Again, specific individuals are targeted, but in
this case the individuals are important individuals high up in an
organization such as the corporate officers. The goal is to go
after these “bigger targets,” and thus the term that is used to
refer to this form of attack is whaling.
Tools (5 of 9)
Vishing is a variation of phishing that uses voice
communication technology to obtain the information the
attacker is seeking.
It takes advantage of the trust people place in the telephone
network.
Attackers can spoof (simulate) calls from legitimate entities
using Voice over IP (VoIP) technology.
Voice messaging can also be compromised.
Attackers are after credit card numbers or other information that
can be used in identity theft.
Vishing (phishing conducted using voice systems) is generally
successful because of the trust that individuals place in the
telephone system. With caller ID, people believe they can
identify who it is that is calling them. They do not understand
that, just like many protocols in the TCP/IP protocol suite,
caller ID can be spoofed.
The user may receive an e-mail asking him or her to call a
number that is answered by a potentially compromised voice
message system. Users may also receive a recorded message
that appears to come from a legitimate entity. In both cases, the
user will be encouraged to respond quickly and provide the
sensitive information so that access to their account is not
blocked. If a user ever receives a message that claims to be
from a reputable entity and asks for sensitive information, the
user should not provide it but instead should use the Internet or
examine a legitimate account statement to find a phone number
that can be used to contact the entity. The user can then verify
that the message received was legitimate or report the vishing
attempt.
Tools (6 of 9)
SPAM is bulk unsolicited e-mail.
It is not generally considered a social engineering issue.
SPAM can be a security concern.
Legitimate SPAM is sent by a company advertising a product or
service.
Malicious SPAM includes an attachment containing malicious
software designed to harm your system, or a link to a malicious
web site that may attempt to obtain personal information from
you.
SPIM is SPAM delivered via an instant messaging application.
Tools (7 of 9)
Shoulder surfing does not require direct contact.
Attacker observes individual entering sensitive information on a
form, keypad, or keyboard or sets up a camera or uses
binoculars to view the user entering sensitive data.
Example of information desired: PINs or gate codes
Shoulder surfing prevention techniques
Small shield surrounding keypad or scramble location of the
numbers on keypad
Important for user awareness of surroundings
Be aware of attacker starting conversation with target.
A related, somewhat obvious security precaution is that a
person should not use the same PIN for all of their different
accounts, gate codes, and so on, since an attacker who learns
the PIN for one type of access could then use it for all of the
other types of access.
Tools (8 of 9)
Reverse social engineering occurs when the attacker hopes to
convince the target to initiate the contact.
Attack is successful since target is initiating the contact.
Attacker may not have to convince target of their authenticity.
The tricky part of this attack is convincing the target to make
that initial contact.
Methods to accomplish an attack
Send out a spoofed e-mail to contact company
Target an organization undergoing organizational change
Possible methods to accomplish this might include sending out a
spoofed e-mail (fake e-mail designed to appear authentic) that
claims to be from a reputable source and provides another e-
mail address or phone number to call for “tech support,” or
posting a notice or creating a bogus web site for a legitimate
company that also claims to provide “tech support.” This may
be especially successful if timed to coincide with a company’s
deployment of a new software or hardware platform. Another
potential time to target an organization with this sort of attack
is when there is a significant change in the organization itself,
such as when two companies merge or a smaller company is
acquired by a larger one. During these times, employees are not
familiar with the new organization or its procedures, and amidst
the confusion, it is easy to conduct either a social engineering
or reverse social engineering attack.
Tools (9 of 9)
Hoaxes can be very damaging if they cause users to take some
sort of action that weakens security.
Training and awareness are the best and first line of defense for
both users and administrators.
Users should be trained to be suspicious of unusual e-mails and
stories and should know who to contact in the organization to
verify their validity when received.
Hoaxes often also advise the user to send it to their friends so
they know about the issue as well—and by doing so, they help
spread the hoax.
Poor Security Practices (1 of 10)
A significant portion of human-created security problems
results from poor security practices.
These poor practices may be:
Due to an individual user who is not following established
security policies or processes
Caused by a lack of security policies, procedures, or training
within the user’s organization
Poor Security Practices (2 of 10)
Password selection
Users tend to pick passwords that are easy to remember.
Names of family members, pets, sports teams
The more the attacker knows about the user, the better the
chance of discovering the user’s password.
Organizations have encouraged users to mix upper- and
lowercase characters and to include numbers and special
characters in their password.
Poor password selection is one of the most common of poor
security practices, and one of the most dangerous. Numerous
studies that have been conducted on password selection have
found that, while overall more users are learning to select good
passwords, a significant percentage of users still make poor
choices. The problem with this, of course, is that a poor
password choice can enable an attacker to compromise a
computer system or network more easily. Even when users have
good passwords, they often resort to another poor security
practice—writing the password down in an easily located place,
which can also lead to system compromise if an attacker gains
physical access to the area.
Know the rules for good password selection. Generally, these
are to use eight or more characters in your password, include a
combination of upper and lowercase letters, include at least one
number and one special character, do not use a common word,
phrase, or name, and choose a password that you can remember
so that you do not need to write it down.
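The selection rules just listed, turned into a small checker. This is an added example, not code from the textbook: the common-word list, the leet-speak substitutions, the personal-name check and the sample passwords are all constructed for the example, and a real deployment would load a full dictionary and a breached-password list instead of the handful of words here.

```python
"""Password-rule checker for the rules stated in the notes: eight or more
characters, mixed case, at least one digit and one special character, and
not a common word, phrase or name. Added example; lists are constructed."""
import re

MIN_LENGTH = 8

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "football", "dragon",
}

# Constructed leet-speak mapping so "P@ssw0rd" still counts as "password".
LEET = str.maketrans("0134@$!", "oleaasi")


def _normalize(password):
    """Lowercase and undo common digit/symbol substitutions for word matching."""
    return password.lower().translate(LEET)


def check_password(password, personal_names=()):
    """Return the list of rule violations; an empty list means it passes.

    personal_names: names the notes warn about (family, pets, sports teams),
    supplied per user by the organization. Constructed assumption."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    normalized = _normalize(password)
    for word in sorted(COMMON_WORDS):
        if word in normalized:
            problems.append("based on the common word %r" % word)
            break
    for name in personal_names:
        if name and name.lower() in password.lower():
            problems.append("contains personal name %r" % name)
    return problems


def is_acceptable(password, personal_names=()):
    """Convenience wrapper: True only when every rule is satisfied."""
    return not check_password(password, personal_names)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Tr0ub4dor&3", "P@ssw0rd1!", "Welcome2024!", "fluffy"):
        print(sample, "->", check_password(sample, personal_names=["Fluffy"]) or "ok")
```

The normalization step is what makes the common-word rule useful: without it, "P@ssw0rd1!" satisfies every complexity rule while still being one of the first guesses an attacker tries, which is exactly the gap the notes describe between "meets the policy" and "hard to guess".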
Poor Security Practices (3 of 10)
Password selection (continued)
Organizations have instituted additional policies and rules
relating to password selection to further complicate an
attacker’s efforts.
Require users to frequently change their password
Require that passwords must not be written down
Average Internet user probably has at least a half dozen
different accounts and passwords to remember.
Users frequently use same password for all accounts.
Attackers are guessing PINs using same process as guessing a
password.
Organizations have instituted additional policies and rules
relating to password selection to further complicate an
attacker’s efforts. Organizations, for example, may require users
to change their passwords frequently. This means
that if an attacker is able to guess a password, it is only valid
for a limited period of time before a new password is selected,
after which the attacker is locked out. All is not lost for the
attacker, however, since, again, users will select passwords they
can remember.
Another policy or rule governing password selection often
adopted by organizations is that passwords must not be written
down. This, of course, is difficult to enforce, and thus users will
frequently write them down, often as a result of what is referred
to as the “password dilemma.” The more difficult we make it for
attackers to guess our passwords, and the more frequently we
force password changes, the more difficult the passwords are
for authorized users to remember and the more likely they are to
write them down. Writing them down and putting them in a
secure place is one thing, but all too often users will write them
on a slip of paper and keep them in their calendar, wallet, or
purse.
Poor Security Practices (4 of 10)
Shoulder surfing
Shoulder surfing does not involve direct contact with the user.
Attacker directly observes target entering sensitive information
on a form, keypad, or keyboard.
Attacker may simply look over the shoulder of the user at work,
watching as a coworker enters their password.
Best defense is for a user to be aware of their surroundings and
not allow individuals to get into a position from which
they can observe what the user is entering.
Poor Security Practices (5 of 10)
Tailgating or piggybacking is the simple tactic of following
closely behind a person who has just used his own access card
or PIN to gain physical access to a room or building.
An attacker can gain access to the facility without having to
know the access code or having to acquire an access card.
Prevent tailgating by using procedures ensuring nobody follows
too closely or is in a position to observe actions.
Can use a “man trap,” which utilizes two doors to gain access to
the facility
Piggybacking is related to social engineering attacks. Both the
piggybacking and shoulder surfing attack techniques can be
easily countered by using simple procedures to ensure nobody
follows you too closely or is in a position to observe your
actions. Both of these rely on the poor security practices of an
authorized user: people are often in a hurry and will frequently
not follow good physical security practices and procedures.
Attackers know this and may attempt to exploit it, gaining access
to the facility without having the access code or card.
Piggybacking is related to social engineering attacks: the
attacker may start a conversation with the target before reaching
the door.
To avoid piggybacking, use a man trap, which utilizes two doors to
gain access to the facility. The second door does not open until
the first one is closed and is spaced close enough to the first
that an enclosure is formed that only allows one individual
through at a time.
Poor Security Practices (6 of 10)
Dumpster diving is the process of going through a target’s trash
in hopes of finding valuable information.
Has been used by identity thieves, private investigators, and law
enforcement personnel, to obtain information about an
individual or organization
May actually find user IDs and passwords
Will probably find employee names, from which it’s not hard to
determine user IDs
May gather a variety of information that can be useful in a
social engineering attack
One common place to find this information, if the attacker is in
the vicinity of the target, is the target’s trash. The attacker
might find little bits of information that could be useful for an
attack.
In most locations, trash is no longer considered private property
after it has been discarded (and even where dumpster diving is
illegal, little enforcement occurs). An organization should have
policies about discarding materials. Sensitive information
should be shredded and the organization should consider
securing the trash receptacle so that individuals can’t forage
through it. People should also consider shredding personal or
sensitive information that they wish to discard in their own
trash. A reasonable quality shredder is inexpensive and well
worth the price when compared with the potential loss that
could occur as a result of identity theft.
Poor Security Practices (7 of 10)
Installing unauthorized hardware and software
Organizations should have a policy that restricts the ability of
normal users to install software and new hardware on their
systems.
A backdoor is an avenue used to access a system while
circumventing normal security mechanisms and can often be
used to install additional executable files that can lead to more
ways to access the compromised system.
Common examples include unauthorized communication
software and a modem; a wireless access point; and games.
Organizations should have a policy that restricts the ability of
normal users to install software and new hardware on their
systems. A common example is a user installing unauthorized
communication software and a modem to allow them to connect
to their machine at work via a modem from their home. Another
common example is a user installing a wireless access point so
that they can access the organization’s network from many
different areas. In these examples, the user has set up a
backdoor into the network, circumventing all the other security
mechanisms in place. The term “rogue modem” or “rogue access
point” may be used to describe these two cases.
Another common example of unauthorized software that users
install on their systems is games. Unfortunately, not all games
come in shrink-wrapped packages. Numerous small games can
be downloaded from the Internet. The problem with this is that
users don’t always know where the software originally came
from and what may be hidden inside it. Many individuals have
unwittingly installed what seemed to be an innocuous game,
only to have downloaded a piece of malicious code capable of
many things, including opening a backdoor that allows attackers
to connect to, and control, the system from across the Internet.
Because of these potential hazards, many organizations do not
allow their users to load software or install new hardware
without the knowledge and assistance of administrators. Many
organizations also screen, and occasionally intercept, e-mail
messages with links or attachments that are sent to users. This
helps prevent users from, say, unwittingly executing a hostile
program that was sent as part of a worm or virus. Consequently,
many organizations have their mail servers strip off executable
attachments to e-mail so that users can’t accidentally cause a
security problem.
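One way to implement the attachment-stripping control the notes describe, as an added example that is neither the textbook's code nor any particular mail server's: it parses a message with Python's standard `email` package, drops top-level parts whose filename extension or declared MIME type marks them as executable, and appends a plain-text notice naming what was removed so the recipient knows why the attachment is missing. The blocked-extension list, the MIME types, the function names and the sample "invoice" message are constructed for the example.

```python
"""Mail-gateway filter that strips executable attachments before delivery.
Added example, not textbook code; lists and sample message are constructed."""
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser

# Constructed block list. Production gateways use a far longer list and also
# inspect file content (magic bytes), since the filename is attacker-chosen.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                      ".js", ".vbs", ".msi", ".hta"}
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program"}


def is_executable_part(part):
    """True if a MIME part looks executable by filename or declared type.
    Only the last extension counts, so 'invoice.pdf.exe' is still caught."""
    name = (part.get_filename() or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in BLOCKED_EXTENSIONS or part.get_content_type() in EXECUTABLE_MIME


def strip_executables(raw):
    """Parse a raw RFC 5322 message, drop executable top-level attachments and
    append a text notice naming them. Returns (cleaned message, stripped names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    stripped = []
    if msg.get_content_maintype() != "multipart":
        return msg, stripped          # single-part mail carries no attachments
    kept = []
    for part in msg.get_payload():
        if is_executable_part(part):
            stripped.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)
    if stripped:
        notice = MIMEPart()
        notice.set_content("The mail gateway removed executable attachment(s): "
                           + ", ".join(stripped) + "\n")
        msg.attach(notice)
    return msg, stripped


def attachment_names(msg):
    """Filenames of the top-level parts that still carry an attachment name."""
    if msg.get_content_maintype() != "multipart":
        return []
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


def build_sample_message():
    """Constructed sample: an 'invoice' mail with a PDF and a double-extension
    .exe attached. The attachment bytes are placeholders, not real files."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice 1042"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00 constructed sample", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("stripped:", removed)
    print("remaining attachments:", attachment_names(cleaned))
    print(cleaned.as_string())
```

The filter keys on the last extension and the declared type only; it does not look inside archives or rename-disguised files, so a gateway pairs it with content inspection and with the e-mail link screening the notes mention. The appended notice matters operationally: a silently missing attachment generates help-desk calls, and a help desk that "re-sends the file" defeats the control.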
Poor Security Practices (8 of 10)
Data handling
This is an important training topic for employees.
How to recognize the data classification and handling
requirements of the data they are using
How to follow the proper handling processes
Include a training clause for certain data elements requiring
special handling because of contracts, laws, or regulations.
The spirit of the training clause is you get what you train; if
security over specific data types is a requirement, it should be
trained.
Poor Security Practices (9 of 10)
Physical access by non-employees
A significant deterrent to unauthorized individuals is to require
employees to wear identification badges when at work.
Method to quickly spot who has permission to have physical
access to the organization and who does not
Requires employees to actively challenge individuals who are
not wearing the required identification badge
Consider personnel who have legitimate access but also intend to
steal intellectual property or exploit the organization
Contractors, consultants, partners, custodial staff
Combine an attacker who slips in by piggybacking off of an
authorized individual and an environment where employees
have not been encouraged to challenge individuals without
appropriate credentials and you have a situation where you
might as well not have any badges in the first place.
Organizations also frequently become complacent when faced
with what appears to be a legitimate reason to access the
facility, such as when an individual shows up with a warm pizza
claiming it was ordered by an employee. It has often been stated
by security consultants that it is amazing what you can obtain
access to with a pizza box or a vase of flowers.
Another aspect that must be considered is personnel who have
legitimate access to a facility but also have intent to steal
intellectual property or otherwise exploit the organization.
Physical access provides an easy opportunity for individuals to
look for the occasional piece of critical information carelessly
left out. With the proliferation of devices such as cell phones
with built-in cameras, an individual could easily photograph
information without it being obvious to employees. Contractors,
consultants, and partners frequently not only have physical
access to the facility but may also have network access. Other
individuals who typically have unrestricted access to the facility
when no one is around are nighttime custodial crewmembers
and security guards. Such positions are often contracted out. As
a result, hackers have been known to take temporary custodial
jobs simply to gain access to facilities.
Poor Security Practices (10 of 10)
Clean desk policies
Specify that sensitive information must not be left unsecured in
the work area when the worker is not present to act as
custodian.
Example: leaving the desk area and going to the bathroom can
leave information exposed and subject to compromise.
The clean desk policy should identify and prohibit things that
are not obvious upon first glance, such as passwords on sticky
notes under keyboards and mouse pads or in unsecured desk
drawers.
Preventing access to information is also important in the work
area. Firms with sensitive information should have a “clean
desk policy” specifying that sensitive information is not left
unsecured in the work area when the worker is not present to act
as custodian.
People as a Security Tool
Social engineering paradox
People are not only the biggest problem and security risk but
also the best tool in defending against a social engineering
attack.
To fight social engineering attacks, create policies and
procedures that establish roles and responsibilities for security
administrators and all users.
Management expectations, security-wise, from employees
Description of items the organization is trying to protect, and
mechanisms important for that protection
An interesting paradox when speaking of social engineering
attacks is that people are not only the biggest problem and
security risk but also the best tool in defending against a social
engineering attack. The first step a company should take to fight
potential social engineering attacks is to create the policies and
procedures that establish the roles and responsibilities for not
only security administrators but for all users. What is it that
management expects, security-wise, from all employees? What
is it that the organization is trying to protect, and what
mechanisms are important for that protection?
Security Awareness (1 of 2)
Active security awareness program
Such a program is the single most effective method to counter
potential social engineering attacks.
The extent of the training will vary depending on the
organization’s environment and the level of threat.
Training should stress the type of information that the
organization considers sensitive and which may be the target of
a social engineering attack.
Employees should be aware of attack indicators.
Employees should be taught to be cautious about revealing
personal information.
A strong security education and awareness training program can
go a long way toward reducing the chance that a social
engineering attack will be successful. Awareness programs and
campaigns, which might include seminars, videos, posters,
newsletters, and similar materials, are also fairly easy to
implement and not very costly. There is no reason for an
organization to not have an awareness program in place. A lot
of information and ideas are available on the Internet. See what
you can find that might be usable for your organization that you
can obtain at no charge from various organizations on the
Internet. (Tip: Check organizations such as NIST and NSA,
which have developed numerous security documents and
guidelines.)
Security Awareness (2 of 2)
Corporate security officers
Must cultivate an environment of trust as well as an
understanding of the importance of security
Need the help of all users
Should strive to cultivate a team environment in which users,
when faced with a questionable situation, will not hesitate to
call the security office
Social Networking and P2P
Be careful not to mix social and business communications
If users feel that security personnel are only there to make their
life difficult or to dredge up information that will result in an
employee’s termination, the atmosphere will quickly turn
adversarial and be transformed into an “us versus them”
situation. Security personnel need the help of all users and
should strive to cultivate a team environment in which users,
when faced with a questionable situation, will not hesitate to
call the security office. In situations like this, security offices
should remember the old adage of “don’t shoot the messenger.”
Security Policy Training and Procedures
People in an organization play a significant role in the security
posture of the organization.
Training is important as it can provide the basis for awareness
of issues such as social engineering and desired employee
security habits.
Chapter Summary (1 of 2)
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s
information at risk.
Recognize methods attackers may use to gain information about
an organization.
Chapter Summary (2 of 2)
Determine ways in which users can aid instead of detract from
security.
Recognize the roles training and awareness play in assisting the
people side of security.
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights
reserved.
34

More Related Content

PPTX
12 security policies
PPT
Lesson 1- Information Policy
DOCX
CHAPTER 5 Security Policies, Standards, Procedures, a
PDF
Ch09 Information Security Best Practices
PDF
Information security policy how to writing
DOCX
Security policy case study
PDF
Security policy.pdf
12 security policies
Lesson 1- Information Policy
CHAPTER 5 Security Policies, Standards, Procedures, a
Ch09 Information Security Best Practices
Information security policy how to writing
Security policy case study
Security policy.pdf

Similar to Operationaland Organizational SecurityChapter 3Princ.docx (20)

DOCX
There are two general types of data dictionaries a database manag
PPSX
Security policies
PPT
computer security principles and practice - human factor
PPT
4482L3.ppt
PDF
For our discussion question, we focus on recent trends in security t.pdf
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
PDF
Ch06 Policy
PPT
Chapter 5
PDF
1. Security and Risk Management
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
PPTX
Sec+ Organizational Security
PPT
Information security policy_2011
PPT
Information security policy_2011
DOCX
11What is Security 1.1 Introduction The central role of co.docx
PDF
Ch08 8 Information Security Process it-slideshares.blogspot.com
PPTX
Ch04_MoIS5e_v02.pptx business business business business business business bu...
PPTX
Information security: importance of having defined policy & process
PDF
1. Security and Risk Management
DOCX
General Security ConceptsChapter 2Principles of Comput.docx
There are two general types of data dictionaries a database manag
Security policies
computer security principles and practice - human factor
4482L3.ppt
For our discussion question, we focus on recent trends in security t.pdf
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Ch06 Policy
Chapter 5
1. Security and Risk Management
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sec+ Organizational Security
Information security policy_2011
Information security policy_2011
11What is Security 1.1 Introduction The central role of co.docx
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch04_MoIS5e_v02.pptx business business business business business business bu...
Information security: importance of having defined policy & process
1. Security and Risk Management
General Security ConceptsChapter 2Principles of Comput.docx
Ad

More from mccormicknadine86 (20)

DOCX
Option #2Researching a Leader Complete preliminary rese.docx
DOCX
Option 1 ImperialismThe exploitation of  colonial resources.docx
DOCX
Option Wireless LTD v. OpenPeak, Inc.Be sure to save an elec.docx
DOCX
Option A Land SharkWhen is a shark just a shark Consider the.docx
DOCX
Option 3 Discuss your thoughts on drugs and deviance. Do you think .docx
DOCX
OPTION 2 Can we make the changes we need to make After the pandemi.docx
DOCX
Option 1 You will create a PowerPoint (or equivalent) of your p.docx
DOCX
Option A Description of Dance StylesSelect two styles of danc.docx
DOCX
Option #2Provide several slides that explain the key section.docx
DOCX
Option 2 Slavery vs. Indentured ServitudeExplain how and wh.docx
DOCX
Option 2 ArtSelect any 2 of works of art about the Holocaus.docx
DOCX
Option #1 Stanford University Prison Experiment Causality, C.docx
DOCX
Option A  Gender CrimesCriminal acts occur against individu.docx
DOCX
opic 4 Discussion Question 1 May students express religious bel.docx
DOCX
Option 1Choose a philosopher who interests you. Research that p.docx
DOCX
Option #1The Stanford University Prison Experiment Structu.docx
DOCX
Open the file (Undergrad Reqt_Individual In-Depth Case Study) for in.docx
DOCX
onsider whether you think means-tested programs, such as the Tem.docx
DOCX
Operations security - PPT should cover below questions (chapter 1 to.docx
DOCX
Operations Management MGT 320 – Spring 2020Additional As.docx
Option #2Researching a Leader Complete preliminary rese.docx
Option 1 ImperialismThe exploitation of  colonial resources.docx
Option Wireless LTD v. OpenPeak, Inc.Be sure to save an elec.docx
Option A Land SharkWhen is a shark just a shark Consider the.docx
Option 3 Discuss your thoughts on drugs and deviance. Do you think .docx
OPTION 2 Can we make the changes we need to make After the pandemi.docx
Option 1 You will create a PowerPoint (or equivalent) of your p.docx
Option A Description of Dance StylesSelect two styles of danc.docx
Option #2Provide several slides that explain the key section.docx
Option 2 Slavery vs. Indentured ServitudeExplain how and wh.docx
Option 2 ArtSelect any 2 of works of art about the Holocaus.docx
Option #1 Stanford University Prison Experiment Causality, C.docx
Option A  Gender CrimesCriminal acts occur against individu.docx
opic 4 Discussion Question 1 May students express religious bel.docx
Option 1Choose a philosopher who interests you. Research that p.docx
Operationaland Organizational SecurityChapter 3Princ.docx

Operational and Organizational Security
Chapter 3
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Objectives
Identify various operational aspects to security in your organization.
Identify various policies and procedures in your organization.
Identify the security awareness and training needs of an organization.
Understand the different types of agreements employed in negotiating security requirements.

Key Terms (1 of 2)
Acceptable use policy (AUP)
Account disablement
Account lockout
Business partnership agreement (BPA)
Due care
Due diligence
Guidelines
Incident response policy
Interconnection security agreement (ISA)
Memorandum of understanding (MOU)
Nondisclosure agreement (NDA)

Notes:
Acceptable use policy (AUP) – A policy that communicates to users what specific uses of computer resources are permitted.
Account disablement – The step between the account having access and the account being removed from the system.
Account lockout – Akin to disablement, although lockout typically refers to the ability to log on. If a user mistypes their password a certain number of times, they may be forced to wait a set amount of time while their account is locked before attempting to log in again.
Business partnership agreement (BPA) – A written agreement defining the terms and conditions of a business partnership.
Due care – The degree of care that a reasonable person would exercise under similar circumstances.
Due diligence – The reasonable steps a person or entity would take in order to satisfy legal or contractual requirements; commonly used when buying or selling something of significant value.
Guidelines – Recommendations relating to a policy.
Incident response policy – Policies and procedures that outline how the organization will prepare for security incidents and respond to them when they occur.
Interconnection security agreement (ISA) – An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project.
Memorandum of understanding (MOU) – A document executed between two parties that defines some form of agreement.
Nondisclosure agreement (NDA) – A standard corporate document used to explain the boundaries of company secret material.

Key Terms (2 of 2)
Policies
Procedures
Security policy
Service level agreement (SLA)
Standard operating procedure
Standards
User habits

Notes:
Policies – Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization’s position on some issue.
Procedures – Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.
Security policy – The security policy is a high-level statement produced by senior management that outlines both what security means to the organization and the organization’s goals for security.
Service level agreement (SLA) – An agreement between parties concerning the expected or contracted uptime associated with a system.
Standard operating procedure – Mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm.
Standards – Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven.
User habits – A front-line security tool in engaging the workforce to improve the overall security posture of an organization.

Policies, Procedures, Standards, and Guidelines (1 of 3)
Policies – high-level, broad statements of what the organization wants to accomplish
Made by management when laying out the organization’s position on some issue
Procedures – step-by-step instructions on how to implement policies in the organization
Describe exactly how employees are expected to act in a given situation or to accomplish a specific task

Notes:
An important part of any organization’s approach to implementing security is the set of policies, procedures, standards, and guidelines established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization.

Policies, Procedures, Standards, and Guidelines (2 of 3)
Standards – mandatory elements regarding the implementation of a policy
Accepted specifications providing specific details on how a policy is to be enforced
Possibly externally driven
Guidelines – recommendations relating to a policy
Key term: recommendations
Not mandatory steps

Policies, Procedures, Standards, and Guidelines (3 of 3)
Four steps of the policy lifecycle
Plan (adjust) for security in your organization.
Develop the policies, procedures, and guidelines
Implement the plans.
Includes an instruction period
Monitor the implementation.
Ensure effectiveness
Evaluate the effectiveness.
Vulnerability assessment and penetration test

Notes:
Just as the network itself constantly changes, the policies, procedures, standards, and guidelines should be kept in living documents that are periodically evaluated and changed as necessary. The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy lifecycle. A vulnerability assessment is an attempt to identify and prioritize the list of vulnerabilities within a system or network. A penetration test is a method to check the security of a system by simulating an attack by a malicious individual to ensure the security is adequate.

Security Policies
Security policy – a high-level statement produced by senior management
Outlines both what security means to the organization and the organization’s goals for security
Main security policy broken down into additional policies covering specific topics
Should include other policies
Change management, data policies, human resources policies

Change Management Policy
Change management ensures proper procedures are followed when modifications to the IT infrastructure are made.
Modifications prompted by a number of different events
“Management” implies the process is controlled in some systematic way.
Change management process includes various stages:
Request change, review and approve process, examine consequences, implement change, document process

Notes:
Modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure. A change management process should include various stages, including a method to request a change to the infrastructure, a review and approval process for the request, an examination of the consequences of the change, resolution (or mitigation) of any detrimental effects the change might incur, implementation of the change, and documentation of the process as it relates to the change.

Data Policies (1 of 8)
Data can be shared for the purpose of processing or storage.
Control over data is a significant issue in third-party relationships.
Who owns the data?

Data Policies (2 of 8)
Data ownership
Data requires a data owner.
Data ownership roles for all data elements need to be defined in the business.
Data ownership is a business function.
The requirements for security, privacy, retention, and other business functions must be established.
Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the data owner.

Data Policies (3 of 8)
Unauthorized data sharing
Unauthorized data sharing can be a significant issue, and in today’s world, data has value and is frequently used for secondary purposes.
Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite.
Ensuring that all parties understand the security requirements of shared data is important.

Data Policies (4 of 8)
Data backup requirements involve:
Determining the level of backup, restore objectives, and level of protection requirements
Can be defined by the data owner and then executed by operational IT personnel
Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.

Notes:
Data ownership requirements include backup responsibilities.

Data Policies (5 of 8)
Classification of information
Needed because of different importance or sensitivity
Factors affecting information classification
Value to the organization, age, and laws or regulations governing protection
Most widely known classification system – U.S. government
Confidential, Secret, and Top Secret
Business classifications
Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only

Notes:
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access. Discretionary and mandatory access control techniques use classifications as a method to identify who may have access to what resources.

Data Policies (6 of 8)
Data labeling, handling, and disposal
Data labeling enables an understanding of the level of protection required.
For data inside an information-processing system:
Protections should be designed into the system
Data outside the system require other means of protection.
Training ensures labeling occurs and is used and followed.
Important for users whose roles are impacted by the material
Important for proper data handling and disposal

Notes:
Effective data classification programs include data labeling, which enables personnel working with the data to know whether it is sensitive and to understand the levels of protection required. When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data labeling assists users in fulfilling their responsibilities. Personnel are intimately involved in several specific tasks associated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained personnel will not be a productive security control and, in fact, can be a source of potential compromise.

Data Policies (7 of 8)
Need to know goes hand-in-hand with least privilege.
Guiding factor is that:
Each individual is supplied the absolute minimum amount of information and privileges needed to perform work
Access requires a justified need to know.
Policy should spell out these two principles:
Who in the organization can grant access to information
Who can assign privileges to employees

Data Policies (8 of 8)
Disposal and destruction policy
Important papers should be shredded.
Delete all files and overwrite data on magnetic storage before discarding.
Destroy data magnetically using a strong magnetic field to degauss the media.
File off magnetic material from the surface of a hard drive platter.
Shred floppy media, CDs, and DVDs.
Best practice is to match the action to the risk level.
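The classification, labeling, and need-to-know slides above describe three controls that usually act together on one read request: a mandatory check that the reader's clearance dominates the data's classification, a need-to-know check that the reader has been granted every category the data belongs to, and the data owner's discretionary access list. The following Python is an added illustration written for this page, not code from the textbook; the ordering of the U.S. government levels is the one the slide lists, while the "PROJECT-BLUE" category, the user names, and the document are constructed sample values. The `label()` helper shows the marking a data-labeling program would stamp on data that leaves the system.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple

# Hierarchical levels named on the "Classification of information" slide
# (U.S. government scheme); a higher number dominates a lower one.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Subject:
    """A user: a clearance level plus the need-to-know categories granted to them."""
    name: str
    clearance: str
    need_to_know: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class DataObject:
    """A data element: its classification, the categories it belongs to, and the
    data owner's discretionary list of users permitted to read it."""
    name: str
    classification: str
    categories: FrozenSet[str] = field(default_factory=frozenset)
    acl: FrozenSet[str] = field(default_factory=frozenset)


def dominates(clearance: str, classification: str) -> bool:
    """Mandatory check: the subject's clearance must be at least the object's level."""
    return LEVELS[clearance] >= LEVELS[classification]


def check_read(subject: Subject, obj: DataObject) -> Tuple[bool, str]:
    """Apply, in order, classification dominance, need to know (every category of
    the object must be in the subject's set), and the owner's ACL.
    Returns (allowed, reason) so a denial can be logged with its cause."""
    if not dominates(subject.clearance, obj.classification):
        return False, f"clearance {subject.clearance} does not dominate {obj.classification}"
    missing = obj.categories - subject.need_to_know
    if missing:
        return False, f"no need to know for {sorted(missing)}"
    if subject.name not in obj.acl:
        return False, "not on the data owner's access list"
    return True, "ok"


def label(obj: DataObject) -> str:
    """Marking for data leaving the system (printed, downloaded, copied), so the
    handler can see the protection required: LEVEL//CATEGORY/CATEGORY."""
    cats = "/".join(sorted(obj.categories))
    level = obj.classification.upper()
    return f"{level}//{cats}" if cats else level


# Constructed sample subjects and one document (assumed values, not from the slides).
ALICE = Subject("alice", "Secret", frozenset({"PROJECT-BLUE"}))
BOB = Subject("bob", "Top Secret")                               # cleared, no need to know
CAROL = Subject("carol", "Confidential", frozenset({"PROJECT-BLUE"}))  # clearance too low
DAVE = Subject("dave", "Secret", frozenset({"PROJECT-BLUE"}))    # owner never listed him
BUDGET = DataObject("budget-2018", "Secret", frozenset({"PROJECT-BLUE"}),
                    acl=frozenset({"alice", "bob"}))

if __name__ == "__main__":
    print("label:", label(BUDGET))
    for who in (ALICE, BOB, CAROL, DAVE):
        allowed, reason = check_read(who, BUDGET)
        print(f"{who.name:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Bob's case is the one the slide is making: a Top Secret clearance is not enough on its own, because need to know is evaluated separately from the level. The reason string is returned rather than printed so an audit log can record why a request was refused.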
Notes (Data Policies 8 of 8):
Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures.

Password and Account Policies (1 of 4)
Average user has 20 passwords
Password complexity should include
Minimum length
Uppercase
Lowercase
Numerals
Non-alphabetic characters

Password and Account Policies (2 of 4)
Account expiration
Should occur when a user is no longer authorized on a given system
Manager should notify Human Resources (HR)
Account recovery
Can be serious, especially if an administrator password is lost
Need a recovery plan

Password and Account Policies (3 of 4)
Account disablement
Preferable to removal because removal might result in permission and ownership problems
Account lockout
Temporary disablement (e.g., if a user tries to log on too many times)
Password history
Should prevent users from reusing prior passwords

Password and Account Policies (4 of 4)
Password reuse
Not a good idea
Password length
At least 10 characters, with 12 preferable
Protection of passwords
Should prevent users from writing down or sharing

Human Resources Policies (1 of 14)
Humans are the weakest link in the security chain.
Three policies are needed:
Policy for hiring of individuals
Policy to keep employees from the “disgruntled” category
Policy to address employees leaving the organization
Security must be considered in all policies.
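The Password and Account Policies slides above list controls that are normally enforced in code rather than by the user: complexity and minimum length, password history, lockout after repeated failures, and disablement (rather than deletion) of an account. The Python below is an added example for this page, not code from the textbook. The length figures (at least 10, 12 preferable) are the slides'; the history depth of 5, the limit of 5 failed attempts, the 15-minute lockout window, and the PBKDF2 iteration count are assumed values chosen for the illustration. Prior passwords are kept only as salted hashes so the history check never stores plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Tuple

# Policy parameters: lengths from the slides, the rest assumed for this example.
MIN_LENGTH = 10
PREFERRED_LENGTH = 12
HISTORY_DEPTH = 5
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def complexity_problems(password: str) -> List[str]:
    """Return every complexity rule the candidate fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or symbol character")
    return problems


def meets_preferred_length(password: str) -> bool:
    """Advisory only: the slide prefers 12 characters even though 10 is the minimum."""
    return len(password) >= PREFERRED_LENGTH


@dataclass
class Account:
    username: str
    disabled: bool = False              # disablement keeps ownership and permissions intact
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked_until: float = 0.0           # epoch seconds; 0 means not locked


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(acct: Account, new_password: str) -> List[str]:
    """Enforce complexity, then password history; store a fresh salted hash on success."""
    problems = complexity_problems(new_password)
    if problems:
        return problems
    for salt, digest in acct.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return [f"reuses one of the last {HISTORY_DEPTH} passwords"]
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    return []


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Check disablement and lockout before the password; lock after too many failures."""
    if acct.disabled:
        return "disabled"
    if now < acct.locked_until:
        return "locked"
    if not acct.history:
        return "no password set"
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_digest(password, salt), digest):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.failed_attempts = 0
        acct.locked_until = now + LOCKOUT_SECONDS   # temporary, unlike disablement
        return "locked"
    return "bad password"


def disable_account(acct: Account) -> None:
    """Account disablement: stop logins but keep the record, so files it owns keep their owner."""
    acct.disabled = True


if __name__ == "__main__":
    user = Account("alice")
    print(set_password(user, "short1A!"))          # fails the minimum length
    print(set_password(user, "CorrectHorse42!"))   # accepted
    print(set_password(user, "CorrectHorse42!"))   # rejected by history
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(user, "wrong-Pass-1!", now=0.0))
    print(attempt_login(user, "CorrectHorse42!", now=LOCKOUT_SECONDS + 1))
```

The `now` parameter is passed in rather than read from the clock so the lockout window can be tested deterministically; a real system would pass `time.time()`.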
Human Resources Policies (2 of 14)
Code of ethics
Describes expected behavior at the highest level
Sets the tone for how employees act and conduct business
Code inclusions
Demand honesty from employees
Demand employees perform all activities in a professional manner
Address principles of privacy and confidentiality
State how employees treat client and organizational data
Cover how to handle conflicts of interest

Notes:
By outlining a code of ethics, the organization can encourage an environment that is conducive to integrity and high ethical standards. For additional ideas on possible codes of ethics, check professional organizations such as the Institute of Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), or the Information Systems Security Association (ISSA).

Human Resources Policies (3 of 14)
Job rotation
By rotating jobs, individuals get a better perspective on how various parts of IT can enhance or hinder the business.
Rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems.
A benefit is that the company does not have to rely on any one individual too heavily for security expertise.
Separation of duties
No individual can conduct transactions alone

Notes:
Benefit of job rotation: If all security tasks are the domain of one employee, and that individual leaves suddenly, security at the organization could suffer. On the other hand, if security tasks are understood by many different individuals, the loss of any one individual has less of an impact on the organization.

Human Resources Policies (4 of 14)
Employee hiring and promotions
Policies should ensure the organization hires the most capable and trustworthy employees.
Policies should minimize the risk that the employee will ignore company rules and affect security.
Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work
Policy should handle an employee’s status change.
Especially if construed as negative
If an employee is promoted, privileges may still change

Notes:
It is becoming common for organizations to run background checks on prospective employees and to check the references prospective employees supply. Frequently, organizations require drug testing, check for any past criminal activity, verify claimed educational credentials, and confirm reported work history. For highly sensitive environments, special security background investigations can also be required. If the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that might indicate the employee is contemplating or conducting unauthorized activity. It is likely that the employee will be upset, and whether he acts on this to the detriment of the company is something that needs to be guarded against. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly so as to lessen the likelihood that the employee will destroy previously accessible data if he becomes disgruntled and decides to take revenge on the organization. If the employee is promoted, privileges may still change, but the need to make the change to access privileges may not be as urgent, though it should still be accomplished as quickly as possible. If the move is a lateral one, changes may also need to take place, and again they should be accomplished as quickly as possible.

Human Resources Policies (5 of 14)
Retirement, separation, or termination of an employee
Employee-announced retirements – limit access to sensitive documents when the employee announces their intention.
Forced retirement – determine the risk if the employee becomes disgruntled.
New job offer – carefully consider continued access to sensitive information.
Termination – assume he is or will become disgruntled.

Notes:
An employee leaving an organization can be either a positive or a negative action. Combinations should be quickly changed once an employee has been informed of their termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs personal belongings; and then she should be escorted from the building. Note: It is better to give a potentially disgruntled employee several weeks of paid vacation than to have him trash sensitive files to which he has access. Because employees typically know the pattern of management behavior with respect to termination, doing the right thing will pay dividends in the future for a firm.

Human Resources Policies (6 of 14)
Exit interviews are a powerful tool for collecting information when people leave a firm.
On-boarding/off-boarding business partners
Agreements tend to be fairly specific with respect to terms associated with mutual expectations associated with the process of the business.
Important considerations prior to the establishment of the relationship include:
On-boarding and off-boarding processes
Data retention and destruction by the third party

Notes:
Just as it is important to manage the on- and off-boarding processes of company personnel, it is important to consider the same types of elements when making arrangements with third parties. Agreements with business partners tend to be fairly specific with respect to terms associated with mutual expectations associated with the process of the business. Considerations regarding the on-boarding and off-boarding processes are important, especially the off-boarding. When a contract arrangement with a third party comes to an end, issues as to data retention and destruction by the third party need to be addressed. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end. Note: On-boarding and off-boarding business procedures should be well documented to ensure compliance with legal requirements.

Human Resources Policies (7 of 14)
Adverse actions
How to deal with employees who violate policies
Mandatory vacations
An employee who never takes time off might be involved in nefarious activity.
Requiring mandatory vacations serves as a security protection mechanism.
Tool to detect fraud
Necessity of a second person familiar with security procedures to fill in while the employee is on vacation

Notes:
Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. From a security standpoint, an employee who never takes time off might be involved in nefarious activity, such as fraud or embezzlement, and might be afraid that if he leaves on vacation, the organization will discover his illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary employee.

Human Resources Policies (8 of 14)
Social media networks
Considered a form of third party
Challenge of terms of use, as there is no negotiated set of agreements with respect to requirements
Only option is to adopt the provided terms of service

Notes:
The rise of social media networks has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.

Human Resources Policies (9 of 14)
Acceptable use policy (AUP)
AUP outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks.
Goal is to ensure employee productivity while limiting organizational liability through inappropriate use of the organization’s assets.
Policy clearly delineates what activities are not allowed.
It states whether the organization considers it appropriate to monitor the employees’ use of the systems and network.

Notes:
The AUP should clearly delineate what activities are not allowed. It should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included. Related to appropriate use of the organization’s computer systems and networks by employees is the appropriate use by the organization. The most important of such issues is whether the organization considers it appropriate to monitor the employees’ use of the systems and network. If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. Should the organization need to use in a civil or criminal case any information gathered during monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue in the particular jurisdiction.

Human Resources Policies (10 of 14)
Internet usage policy
Goal: ensure maximum employee productivity and limit potential liability to the organization from inappropriate use of the Internet in a workplace
Address what sites employees are allowed and not allowed to visit
Spell out the acceptable use parameters
Describe the circumstances under which an employee is allowed to post something from the organization’s network on the Web
Need a procedure to post the object or message

Notes:
The Internet provides a tremendous temptation for employees to waste hours as they surf the Web for the scores of games from the previous night, conduct quick online stock transactions, or read the review of the latest blockbuster movie everyone is talking about. In addition, allowing employees to visit sites that may be considered offensive to others (such as pornographic or hate sites) can open the company to accusations of condoning a hostile work environment and result in legal liability.

Human Resources Policies (11 of 14)
E-mail usage policy
Specifies what the company allows employees to send in, or as attachments to, e-mail messages
Spells out whether nonwork e-mail traffic is allowed
Describes the type of message considered inappropriate to send
Specifies disclaimers that must be attached to an employee’s message sent to an individual outside the company
Reminds employees of the risks of clicking on links in e-mails or opening attachments

Notes:
This policy should spell out whether nonwork e-mail traffic is allowed at all or is at least severely restricted. It needs to cover the type of message that would be considered inappropriate to send to other employees (for example, no offensive language, no sex-related or ethnic jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee’s message sent to an individual outside the company. The policy should remind employees of the risks of clicking on links in e-mails or opening attachments, as these can be social engineering attacks.

Human Resources Policies (12 of 14)
Clean desk policy
Specifies that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian
Identifies and prohibits things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers
Training for clean desk activities makes the issue a personal one

Notes:
Preventing access to information is also important in the work area. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. All of these elements that demonstrate the need for a clean desk are lost if employees do not make them personal. Training for clean desk activities needs to make the issue a personal one, where consequences are understood and the workplace reinforces the positive activity.

Human Resources Policies (13 of 14)
Bring your own device (BYOD) policy
Primary purpose
Lower the risk associated with connecting a wide array of personal devices to a company’s network and accessing sensitive data on them
Central element of a BYOD policy
Security, in the form of risk management
Device requirements
Must be maintained in a current, up-to-date software posture, and with certain security features

Notes:
Everyone seems to have a smartphone, a tablet, or other personal Internet device that they use in their personal lives. Bringing these to work is a natural extension of one’s normal activities, but this raises the question of what policies are appropriate before a firm allows these devices to connect to the corporate network and access company data. Like all other policies, planning is needed to define the appropriate pathway to the company objectives. Personal devices offer cost savings and positive user acceptance, and in many cases these factors make allowing BYOD a sensible decision. Devices need to be maintained in a current, up-to-date software posture, and with certain security features, such as screen locks and passwords enabled. Remote wipe and other features should be enabled, and highly sensitive data, especially in aggregate, should not be allowed on the devices. Users should have specific training as to what is allowed and what isn’t and should be made aware of the increased responsibility associated with a mobile means of accessing corporate resources. In some cases it may be necessary to define a policy associated with personally owned devices. This policy will describe the rules and regulations associated with use of personally owned devices with respect to corporate data, network connectivity, and security risks.

Human Resources Policies (14 of 14)
Privacy policy
Explains guiding principles in guarding personal data to which organizations are given access
Personally identifiable information (PII)
Includes any data that can be used to uniquely identify an individual
Name, address, driver’s license number, and other details
Necessary measures taken by the company
Ensure data is protected from compromise

Notes:
Customers place an enormous amount of trust in organizations to which they provide personal information. These customers expect their information to be kept secure so that unauthorized individuals will not gain access to it and so that authorized users will not use the information in unintended ways.

Due Care and Due Diligence
Due care generally refers to the standard of care a reasonable person is expected to exercise in all situations.
Due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction.
The standard applied—reasonableness—is extremely subjective and often is determined by a jury.
Many sectors have a set of “security best practices.”

Notes:
Note: Due diligence is the application of a specific standard of care. Due care is the degree of care that an ordinary person would exercise. An organization must take reasonable precautions before entering a business transaction or it might be found to have acted irresponsibly. In terms of security, organizations are expected to take reasonable precautions to protect the information that they maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an
  • 29. organization in terms of its security, that person typically can bring a legal suit against the organization. The organization will need to show that it had taken reasonable precautions to protect the information, and that, despite these precautions, an unforeseen security event occurred that caused the injury to the other party. Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have a set of “security best practices” for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has regulatory requirements, justifying why the mandated security practices were not followed will be much more difficult (if not impossible). 36 Due Process Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights. Individual’s rights outlined by Constitution and Bill of Rights Procedural due process uses concept of “fair”. Courts recognize series of rights embodied by the Constitution. Organizational due process occurs in administrative actions adversely affecting employees. Principles of Computer Security, Fifth Edition Copyright © 2018 by McGraw-Hill Education. All rights reserved. Of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the
  • 30. courts have decided are implicit in the concepts embodied by the Constitution. An example of this is an individual’s right to privacy. From an organization’s point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee is terminated, for example, were all of the employee’s rights protected? An actual example pertains to the rights of privacy regarding employees’ e-mail messages. As the number of cases involving employers examining employee e-mails grows, case law continues to be established and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations. 37 Incident Response Policies and Procedures Incident response policy and associated procedures Developed to outline how the organization will prepare for security incidents and respond to them when they occur Designed in advance Should cover five phases: Preparation, detection, containment and eradication, recovery, and follow-up actions Principles of Computer Security, Fifth Edition Copyright © 2018 by McGraw-Hill Education. All rights reserved. No matter how careful an organization is, eventually a security
  • 31. incident of some sort will occur. When it happens, how effectively the organization responds to it will depend greatly on how prepared it is to handle incidents. 38 Security Awareness and Training Programs enhance an organization’s security posture. Teach personnel how to follow the correct set of actions to perform their duties in a secure manner Make personnel aware of the indicators and effects of social engineering attacks Properly trained employees perform duties in a more effective manner. Security awareness programs and campaigns include: Seminars, videos, posters, newsletters, similar materials Fairly easy to implement and not very costly Principles of Computer Security, Fifth Edition Copyright © 2018 by McGraw-Hill Education. All rights reserved. Properly trained employees are able to perform their duties in a more effective manner, including their duties associated with information security. The extent of information security training will vary depending on the organization’s environment and the level of threat, but initial employee security training at the time of being hired is important, as is periodic refresher training. A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. 39
Security Policy Training and Procedures
Personnel need training with respect to the tasks and expectations to perform complex tasks.
Applies to security policy and operational security details
Use refresher training for periodic reinforcement.
Collection of policies should paint a picture describing the desired security culture of the organization.
Security policy – high-level directive
Second-level policies – password, access, information handling, and acceptable use policies

If employees are going to be expected to comply with the organization’s security policy, they must be properly trained in its purpose, meaning, and objectives. Training with respect to the information security policy, individual responsibilities, and expectations is something that requires periodic reinforcement through refresher training. Because the security policy is a high-level directive that sets the overall support and executive direction with respect to security, it is important that the meaning of this message be translated and supported. Second-level policies such as password, access, information handling, and acceptable use policies also need to be covered. The collection of policies should paint a picture describing the desired security culture of the organization. The training should be designed to ensure that people see and understand the whole picture, not just the elements.
Role-based Training
Training needs to be targeted to the user with regard to their role in the subject of the training.
Role-based training is an important part of information security training.
Applies to:
Data Owner - User
System Administrator - Privileged User
System Owner - Executive User

If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands the responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less-obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training.

Compliance with Laws, Best Practices, and Standards (1 of 2)
Wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security.
Organization must build them into their own policies and procedures.

There is a wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. Each places its own set of requirements upon an organization and its personnel. The only effective way for an organization to address these requirements is to build them into their own policies and procedures. Training to one’s own policies and procedures would then translate into coverage of these external requirements.

Compliance with Laws, Best Practices, and Standards (2 of 2)
External requirements impart a specific training and awareness component upon the organization.
Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), or Health Insurance Portability and Accountability Act (HIPAA)

User Habits
User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.
Individual user responsibilities vary between organizations and the type of business in which each organization is involved.
There are certain very basic responsibilities that all users should be instructed to adopt.

Basic responsibilities:
Lock the door to your office or workspace, including drawers and cabinets.
Do not leave sensitive information inside your car unprotected.
Secure storage media containing sensitive information in a secure storage device.
Shred paper containing organizational information before discarding it.
Do not divulge sensitive information to individuals (including other employees) who do not have an authorized need to know it.
Do not discuss sensitive information with family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse or friends about other employees or about problems that are occurring at work.)
Protect laptops and other mobile devices that contain sensitive or important organization information wherever the device may be stored or left. (It’s a good idea to ensure that sensitive information is encrypted on the laptop or mobile device so that, should the equipment be lost or stolen, the information remains safe.)
Be aware of who is around you when discussing sensitive corporate information. Does everybody within earshot have the need to hear this information?
Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing, or access without the proper credentials.
Be aware of the correct procedures to report suspected or actual violations of security policies.
Follow procedures established to enforce good password security practices. Passwords are such a critical element that they are frequently the ultimate target of a social engineering attack. Though such password procedures may seem too oppressive or strict, they are often the best line of defense.

Training Metrics and Compliance
Requirements for maintaining a trained workforce
Record-keeping system measuring compliance with attendance and the effectiveness of the training
Follow up and gather training metrics
Challenges
Maintaining active listing of training and retraining
Monitoring the effectiveness of the training; measuring effectiveness by actual impact on employee behavior
Standard operating procedures
Mandatory step-by-step instructions

Interoperability Agreements (1 of 5)
Many business operations involve actions between many different parties.
Actions require communication between the parties.
Define the responsibilities and expectations of the parties
Define business objectives
Define environment within which the objectives will be pursued
Written agreements used to ensure agreement is understood between the parties.

Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the service level agreement, business partnership agreement, memorandum of understanding, and interconnection security agreement.

Interoperability Agreements (2 of 5)
Service level agreements (SLA)
Contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer
SLA rules
Describe entire set of product or service functions in sufficient detail that their requirement will be unambiguous
Provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance
SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery. The provider’s backup plans and processes for restoring lost data should also be clearly described.

Interoperability Agreements (3 of 5)
Business partnership agreement (BPA)
Legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners
Sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues
Uniform Partnership Act (UPA)
Lays out uniform set of rules associated with partnerships to resolve any partnership terms
Designed as “one size fits all”

Interoperability Agreements (4 of 5)
Memorandum of understanding (MOU)
Legal document used to describe a bilateral agreement between parties
Written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal
More formal and detailed than a simple handshake
Generally lacks the binding powers of a contract
Common to find between different units within an organization to detail expectations associated with the common business interest

Interoperability Agreements (5 of 5)
Interconnection security agreement (ISA)
These are specialized agreements between organizations that have interconnected IT systems.
Purpose is to document the security requirements associated with the interconnection.
ISA as part of an MOU
ISA can detail specific technical security aspects of a data interconnection.
Nondisclosure agreements (NDAs) – explain the boundaries of corporate secret material
The Security Perimeter (1 of 5)
Various network components
Connection to the Internet
Protection is attached to it, such as a firewall.
Intrusion detection system (IDS)
May be either on the inside or the outside of the firewall, or both
Specific location depends on the company and what it is more concerned about preventing
Router
Enhances security

Note: The security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on each system (such as user IDs/passwords), creates what is sometimes known as defense-in-depth. This implies that security is enhanced when there are multiple layers of security (the depth) through which an attacker would have to penetrate to reach the desired goal.

The Security Perimeter (2 of 5)
Figure 3.1 Basic diagram of an organization’s network
If the average administrator were asked to draw a diagram depicting the various components of their network, the diagram would probably look something like Figure 3.1. A very simple depiction—an actual network can have numerous subnets and extranets as well as wireless access points—but the basic components are present. Beyond this security perimeter is the corporate network.

The Security Perimeter (3 of 5)
Additional possible access points into the network
Public switched telephone network (PSTN) and wireless access points
Authorized modems or wireless networks
Potential exists for unauthorized versions of both
Voice over IP (VoIP)
Eliminates the traditional land lines in an organization and replaces them with special telephones that connect to the IP data network
Insider seen as biggest danger to any organization

Most experts will agree that the biggest danger to any organization does not come from external attacks but rather from the insider—a disgruntled employee or somebody else who has physical access to the facility. Given physical access to an office, the knowledgeable attacker will quickly find the information needed to gain access to the organization’s computer systems and network. Consequently, every organization also needs security policies, procedures, and guidelines that cover physical security, and every security administrator should be concerned with these as well. While physical security (which can include such things as locks, cameras, guards and entry points, alarm systems, and physical barriers) will probably not fall under the purview of the security administrator, the operational state of the organization’s physical security measures is just as important as many of the other network-centric measures.

Note: An increasing number of organizations are implementing VoIP solutions to bring the telephone and computer networks together. While there are some tremendous advantages to doing this in terms of both increased capabilities and potential monetary savings, bringing the two networks together may also introduce additional security concerns.

Another common method to access organizational networks today is through wireless access points. These may be provided by the organization itself to enhance productivity, or they may be attached to the network by users without organizational approval. The impact of all of these additional methods that can be used to access a network is to increase the complexity of the security problem.

The Security Perimeter (4 of 5)
Figure 3.2 A more complete diagram of an organization’s network
The Security Perimeter (5 of 5)
Physical security
Consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users
Additional physical security mechanisms
Routers, firewalls, and intrusion detection systems
Consider access from all six sides
Security of obvious points of entry should be examined (doors and windows)
Walls themselves, as well as the floor and ceiling

Questions such as the following should be addressed:
Is there a false ceiling with tiles that can be easily removed?
Do the walls extend to the actual ceiling or only to a false ceiling?
Is there a raised floor?
Do the walls extend to the actual floor, or do they stop at a raised floor?
How are important systems situated?
Do the monitors face away from windows, or could the activity of somebody at a system be monitored?
Who has access to the facility?
What type of access control is there, and are there any guards?
Who is allowed unsupervised access to the facility?
Is there an alarm system or security camera that covers the area?
What procedures govern the monitoring of the alarm system or security camera and the response should unauthorized activity be detected?

Chapter Summary
Identify various operational aspects to security in your organization.
Identify various policies and procedures in your organization.
Identify the security awareness and training needs of an organization.
Understand the different types of agreements employed in negotiating security requirements.

The Role of People in Security
Chapter 4

Objectives (1 of 2)
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s information at risk.
Recognize methods attackers may use to gain information about an organization.

Objectives (2 of 2)
Determine ways in which users can aid instead of detract from security.
Recognize the role training and awareness plays in assisting the people side of security.

Key Terms (1 of 2)
Authority
Backdoor
Consensus
Dumpster diving
Familiarity
Impersonation
Intimidation
Pharming
Phishing
Piggybacking
Reverse social engineering
Scarcity
Shoulder surfing

Authority – The use of authority in social situations can lead to an environment where one party feels at risk in challenging another over an issue.
Backdoor – A hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
Consensus – A group-wide decision.
Dumpster diving – The practice of searching through trash to discover sensitive material that has been thrown away but not destroyed or shredded.
Familiarity – People do things for people they like or feel connected to. Building this sense of familiarity and appeal can lead to misplaced trust.
Impersonation – A common social engineering technique that can be employed in many ways. It can occur in person, over a phone, or online. In the case of an impersonation attack, the attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim’s biases against their better judgment to follow procedures. Impersonation can occur in a variety of ways—from third parties, to help desk operators, to vendors and even online sources.
Intimidation – Can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority.
Pharming – Consists of misdirecting users to fake web sites made to look official.
Phishing – The use of social engineering to trick a user into responding to something such as an e-mail to instantiate a malware-based attack.
Piggybacking – The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
Reverse social engineering – A social engineering attack pattern where the attacker prepositions themselves to be the person you call when you think you are attacked. Because you call them, your level of trust is lower.
Scarcity – If something is in short supply and is valued, then arriving with what is needed can bring rewards—and acceptance.
Shoulder surfing – A technique from social engineering where you observe another’s action, such as a password entry.

Key Terms (2 of 2)
Social engineering
Spam
Spear phishing
Tailgating
Trust
Urgency
Vishing

Social engineering – The art of deceiving another person so that he or she reveals confidential information. This is often accomplished by posing as an individual who should be entitled to have access to the information.
SPAM – E-mail that is not requested by the recipient and is typically of a commercial nature. Also known as unsolicited commercial e-mail (UCE).
Spear phishing – Refers to the special targeting of groups with something in common when launching a phishing attack.
Tailgating – Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. See piggybacking.
Trust – Having an understanding of how something or someone will act under specific conditions.
Urgency – Time can be manipulated to drive a sense of urgency and prompt shortcuts that can lead to opportunities for interjection into processes.
Vishing – Phishing over voice circuits, specifically voice over IP (VoIP).

People—A Security Problem
The operational model of computer security acknowledges that prevention technologies are not sufficient to protect our computer systems and networks.
The biggest reason is that every network and computer system has at least one human user.
Humans are prone to make mistakes and are often easily misled or fooled.

Social Engineering (1 of 3)
Social engineering is the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual.
Various deceptive practices are used to convince the targeted person to take two possible actions:
Divulge information they normally would not divulge
Convince the target to do something they normally wouldn’t do

Social Engineering (2 of 3)
Social engineering is very successful for two general reasons:
Most people have a basic desire to be helpful.
Individuals normally seek to avoid confrontation and trouble.
Social engineering may also be accomplished using other means besides direct contact between the target and the attacker.

Social Engineering (3 of 3)
An attacker who is attempting to exploit the natural tendency of people to be helpful may take one of several approaches:
The attacker may simply ask a question, hoping to immediately obtain the desired information.
The attacker may first attempt to engage the target in conversation and try to evoke sympathy so that the target feels sorry for the individual and is more prone to provide the information.
The attacker may appeal to an individual’s ego.

Up to this point, social engineering has been discussed in the context of an outsider attempting to gain information about the organization. This does not have to be the case. Insiders may also attempt to gain information they are not authorized to have. In many cases, the insider may be much more successful since they will already have a certain level of information regarding the organization and can therefore better spin a story that may be believable to other employees.

Tools (1 of 9)
Authority – person feels at risk challenging someone
Intimidation
Consensus – group-wide decision
Scarcity
Familiarity – can lead to misplaced trust
Trust – the whole point of social engineering is to build trust
Urgency

Rifkin had set up a bogus account in a New York bank, using a false name, and he deposited the money into that account. He later transferred the money again to another account in Switzerland under a different name. He then used the money to purchase millions of dollars in diamonds, which he then smuggled back into the United States. The crime might have gone undetected if he had not boasted of his exploits to an individual who was more than happy to turn him in. In 1979, Rifkin was sentenced to eight years in prison. At his trial he attempted to convince the judge that he should be released so he could teach others how to protect their systems against the type of activity he perpetrated. The judge denied this request.

Tools (2 of 9)
  • 52. Impersonation – tricking someone as to the attacker’s role Third-party authorization Help Desk/Tech support Contractors/Outside parties Online attacks Defenses Principles of Computer Security, Fifth Edition Copyright © 2018 by McGraw-Hill Education. All rights reserved. . 11 Tools (3 of 9) Phishing is social engineering in which an attacker attempts to obtain sensitive information from a user. It masquerades as a trusted entity in an e-mail or instant message sent to a large group of often random users. Attacker attempts to obtain usernames, passwords, credit card numbers, and details about the user’s bank accounts. Attacker points users to fake non-reputable web sites or sends bulk e-mail instructing users to click a fake link to verify that their account has not been tampered with. Principles of Computer Security, Fifth Edition Copyright © 2018 by McGraw-Hill Education. All rights reserved. Phishing is now the most common form of social engineering attack related to computer security. The target may be a computer system and access to the information found on it (such
• 53. as is the case when the phishing attempt asks for a user ID and password) or the target may be personal information, generally financial, about an individual (in the case of phishing attempts that ask for an individual’s banking information).
Tools (4 of 9)
Spear phishing is the term that has been created to refer to the special targeting of groups with something in common when launching a phishing attack.
Pharming consists of misdirecting users to fake web sites made to look official.
Using phishing, individuals are targeted one by one by sending out e-mails.
To become a victim, the recipient must take an action.
Another specialized version of phishing is closely related to spear phishing. Again, specific individuals are targeted, but in this case the individuals are important individuals high up in an organization such as the corporate officers. The goal is to go after these “bigger targets,” and thus the term that is used to refer to this form of attack is whaling.
Tools (5 of 9)
Vishing is a variation of phishing that uses voice communication technology to obtain the information the attacker is seeking.
It takes advantage of the trust people place in the telephone network.
• 54. Attackers can spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology.
Voice messaging can also be compromised.
Attackers are after credit card numbers or other information that can be used in identity theft.
Vishing (phishing conducted using voice systems) is generally successful because of the trust that individuals place in the telephone system. With caller ID, people believe they can identify who it is that is calling them. They do not understand that, just like many protocols in the TCP/IP protocol suite, caller ID can be spoofed. The user may receive an e-mail asking him or her to call a number that is answered by a potentially compromised voice message system. Users may also receive a recorded message that appears to come from a legitimate entity. In both cases, the user will be encouraged to respond quickly and provide the sensitive information so that access to their account is not blocked. If a user ever receives a message that claims to be from a reputable entity and asks for sensitive information, the user should not provide it but instead should use the Internet or examine a legitimate account statement to find a phone number that can be used to contact the entity. The user can then verify that the message received was legitimate or report the vishing attempt.
Tools (6 of 9)
SPAM is bulk unsolicited e-mail.
• 55. It is not generally considered a social engineering issue.
SPAM can be a security concern.
Legitimate SPAM is sent by a company advertising a product or service.
Malicious SPAM includes an attachment containing malicious software designed to harm your system, or a link to a malicious web site that may attempt to obtain personal information from you.
SPIM is SPAM delivered via an instant messaging application.
Tools (7 of 9)
Shoulder surfing does not require direct contact.
Attacker observes individual entering sensitive information on a form, keypad, or keyboard, or sets up a camera or uses binoculars to view the user entering sensitive data.
Example of information desired: PINs or gate codes
Shoulder surfing prevention techniques
Small shield surrounding keypad or scramble location of the numbers on keypad
Important for user awareness of surroundings
Be aware of attacker starting conversation with target.
A related, somewhat obvious security precaution is that a person should not use the same PIN for all of their different
• 56. accounts, gate codes, and so on, since an attacker who learns the PIN for one type of access could then use it for all of the other types of access.
Tools (8 of 9)
Reverse social engineering occurs when the attacker hopes to convince the target to initiate the contact.
Attack is successful since target is initiating the contact.
Attacker may not have to convince target of their authenticity.
The tricky part of this attack is convincing the target to make that initial contact.
Methods to accomplish an attack
Send out a spoofed e-mail to contact company
Target an organization undergoing organizational change
Possible methods to accomplish this might include sending out a spoofed e-mail (fake e-mail designed to appear authentic) that claims to be from a reputable source and provides another e-mail address or phone number to call for “tech support,” or posting a notice or creating a bogus web site for a legitimate company that also claims to provide “tech support.” This may be especially successful if timed to coincide with a company’s deployment of a new software or hardware platform. Another potential time to target an organization with this sort of attack is when there is a significant change in the organization itself, such as when two companies merge or a smaller company is acquired by a larger one. During these times, employees are not familiar with the new organization or its procedures, and amidst the confusion, it is easy to conduct either a social engineering
• 57. or reverse social engineering attack.
Tools (9 of 9)
Hoaxes can be very damaging if they cause users to take some sort of action that weakens security.
Training and awareness are the best and first line of defense for both users and administrators.
Users should be trained to be suspicious of unusual e-mails and stories and should know who to contact in the organization to verify their validity when received.
Hoaxes often also advise the user to send it to their friends so they know about the issue as well—and by doing so, they help spread the hoax.
Poor Security Practices (1 of 10)
A significant portion of human-created security problems results from poor security practices.
These poor practices may be:
Due to an individual user who is not following established security policies or processes
Caused by a lack of security policies, procedures, or training within the user’s organization
• 58. Poor Security Practices (2 of 10)
Password selection
Users tend to pick passwords that are easy to remember.
Names of family members, pets, sports teams
The more the attacker knows about the user, the better the chance of discovering the user’s password.
Organizations have encouraged users to mix upper- and lowercase characters and to include numbers and special characters in their password.
Poor password selection is one of the most common of poor security practices, and one of the most dangerous. Numerous studies that have been conducted on password selection have found that, while overall more users are learning to select good passwords, a significant percentage of users still make poor choices. The problem with this, of course, is that a poor password choice can enable an attacker to compromise a computer system or network more easily. Even when users have good passwords, they often resort to another poor security practice—writing the password down in an easily located place, which can also lead to system compromise if an attacker gains physical access to the area. Know the rules for good password selection. Generally, these
• 59. are to use eight or more characters in your password, include a combination of upper- and lowercase letters, include at least one number and one special character, do not use a common word, phrase, or name, and choose a password that you can remember so that you do not need to write it down.
Poor Security Practices (3 of 10)
Password selection (continued)
Organizations have instituted additional policies and rules relating to password selection to further complicate an attacker’s efforts.
Require users to frequently change their password
Require that passwords must not be written down
Average Internet user probably has at least a half dozen different accounts and passwords to remember.
Users frequently use same password for all accounts.
Attackers are guessing PINs using same process as guessing a password.
Organizations have instituted additional policies and rules relating to password selection to further complicate an attacker’s efforts. Organizations, for example, may require users to change their password frequently. This means that if an attacker is able to guess a password, it is only valid for a limited period of time before a new password is selected, after which the attacker is locked out. All is not lost for the attacker, however, since, again, users will select passwords they can remember.
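The password selection rules listed above (eight or more characters, mixed case, a number, a special character, no common word or name) can be turned into a checker that reports every rule a candidate breaks, including a name the attacker could learn about the user. This is an added illustration, not code from the textbook; the common-word list and the personal terms are constructed placeholders for a real dictionary.

```python
"""Checker for the slide's password selection rules (added example)."""
import re
import string
from typing import Iterable, List

MIN_LENGTH = 8

# Constructed stand-in for a real common-password / dictionary list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football", "summer"}


def _normalize(candidate: str) -> str:
    """Lowercase and drop digits and punctuation, so that 'Football2018!'
    still matches the common word 'football'."""
    return re.sub(r"[^a-z]", "", candidate.lower())


def check_password(candidate: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the candidate violates (empty means it passes).

    personal_terms holds details an attacker might know about the user
    (family, pet, or team names, as the slide warns); they are blocked the
    same way as dictionary words.
    """
    failures: List[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character")

    core = _normalize(candidate)
    blocked = {w.lower() for w in COMMON_WORDS} | {_normalize(t) for t in personal_terms}
    for word in sorted(blocked):
        # Substring match, so 'Fluffy99!' is caught; very short words are
        # skipped because they would match almost anything.
        if len(word) >= 4 and word in core:
            failures.append(f"contains common word or name '{word}'")
            break
    return failures


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password", "Fluffy2018!"):
        print(pw, "->", check_password(pw, personal_terms=["Fluffy"]) or "OK")
```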
• 60. Another policy or rule governing password selection often adopted by organizations is that passwords must not be written down. This, of course, is difficult to enforce, and thus users will frequently write them down, often as a result of what is referred to as the “password dilemma.” The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down. Writing them down and putting them in a secure place is one thing, but all too often users will write them on a slip of paper and keep them in their calendar, wallet, or purse.
Poor Security Practices (4 of 10)
Shoulder surfing
Shoulder surfing does not involve direct contact with the user.
Attacker directly observes target entering sensitive information on a form, keypad, or keyboard.
Attacker may simply look over the shoulder of the user at work, watching as a coworker enters their password.
Best defense is for a user to be aware of their surroundings and not allow individuals to get into a position from which they can observe what the user is entering.
Poor Security Practices (5 of 10)
• 61. Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used his own access card or PIN to gain physical access to a room or building.
An attacker can gain access to the facility without having to know the access code or having to acquire an access card.
Prevent tailgating by using procedures ensuring nobody follows too closely or is in a position to observe actions.
Can use a “man trap,” which utilizes two doors to gain access to the facility
Piggybacking is related to social engineering attacks. Both the piggybacking and shoulder surfing attack techniques can be easily countered by using simple procedures to ensure nobody follows you too closely or is in a position to observe your actions. Both of these rely on the poor security practices of an authorized user: people are often in a hurry and will frequently not follow good physical security practices and procedures. Attackers know this and may attempt to exploit it. An attacker can gain access to the facility without having the access code or card. Piggybacking is related to social engineering attacks: the attacker may start a conversation with the target before reaching the door. Avoid piggybacking: use a man trap, which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed and is spaced close enough to the first that an enclosure is formed that only allows one individual through at a time.
• 62. Poor Security Practices (6 of 10)
Dumpster diving is the process of going through a target’s trash in hopes of finding valuable information.
Has been used by identity thieves, private investigators, and law enforcement personnel to obtain information about an individual or organization
May actually find user IDs and passwords
Will probably find employee names, from which it’s not hard to determine user IDs
May gather a variety of information that can be useful in a social engineering attack
One common place to find this information, if the attacker is in the vicinity of the target, is the target’s trash. The attacker might find little bits of information that could be useful for an attack. In most locations, trash is no longer considered private property after it has been discarded (and even where dumpster diving is illegal, little enforcement occurs). An organization should have policies about discarding materials. Sensitive information should be shredded and the organization should consider securing the trash receptacle so that individuals can’t forage through it. People should also consider shredding personal or sensitive information that they wish to discard in their own trash. A reasonable quality shredder is inexpensive and well worth the price when compared with the potential loss that could occur as a result of identity theft.
• 63. Poor Security Practices (7 of 10)
Installing unauthorized hardware and software
Organizations should have a policy that restricts the ability of normal users to install software and new hardware on their systems.
A backdoor is an avenue used to access a system while circumventing normal security mechanisms and can often be used to install additional executable files that can lead to more ways to access the compromised system.
Common examples include unauthorized communication software and a modem; a wireless access point; and games.
Organizations should have a policy that restricts the ability of normal users to install software and new hardware on their systems. A common example is a user installing unauthorized communication software and a modem to allow them to connect to their machine at work via a modem from their home. Another common example is a user installing a wireless access point so that they can access the organization’s network from many different areas. In these examples, the user has set up a backdoor into the network, circumventing all the other security mechanisms in place. The term “rogue modem” or “rogue access point” may be used to describe these two cases. Another common example of unauthorized software that users install on their systems is games. Unfortunately, not all games
• 64. come in shrink-wrapped packages. Numerous small games can be downloaded from the Internet. The problem with this is that users don’t always know where the software originally came from and what may be hidden inside it. Many individuals have unwittingly installed what seemed to be an innocuous game, only to have downloaded a piece of malicious code capable of many things, including opening a backdoor that allows attackers to connect to, and control, the system from across the Internet. Because of these potential hazards, many organizations do not allow their users to load software or install new hardware without the knowledge and assistance of administrators. Many organizations also screen, and occasionally intercept, e-mail messages with links or attachments that are sent to users. This helps prevent users from, say, unwittingly executing a hostile program that was sent as part of a worm or virus. Consequently, many organizations have their mail servers strip off executable attachments to e-mail so that users can’t accidentally cause a security problem.
Poor Security Practices (8 of 10)
Data handling
This is an important training topic for employees.
How to recognize the data classification and handling requirements of the data they are using
How to follow the proper handling processes
Include a training clause for certain data elements requiring special handling because of contracts, laws, or regulations.
The spirit of the training clause is you get what you train; if security over specific data types is a requirement, it should be trained.
• 65. Poor Security Practices (9 of 10)
Physical access by non-employees
Significant deterrent to unauthorized individuals is to require employees to wear identification badges when at work.
Method to quickly spot who has permission to have physical access to the organization and who does not
Requires employees to actively challenge individuals who are not wearing the required identification badge
Consider personnel with legitimate access who have intent to steal intellectual property or exploit the organization
Contractors, consultants, partners, custodial staff
Combine an attacker who slips in by piggybacking off of an authorized individual and an environment where employees have not been encouraged to challenge individuals without appropriate credentials and you have a situation where you might as well not have any badges in the first place. Organizations also frequently become complacent when faced with what appears to be a legitimate reason to access the facility, such as when an individual shows up with a warm pizza
• 66. claiming it was ordered by an employee. It has often been stated by security consultants that it is amazing what you can obtain access to with a pizza box or a vase of flowers. Another aspect that must be considered is personnel who have legitimate access to a facility but also have intent to steal intellectual property or otherwise exploit the organization. Physical access provides an easy opportunity for individuals to look for the occasional piece of critical information carelessly left out. With the proliferation of devices such as cell phones with built-in cameras, an individual could easily photograph information without it being obvious to employees. Contractors, consultants, and partners frequently not only have physical access to the facility but may also have network access. Other individuals who typically have unrestricted access to the facility when no one is around are nighttime custodial crewmembers and security guards. Such positions are often contracted out. As a result, hackers have been known to take temporary custodial jobs simply to gain access to facilities.
Poor Security Practices (10 of 10)
Clean desk policies
Specify that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian.
Example: leaving the desk area and going to the bathroom can leave information exposed and subject to compromise.
The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.
• 67. Preventing access to information is also important in the work area. Firms with sensitive information should have a “clean desk policy” specifying that sensitive information is not left unsecured in the work area when the worker is not present to act as custodian.
People as a Security Tool
Social engineering paradox
People are not only the biggest problem and security risk but also the best tool in defending against a social engineering attack.
To fight social engineering attacks, create policies and procedures that establish roles and responsibilities for security administrators and all users.
Management expectations, security-wise, from employees
Description of items the organization is trying to protect, and mechanisms important for that protection
An interesting paradox when speaking of social engineering attacks is that people are not only the biggest problem and security risk but also the best tool in defending against a social engineering attack. The first step a company should take to fight
• 68. potential social engineering attacks is to create the policies and procedures that establish the roles and responsibilities for not only security administrators but for all users. What is it that management expects, security-wise, from all employees? What is it that the organization is trying to protect, and what mechanisms are important for that protection?
Security Awareness (1 of 2)
Active security awareness program
Such a program is the single most effective method to counter potential social engineering attacks.
The extent of the training will vary depending on the organization’s environment and the level of threat.
Training should stress the type of information that the organization considers sensitive and which may be the target of a social engineering attack.
Employees should be aware of attack indicators.
Employees should be taught to be cautious about revealing personal information.
A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful. Awareness programs and campaigns, which might include seminars, videos, posters, newsletters, and similar materials, are also fairly easy to implement and not very costly. There is no reason for an organization to not have an awareness program in place. A lot of information and ideas are available on the Internet. See what you can find that might be usable for your organization that you
• 69. can obtain at no charge from various organizations on the Internet. (Tip: Check organizations such as NIST and NSA, which have developed numerous security documents and guidelines.)
Security Awareness (2 of 2)
Corporate security officers
Must cultivate an environment of trust as well as an understanding of the importance of security
Need the help of all users
Should strive to cultivate a team environment in which users, when faced with a questionable situation, will not hesitate to call the security office
Social Networking and P2P
Be careful not to mix social and business communications
If users feel that security personnel are only there to make their life difficult or to dredge up information that will result in an employee’s termination, the atmosphere will quickly turn adversarial and be transformed into an “us versus them” situation. Security personnel need the help of all users and should strive to cultivate a team environment in which users, when faced with a questionable situation, will not hesitate to call the security office. In situations like this, security offices should remember the old adage of “don’t shoot the messenger.”
Security Policy Training and Procedures
People in an organization play a significant role in the security
• 70. posture of the organization. Training is important as it can provide the basis for awareness of issues such as social engineering and desired employee security habits.
Chapter Summary (1 of 2)
Define basic terminology associated with social engineering.
Describe steps organizations can take to improve their security.
Describe common user actions that may put an organization’s information at risk.
Recognize methods attackers may use to gain information about an organization.
Chapter Summary (2 of 2)
Determine ways in which users can aid instead of detract from security.
Recognize the roles training and awareness play in assisting the people side of security.