BLM5102
Computer Systems and Network Security
Prof. Dr. Hasan Hüseyin BALIK
(5th Week)
Outline
• 2. Management Issues
— 2.1. IT Security Management and Risk Assessment
— 2.2. IT Security Controls, Plans and Procedures
— 2.3. Physical and Infrastructure Security
— 2.4. Human Resources Security
— 2.5. Security Auditing
— 2.6. Legal and Ethical Aspects
2.4. Human Resources Security
2.4. Outline
• Security Awareness, Training, and Education
• Employment Practices and Policies
• E-Mail and Internet Use Policies
• Computer Security Incident Response Teams
Security Awareness, Training, and Education

The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management) and NIST SP 800-100 (Information Security Handbook: A Guide for Managers).
Benefits to Organizations
Security awareness, training, and education programs provide four major benefits to organizations:
• Improving employee behavior
• Increasing employee accountability
• Mitigating liability for employee behavior
• Complying with regulations and contractual obligations
Human Factors
Employee behavior is a critical concern in ensuring the security of computer systems and information assets.
Principal problems associated with employee behavior are:
• Errors and omissions
• Fraud
• Actions by disgruntled employees
[Figure 17.1 Information Technology (IT) Learning Continuum. The figure stacks, from bottom to top: Security Awareness (all employees); Security Basics and Literacy (all employees involved with IT systems); Training in functional roles and responsibilities relative to IT systems (Manage, Acquire, Design and Develop, Implement and Operate, Review and Evaluate, Use), each at beginning, intermediate or advanced level; and Education and Experience (IT security specialists and professionals). Key: B = beginning, I = intermediate, A = advanced.]


Comparative Framework
Awareness
• Seeks to inform and focus an employee's attention on security issues within the organization
• Employees are aware of their responsibilities for maintaining security and the restrictions on their actions
• Users understand the importance of security for the well-being of the organization
• Promote enthusiasm and management buy-in
• Program must be tailored to the needs of the organization and target audience
• Must continually promote the security message to employees in a variety of ways
• Should provide a security awareness policy document to all employees
NIST SP 800-100 (Information Security Handbook: A Guide for Managers) describes the content of awareness programs, in general terms, as follows:

“Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”
Training
Designed to teach people the skills to perform their IT-related tasks more securely.
• General users: what people should do and how they should do it; focus is on good computer security practices
• Programmers, developers, system maintainers: develop a security mindset in the developer
• Management-level: how to make tradeoffs involving security risks, costs, benefits
• Executive-level: risk management goals, measurement, leadership
Education
• Most in-depth program
• Targeted at security professionals whose jobs require expertise in security
• Fits into the employee career development category
• Often provided by outside sources
• College courses
• Specialized training programs
Employment Practices and Policies
• Managing personnel with potential access is an essential part of information security
• Employee involvement:
• Unwittingly aid in the commission of a violation by failing to follow proper procedures
• Forgetting security considerations
• Not realizing that they are creating a vulnerability
• Knowingly violate controls or procedures
Security in the Hiring Process
• Objective:
• “To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
• Need appropriate background checks and screening
• Investigate accuracy of details
• For highly sensitive positions:
• Have an investigation agency do a background check
• Criminal record and credit check
Employment Agreements
During Employment
Objectives with respect to current employees:
• Ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security
• Are equipped to support the organizational security policy in their work
• Reduce the risk of human error
Two essential elements of personnel security during employment are:
• A comprehensive security policy document
• An ongoing awareness and training program
Security principles:
• Least privilege
• Separation of duties
• Limited reliance on key employees
Termination of Employment
• Termination security objectives:
• Ensure employees, contractors, and third-party users exit the organization or change employment in an orderly manner
• The return of all equipment and the removal of all access rights are completed
Critical actions:
• Remove name from all authorized access lists
• Inform guards that ex-employee general access is not allowed
• Remove personal access codes, change physical locks and lock combinations, reprogram access card systems
• Recover all assets, including employee ID, portable USB storage devices, documents, and equipment
• Notify appropriate departments by memo or e-mail
Email and Internet Use Policies
• Organizations are incorporating specific e-mail and Internet use policies into their security policy document
• Concerns for employers:
• Work time consumed in non-work-related activities
• Computer and communications resources may be consumed, compromising the mission that the IT resources are designed to support
• Risk of importing malware
• Possibility of harm, harassment, inappropriate online conduct
Suggested Policies
• Business use only
• Content ownership
• Policy scope
• Privacy
• Standard of conduct
• Reasonable personal use
• Unlawful activity prohibited
• Security policy
• Company policy
• Company rights
• Disciplinary action
Security Incident Response
• Response procedures to incidents are an essential control for most organizations
• Procedures need to reflect possible consequences of an incident on the organization and allow for a suitable response
• Developing procedures in advance can help avoid panic
• Benefits of having incident response capability:
• Systematic incident response
• Quicker recovery to minimize loss, theft, disruption of service
• Use information gained during incident handling to better prepare for future incidents
• Dealing properly with legal issues that may arise during incidents
Computer Security Incident Response Team (CSIRT)
CSIRTs are responsible for:
• Rapidly detecting incidents
• Minimizing loss and destruction
• Mitigating the weaknesses that were exploited
• Restoring computing services

Security Incidents
“Any action that threatens one or more of the classic security services of confidentiality, integrity, availability, accountability, authenticity, and reliability in a system”
Unauthorized access to a system
• Accessing information not authorized to see
• Passing information on to a person not authorized to see it
• Attempting to circumvent the access mechanisms
• Using another person’s password and user id
Unauthorized modification of information on the system
• Attempting to corrupt information that may be of value
• Attempting to modify information without authority
• Processing information in an unauthorized manner
Security Incident Terminology
Artifact
Any file or object found on a system that might be involved in probing or attacking systems and networks or that is being used to defeat security measures. Artifacts can include but are not limited to computer viruses, Trojan horse programs, worms, exploit scripts, and toolkits.
Computer Security Incident Response Team (CSIRT)
A capability set up for the purpose of assisting in responding to computer security-related incidents that involve sites within a defined constituency; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).
Constituency
The group of users, sites, networks or organizations served by the CSIRT.
Incident
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Triage
The process of receiving, initial sorting, and prioritizing of information to facilitate its appropriate handling.
Vulnerability
A characteristic of a piece of technology which can be exploited to perpetrate a security incident. For example, if a program unintentionally allowed ordinary users to execute arbitrary operating system commands in privileged mode, this "feature" would be a vulnerability.
Detecting Incidents
• Incidents may be detected by users or administration staff
• Staff should be encouraged to make reports of system malfunctions or anomalous behaviors
• Automated tools
• System integrity verification tools
• Log analysis tools
• Network and host intrusion detection systems (IDS)
• Intrusion prevention systems
Triage Function
Goal:
• Ensure that all information destined for the incident handling service is channeled through a single focal point
• Commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service
Responds to incoming information by:
• Requesting additional information in order to categorize the incident
• Notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate the vulnerability
• Identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function
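An added illustration, not from the original slides, of the triage responses just listed: reports from every channel enter one focal point, a report lacking the details needed to categorize it is held and sent back for more information, and each remaining report is tagged as a new incident or as part of an ongoing one and queued for the response function by priority. The report fields, the (category, host) correlation key and the priority table are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed priority order; a real CSIRT takes this from its own policy.
PRIORITY = {"unauthorized_access": 1, "unauthorized_modification": 2, "malware": 3, "other": 9}

@dataclass
class Incident:
    incident_id: str
    category: str
    host: str
    reports: list = field(default_factory=list)

class Triage:
    def __init__(self):
        self.ongoing = {}   # (category, host) -> Incident (assumed correlation key)
        self.queue = []     # (priority, incident_id) waiting for the response function
        self.pending = []   # reports returned to the sender for more information
        self._next = 1

    def receive(self, report: dict) -> str:
        """Single entry point for hotline, IDS, e-mail and vulnerability reports."""
        category, host = report.get("category"), report.get("host")
        if not category or not host:
            self.pending.append(report)        # cannot categorize yet: ask for details
            return "needs_info"
        key = (category, host)
        if key in self.ongoing:                # same category on the same host: not new
            self.ongoing[key].reports.append(report)
            return f"ongoing:{self.ongoing[key].incident_id}"
        inc = Incident(f"INC-{self._next:04d}", category, host, [report])
        self._next += 1
        self.ongoing[key] = inc
        self.queue.append((PRIORITY.get(category, PRIORITY["other"]), inc.incident_id))
        self.queue.sort()                      # lowest number is handled first
        return f"new:{inc.incident_id}"

    def next_for_response(self):
        # Hand the highest-priority open incident to the response function.
        return self.queue.pop(0)[1] if self.queue else None

def demo() -> list:
    """Constructed reports from the channels shown in the incident handling life cycle."""
    t = Triage()
    return [t.receive(r) for r in (
        {"source": "ids", "category": "malware", "host": "ws-12"},
        {"source": "hotline", "host": "ws-12"},                      # category unknown
        {"source": "email", "category": "unauthorized_access", "host": "db-1"},
        {"source": "ids", "category": "malware", "host": "ws-12"},   # joins INC-0001
    )]
```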
Responding to Incidents
• Must have documented procedures to respond to incidents
• Procedures should:
• Identify typical categories of incidents and the approach taken to respond to them
• Detail how to identify the cause
• Describe the action taken to recover from the incident
• Identify management personnel responsible for making critical decisions and how to contact them
• Identify the circumstances when security breaches should be reported to third parties such as the police or relevant CERT
[Figure 17.2 Incident Handling Life Cycle. Inputs (Hotline/Helpdesk Call Center, Information Request, IDS, Email, Other, Vulnerability Report) arrive as an Incident report and pass through Triage; handling then consists of Analyze, Obtain contact info, Coordinate information & response, and Provide technical assistance, leading to Resolution.]


Documenting Incidents
• Should immediately follow a response to an incident
• Identify what vulnerability led to its occurrence
• How this might be addressed to prevent the incident in the future
• Details of the incident and the response taken
• Impact on the organization’s systems and their risk profile
Service Name | Information flow to incident handling | Information flow from incident handling
Announcements | Warning of current attack scenario | Statistics or status report; new attack profiles to consider or research
Vulnerability Handling | How to protect against exploitation of specific vulnerabilities | Possible existence of new vulnerabilities
Malware Handling | Information on how to recognize use of specific malware; information on malware impact/threat | Statistics on identification of malware in incidents; new malware sample
Education/Training | None | Practical examples and motivation knowledge
Intrusion Detection Services | New incident report | New attack profile to check for
Security Audit or Assessments | Notification of penetration test start and finish schedules | Common attack scenarios
Security Consulting | Information about common pitfalls and the magnitude of the threats | Practical examples/experiences
Risk Analysis | Information about common pitfalls and the magnitude of the threats | Statistics or scenarios of loss
Technology Watch | Warn of possible future attack scenarios; alert to new tool distribution | Statistics or status report; new attack profiles to consider or research
Development of Security Tools | Availability of new tools for constituency use | Need for products; provide view of current practices
