Information Security 365/765, Fall Semester, 2017 Course Instructor, Nicholas Davis, CISSP, CISA Lecture 17, Course Summary

University of Wisconsin-Madison, Information Security 365/765 Course Summary, Everything We Learned This Semester
  1. Information Security 365/765, Fall Semester 2017. Course Instructor: Nicholas Davis, CISSP, CISA. Lecture 17, Course Summary
  2. Guest Speaker, Dec. 12: FBI Special Agent Byron Franz. Over 15 years' experience working on national security investigations. Prior to working in Milwaukee, Byron spent 10 years in Indianapolis, where he was a member of the SWAT team. Led the investigation of an Iraqi agent of Saddam Hussein. BA in International Relations and Russian and a JD from UW Law School. 12/5/2017 UNIVERSITY OF WISCONSIN 2
  3. Security Controls. Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
  4. C I A. We will never forget that information security is comprised of Confidentiality, Integrity and Availability. We must work to balance all three in order to have effective security.
  5. Categories of Controls. Security controls fall into three master categories: Physical, Technical and Administrative.
  6. Information Security is Made of Four Ingredients. Solid security requires Hardware, Software, People and Procedures, all working in tandem (together).
  7. Let's Watch the Story: Written Assignment #1. Don't worry about taking notes; you can watch the video again later. https://www.youtube.com/watch?v=TEYRLDvJaxo https://www.youtube.com/watch?v=Fw8ZorTB7_o
  8. Ashley Madison! We talked about Ashley Madison. What happened? Who were the victims? What are the implications?
  9. Common Technical Weaknesses in IT. We discussed the most common corporate IT weaknesses: incorrect firewall configurations; unpatched web server vulnerabilities; databases which accept requests from any source; lack of intrusion detection systems; lack of intrusion prevention systems; failure to disable unused protocols; failure to teach programmers secure coding; failure to validate and sanitize data.
  10. Defense in Depth. We learned about Defense in Depth: using multiple controls, in case one fails. Use finer-grained control over both process and user access rights; better physical security; routine monitoring and auditing; develop staff who are more proficient in the tools and methods of information security.
  11. So Many Definitions! We learned the differences between Vulnerability, Threat, Risk and Exposure.
  12. Obscurity Does Not Equal Security.
  13. Planning for IT Security. The three planning areas of IT security: Strategic, Tactical and Operational.
  14. IT Risk Analysis. We learned to do an IT risk analysis: identify assets and their values; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; provide an economic balance between the impact of the threat and the cost of the countermeasure.
  15. Hiring Practices. Job skill screening; reference check; non-disclosure agreement (NDA) signed; education verification; criminal background check; credit report check; sex offender registry check; drug screening; professional license check; immigration status check; Social Security Number trace to ensure validity.
  16. Employee Controls. Rotation of duties: no one person should stay in one position for an uninterrupted period of time, as this may give them too much control over a segment of the business. Mandatory vacation policy.
  17. Termination Practices. Each company needs a set of pre-defined termination procedures. Example: once terminated, the employee must be escorted out of the facility by their manager; the employee must immediately surrender keys, employee badge, etc.; the employee must be asked to complete an exit interview and return company property; the terminated employee's online accounts must be disabled immediately upon termination.
  18. Three Types of Security Policies Exist: Regulatory, Advisory and Informative.
  19. How Due Diligence and Due Care Are Related. Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.
  20. Data Classification Types (typical): Public, Sensitive, Private, Confidential. Some models may differ in the number of levels and/or how they are referred to.
  21. Security Awareness Training Program. One for senior management, one for staff, one for technical employees. Covers the responsibilities of everyone, the potential liabilities if the program is not followed, and the expectations of everyone.
  22. Assignment #2: Responding to a National Security Letter. National Security Letters (NSLs) are an extraordinary search procedure which gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.
  23. Identification, Authentication, Authorization and Accountability. Identification: who you say you are. Authentication: verifying that you are who you claim to be. Authorization: the decision of what you are allowed to access, read, change, add or delete. Accountability: proof of what a person, process or Angry Bird has done.
  24. Centralized Identity Management vs. Federated. Centralized identity management: a single entity is responsible for authentication and authorization (Facebook, for example). Federated identity management: a set number of various organizations are deemed trusted, each authenticating its own users (Eduroam, for example).
  25. Methods to Steal Passwords: electronic monitoring; access to the password file; brute force attacks; dictionary attacks; social engineering.
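The brute force and dictionary attacks on slide 25 are normally run offline against a stolen password file, which is why the way that file is built matters. The following Python example is added here and is not course material: it cracks a constructed set of accounts with a tiny wordlist twice, once against unsalted SHA-256 hashes and once against salted PBKDF2 hashes, and counts the hash computations each attack costs. The wordlist, user names, passwords, salts and iteration count are all made up for the demonstration.

```python
import hashlib

# Constructed wordlist and credentials for the demo (assumptions; not course material).
WORDLIST = ["123456", "password", "letmein", "badger2017", "qwerty", "welcome1"]
DEMO_ITERATIONS = 50_000   # production PBKDF2 counts are higher; kept modest so the demo runs quickly


def fast_unsalted_hash(password: str) -> str:
    """How passwords are too often stored: one fast hash, the same for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt: each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_db() -> dict:
    """Stolen password file, style 1: user -> sha256(password)."""
    return {
        "alice": fast_unsalted_hash("badger2017"),
        "bob": fast_unsalted_hash("letmein"),
        "carol": fast_unsalted_hash("Tr0ub4dor&3"),   # not in the wordlist
    }


def build_salted_db() -> dict:
    """Stolen password file, style 2: user -> (salt, pbkdf2(password, salt)).
    Salts are fixed here for reproducibility; real code draws them from os.urandom(16)."""
    salts = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
    plaintexts = {"alice": "badger2017", "bob": "letmein", "carol": "Tr0ub4dor&3"}
    return {u: (salts[u], slow_salted_hash(plaintexts[u], salts[u])) for u in salts}


def dictionary_attack_unsalted(stolen: dict) -> tuple:
    """One precomputed table cracks every user at once.
    Returns (user -> recovered password or None, number of hash computations spent)."""
    table = {fast_unsalted_hash(word): word for word in WORDLIST}   # built once, reused for all users
    cracked = {user: table.get(digest) for user, digest in stolen.items()}
    return cracked, len(WORDLIST)


def dictionary_attack_salted(stolen: dict) -> tuple:
    """With per-user salts nothing can be precomputed or shared: every (user, guess) pair
    is a separate slow hash.  Returns the same shape as dictionary_attack_unsalted."""
    cracked, hash_calls = {}, 0
    for user, (salt, digest) in stolen.items():
        cracked[user] = None
        for word in WORDLIST:
            hash_calls += 1
            if slow_salted_hash(word, salt) == digest:   # offline comparison, so timing is not a concern here
                cracked[user] = word
                break
    return cracked, hash_calls


if __name__ == "__main__":
    print(dictionary_attack_unsalted(build_unsalted_db()))
    print(dictionary_attack_salted(build_salted_db()))
```

Against the unsalted store a single six-entry table cracks every user at once; against the salted store each user costs a fresh pass over the wordlist at the full PBKDF2 price, which is what turns a cheap attack into an expensive one. Carol's password is not in the wordlist and survives both runs, which is the dictionary attack's own limit.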
  26. Major Categories of Access Controls. Deterrent: a warning on a website forbidding unauthorized access. Preventive: username and password controlled access. Detective: logs are audited in real time and an alarm goes off after 10 incorrect login attempts. There are four other categories of access controls, but they are not important for our discussion.
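The detective control on slide 26 (an alarm after 10 incorrect login attempts) is easy to state and easy to get wrong. The Python example below is added here and is not from the course; it runs a sliding-window counter over a constructed sshd-style log (the line format, host, users and addresses are invented for the demo) and keys the count both by source address and by target account, so a distributed attack on one account triggers just as a single noisy source does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _line(seconds: int, outcome: str, user: str, src: str) -> str:
    """Build one sshd-style log line, `seconds` after a fixed start time (constructed data)."""
    ts = (datetime(2017, 12, 5, 9, 0, 0) + timedelta(seconds=seconds)).isoformat()
    return f"{ts} host sshd[411]: {outcome} password for {user} from {src} port 51001"


# Constructed sample log, not from any real system: three scenarios the detector must tell apart.
SAMPLE_LOG = "\n".join(
    [_line(3 * i, "Failed", "admin", "203.0.113.7") for i in range(11)]              # one source, 11 failures in 30 s
    + [_line(60 + 5 * i, "Failed", "alice", "198.51.100.23") for i in range(3)]
    + [_line(75, "Accepted", "alice", "198.51.100.23")]                              # fat-fingered user, then success
    + [_line(120 + 5 * i, "Failed", "svc-backup", f"192.0.2.{10 + i // 2}") for i in range(10)]  # 10 failures on one account over 5 sources
)


def detect_bruteforce(log_text: str, threshold: int = 10, window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window failure counter, keyed both per source address and per target account.
    Emits one alert per key the first time `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # key -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "Failed":
            continue                                   # successes and unparsable lines are not counted
        ts = datetime.fromisoformat(m["ts"])
        for key in (("src", m["src"]), ("user", m["user"])):
            bucket = recent[key]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:  # drop failures that have aged out of the window
                bucket.popleft()
            if len(bucket) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"key": key, "count": len(bucket), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Three scenarios are embedded: one source with 11 failures in 30 seconds (alerts on the 10th, on both the source key and the account key), a user who mistypes three times and then logs in (no alert), and ten failures against one account spread across five addresses (alerts on the account key only, which a source-only counter would miss). Successful logins are deliberately not counted, and each key alerts once; a production detector would also re-arm after the window expires.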
  27. Rockwell Automation Spent a Lecture With Us.
  28. Steve Foy Spoke About Security at AT&T.
  29. Single Best Piece of Technical Advice You Can Provide: remove, or at a minimum turn off, USB port access on all end user computing devices. USB allows access even when the screen is locked (the operating system still enumerates a newly inserted device); USB media is small, easy to move in and out of a building, and has enormous capacity; USB can carry a dangerous self-installing payload; USB ports are often out of sight on the back of a computer, so an inserted flash drive goes unnoticed.
  30. How to Recognize When IP and Trade Secret Theft is Occurring: excessive printing; use of unapproved encryption software; spike in e-mail and USB storage/transfer volumes; increase in foreign IP traffic; unusual network and building access times; unexplained wealth or affluence; unusual foreign travel; disillusionment or entitlement due to missed promotions or other perceived grievances; increased amount of non-business-related activity (e.g., web surfing, job hunting, social media).
  31. Today's Movie Feature! Based on a true story of an attempted theft of trade secrets. It happens to involve China, but could just as easily have been a competitor in Minnesota or Texas. Focus on the story, techniques and implications, not the nationalities of the people in the story.
  32. Assignment #3. Assignments 1 and 2 were essay based; Assignment 3 is more straightforward, question and answer based. Please label your answers accordingly (1, 2, 3, etc.). The due date is Oct 25th, but I will accept them on Oct 27th as well.
  33. Memory Management. For a secure operating environment, an operating system must exercise proper memory management. A memory management system has five basic responsibilities: Relocation, Protection, Sharing, Logical Organization and Physical Organization.
  34. Memory Leaks. https://www.youtube.com/watch?v=67m5jwoNkfo
  35. Four Major Physical Security Threats: natural environmental; supply system; human made; politically motivated. A good security program protects against all of these, in layers.
  36. Physical Access Control For Visitors. Limit the number of entry points; require all guests to sign in at a common location; reduce entry points even further after hours and on weekends; validate a government-issued picture ID before allowing entry; require all guests to be escorted by a full-time employee; encourage employees to question strangers.
  37. Five Core Steps in a Physical Security System: Deter, Delay, Detect, Assess, Respond.
  38. Laptops Are One of the Most Frequently Stolen Physical Assets. Inventory the laptops; harden the operating system; password-protect the BIOS; register laptops with the vendor; don't check a laptop as baggage; don't leave a laptop unattended; engrave the laptop visibly; use a physical cable and lock; back up data; encrypt the hard disk; store in a secure place when not in use.
  39. A Note About Credit Card Reader Physical Security. https://www.youtube.com/watch?v=XipjYIbBj7k Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought.
  40. Cloud Security. Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
  41. Cloud Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS).
  42. Cloud Deployment Models: Private, Public, Hybrid.
  43. Bring Your Own Device. BYOD (bring your own device) is the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also take their own tablets, laptops and USB drives into the workplace.
  44. Lost Devices, Sold Devices, Memorized Passwords. BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses or sells that phone, untrusted parties could retrieve any unsecured data on it. Another type of breach occurs when an employee leaves the company: they do not have to give back the device, so company applications and other data may still be present on it. If passwords are cached (remembered) by the phone, anyone who has the device can now access the password-protected resources.
  45. Personal Privacy: Drawing the Line. IT security departments that wish to monitor usage of personal devices must ensure that they only monitor work-related activities or activities that access company data or information.
  46. Malware Infections. Organizations that wish to adopt a BYOD policy must also consider how they will ensure that the devices which connect to the organization's network infrastructure to access sensitive information are protected from malware.
  47. Patching Many Different Models of BYODs. An organization with a BYOD policy must have the systems and processes in place to apply patches against known vulnerabilities to the various devices that users may choose to use.
  48. Mobile Device Management Solutions. Several market solutions and policies have emerged to address BYOD security concerns, including mobile device management (MDM), containerization and app virtualization.
  49. MDM May Result in Privacy and Usability Concerns. While MDM provides organizations with the ability to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that leads to resistance in some organizations.
  50. Phone Number Ownership. A key issue of BYOD which is often overlooked is the phone number problem: who owns the phone number? The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number may then be calling a competitor, which can lead to loss of business for BYOD enterprises.
  51. Lack of BYOD Policy. Research reveals that only 20% of employees have signed a BYOD policy. Why not have them agree online, in order to gain network access? Offer them a carrot (network access) to agree. Businesses need to get away from using legacy paper forms for such things.
  52. BYOD Inventory. Firms need an efficient inventory management system that keeps track of which devices employees are using, where each device is located, whether it is being used, and what software it is equipped with.
  53. Make Sure the Employees Know. If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation.
  54. Scalability and Capability of Corporate Networks. Many organizations today lack the network infrastructure to handle the large amount of traffic generated when employees start using several different devices at the same time.
  56. Summary. Both Cloud and BYOD are relatively new to organizations. Both blur the lines of where an organization's control over data resides. Both extend information assets beyond historic organizational geographic boundaries. Both raise security concerns for maintaining Confidentiality, Integrity and Availability.
  57. Session Overview. Introduction and warning; the Deep Web defined; dynamic content; unlinked content; private web; contextual web; limited access content; scripted content; non-HTML content; Deep Web search engines and the Tor client; examples of what can be found on the Deep Web; exciting documentary video; question and answer session.
  58. Grams Sample Search: Crunchy Dutch Moonrocks.
  59. Deep Web, Dangerous Web.
  60. Class Discussion. You love the Internet. However, your favorite sites, such as Facebook, Amazon, and wisc.edu, are just the surface. There is another world out there: the Deep Web. The Deep Web is where online information is password protected, or requires special software to access (the part reachable only through software such as Tor is often called the dark web), and it's massive, yet it's almost completely out of sight. The Deep Web contains a hidden world, a community where malicious actors unite in common nefarious purpose. Should the government control or forbid certain sites? Why? Do you think buying the following items on the Internet is possible? If it is possible, should they be forbidden? How and why? Drugs (both prescription and the clearly illegal type); forged identity papers; weapons, explosives and ammunition; hired assassins; human organs.
  61. The EU and Privacy. The European Union (EU) has some of the most stringent data privacy rules. When it comes to data collection, the EU has six privacy principles which all member countries and businesses within those countries must follow.
  62. European Privacy Principles. 1. The reason for gathering the information must be specified at the time of collection. 2. Data cannot be used for other purposes. 3. Unnecessary data should not be collected.
  63. Privacy: The Need For Better Laws. Advances in data aggregation and data retrieval technologies (large data warehouses); loss of borders, as private data flows from country to country with ease; convergent technology advances, so that gathering, mining and distributing information has become much easier.
  64. Laws, Directives and Regulations. They cover many different areas for many different reasons: privacy; computer misuse; software copyright; data protection; controls on cryptography.
  65. Laws, Directives and Regulations. Laws, directives and regulations usually provide only broad guidance and not detailed instructions. Environments are just too diverse for laws, directives and regulations to get specific about details. Let's look at some examples.
  66. Sarbanes-Oxley Act. The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures.
  67. HIPAA. HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.
  68. GLB (GLBA). The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
  69. CFAA. The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
  70. Federal Privacy Act of 1974. The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
  71. PCI-DSS (PCI). Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.
  72. 1. Validate Input and Output. All data input and output should be checked very carefully for appropriateness. This check should verify that the data is what is expected (length, characters). Making a list of bad characters is not the way to go; such lists are rarely complete. A secure program should know what it expects and reject other input. For example, if an input field is for a Social Security Number, then any data that is not a string of nine digits is not valid. A common mistake is to filter for specific strings or payloads in the belief that specific problems can be prevented.
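Slide 72's rule in code: the Python example below is added here and is not part of the course. It puts a blocklist filter of the kind the slide warns against next to an allowlist validator for the nine-digit Social Security Number field, runs both over a set of constructed inputs, and encodes output on the way back out. The bad-fragment list, the sample inputs and the hypothetical accept_ssn_field and render_for_html helpers are assumptions made for the demonstration.

```python
import html
import re
import urllib.parse

# Blocklist filter, the approach the slide warns against: reject inputs containing known-bad fragments.
BAD_FRAGMENTS = ("'", "--", "<script", " or ")


def blocklist_check(raw: str) -> bool:
    """True if `raw` contains none of the blocked fragments.  Runs on the raw (still URL-encoded)
    value, which is where such filters usually sit, so it only sees what the sender chose to show."""
    lowered = raw.lower()
    return not any(fragment in lowered for fragment in BAD_FRAGMENTS)


# Allowlist: state exactly what a valid value looks like and reject everything else.
# [0-9] rather than \d, because in Python 3 \d also matches non-ASCII digits such as "１".
SSN_RE = re.compile(r"[0-9]{9}")


def is_valid_ssn(value: str) -> bool:
    # fullmatch rather than match/search, so a trailing newline or extra characters cannot slip through.
    return SSN_RE.fullmatch(value) is not None


def accept_ssn_field(raw: str) -> str:
    """Decode once, validate the decoded value, and return it; anything else is refused outright."""
    decoded = urllib.parse.unquote(raw)
    if not is_valid_ssn(decoded):
        raise ValueError("SSN must be exactly nine ASCII digits")
    return decoded


def render_for_html(value: str) -> str:
    """Output side of the rule: whatever is echoed back is encoded for its destination."""
    return html.escape(value, quote=True)


# Constructed inputs (not from the course): most pass the blocklist and fail the nine-digit allowlist.
SAMPLE_INPUTS = {
    "plain": "123456789",
    "trailing_newline": "123456789\n",
    "fullwidth_digits": "１２３４５６７８９",
    "dashed": "123-45-6789",
    "url_encoded_injection": "%27%20OR%201%3D1",
    "obvious_injection": "123456789'--",
}


def compare_checks(inputs: dict = SAMPLE_INPUTS) -> dict:
    """name -> (blocklist verdict, allowlist verdict); True means the check accepted the input."""
    return {
        name: (blocklist_check(raw), is_valid_ssn(urllib.parse.unquote(raw)))
        for name, raw in inputs.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_checks().items():
        print(f"{name:24s} blocklist={verdicts[0]!s:5s} allowlist={verdicts[1]}")
    print(render_for_html("<b>123456789</b>"))
```

Four of the six inputs pass the blocklist and fail the allowlist: a trailing newline (why fullmatch, not match), full-width digits (why [0-9], not \d), a dashed SSN, and a URL-encoded injection that the blocklist never sees in decoded form. Only the obvious quote-and-comment payload is stopped by the blocklist, which is the slide's point: the list of bad input is never complete, but the description of valid input is.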
  73. 2. Fail Securely (Closed). Applications should default to secure operation. That is, in the event of failure or misconfiguration, they should not reveal more information than necessary with regard to: error messages (left verbose for debugging purposes); the application configuration (directories, version/patch levels); the operating environment (network addressing, OS version/patch levels). As well, they should not allow transactions or processes to continue with more privileges than normal, with more access than normal, without proper validation of input parameters and output results, or bypassing any monitoring or logging facilities.
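Slide 73 in practice, as an added Python example that is not course code: a fail-open authorization check next to a fail-closed one, and a request handler that logs full error detail server-side while returning only a generic message and a reference id to the caller. The role table, the AccessDenied class and the verbose_errors switch are invented for the demonstration.

```python
import logging
import uuid

log = logging.getLogger("authz")

# Constructed policy table (an assumption for the demo): role -> actions it may perform.
POLICY = {
    "reader": {"read"},
    "editor": {"read", "write"},
}


class AccessDenied(Exception):
    pass


def check_access_fail_open(role: str, action: str) -> bool:
    """Anti-pattern: an unexpected error (here an unknown role) is swallowed and the request
    is allowed so that 'the app keeps working'.  Every failure path grants access."""
    try:
        return action in POLICY[role]
    except Exception:
        return True


def check_access_fail_closed(role: str, action: str) -> bool:
    """Default deny: an unknown role, an unknown action, or a missing policy entry all mean no."""
    allowed = POLICY.get(role)
    if allowed is None:
        return False
    return action in allowed


def handle_request(role: str, action: str, verbose_errors: bool = False) -> dict:
    """Apply the policy and shape the error response.  Full detail always goes to the server log;
    the client gets a generic message plus a reference id unless verbose_errors is (mis)configured."""
    ref = uuid.uuid4().hex[:8]
    try:
        if not check_access_fail_closed(role, action):
            raise AccessDenied(f"role={role!r} may not {action!r}")
        return {"status": 200, "body": f"{action} ok"}
    except Exception as exc:
        log.error("ref=%s role=%r action=%r error=%s", ref, role, action, exc)
        if verbose_errors:
            # The misconfiguration the slide warns about: internal names and config reach the client.
            return {"status": 500, "body": f"{type(exc).__name__}: {exc}; policy={POLICY}"}
        status = 403 if isinstance(exc, AccessDenied) else 500
        return {"status": status, "body": f"Request refused (ref {ref})"}


if __name__ == "__main__":
    print(check_access_fail_open("intern", "write"), check_access_fail_closed("intern", "write"))
    print(handle_request("reader", "read"))
    print(handle_request("intern", "write"))
    print(handle_request("intern", "write", verbose_errors=True))
```

The fail-open variant returns True for the unknown role "intern" because the KeyError is swallowed; the fail-closed variant returns False for an unknown role, an unknown action, or both. With verbose_errors on, the response leaks the exception text and the whole policy table, the "more information than necessary" the slide describes; with it off, the caller learns only that the request was refused and which log entry to ask about.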
  74. 3. Keep it Simple. While it is tempting to build elaborate and complex security controls, the reality is that if a security system is too complex for its user base, it will either not be used or users will try to find ways to bypass it. Often the most effective security is the simplest security. Do not expect users to enter 12 passwords.
  75. 4. Use and Reuse Trusted Components. Invariably other system designers (either on your development team or on the Internet) have faced the same problems as you. They may have invested a large amount of time researching and developing robust solutions to the problem. In many cases they will have improved components through an iterative process and learned from common mistakes along the way. Using and reusing trusted components makes sense both from a resource stance and from a security stance. When someone else has proven they got it right, take advantage.
  76. 5. Defense in Depth. Relying on one component to perform its function 100% of the time is unrealistic. While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it. If one component fails to catch a security event, a second one should.
  77. 6. Only as Secure as the Weakest Link. We've all seen it: "This system is 100% secure, it uses 128 bit SSL." While it may be true that the data in transit from the user's browser to the web server has appropriate security controls, more often than not the focus of security mechanisms is in the wrong place. As in the real world, where there is no point in putting all of your locks on the front door and leaving the back door swinging on its hinges, you need to think carefully about what you are securing. Attackers are lazy and will find the weakest point and attempt to exploit it.
  78. 7. Security by Obscurity Won't Work in the Long Run. It's naive to think that hiding things from prying eyes doesn't buy you some amount of time. Let's face it, some of the biggest exploits unveiled in software have been obscured for years. But obscuring information is very different from protecting it. You are relying on the fact that no one stumbles onto your obfuscation. This strategy doesn't work in the long term and has no guarantee of working in the short term.
  79. 8. Least Privilege. Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job. This is the need-to-know approach. If a user account doesn't need root privileges to operate, don't assign them in the anticipation that it may need them. Giving the pool man an unlimited bank account to buy the chemicals for your pool while you're on vacation is unlikely to be a positive experience.
  80. 9. Compartmentalization. Similarly, compartmentalizing users, processes and data helps contain problems if they do occur. Compartmentalization is an important concept widely adopted in the information security realm. Imagine the same pool man scenario. Giving the pool man the keys to the house while you are away so he can get to the pool house may not be a wise move. Containing his access to the pool house limits the types of problems that may occur if something were to happen.
  81. Telecommunications and Network Security Overview. TCP/IP and other protocols; LAN, WAN, MAN, intranet, extranet; cable types and data transmission types; network devices and services; communications security management.
  82. TCP and UDP: Two Major Protocols For Transmission Over IP.
  83. Reliability: TCP. TCP is a connection-oriented protocol. When a file or message is sent, it will be delivered unless the connection fails. Lost segments are detected (through acknowledgements and timers) and retransmitted. Segments that arrive corrupted fail their checksum, are discarded, and are retransmitted, so the application never sees corrupted data.
  84. Reliability: UDP. UDP is a connectionless protocol. When you send data or a message, you don't know whether it will get there; it could be lost on the way. A datagram that arrives corrupted is simply discarded, and nothing retransmits it.
  85. Ordered Delivery: TCP. Ordered: if you send two messages along a connection, one after the other, you know the first message will arrive first. You don't have to worry about data arriving in the wrong order.
  86. No Ordered Delivery: UDP. If you send two messages out, you don't know what order they'll arrive in.
  87. TCP is a Heavyweight Protocol. Heavyweight: when the low-level parts of the TCP "stream" arrive in the wrong order, retransmission requests have to be sent and all the out-of-sequence parts have to be put back together, so it takes a bit of work to piece the stream together.
  88. UDP is a Lightweight Protocol. Lightweight: no ordering of messages, no tracking of connections, etc. It's just fire and forget! This means it's a lot quicker, and the network card / OS have very little work to do to turn the packets back into data.
  89. The Five Types of Physical Network Topologies: Bus, Ring, Star, Tree, Mesh.
  90. Network Cabling: Coaxial Cable. Coaxial cable, or coax, is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket.
  91. Network Cabling: Twisted Pair. Twisted pair cabling is a type of wiring in which two conductors of a single circuit are twisted together for the purpose of canceling out electromagnetic interference from external sources, for instance electromagnetic radiation from unshielded twisted pair cables, and crosstalk between neighboring pairs.
  92. Network Cabling: Fiber Optic. A technology that uses glass (or plastic) threads (fibers) to transmit data. A fiber optic cable consists of a bundle of glass threads, each of which is capable of transmitting messages modulated onto light waves. Fiber optics has several advantages over traditional metal communications lines.
  93. Wireless Best Practices. Protect your network with a strong passphrase and encryption (WPA2); change the default SSID (name of network); disable SSID broadcast; place the access point at the center of the building to limit coverage outside it; configure the access point to allow only known MAC (hardware) addresses onto the network. Treat the last three as housekeeping rather than protection: a hidden SSID and the permitted MAC addresses are visible to anyone capturing wireless frames, and a MAC address is trivial to spoof, so the encryption and passphrase are the controls that actually keep an outsider off the network.
  94. Configuration and Change Management. Policies should: 1. document how all changes are made and approved; 2. set different guidelines based on the kind of data being managed; 3. require that disruptions in service be planned and approved in advance; 4. require contingency plans to address planned outages.
  95. Change Control Process. 1. Submit a request for the change to take place. 2. Formal approval of the change. 3. Formal documentation of the change. 4. Assurance of testing must be presented to the group approving the change. 5. Implement the change. 6. Report results to management.
  96. Examples of Change Controlled Events: new computers installed; new applications installed; changes in system configuration implemented; patches and system updates; new networking equipment installed; company IT infrastructure merged with that of another company which was acquired.
  97. Physical Media Controls. 1. Protect from unauthorized access. 2. Protect from environmental issues such as flooding, overheating, etc. 3. Media should be labeled. 4. Media should be sanitized when it reaches the end of its use/life. 5. Tracking number and chain of custody for media. 6. Location of backups. 7. Keep a history of any changes to media (replacements, etc.).
  98. Vulnerability Testing Goals. 1. Evaluate your company's true and actual security posture vs. its stated and/or assumed security posture. 2. Confirm known vulnerabilities and identify new ones. 3. Test how your company reacts to attacks on its information systems.
  99. We Watched Some Interesting Videos. Glenn Duffie Shriver story (Game of Pawns, about a student spy); The Company Man (story of industrial espionage); United States of Secrets (dramatic inside story of mass surveillance in America); The Spy Factory (an eye-opening documentary on the National Security Agency); short YouTube videos throughout the semester.
  100. We Ate a Lot of Chocolate!
  101. We Took All Our Knowledge and Put It into Our Team Project! Put forth your best effort. Better too long than too short. Send me a copy; I print them out and give them to the Chair of the OIM Department. I smile and say "This is what the students learned this semester" when I present the copies of your presentations.
  102. Things to Remember. I am proud of all of you. We covered a LOT of material this semester. Everyone did a GREAT job being involved with class participation. Your written assignments were fantastic, and showed concern, thought, originality, honesty and intelligence. You ARE every bit as smart as the people you will be working for; they are just older, not smarter. If things are not right in your job, do what is right, speak your mind, assess the situation for what it REALLY is, not what you would like it to be, and then ACT IN YOUR OWN BEST INTEREST.
  103. Thank You! Happy Holidays! Information Systems 365/765, Nicholas Davis, 1570 Van Hise Hall. Tel. 608.347.2486 (mobile). Email [email protected]. LinkedIn https://www.linkedin.com/in/nicholascv Facebook https://www.facebook.com/nicholas.a.davis