1. Information Security 365/765, Fall Semester 2017
Course Instructor: Nicholas Davis, CISSP, CISA
Lecture 17: Course Summary
2. Guest Speaker Dec. 12: FBI Special Agent Byron Franz
- Over 15 years of experience working on national security investigations
- Prior to working in Milwaukee, Byron spent 10 years in Indianapolis, where he was a member of the SWAT team
- Led the investigation of an Iraqi agent of Saddam Hussein
- BA degree in International Relations and Russian, and a JD from UW Law School
12/5/2017 UNIVERSITY OF WISCONSIN 2
3. Security Controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
4. C I A
We will never forget that Information Security is made up of:
- Confidentiality
- Integrity
- Availability
We must work to balance all three in order to have effective security.
5. Categories of Controls
Computer security is divided into three distinct master categories, commonly referred to as controls:
- Physical
- Technical
- Administrative
6. Information Security is Made of Four Ingredients
Solid security requires:
- Hardware
- Software
- People
- Procedures
All working in tandem (together).
7. Let's Watch the Story (Written Assignment #1)
Don't worry about taking notes; you can watch the video again later.
https://www.youtube.com/watch?v=TEYRLDvJaxo
https://www.youtube.com/watch?v=Fw8ZorTB7_o
8. Ashley Madison!
We talked about Ashley Madison!
- What happened?
- Who were the victims?
- What are the implications?
9. Common Technical Weaknesses in IT
We discussed the most common corporate IT weaknesses:
- Incorrect firewall configurations
- Unpatched web server vulnerabilities
- Databases which accept requests from any source
- Lack of intrusion detection systems
- Lack of intrusion prevention systems
- Failure to disable unused protocols
- Failure to teach proper secure software coding to programmers
- Failure to sanitize data
10. Defense in Depth
We learned about Defense in Depth: using multiple controls, in case one fails.
- Use better granular control for both processes' and people's access rights
- Better physical security
- Perform routine monitoring and auditing
- Develop staff who are more proficient in the tools and methods of information security
11. So Many Definitions!
We learned the differences between:
- Vulnerability
- Threat
- Risk
- Exposure
12. Obscurity Does Not Equal Security
13. Planning for IT Security
The three planning areas of IT security:
- Strategic
- Tactical
- Operational
14. IT Risk Analysis
We learned to do an IT Risk Analysis:
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
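The four steps above carried through on a small constructed inventory, as an added example that is not part of the lecture slides. It quantifies each asset/threat pair as an expected yearly loss (asset value times the fraction lost per occurrence times the expected yearly frequency) and then checks whether a countermeasure's annual cost is below the loss it avoids, which is the "economic balance" of the last step. The asset values, probabilities, impact fractions and the countermeasure cost are all sample figures made up for the example.

```python
# Added example (not from the lecture slides): a small quantitative risk
# analysis following the four steps on the slide. Asset values, threat
# probabilities, impacts and countermeasure costs below are constructed
# sample figures, not data from the course.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_probability: float   # expected occurrences per year
    impact_fraction: float      # share of the asset value lost per occurrence


@dataclass
class Asset:
    name: str
    value: float                # dollar value of the asset (step 1)
    threats: list               # threats identified against it (step 2)


def expected_annual_loss(asset: Asset, threat: Threat) -> float:
    """Step 3: single loss (value * impact fraction) times yearly frequency."""
    return asset.value * threat.impact_fraction * threat.annual_probability


def countermeasure_value(asset, threat, reduced_probability, annual_cost):
    """Step 4: net benefit of a control = loss avoided per year minus its cost.
    Positive means the control pays for itself; negative means it costs more
    than the risk it removes."""
    before = expected_annual_loss(asset, threat)
    after = asset.value * threat.impact_fraction * reduced_probability
    return (before - after) - annual_cost


def rank_risks(assets):
    """Quantify every asset/threat pair and sort by expected loss, largest first."""
    rows = [(a.name, t.name, expected_annual_loss(a, t))
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample inventory
CUSTOMER_DB = Asset("customer database", 500_000.0, [
    Threat("SQL injection via web app", annual_probability=0.5, impact_fraction=0.4),
    Threat("disk failure without backup", annual_probability=0.1, impact_fraction=1.0),
])
LAPTOPS = Asset("sales laptops", 40_000.0, [
    Threat("theft of unencrypted laptop", annual_probability=2.0, impact_fraction=0.25),
])

if __name__ == "__main__":
    for asset_name, threat_name, ale in rank_risks([CUSTOMER_DB, LAPTOPS]):
        print(f"{asset_name:20} {threat_name:32} expected loss/yr ${ale:,.0f}")
    # Is a $15,000/yr control that cuts the injection probability to 0.1 worth it?
    print(countermeasure_value(CUSTOMER_DB, CUSTOMER_DB.threats[0], 0.1, 15_000))
```

The ranking is what the analysis is for: it tells you which countermeasure to fund first, and `countermeasure_value` tells you when a control is more expensive than the risk it addresses and should be declined or replaced by something cheaper.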
15. Hiring Practices
- Job skill screening
- Reference check
- Non-disclosure agreement (NDA) signed
- Education verification
- Criminal background check
- Credit report check
- Sex offender check
- Drug screening
- Professional license check
- Immigration status check
- Social Security Number trace to ensure validity
16. Employee Controls
- Rotation of Duties: no one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of business
- Mandatory vacation policy
17. Termination Practices
Each company needs a set of pre-defined termination procedures. Example:
- Once terminated, the employee must be escorted out of the facility by their manager
- Employee must immediately surrender keys, employee badge, etc.
- Employee must be asked to complete an exit interview and return company property
- The terminated employee's online accounts must be disabled immediately upon termination
18. Three Types of Security Policies Exist
- Regulatory
- Advisory
- Informative
19. How Due Diligence and Due Care are Related
Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.
20. Data Classification Types (typical)
- Public
- Sensitive
- Private
- Confidential
Some models may differ in the number of levels and/or how they are referred to.
21. Security Awareness Training Program
- One for senior management
- One for staff
- One for technical employees
- Responsibilities of everyone
- Potential liabilities if the program is not followed
- Expectations of everyone
22. Assignment #2: Responding to a National Security Letter
National Security Letters (NSLs) are an extraordinary search procedure which gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.
23. Identification, Authentication, Authorization and Accountability
- Identification: who you say you are
- Authentication: verifying that you are who you claim to be
- Authorization: decision of what you are allowed to access, read, change, add, delete
- Accountability: proof of what a person, process or Angry Bird has done
24. Centralized Identity Management vs. Federated
- Centralized Identity Management: a single entity is responsible for authentication and authorization. Facebook, for example.
- Federated Identity Management: a set number of various organizations are deemed trusted. For example, Eduroam.
25. Methods to Steal Passwords
- Electronic monitoring
- Access the password file
- Brute force attacks
- Dictionary attacks
- Social engineering
26. Major Categories of Access Controls
- Deterrent: a warning on a website, forbidding unauthorized access
- Preventive: username and password controlled access
- Detective: logs are audited in real time and an alarm goes off after 10 incorrect login attempts
There are four other categories of access controls, but they are not important for our discussion.
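The detective control from the slide, written out as an added example that is not part of the lecture: a monitor that reads authentication log lines, keeps a running count of consecutive failures per account, and raises an alarm the moment an account reaches 10 incorrect attempts. The log line format, the field names and the sample lines are assumptions constructed for the example.

```python
# Added example (not from the lecture slides): a detective control that
# audits login events and alarms after 10 incorrect attempts. The log line
# format and the sample lines are constructed for the example.
import re
from collections import defaultdict

ALARM_THRESHOLD = 10   # the slide's figure: alarm after 10 incorrect attempts

# Assumed log format: "<timestamp> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def monitor(lines, threshold=ALARM_THRESHOLD):
    """Stream the log once, counting consecutive failures per account.
    A successful login resets that account's count. The alarm fires when the
    count reaches the threshold, and only once per run of failures.
    Returns the list of (user, ip, timestamp) alarms raised."""
    failures = defaultdict(int)
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed lines are skipped, not counted
        if ev["result"] == "LOGIN_OK":
            failures[ev["user"]] = 0      # a success ends the run of failures
            continue
        failures[ev["user"]] += 1
        if failures[ev["user"]] == threshold:
            alarms.append((ev["user"], ev["ip"], ev["ts"]))
    return alarms


# Constructed sample log: 'alice' mistypes twice then succeeds; 'bob' is the
# target of 12 straight failures from one address; one line is malformed.
SAMPLE_LOG = (
    ["2017-12-05T08:00:01 LOGIN_FAIL user=alice ip=10.0.0.5",
     "2017-12-05T08:00:09 LOGIN_FAIL user=alice ip=10.0.0.5",
     "2017-12-05T08:00:20 LOGIN_OK user=alice ip=10.0.0.5"]
    + [f"2017-12-05T08:01:{i:02d} LOGIN_FAIL user=bob ip=203.0.113.9" for i in range(12)]
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    for user, ip, ts in monitor(SAMPLE_LOG):
        print(f"ALARM {ts}: {ALARM_THRESHOLD} failed logins for {user} from {ip}")
```

Note the split between the categories on the slide: this code only detects and alarms. Locking the account or blocking the source address after the alarm would be a preventive control layered on top of it, which is the defense-in-depth idea from slide 10.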
27. Rockwell Automation Spent a Lecture With Us
28. Steve Foy Spoke About Security at AT&T
29. Single Best Piece of Technical Advice You Can Provide
Remove, or at a minimum turn off, USB port access on all end user computing devices.
- USB allows access even when the screen is locked
- USB is small, easy to move in and out of a building, with enormous capacity
- USB can carry a dangerous self-installing payload
- USB ports are often out of sight, and not noticed on the back of a computer when a flash drive is inserted
30. How to Recognize When IP and Trade Secret Theft is Occurring
- Excessive printing taking place
- Use of unapproved encryption software
- Spike in e-mail and USB storage/transfer volumes
- Increase in foreign IP traffic
- Unusual network and building access times
- Unexplained wealth or affluence
- Unusual foreign travel
- Disillusionment/entitlement due to missed promotions or other perceived grievances
- Increased amount of non-business-related activities (e.g., web surfing, job hunting, social media, etc.)
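Several indicators on the slide (printing, USB transfer volume, outbound e-mail, foreign IP traffic, after-hours building access) are countable from logs, and the word the slide uses for them is "spike": the signal is a change against that user's own history, not an absolute number. The added example below, which is not part of the lecture, scores a user's current week against a baseline built from their previous weeks and flags only when two or more indicators spike at once. The indicator names, the 3x factor, the two-indicator rule and all the counts are assumptions constructed for the example; the behavioural indicators (wealth, travel, grievances) are left to managers, not scripts.

```python
# Added example (not from the lecture slides): scoring the technical
# indicators from the slide against a per-user baseline. All counts below
# are constructed sample data; the indicator names and the thresholds are
# assumptions made for the example.
from statistics import mean

INDICATORS = ("pages_printed", "usb_bytes_out", "email_mb_out",
              "foreign_ip_conns", "after_hours_entries")
SPIKE_FACTOR = 3.0      # current value must be at least 3x the baseline mean
MIN_INDICATORS = 2      # ...for at least two indicators before a user is flagged


def baseline(history):
    """Mean of each indicator over the user's past periods."""
    return {k: mean(p[k] for p in history) for k in INDICATORS}


def spikes(history, current, factor=SPIKE_FACTOR):
    """Names of indicators where the current period is >= factor * baseline.
    A zero baseline with any non-zero current value also counts as a spike
    (e.g. a user who never wrote to USB storage before)."""
    base = baseline(history)
    hits = []
    for k in INDICATORS:
        b, c = base[k], current[k]
        if (b == 0 and c > 0) or (b > 0 and c >= factor * b):
            hits.append(k)
    return hits


def flag_users(records, min_indicators=MIN_INDICATORS):
    """records: {user: {"history": [period, ...], "current": period}}.
    Returns {user: [spiking indicators]} for users who warrant a closer look."""
    flagged = {}
    for user, rec in records.items():
        hits = spikes(rec["history"], rec["current"])
        if len(hits) >= min_indicators:
            flagged[user] = hits
    return flagged


def period(pages, usb, email, foreign, after_hours):
    """Build one period's counters in INDICATORS order."""
    return dict(zip(INDICATORS, (pages, usb, email, foreign, after_hours)))


# Constructed sample: four normal weeks of history, then the current week.
RECORDS = {
    "carol": {"history": [period(40, 0, 20, 2, 0), period(35, 0, 25, 1, 1),
                          period(50, 0, 18, 3, 0), period(45, 0, 22, 2, 1)],
              "current": period(600, 8_000_000_000, 23, 2, 6)},
    "dave":  {"history": [period(10, 500_000, 5, 0, 0), period(12, 400_000, 6, 0, 0),
                          period(9, 600_000, 4, 1, 0), period(11, 500_000, 5, 0, 0)],
              "current": period(14, 550_000, 6, 0, 0)},
}

if __name__ == "__main__":
    for user, hits in flag_users(RECORDS).items():
        print(f"review {user}: spikes in {', '.join(hits)}")
```

Requiring more than one indicator is deliberate: a single busy printing week is ordinary, while heavy printing plus first-ever USB use plus after-hours entries in the same week is the pattern the slide describes. The output is a list for a human to review, not a verdict.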
31. Today's Movie Feature!
- Based on a true story of an attempted theft of trade secrets
- Happens to involve China, but could just as easily have been a competitor in Minnesota or Texas
- Focus on the story, techniques and implications, not the nationalities of the people in the story
32. Assignment #3
- Assignments 1 and 2 were essay based
- Assignment 3 is more straightforward, question and answer based
- Please label your answers accordingly (1, 2, 3, etc.)
- Due date is Oct 25th, but I will accept them on Oct 27th as well
33. Memory Management
For a secure operating environment, an operating system must exercise proper memory management. A memory management system has five basic responsibilities:
- Relocation
- Protection
- Sharing
- Logical Organization
- Physical Organization
34. Memory Leaks
https://www.youtube.com/watch?v=67m5jwoNkfo
35. Four Major Physical Security Threats
- Natural environmental
- Supply system
- Human-made
- Politically motivated
A good security program protects against all of these, in layers.
36. Physical Access Control For Visitors
- Limit the number of entry points
- Force all guests to sign in at a common location
- Reduce entry points even more after hours and on weekends
- Validate a government-issued picture ID before allowing entry
- Require all guests to be escorted by a full-time employee
- Encourage employees to question strangers
37. 5 Core Steps in a Physical Security System
- Deter
- Delay
- Detect
- Assess
- Respond
38. Laptops Are One of the Most Frequently Stolen Physical Assets
- Inventory the laptops
- Harden the operating system
- Password protect the BIOS
- Register laptops with the vendor
- Don't check a laptop as baggage!
- Don't leave a laptop unattended
- Engrave the laptop visibly
- Use a physical cable and lock
- Back up data
- Encrypt the hard disk
- Store in a secure place when not in use
39. A Note About Credit Card Reader Physical Security
https://www.youtube.com/watch?v=XipjYIbBj7k
Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought.
40. Cloud Security
Cloud Security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
41. Cloud Service Models
- Software as a Service
- Platform as a Service
- Infrastructure as a Service
42. Cloud Deployment Models
- Private
- Public
- Hybrid
43. Bring Your Own Device
BYOD (bring your own device) is the increasing trend toward employee-owned devices within a business. Smartphones are the most common example, but employees also take their own tablets, laptops and USB drives into the workplace.
44. Lost Devices, Sold Devices, Memorized Passwords
- BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses that phone or sells that phone, untrusted parties could retrieve any unsecured data on the phone.
- Another type of security breach occurs when an employee leaves the company: they do not have to give back the device, so company applications and other data may still be present on their device.
- If passwords are cached (remembered) by the phone, anyone who has access to the device can now access the password-protected resources.
45. Personal Privacy: Drawing the Line
IT Security departments that wish to monitor usage of personal devices must ensure that they only monitor work-related activities or activities that access company data or information.
46. Malware Infections
Organizations who wish to adopt a BYOD policy must also consider how they will ensure that the devices which connect to the organization's network infrastructure to access sensitive information will be protected from malware.
47. Patching Many Different Models of BYODs
A BYOD policy must be prepared with the necessary systems and processes in place to apply patches against known vulnerabilities to the various devices that users may choose to use.
48. Mobile Device Management Solutions
Several market solutions and policies have emerged to address BYOD security concerns, including:
- Mobile device management (MDM)
- Containerization
- App virtualization
49. MDM May Result in Privacy and Usability Concerns
While MDM provides organizations with the ability to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that lead to resistance in some organizations.
50. Phone Number Ownership
A key issue of BYOD which is often overlooked is BYOD's phone number problem, which raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises.
51. Lack of BYOD Policy
- Research reveals that only 20% of employees have signed a BYOD policy
- Why not have them agree online, in order to gain network access? Offer them a carrot (network access) to agree.
- Businesses need to get out of the idea of using legacy paper forms for such things
52. BYOD Inventory
Firms need an efficient inventory management system that keeps track of which devices employees are using, where the device is located, whether it is being used, and what software it is equipped with.
53. Make Sure the Employees Know
If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation.
54. Scalability and Capability of Corporate Networks
Many organizations today lack the proper network infrastructure to handle the large traffic which will be generated when employees start using different devices at the same time.
56. Summary
- Both Cloud and BYOD are relatively new to organizations
- Both Cloud and BYOD blur the lines of where an organization's control over data resides
- Both Cloud and BYOD extend the information assets beyond historic organizational geographic boundaries
- Both Cloud and BYOD are security concerns, in an attempt to maintain Confidentiality, Integrity and Availability
57. Session Overview
- Introduction and Warning
- The Deep Web Defined
- Dynamic Content
- Unlinked Content
- Private Web
- Contextual Web
- Limited Access Content
- Scripted Content
- Non-HTML Content
- Deep Web Search Engines & Tor Client
- Examples of what can be found on the Deep Web
- Exciting Documentary Video
- Question and Answer session
58. Grams Sample Search: Crunchy Dutch Moonrocks
59. Deep Web, Dangerous Web
60. Class Discussion
You love the Internet. However, your favorite sites, such as Facebook, Amazon, and wisc.edu, are just the surface. There is another world out there: the Deep Web. The Deep Web is where online information is password protected, or requires special software to access, and it's massive, yet it's almost completely out of sight. The Deep Web contains a hidden world, a community where malicious actors unite in common nefarious purpose.
- Should the government control or forbid certain sites? Why?
- Do you think buying the following items on the Internet is possible? If it is possible, should they be forbidden? How and why?
  - Drugs (both prescription and the clearly illegal type)
  - Forged identity papers
  - Weapons, explosives and ammunition
  - Hired assassins
  - Human organs
61. The EU and Privacy
- The European Union (EU) has some of the most stringent data privacy rules
- When it comes to data collection, the EU has six privacy principles which all countries and businesses within those countries must follow
62. European Privacy Principles
1. The reason for gathering the information must be specified at the time of collection
2. Data cannot be used for other purposes
3. Unnecessary data should not be collected
63. Privacy: The Need For Better Laws
- Data aggregation and data retrieval technologies advancement (large data warehouses)
- Loss of borders: private data flows from country to country with ease
- Convergent technology advances: gathering, mining and distributing information has become much easier
64. Laws, Directives and Regulations
Covers many different areas for many different reasons:
- Privacy
- Computer misuse
- Software copyright
- Data protection
- Controls on cryptography
65. Laws, Directives and Regulations
- Laws, directives and regulations usually provide only broad guidance and not detailed instructions
- Environments are just too diverse to get specific in terms of the details of laws, directives and regulations
- Let's look at some examples
66. Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
67. HIPAA
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
68. GLB (GLBA)
The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
69. CFAA
The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
70. Federal Privacy Act of 1974
The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
71. PCI-DSS (PCI)
Short for Payment Card Industry (PCI) Data Security Standard (DSS), PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.
72. 1. Validate Input and Output
All data input and output should be checked very carefully for appropriateness. This check should be to see if the data is what is expected (length, characters). Making a list of bad characters is not the way to go; such lists are rarely complete. A secure program should know what it expects, and reject other input. For example, if an input field is for a Social Security Number, then any data that is not a string of nine digits is not valid. A common mistake is to filter for specific strings or payloads in the belief that specific problems can be prevented.
73. 2. Fail Securely (Closed)
Applications should default to secure operation. That is, in the event of failure or misconfiguration, they should not reveal more information than necessary with regard to:
- Error messages (for efficient debugging purposes)
- The application configuration (directory, version/patch levels)
- The operating environment (network addressing, OS version/patch levels)
As well, they should not allow transactions or processes to continue:
- With more privileges than normal
- With more access than normal
- Without proper validation of input parameters and output results
- Bypassing any monitoring or logging facilities
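Principles 1 and 2 together, as an added example that is not part of the lecture material: the Social Security Number field from principle 1 is validated with an allow-list (exactly nine digits, nothing else) and contrasted with the bad-character list the text warns against, and the lookup that uses it fails closed as in principle 2, returning the same minimal response for every kind of failure while the detail goes to an internal log. The record store, the handler and its response shape are assumptions constructed for the example, not any real framework's API.

```python
# Added example (not from the lecture slides): allow-list validation of an
# SSN field (principle 1) and a lookup that fails closed (principle 2).
# The record store and the handler's response format are assumptions
# constructed for the example.
import logging
import re

log = logging.getLogger("records")

# Allow-list: exactly what we expect. [0-9] rather than \d so that Unicode
# digits from other scripts are rejected too.
SSN_RE = re.compile(r"[0-9]{9}")

# The approach the text warns against: a list of "bad" things to strip.
BLOCKLIST = ("'", "--", ";", "<script")


def validate_ssn(value) -> bool:
    """Principle 1: accept only a string of exactly nine ASCII digits.
    fullmatch() is used instead of match() with '$' because '$' would also
    accept "123456789\\n" (it matches before a trailing newline)."""
    return isinstance(value, str) and SSN_RE.fullmatch(value) is not None


def blocklist_filter(value: str) -> str:
    """Shown only for contrast: removes a few known-bad tokens but still
    passes through plenty that is not an SSN."""
    for bad in BLOCKLIST:
        value = value.replace(bad, "")
    return value


RECORDS = {"123456789": "record for 123456789"}   # constructed store

GENERIC_ERROR = {"ok": False, "error": "invalid request"}


def lookup_record(ssn_input) -> dict:
    """Principle 2: every failure path returns the same minimal response.
    What was rejected, and any exception detail, goes to the internal log
    and never to the caller."""
    try:
        if not validate_ssn(ssn_input):
            log.warning("rejected SSN input %r", ssn_input)   # detail stays internal
            return dict(GENERIC_ERROR)
        return {"ok": True, "data": RECORDS[ssn_input]}
    except Exception:                       # e.g. KeyError for an unknown SSN
        log.exception("lookup failed for %r", ssn_input)
        return dict(GENERIC_ERROR)          # same answer as a malformed input


if __name__ == "__main__":
    for sample in ("123456789", "123-45-6789", "123456789\n", "000000000",
                   blocklist_filter("123456789'; DROP TABLE users--")):
        print(repr(sample), "->", lookup_record(sample))
```

The point of the generic error is that a caller cannot tell "malformed input" from "well-formed but unknown" from "database threw an exception": the distinction is useful to whoever reads the log and to nobody else. The blocklist contrast shows why the text prefers knowing what you expect: after stripping the listed tokens the input is still not nine digits, and the allow-list rejects it without needing to know what the attacker tried.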
74. 3. Keep it Simple
While it is tempting to build elaborate and complex security controls, the reality is that if a security system is too complex for its user base, it will either not be used or users will try to find measures to bypass it. Often the most effective security is the simplest security. Do not expect users to enter 12 passwords.
75. 4. Use and Reuse Trusted Components
Invariably other system designers (either on your development team or on the Internet) have faced the same problems as you. They may have invested a large amount of time on research and developing robust solutions to the problem. In many cases they will have improved components through an iterative process and learned from common mistakes along the way. Using and reusing trusted components makes sense both from a resource stance and from a security stance. When someone else has proven they got it right, take advantage.
76. 5. Defense in Depth
Relying on one component to perform its function 100% of the time is unrealistic. While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it. If one component fails to catch a security event, a second one would.
77. 6. Only as Secure as the Weakest Link
We've all seen it: "This system is 100% secure, it uses 128-bit SSL." While it may be true that the data in transit from the user's browser to the web server has appropriate security controls, more often than not the focus of security mechanisms is at the wrong place. As in the real world, where there is no point in placing all of your locks on your front door and leaving the back door swinging on its hinges, you need to think carefully about what you are securing. Attackers are lazy and will find the weakest point and attempt to exploit it.
78. 7. Security by Obscurity Won't Work in the Long Run
It's naive to think that hiding things from prying eyes doesn't buy you some amount of time. Let's face it, some of the biggest exploits unveiled in software have been obscured for years. But obscuring information is very different from protecting it. You are relying on the fact that no one stumbles onto your obfuscation. This strategy doesn't work in the long term and has no guarantee of working in the short term.
79. 8. Least Privilege
Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job. This is the need-to-know approach. If a user account doesn't need root privileges to operate, don't assign them in the anticipation that it may need them. Giving the pool man an unlimited bank account to buy the chemicals for your pool when you're on vacation is unlikely to be a positive experience.
80. 9. Compartmentalization
Similarly, compartmentalizing users, processes and data helps contain problems if they do occur. Compartmentalization is an important concept widely adopted in the information security realm. Imagine the same pool man scenario. Giving the pool man the keys to the house while you are away, so he can get to the pool house, may not be a wise move. Containing his access to the pool house limits the types of problems that may occur if something were to happen.
81. Telecommunications and Network Security Overview
- TCP/IP and other protocols
- LAN, WAN, MAN, intranet, extranet
- Cable types and data transmission types
- Network devices and services
- Communications security management
82. TCP and UDP: Two Major Protocols For Transmission Over IP
83. Reliability: TCP
TCP is a connection-oriented protocol. When a file or message is sent, it will get delivered unless the connection fails. If part of it is lost, the server will request the lost part. There is no corruption while transferring a message.
84. Reliability: UDP
UDP is a connectionless protocol. When you send data or a message, you don't know if it'll get there; it could get lost on the way. There may be corruption while transferring a message.
85. Ordered Delivery: TCP
Ordered: if you send two messages along a connection, one after the other, you know the first message will get there first. You don't have to worry about data arriving in the wrong order.
86. No Ordered Delivery: UDP
If you send two messages out, you don't know what order they'll arrive in.
87. TCP is a Heavyweight Protocol
Heavyweight: when the low-level parts of the TCP "stream" arrive in the wrong order, resend requests have to be sent, and all the out-of-sequence parts have to be put back together, so it requires a bit of work to piece together.
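The work the slide calls "heavyweight", shown as a toy model in an added example that is not part of the lecture. Each segment carries the byte offset it starts at; the receiver hands bytes to the application only in order, holds anything that arrives early in a buffer, names the offset it is missing so the sender can resend it, and discards duplicates. The segment format, the five-byte segment size and the sample message are assumptions constructed for the example; this is the idea of sequence-numbered reassembly, not real TCP header layout or its actual retransmission rules.

```python
# Added example (not from the lecture slides): a toy model of in-order
# reassembly with resend requests, the work slide 87 describes. Segment
# format and sizes are assumptions for the example, not real TCP headers.

class Receiver:
    def __init__(self, initial_seq=0):
        self.next_seq = initial_seq    # next byte offset the application may receive
        self.pending = {}              # seq -> payload that arrived too early
        self.delivered = bytearray()   # everything handed to the application so far

    def receive(self, seq, payload):
        """Accept one segment. Returns (chunks delivered in order, resend request or None)."""
        if seq + len(payload) <= self.next_seq:
            return [], None                          # duplicate: already delivered
        if seq > self.next_seq:
            self.pending[seq] = payload              # hole before it: hold and ask
            return [], ("resend_from", self.next_seq)
        if seq < self.next_seq:                      # partial overlap: keep the new part
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        out = [payload]
        self.delivered += payload
        self.next_seq += len(payload)
        # the gap is filled: drain buffered segments that now fit in sequence
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            out.append(chunk)
            self.delivered += chunk
            self.next_seq += len(chunk)
        return out, None


def segment(data, size):
    """Split a byte string into (seq, payload) pairs; seq is the byte offset."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]


def simulate(data, size, arrival_order):
    """Deliver segments in the given order (segments missing from the order
    are 'lost'), then let the sender honour each distinct resend request.
    Returns (reassembled bytes, list of resend requests the receiver made)."""
    segs = dict(segment(data, size))
    rx = Receiver()
    requests = []
    for seq in arrival_order:
        _, req = rx.receive(seq, segs[seq])
        if req:
            requests.append(req)
    for start in sorted({r[1] for r in requests}):
        for seq in sorted(s for s in segs if s >= start):
            rx.receive(seq, segs[seq])       # most of these are now duplicates
    return bytes(rx.delivered), requests


if __name__ == "__main__":
    DATA = b"The quick brown fox jumps"       # constructed message, 5 segments of 5 bytes
    out, reqs = simulate(DATA, 5, [0, 10, 15, 5])   # segment 20 lost, 5 arrives late
    print(out, reqs)
```

Every branch in `receive` is a cost UDP does not pay: the buffer for early segments, the request for the gap, the trim of overlapping data and the duplicate check. Note that the receiver asks for the same offset twice in the sample run, once per early segment, which is the behaviour a sender needs in order to notice a loss quickly.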
88. UDP is a Lightweight Protocol
Lightweight: no ordering of messages, no tracking connections, etc. It's just fire and forget! This means it's a lot quicker, and the network card / OS have to do very little work to translate the data back from the packets.
89. The 5 Types of Physical Network Topologies
- Bus
- Ring
- Star
- Tree
- Mesh
90. Network Cabling: Coaxial Cable
Coaxial cable, or coax (pronounced "ko-aks"), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket.
91. Network Cabling: Twisted Pair
Twisted pair cabling is a type of wiring in which two conductors of a single circuit are twisted together for the purposes of canceling out electromagnetic interference from external sources; for instance, electromagnetic radiation from unshielded twisted pair cables, and crosstalk between neighboring pairs.
92. Network Cabling: Fiber Optic
A technology that uses glass (or plastic) threads (fibers) to transmit data. A fiber optic cable consists of a bundle of glass threads, each of which is capable of transmitting messages modulated onto light waves. Fiber optics has several advantages over traditional metal communications lines:
93. Wireless Best Practices
- Protect your network with a password and encryption
- Change the default SSID (name of network)
- Disable broadcast of the SSID (name of network)
- Place the Access Point at the center of the building to avoid external access
- Configure the Access Point to only allow known MAC (hardware) addresses into the network
94. Configuration and Change Management
Policies should:
1. Document how all changes are made and approved
2. Have guidelines that differ based upon the kind of data being managed
3. Require that disruptions in service be planned and approved in advance
4. Require contingency plans to be in place to address planned outages
95. Change Control Process
Process:
1. Submit request for change to take place
2. Formal approval of the change
3. Formal documentation of the change
4. Assurance of testing must be presented to the group approving the change
5. Implement the change
6. Report results to management
96. Examples of Change Controlled Events
- New computers installed
- New applications installed
- Changes in system configurations implemented
- Patches and system updates
- New networking equipment installed
- Company IT infrastructure merged with that of another company which was acquired
97. Physical Media Controls
1. Protect from unauthorized access
2. Protect from environmental issues such as flooding, overheating, etc.
3. Media should be labeled
4. Media should be sanitized when they reach the end of their use/life
5. Tracking number, chain of custody of media
6. Location of backups
7. Keep a history of any changes to media (replacements, etc.)
98. Vulnerability Testing
Goals:
1. Evaluate your company's true and actual security posture vs. your company's stated and/or assumed security posture
2. Confirm known vulnerabilities and identify new vulnerabilities
3. Test how your company reacts to attacks on information systems
99. We Watched Some Interesting Videos
- Glen Duffy Shriver Story (Game of Pawns, about a student spy)
- The Company Man (story of industrial espionage)
- United States of Secrets (dramatic inside story of mass surveillance in America)
- The Spy Factory (an eye-opening documentary on the National Security Agency)
- Short YouTube videos, throughout the semester
100. We Ate a Lot of Chocolate!
101. We Took All Our Knowledge and Put It into Our Team Project!
- Put forth your best effort
- Better too long than too short
- Send me a copy
- I print them out and give them to the Chair of the OIM Department. I smile and say "This is what the students learned this semester" when I present the copies of your presentations.
102. Things to Remember
- I am proud of all of you. We covered a LOT of material this semester.
- Everyone did a GREAT job being involved with class participation.
- Your written assignments were fantastic, showed concern, thought, originality, honesty and intelligence.
- You ARE every bit as smart as the people you will be working for. They are just older, not smarter.
- If things are not right in your job, do what is right, speak your mind, assess the situation for what it REALLY is, not what you would like it to be, and then ACT IN YOUR OWN BEST INTEREST.
103. Thank You! Happy Holidays!
Information Systems 365/765
Nicholas Davis
1570 Van Hise Hall
Tel. 608.347.2486 (mobile)
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/nicholascv
Facebook: https://www.facebook.com/nicholas.a.davis