L9-PhysicalAndPersonnelSecurity.pptVIP

PhysicalPersonnelSecurity Ken Fletcher With Acknowledgments to Mick Eaton and Tony Kerr Information Systems Security Objectives The Risk Balance What is the threat? Loss of Confidentiality or Privacy Legal action, either criminal or civil Embarrassment Political pressures Loss of commercial advantage (eg trade secrets) Loss of Integrity Inappropriate decisions Loss of accuracy and control Loss of Availability Loss of capability to do useful work Misuse and Abuse Excessive costs (or legal action) Loss of reputation IN SUMMARYthe real impact is loss of business and profit Who is the threat? Insiders - very knowledgable about your organisation Disgruntled Employee Careless Employee Other insider (eg office comedian, office ‘payback’) Ex-employee Disgruntled customer, supplier, or sub-contractor Outsiders - Strangers-but with drive to succeed Thief, Vandal, or Hacker Deliberate Commercial Espionage Agent(eg on behalf of a competitor, or subcontractor) Issue Motivated Groups (eg animal liberationists) Terrorists Groups and Sympathisers Foreign Intelligence Service Agent Computer Abuse and Fraud What is their motivation What is their capability Capability (‘know how’, and ability to perform) is available, for a price if necessary: High Capability-  Foreign Intelligence Service  Ex Employee  (has knowledge of procedures) Big Money Interests (could pay for it) Medium Capability- Hackers (have knowledge) General Commercial Interests (can pay for it) Low Capability-  Disgruntled Customer (has knowledge) What do we do about it? Conduct Threat Assessment Identify and value assets Postulate threats to the significant assets Identify Vulnerabilities to the postulated threats Select Countermeasures Implement Countermeasures Aftercare Audit implementation and operation Continuously review tables of assets, threats, and countermeasures Live happily ever after - until the next security breach The 3-D approach Deter (to Prevent the attack) Stron