Security Policies and Procedures


Computer and network security help to keep data and equipment functioning and provide access only to appropriate people. Everyone in an organization should give high priority to security because everyone can be affected by a lapse in security.

Tasks required to protect physical equipment

Physical security is as important as data security. When a computer is stolen, the data on it is stolen too. There are several methods of physically protecting computer equipment:


 * Control access to facilities.
 * Use cable locks with equipment.
 * Keep telecommunication rooms locked.
 * Fit equipment with security screws.
 * Use security cages around equipment.
 * Label and install sensors, such as Radio Frequency Identification (RFID) tags, on equipment.
 * Install physical alarms triggered by motion-detection sensors.
 * Use webcams with motion-detection and surveillance software.



For access to facilities, there are several means of protection:
 * Card keys that store user data, including level of access
 * Biometric sensors that identify physical characteristics of the user, such as fingerprints or retinas
 * Posted security guard
 * Sensors, such as RFID tags, to monitor equipment



Trusted Platform Module (TPM)

One form of hardware security is the Trusted Platform Module (TPM). The TPM is a specialized chip installed on the motherboard of a computer to be used for hardware and software authentication. The TPM stores information specific to the host system, such as encryption keys, digital certificates, and passwords. Applications that use encryption can make use of the TPM chip to secure things like user authentication information, software license protection, and encrypted files, folders, and disks. Integrating hardware security such as the TPM with software security results in a much safer computer system than using software security alone.



Ways to protect data

To protect data, several methods of security protection can be implemented.

Password protection

Password protection can prevent unauthorized access to content. Attackers can gain access to unprotected computer data. All computers should be password protected. Two levels of password protection are recommended:

 * **BIOS –** Prevents the operating system from booting, and prevents BIOS settings from being changed without the appropriate password
 * **Login –** Prevents unauthorized access to the local computer and the network



Network logins provide a means of logging activity on the network and either preventing or allowing access to resources. This makes it possible to determine which resources are being accessed. Usually, the system administrator defines a naming convention for the usernames when creating network logins. A common example of a username is the first initial of the person's first name and then the entire last name. You should keep the username naming convention simple so that people do not have a hard time remembering it.

Usernames, like passwords, are an important piece of information and should not be revealed. Default usernames should be changed so that hackers do not know either part of the username and password combination.

When assigning passwords, the level of password control should match the level of protection required. A good security policy should be strictly enforced and include, but not be limited to, the following rules:

 * Passwords should expire after a specific period of time.
 * Passwords should contain a mixture of letters and numbers so that they cannot easily be broken.
 * Password standards should prevent users from writing down passwords and exposing them to public view.
 * Rules about password expiration and lockout should be defined. Lockout rules apply when an unsuccessful attempt has been made to access the system or when a specific change has been detected in the system configuration.
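The three password rules above (expiry after a set period, a mixture of letters and numbers, and lockout after failed attempts) expressed as checks a login system could enforce. This is an added example, not code from the page or the Cisco Networking Academy material; the 90-day age, 8-character minimum, 5-attempt threshold and 30-minute lockout are constructed policy values.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Policy values are constructed for this example; an organization sets its own.
MAX_PASSWORD_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5                 # failed attempts before the account locks
LOCKOUT_DURATION = timedelta(minutes=30)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Page rule: a mixture of letters and numbers, so the password is not easily broken."""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """Page rule: passwords expire after a specific period of time."""
    return (today - last_changed).days > max_age_days


@dataclass
class LockoutTracker:
    """Page rule: lock the account after repeated unsuccessful attempts to access the system."""
    failed: dict = field(default_factory=dict)        # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> datetime the lockout ends

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:              # lockout period over: reset the counter
            del self.locked_until[user]
            self.failed[user] = 0
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: datetime) -> bool:
        """Returns True if the login is accepted; a locked account is refused even with the correct password."""
        if self.is_locked(user, now):
            return False
        if success:
            self.failed[user] = 0
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
        return False
```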

To simplify the process of administrating security, it is common to assign users to groups, and then to assign groups to resources. This allows the access capability of users on a network to be changed easily by assigning or removing the user from various groups. This is useful when setting up temporary accounts for visiting workers or consultants, giving you the ability to limit access to resources.

To prevent unauthorized users from accessing local computers and network resources, lock your workstation, laptop, or server when you are not present.
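The group-based model described above, as an added example (not the page's own code): users are placed in groups, groups are granted resources, and a visiting consultant gets a temporary account whose access ends on a fixed date or as soon as it is removed from the group. The group names, resources, usernames and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class AccessDirectory:
    """Users are placed in groups and groups are granted resources; a user never
    gets a grant directly. Names and resources below are constructed for this example."""
    members: dict = field(default_factory=dict)  # group -> set of usernames
    grants: dict = field(default_factory=dict)   # resource -> set of groups allowed
    expires: dict = field(default_factory=dict)  # username -> last valid date (temporary accounts)

    def add_to_group(self, user: str, group: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def remove_from_group(self, user: str, group: str) -> None:
        # Removing a user from a group revokes every resource granted to that group.
        self.members.get(group, set()).discard(user)

    def grant(self, group: str, resource: str) -> None:
        self.grants.setdefault(resource, set()).add(group)

    def groups_of(self, user: str) -> set:
        return {g for g, users in self.members.items() if user in users}

    def can_access(self, user: str, resource: str, today: date) -> bool:
        # A temporary account stops working after its expiry date, whatever its groups.
        if user in self.expires and today > self.expires[user]:
            return False
        return bool(self.groups_of(user) & self.grants.get(resource, set()))


def build_example_directory() -> AccessDirectory:
    d = AccessDirectory()
    d.grant("staff", "shared")       # everyone on staff reaches the shared folder
    d.grant("finance", "payroll")    # only finance reaches payroll
    d.add_to_group("jsmith", "staff")
    d.add_to_group("jsmith", "finance")
    # Visiting consultant: shared folder only, account valid until a fixed date.
    d.add_to_group("consultant1", "staff")
    d.expires["consultant1"] = date(2024, 6, 30)
    return d
```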

Encrypting data

Encrypting data uses codes and ciphers. Traffic between resources and computers on the network can be protected from attackers who monitor or record transactions by implementing encryption. Even if encrypted data is captured, it might not be possible to decipher it in time to make any use of it.

A VPN uses encryption to protect data. A VPN connection allows remote users to safely access resources as if their computer were physically attached to the local network.



Software Firewall

Data being transported on a network is called traffic. A software firewall is a program that runs on a computer to allow or deny traffic between the computer and the network to which it is connected. Every communication using TCP/IP is associated with a port number. HTTPS, for instance, uses port 443 by default. A software firewall, as shown in Figure 2, is capable of protecting a computer from intrusion through the ports. The user can control the type of data sent to a computer by selecting which ports will be open and which will be secured. You must create exceptions to allow certain traffic or applications to connect to the computer. Firewalls can block incoming and outgoing network connections unless exceptions are defined to open and close the ports required by a program.

Data Backups

Data backup procedures should be included in a security plan. Data can be lost or damaged in circumstances such as theft, equipment failure, or a disaster such as a fire or flood. Backing up data is one of the most effective ways of protecting against data loss. Here are some considerations for data backups:

 * **Frequency of backups** – Backups can take a long time. Sometimes it is easier to make a full backup monthly or weekly, and then do frequent partial backups of any data that has changed since the last full backup. However, spreading the backups over many recordings increases the amount of time needed to restore the data.
 * **Storage of backups** – Backups should be transported to an approved offsite storage location for extra security. The current backup media is transported to the offsite location on a daily, weekly, or monthly rotation, as required by the local organization.
 * **Security of backups** – Backups can be protected with passwords. These passwords would have to be entered before the data on the backup media could be restored.
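The frequency and security considerations above, worked through as an added example (not code from the page): one full backup followed by partial backups of only what changed, a restore that must replay the full backup and every partial medium in order (so more media means a longer restore), and a restore password checked against a salted hash before any data is returned. The file names, contents and password are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import date


class BackupSet:
    """A full backup followed by partial backups of what changed since the previous
    backup. Restoring must read the full backup and then every partial, in order."""

    def __init__(self, restore_password: str):
        # Page rule: backups can be password protected; keep a salted hash, not the password.
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", restore_password.encode(), self._salt, 100_000)
        self.media = []        # one entry per backup medium: (kind, date, changed, removed)
        self._last_seen = {}   # file contents as of the most recent backup

    def full_backup(self, files: dict, when: date) -> None:
        self.media = [("full", when, dict(files), set())]   # a new full backup starts a new chain
        self._last_seen = dict(files)

    def partial_backup(self, files: dict, when: date) -> int:
        """Stores only files added or changed since the last backup; returns how many."""
        changed = {p: c for p, c in files.items() if self._last_seen.get(p) != c}
        removed = {p for p in self._last_seen if p not in files}
        self.media.append(("partial", when, changed, removed))
        self._last_seen = dict(files)
        return len(changed)

    def restore(self, password: str) -> dict:
        """Rebuilds the file set from all media; a wrong password refuses the restore."""
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(attempt, self._pw_hash):
            raise PermissionError("backup password rejected")
        files = {}
        for _kind, _when, changed, removed in self.media:   # replay oldest to newest
            files.update(changed)
            for path in removed:
                files.pop(path, None)
        return files


def run_example() -> BackupSet:
    # Constructed sample file set: a full backup, then two weekly partial backups.
    b = BackupSet("restore-pass-1")
    b.full_backup({"a.doc": "v1", "b.xls": "v1"}, date(2024, 1, 1))
    b.partial_backup({"a.doc": "v2", "b.xls": "v1"}, date(2024, 1, 8))    # a.doc changed
    b.partial_backup({"a.doc": "v2", "c.txt": "v1"}, date(2024, 1, 15))   # b.xls removed, c.txt added
    return b
```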



Smart Card Security

A smart card is a small plastic card, about the size of a credit card, with a small chip embedded in it. The chip is an intelligent data carrier, capable of processing, storing, and safeguarding thousands of bytes of data. Smart cards store private information such as bank account numbers, personal identification, medical records, and digital signatures. Smart cards provide authentication and encryption to keep data safe.



Biometric Security

Biometric security compares physical characteristics against stored profiles to authenticate people. A profile is a data file containing known characteristics of an individual such as a fingerprint or a handprint. In theory, biometric security is more secure than security measures such as passwords or smart cards, because passwords can be discovered and smart cards can be stolen. Common biometric devices available include fingerprint readers, handprint readers, iris scanners, and face recognition devices.


File System Security

All file systems keep track of resources, but only file systems with journals can log access by user, date, and time. The two file systems compared here are FAT32 and NTFS. The FAT32 file system, which is used in some versions of Windows, lacks both journaling and encryption capabilities. As a result, situations that require good security are usually deployed using a file system such as NTFS, which is part of Windows 2000 and Windows XP. If increased security is needed, it is possible to run certain utilities, such as CONVERT, to upgrade a FAT32 file system to NTFS. The conversion process is not reversible. It is important to clearly define your goals before making the transition.

Wireless security techniques

Because traffic flows through radio waves in wireless networks, it is easy for attackers to monitor and attack data without having to physically connect to a network. Attackers gain access to a network by being within range of an unprotected wireless network. A technician needs to know how to configure access points and wireless NICs to an appropriate level of security.

When installing wireless services, you should apply wireless security techniques immediately to prevent unwanted access to the network, as shown in Figure 1. Wireless access points should be configured with basic security settings that are compatible with the existing network security. The following items are basic security settings that can be configured on a wireless router or access point:

 * Service Set Identifier **(SSID)** – The name of the wireless network. A wireless router or access point broadcasts the SSID by default so that wireless devices can detect the wireless network. Manually enter the SSID on wireless devices to connect to the wireless network when the SSID broadcast has been disabled on the wireless router or access point.
 * **MAC Address Filtering** – A technique used to deploy device-level security on a wireless LAN. Because every wireless device has a unique MAC address, wireless routers and access points can prevent wireless devices from connecting to the wireless network if the devices do not have authorized MAC addresses. Enable MAC address filtering, and list each wireless device MAC address to enforce MAC address filtering.



An attacker can access data as it travels over the radio signal. A wireless encryption system can be used to prevent unwanted capture and use of data by encoding the information that is sent. Both ends of every link must use the same encryption standard. The following items are wireless encryption and authentication technologies:

 * Wired Equivalent Privacy (**WEP**) – The first generation security standard for wireless. Attackers quickly discovered that WEP encryption was easy to break. The encryption keys used to encode the messages could be detected by monitoring programs. Once the keys were obtained, messages could be easily decoded.




 * Wi-Fi Protected Access **(WPA)** – An improved version of WEP. It was created as a temporary solution until 802.11i (a security layer for wireless systems) was fully implemented. Now that 802.11i has been ratified, WPA2 has been released. It covers the entire 802.11i standard. WPA uses much stronger encryption than WEP encryption.
 * Wi-Fi Protected Access 2 **(WPA2)** – An improved version of WPA. This protocol was released to introduce higher levels of security than WPA. WPA2 supports robust encryption providing government-grade security. WPA2 can be enabled in two versions: Personal (password authentication) and Enterprise (server authentication).
 * Lightweight Extensible Authentication Protocol **(LEAP)**, also called EAP-Cisco – A wireless security protocol created by Cisco to address the weaknesses in WEP and WPA. LEAP is a good choice when using Cisco equipment in conjunction with operating systems like Windows and Linux.
 * Wireless Transport Layer Security **(WTLS)** – A security layer used in mobile devices that employ the Wireless Application Protocol (WAP). Mobile devices do not have a great deal of spare bandwidth to devote to security protocols. WTLS was designed to provide security for WAP devices in a bandwidth-efficient manner.

Summary

It is very important to secure your data from being stolen. There are two ways of protecting data: physical security and data protection. To protect the equipment, physical security measures such as cable locks, card keys, and webcams should be used. To protect the data inside the computer, data protection measures such as passwords, a software firewall, and data backups should be used. Smart card security is also used to secure personal information and accounts.

Resources

Cisco Networking Academy Program