Reading Journal Week 13 Security - echadbourne/ChadbourneSYS-140 GitHub Wiki

Security Policy

Summary:

  • A security policy is a written set of rules and guidelines pertaining to the computer and network security of a business or organization. Common topics addressed in a security policy include physical access, antivirus, acceptable use, passwords, email usage, remote access, and emergency procedures. These are elaborated on in the table below. A security policy is most easily enforced through user profiles for the users within the organization.

My Response:

  • As explained by the textbook, security policies are really important because they are put in place to protect the computers and networks of a business or organization. No matter how small a business is, it is a really good idea to always have some sort of written security policy in case of a conflict or issue. This makes it easier to protect the digital systems of an organization, and in some cases easier to recover in the event of a security breach or attack.

Physical Security

Summary:

  • Physical security generally consists of physical barriers for protecting information and equipment. Common methods include electronic key cards (which can also be combined with ID and smart cards), key fobs, and password security, as well as non-electronic measures such as locked doors, mantraps, computer cages, and cable locks. In addition to general physical security, you will also want to consider implementing multifactor authentication, which is simply the use of two or more ways of verifying one's identity. A common approach combines identifiers such as fingerprints and IDs. Physical security can also take advantage of biometric technologies like fingerprint or retina scanners, or facial recognition.

My Response:

  • I feel like in many places this type of security is becoming much more well known and better utilized, because people are starting to understand the benefits. The technology is also getting more advanced, and maybe even cheaper/more available. I know that many phones, and now even some laptops use facial recognition as part of their locking and purchasing functions, which is a really cool and frankly very secure way of doing that.

Logical/Digital Security

Summary:

  • There are a number of ways to protect computers and the digital data on them. The ones mentioned in the textbook include using Virtual Private Networks (VPNs) to securely connect to the internet, firewalls for network traffic, antivirus software, user authentication or strong passwords, multifactor authentication, permissions, and disabling unused ports on computers and networking devices (important for network security). In addition, the use of strong passwords is emphasized, and the table below contains some guidelines for creating strong and secure passwords.

My Response:

  • A lot of this digital security stuff is not new to me, but it was nice to see it all in one place. Some stuff I knew more about before than others, but everything mentioned here I at least had heard about once. I agree that these are good things to consider when thinking about digital security; however, one of the password guidelines could have been better worded. While it is true that a password with just regular dictionary words can be cracked with a dictionary attack, generally if you pick a few regular words, and add on a few random numbers and maybe a special character or two, you have a fairly secure and potentially easy to remember password (or at least easier than the “super secure” random letters and numbers that password protectors always recommend). Do that a few times (and make sure to pick random and hopefully longer words) and you have a number of very secure passwords. Adding in numbers really helps with the dictionary attack style.

End User Education

Summary:

  • The human is usually the weakest link when it comes to digital security, so users and other people who are part of a business must be educated on what is right and wrong when it comes to digital use and security. Generally, new employees are given the company's acceptable use policy as part of their training when they first join. In addition, users should be reminded to keep potentially sensitive information (including personal identification information like social security numbers) private from passersby, from a technician remoting into a device, and in any other similar situations. Any incidents with malware should be followed up with training that addresses whatever caused the problem in the first place (like clicking a suspicious link). It is also important to understand licensing and that it is very bad to pirate software.

My Response:

  • This is all stuff that has been gone over before in my cybersecurity classes, but it really is an important thing to remember. User education regularly gets left behind for one reason or another, which can cause some serious security issues later down the road. Having users understand the basics of what is and isn’t acceptable regarding software and just general information and data security (even on the most basic level) can be the one thing between a safe network and the beginnings of a contaminated one. This seems like something someone working with computers and security should always have in the back of their mind.

Permissions

Summary:

  • Share and NTFS permissions are used to dictate who has what kind of access to a folder and the files within that folder. Simple Share permissions are used on older Windows computers, and provide Full Control (user can do anything to the folder, including take ownership), Change (user can add things to and delete things from a folder, as well as read and execute things from the folder), and Read (user can view and execute files and scripts from the folder). NTFS is available for newer Windows computers, and provides more options for sharing files. The options and what they do can be seen in the table below.

My Response:

  • This section of the chapter emphasizes how important it is to only give the permissions that someone needs, and no more, when sharing files and folders like this. I agree with this wholeheartedly, because it is very important for data and network security to comply with this idea. If you give too many permissions to the wrong person, for the wrong folder, it could severely damage the organization’s data because the wrong thing could get deleted or copied.
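
A way to check the "only the permissions someone needs" idea on a Windows file server, as an added example that is not from the textbook or the original journal: the script lists shares where a broad group holds Change or Full Control at the share layer, or Modify or higher at the NTFS layer. The list of broad principals (English account names) and the function name `Get-BroadShareGrant` are assumptions made for this example.

```powershell
# Added example: flag SMB shares whose share-level or NTFS ACL gives write
# access to a broad principal. Assumes an elevated PowerShell session on a
# Windows version that ships the SmbShare module.
$Broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'  # assumed list
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Get-BroadShareGrant {
    # -Special $false skips the administrative shares (C$, ADMIN$, IPC$)
    foreach ($share in (Get-SmbShare -Special $false)) {

        # Share layer: the rights are Full, Change or Read
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                "$($_.AccessControlType)" -eq 'Allow' -and
                "$($_.AccessRight)" -in 'Full', 'Change' -and
                $_.AccountName -in $Broad
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Layer = 'Share'; Share = $share.Name
                    Account = $_.AccountName; Right = "$($_.AccessRight)"
                }
            }

        # NTFS layer: read the ACL of the folder behind the share
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -in $Broad -and
                    # Modify is a set of bits; FullControl contains all of them
                    ($_.FileSystemRights -band $Modify) -eq $Modify
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Layer = 'NTFS'; Share = $share.Name
                        Account = $_.IdentityReference.Value
                        Right = "$($_.FileSystemRights)"
                    }
                }
        }
    }
}

Get-BroadShareGrant | Sort-Object Share, Layer | Format-Table -AutoSize
```

An empty result means no broad principal has write-level access on any non-administrative share; each row returned is a grant to review against what that group actually needs.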

Protecting the Operating System and Data

Summary:

  • This whole chapter went over different ways to protect the operating system and data. Some (but not all) of the things that were mentioned include using the NTFS file system, making sure everything is up to date, using antivirus software, remembering that virtual machines are also susceptible and need their own protection, and disabling unused ports. In addition, it is good to keep a backup of the data on a computer. Data should be backed up to an external source, not a separate partition on the regular hard drive (because the whole hard drive could fail). It can be backed up to any number of storage devices, but some common ones are external hard drives, thumb drives, CDs and DVDs, and magnetic tape.

My Response:

  • This was a really good overview of all of the information covered in the chapter so far, and it was nice to see it all in one place. I agree that regular backups of data are really important (I should back up my computer again when I get home) and it was really interesting to see what some of the other common storage devices used for backups are.