College Presentation

1. The C, I, As of Security Introduction to Security Presentation Given To Students in The Master of Information Strategy, System and Technology Curriculum at Muskingum College Scott Frost CISSP, CISM, CISA The Polaris Consulting Group, LLC.

Integrity

Confidentiality

Availability

Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By access, we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy

Security in Computing, Third Edition pg 10

The quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data.

Or more simply put, The data hasnt been changed

The degree to which data and the services or systems that provide the data are working acceptably

Possession - The ownership or control of information, as distinct from confidentiality.

Authenticity - The correct attribution of origin such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named.

Utility - Usefulness; fitness for a particular use.

Non-repudiation Sender cant deny sending and receiver cant deny receiving (Think digital signatures)

Threats something that has the potential to cause harm or loss

Vulnerabilities weakness in a security system

Controls protective measure that removes or reduces a vulnerability

Risks The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat (1)

Acts of God forces of nature, fire, flood, earthquake

Technical Failures Hardware or software with errors or flaws. (i.e. - Intel FDIV)

Management Failures Failure to upgrade or update, Inappropriate configuration. (AV updates, mis-configured firewall)

Weak or default passwords

Un-patched system

Design flaw

Code flaw (buffer overflows, input validation, etc.)

Inadequate building construction

Security Guards and badges

Required vacations for key personnel

Internet versus intranet zones

Firewalls

Mathmatical Definition of Risk:

Risk = Threat x Vulnerability x Cost

What does this mean? Lets look at a few examples:

Earthquake

Computer Virus

The CISA Review Manual 2006 provides the following definition of risk management:"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."

Identification of assets

Identification of vulnerabilities and threats to those assets

Controls to mitigate risks

Aid in the prioritization of scarce resources

Is this a one time process or iterative? Why?

How do you find them?

Company provided inventory (generally not so good)

Internal Scans (will catch a lot but only if the asset is connected to the network)

Walk around

Talk to employees

Visit data center

Tuesday at noon EDT a new Top Cyber Risks report will be released summarizing current data from the largest network of intrusion prevention sensors and the largest network of vulnerability testers (millions of systems).It shows that the top two cyber risks are far more critical than previously thought, and at the same time that enterprises are acting very slowly to mitigate the risks. In fact the data show that enterprises are investing in less important risks and skimping on the important ones.This is the first time a threat report has been based on a combination of these two data sources on a global scale. Very cool because the findings are authoritative (and were vetted by the Storm Center folks and SANS' top instructors). If you have wanted to get your organization to fix the key problems, you'll find this report to be a powerful tool to move executive decision making forward. If you are a press person and want to be included in the press conference call, please email[email_address] and tell me which publication.

SANS NewsBites Vol. 11 Num. 72

Accept the risk

Mitigate the Risk

Transfer the risk

Deny the risk

1980s Introduction of personal computers

Movies such as War Games Matthew Broderick

Hacking is cool and geeky

1989 The Cockoos Egg Clifford Stoll

$0.75 accounting error leads to one of the first documented cases of hacking

Birth of Netscape

Back Orifice

Kevin Mitnick

Early 2000 Code Red, Nimba, Slammer, identity theft

Mid to late 2000s Organized crime and governments

Personal challenge

Follow the money

Early hacking was to avoid long distance phone calls

Later hacking was to break into banks and steal money

Now compromising personal information (credit cards, SSNs, DOB, etc.) are sold in bulk for credit card and other fraud

Control of Assets botnets

Corporate and Government Secrets

Relatively Anonymous

1980s Start of Federal laws on computer activity

Federal Computer Fraud and Abuse Act

HIPAA Health Insurance Portability And Accountability Act Health sector

Gramm-Leach-Bliley Financial Sector

Federal Information Security Act (FISMA) Government regulations

Sarbanes-Oxley Management on the hook for security of financial systems

PCI DSS

Security Breach Notification Laws

Required by PCI-DSS, GLBA, HIPAA, etc.

Main Purpose

Ensure that there are sufficient controls to preventunauthorized data disclosure

Likely Result?

Long list of vulnerabilities that when exploited resulted in unauthorized data disclosure

Now we are back into Risk Management

Management Sponsor

Liability protection

What is the asset to be protected? Hint: Look for databases, customer data, financial data, corporate secrets, etc.

Should include technical and human vulnerabilities (Kevin Mitnick)

Should handle false positives and false negatives

Risk assessment results that identify the assets, threats, vulnerabilities, etc.

Prioritized list of recommendations

Final Step?

Management buy in

Security Framework (SANS CAG, ISO 27001/2, ITIL

People, Technology, Process

Set security goals and develop a WAITT (We Are In This Together) philosophy

Risk Prioritization

Metrics

Defense in Depth Recognition that one layer is not sufficient

Proactive

Critical Controls Subject to Automated Collection, Measurement, and Validation:

Inventory of Authorized and Unauthorized Devices

Inventory of Authorized and Unauthorized Software

Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Boundary Defense

Maintenance, Monitoring, and Analysis of Security Audit Logs

Application Software Security

Controlled Use of Administrative Privileges

Controlled Access Based on Need to Know

Continuous Vulnerability Assessment and Remediation

Account Monitoring and Control

Malware Defenses

Limitation and Control of Network Ports, Protocols, and Services

Wireless Device Control

Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

Secure Network Engineering

Penetration Tests and Red Team Exercises

Incident Response Capability

Data Recovery Capability

Security Skills Assessment and Appropriate Training to Fill Gaps

Proactive security

Honeypots, Honeyports

Good Trojan horses and call home viruses

Think like a hacker

Use Twitter

Ongoing scan

Monitor log files

You can't manage what you don't measure. It is an old management adage that is accurate today. Unless you measure something you don't know if it is getting better or worse. You can't manage for improvement if you don't measure to see what is getting better and what isn't.

ByF. John Reh , About.com

Evolution of security risks

External versus Internal Wheres the greater threat?

Costs of doing nothing

TOP OF THE NEWS --Cyber Criminals Targeting Smaller US Firms; Get Millions (August 25, 2009) Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States , setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews [Guest Editor's Note (Rob Lee): We are seeing a lot of these. There are three contributing reasons they are growing so fast: (1) Low threat of arrest in these "safe havens," (2) High payout for the crime, and (3) Victim sharing data on these attacks has been minimal. The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one.]

87% of FBI respondents in 2005 survey indicated that they had some form of security incident

73% of threat is internal

23% is external (Where did the other 4% go to?)

Average internal threat costs the company 2.7 million

Average external threat costs the company $57,000

The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research.( http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199000222 )

T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate

The retailers' second-quarter earnings show that the company had to absorb $118 million in that quarter alone. That's added to earlier breach costs of $17 million.( http://www.informationweek.com/news/global-cio/compliance/showArticle.jhtml?articleID=201800259)

Client-side Vulnerabilities in:

C1. Web Browsers C2. Office Software C3. Email Clients C4. Media Players

Server-side Vulnerabilities in:

S1. Web Applications S2. Windows Services S3. Unix and Mac OS Services S4. Backup Software S5. Anti-virus Software S6. Management Servers S7. Database Software

Security Policy and Personnel:

H1. Excessive User Rights and Unauthorized Devices H2. Phishing/Spear Phishing H3. Unencrypted Laptops and Removable Media

Application Abuse:

A1. Instant MessagingA2. Peer-to-Peer Programs

Network Devices:

N1. VoIP Servers and Phones

Zero Day Attacks:

Z1. Zero Day Attacks

Encrypting mobile devices

Theft of mobile devices

Additional laws

Cyber attacks to increase

Cell phone worms

VOIP attacks

Spyware

0-Day exploits

Rootkit bots

Network Access Control will become more important

sans.org -SysAdmin, Audit, Network, Security

cisecurity.org -Center for Internet Security

www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml -NSA Security Configuration Guides

csrc.nist.gov -NIST Computer Security Division

LinkedIn: Scott Frost

Email:[email_address]

Web Site:http://thepolarisconsultinggroup.com

Date post:	22-Jan-2015
Category:	Documents
Upload:	scottfrost
View:	1,270 times
Download:	0 times

College Presentation

Documents