
Enterprise IT Security What you need to know Presented By Vipul Shah Director, PC Solutions Limited.

Date post: 26-Mar-2015
Upload: daniel-duncan
Transcript
Page 1: Enterprise IT Security What you need to know Presented By Vipul Shah Director, PC Solutions Limited.

Enterprise IT Security

What you need to know

Presented By

Vipul Shah

Director, PC Solutions Limited

Page 2:

Objective

Raise awareness that IT Security is

1. an important business issue,

2. deserves the attention of the organisational leadership AND

3. must be part of an overall risk management strategy for the organisation

Page 3:

If you are a leader within an organisation

Ask yourself

1. Has computer security received my attention?

2. Do I assist my IT team by providing them with the tools they need to do their jobs?

3. Do I support my IT team by abiding by the policies that have been set?

4. Do we have good company wide IT policies in place?

Probably not

Probably NO

Page 4:

So does Anyone care about Security?

When we buy a new car we

1. first install the state of the art alarm system

2. then we install a tracker

3. then we insure the car so that if 1 and 2 fail we can still buy another and

4. then we employ security guards – at home, at the office and even on the streets

We always worry about loss or damage to our assets. We crave security!

Page 5:

Where are your company’s assets?

– Buildings

– Vehicles

– Fixtures and fittings

– Computer and office equipment

Is that it?

Information and Data held on computers and servers throughout the organisation is also a business asset

Page 6:

What is the information worth?

1. If your competitor got the names and details of all your customers would you have a problem?

2. If a fire destroyed all your buildings and your records what would you do?

3. If the day before a major tender your hard drive crashed – what would you do?

Page 7:

What is the information worth?

1. If your competitor got the names and details of all your customers would you have a problem?

2. If a fire destroyed all your buildings and your records what would you do?

3. If the day before a major tender your hard drive crashed – what would you do?

If you are in the service industry then your information is your PRIMARY asset. It is impossible to put a value on how much it is really worth.

Page 8:

When thinking of your corporate assets INCLUDE your IT systems and the data that resides on them.

Step one to an effective security system

Know what you want to protect

Page 9:

What are the risks to your IT assets?

Physical Risks

– Theft

– Damage

– Disaster

– Catastrophe

Digital Risks

– Viruses

– Denial of Service

– Unauthorised access

– Abuse of the systems

– Malicious code

Page 10:

Physical Risks

– Walls/fences

– Locks

– Security guards

– Fire detection systems

– Fire proof safes

– Off-site storage of data/backups

Page 11:

Digital Risks

– Viruses

– Denial of Service

– Unauthorised access

– Abuse of the systems

– Malicious code

Page 12:

Viruses

Well Known Risk

How many have AV software?

How many paid for AV software?

How do you manage the updates/upgrades process?

– Do you have a policy?

– Do you have someone responsible/accountable?

– Are you protecting all the entry points?

Page 13:

Denial of Service

Attack in which the organisation is denied access to a specific service

Known to have affected Global Brands such as Yahoo and eBay

Often carried out by exploiting known weaknesses in the OS

When a DoS attack happens, would you

– know you were being subjected to a DoS attack?

– How would you react?

– Is there a plan in place to deal with the event?

Page 14:

Unauthorised Access

Unauthorised use of your corporate systems

– Theft, unauthorised changes, deletion, and unauthorised distribution

Issue of Data Security and Integrity

Many ways these are carried out

– user error, ex-employees whose passwords are still active, hackers etc.

Impact

– From minor embarrassment to multi-million $$$ losses affecting many people

Page 15:

Unauthorised Access (2)

What do you do to limit unauthorised access?

– Have you got effective password management?

– Do users know never to give their passwords out to anyone?

– How well does your IDS work?

– Have you investigated encryption?

You have a financial audit annually – when was the last time you had an IT security audit?

Page 16:

Abuse of the Systems

Generally internal to the organisation

– Physical world – my guys having a long break

– Virtual world – use of IT resources for personal use (Lara Croft manuals)

SPAM

– Unsolicited email sent to people without their consent

Mail relay

– Use of your bandwidth to send mails (SPAM)

Page 17:

Abuse of the Systems (2)

Why is this an issue?

– TIME

• Cost of SPAM to a 100 user organisation will exceed US $5,000 per year.

– Use of resources paid for by the organisation

– Loss of business

Do you have an appropriate use policy?

– For example no personal use of email during the working day? No XXX material!

– Company policy on not sending out SPAM mail?

Page 18:

Malicious Code

Software designed to cause losses/damage?

Some written by employees (fraud/revenge)

More publicity – Worms and Trojans

– Blaster Worm – takes advantage of error in s/w code to spread to many computers and then launch a coordinated attack on MS Windows update site

– Nachi worm – designed to clean the Blaster worm then delete itself on 1/1/2004

– Klez – around since April but still prevalent and exploits weakness in IE 5 and 5.5 without SP. Mails itself to people on the mailing list

Page 19:

Malicious Code (2)

How do you guard?

Employee designed S/W – Difficult but needs an effective “authorisation” procedure

Worms – make sure AV is always up to date and ensure all latest patches are installed

• Massive task given the number of patches being released

Are you protecting all the different entry points?

Page 20:

Digital Risks

– Viruses

– Denial of Service

– Unauthorised access

– Abuse of the systems

– Malicious code

Page 21:

Some other issues

IT Staff are probably stretched “fighting fires”

Range of skills unavailable – impossible to be good at everything

Intrusion Detection Systems generating so many alerts that it is impossible to tell actual threats from “background noise”

Lack of management support – I don’t want to know your problems just “fix it”

Page 22:

Recap

Raise awareness that IT Security is

1. an important business issue,

2. deserves the attention of the organisational leadership AND

3. must be part of an overall risk management strategy for the organisation

Page 23:

The risks are known

Your choice to act or ignore

Page 24:

ACT

Identify your IT assets and determine their value

Identify the risks and determine the likelihood of the risk

Formulate a policy to manage the risks

Train the users in implementing the policy

Use a firm that can help you design an effective risk management strategy

Page 25:

Questions?

Contact

Vipul Shah

Tel: 2133040 or 0741 784 786

Email: [email protected]

Mtendeni Street, DSM

