Date posted: 15-Jan-2016
“Information Security For Your Company:
Its Risks, Tradeoffs, and Solutions – A Management Perspective”
November 17, 2005
eWorkshop Purpose
To demystify the process of protecting your
company’s information
Our presenter will cover
• Types of information to protect
• Types of attackers
• Exposure
• Defenses
• Examples
Lois Webster
CEO
Jones International University offers an online MBA in Information Security Management
For more information go to www.jiu.edu or call 866.246.0368 to speak with an Admissions
Counselor.
This Webcast is hosted by
www.meetingone.com
How to ask a question:
Maura van der Linden
Software Development Engineer in Test
Microsoft Corporation
Understanding Information Security Tradeoffs:
A Management Perspective
Written by:
Maura van der Linden ([email protected])
Brought to you by:
Jones International University
MBA with Information Security Management (www.jiu.edu/learnshare)
© 2005 Jones International University
Presentation Goals
• Convey a basic understanding of the Information Security Equation and its five variables.
• Provide an overview of the process of Threat Analysis.
• Demonstrate the iterative and ongoing nature of Information Security.
• Illustrate the Threat Analysis and Mitigation process with several real life samples of the tradeoffs made to minimize or remove Information Security threats.
Key Information Security Concepts
• Information Security Equation
• Threat Analyses
• Threat Mitigation and Re-Evaluation
• Response and Contingency Planning
• Security Champions
• Security Reviews
Information Security Equation Variables
1. Information
   • Collection
   • Storage
   • Replication
2. Intruders / Attackers
   • Sources
   • Motivations
3. Exposure
4. Defenses
5. Responses
Poll Question #1
What do you think are the biggest risks to your company?
1 = Email Viruses
2 = Directed Hacking Attacks
3 = Opportunistic Hacking Attacks
4 = Internal Theft / Misuse
Information Aspect 1: Collection
Examples:
• Internet Orders or Submissions
• Paper Orders
• Employee Hiring Paperwork
• Point-of-Sale Systems
• Telephone Ordering Systems
• 3rd Party Data Forwarding
Information Aspect 2: Storage
Business Data Examples:
• HR Data
• Emails
• Intranet Documents
• Financial Data
• Payroll Data
• Intellectual Property
• Partner / Vendor / Supplier Data
Customer Data Examples:
• Personal Data (Identifying Information)
• Credit Card Data
• Order History
• Financial Data
• Medical Data
Information Aspect 3: Replication
Examples:
• Live Databases
• Test Databases
• 3rd Party Forwarding
• Backups
• Log Files
• Printouts
• Paper Files / Copies
Intruders / Attackers Aspect 1: Sources
Internal Source Examples:
• Current Employees
• Contracting Companies
• Vendors / Sub-Contractors
External Source Examples:
• Ex-Employees
• Protesters / Idealists
• Professional Hackers
• Competitors
• Cyber-Vandals
Intruders / Attackers Aspect 2: Motivations
Examples:
• Data Theft
• Data Destruction
• Cyber-Vandalism / Nuisance
• Coup Counters
Exposure
Internal Examples:
• Employees
• Locations
• Intranet
• Contractors
External Examples:
• Internet
• Partners
• Vendors / Contractors
• Customers
Defenses
Examples:
• Commercial Software Defenses
• Commercial Hardware Defenses
• In-House / Custom Defenses
• Physical Defenses
• Policy Defenses
Responses
Examples:
• Intrusion Detection Plan
• Data Recovery Plan
• Data Restoration
• Web Site Restoration
• Customer Notification
Poll Question #2
How many of you have defenses and a response plan in place already?
1 = Both are in place and updated.
2 = Both are in place but are out of date.
3 = Defenses are in place but no response plan.
4 = No formal plan for either.
Threat Modeling Aspects
Examples:
• How much harm can be done?
• How easy is it to perform?
• How well known is it?
• How hard or expensive will it be to recover?
• How many customers will it affect?
Threat Analysis & Mitigation Process
Example Questions:
• What is the threat rating (severity)?
• What mitigations are available?
• What do those mitigations cost vs. how well they mitigate the threat?
• Is the convenience worth the risk?
• How will the mitigation be enforced?
• Are there additional legal or regulatory issues if the threat is carried out?
Common Misconceptions of Tradeoffs
• High mitigation = high cost.
• Mitigation solutions must be custom or customized.
• Obscurity = security at very low cost.
• All mitigations are high tech.
• Hackers are isolated and tend to work alone.
Take Incremental Steps
• After each mitigation is developed, the threat must be reviewed again.
• Revisit the threat rating.
• Identify any other threats that might be affected – beneficially or adversely – by a mitigation designed for another threat.
• Don’t neglect easily mitigated threats that do not have the highest threat ratings.
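The rate, mitigate, re-rate loop that the three preceding slides describe, as an added worked example in Python that is not part of the original presentation. It keeps a small threat register scored on the five aspects listed under "Threat Modeling Aspects", applies a mitigation, and then re-rates every threat the mitigation touches, so a side effect on a threat other than the target shows up in the report whether it is beneficial or adverse. The 1 to 5 scale, the equal weighting, the cost units, the sample threats and the effect assigned to each mitigation are all assumptions made for the example.

```python
"""Threat register with the rate, mitigate, re-rate loop.

Added example; not part of the original presentation. The five rating aspects
are the ones the slide lists (harm, ease, how well known, recovery cost,
customers affected). The 1..5 scale, the equal weighting, the cost units, the
sample threats and the effect of each mitigation are assumptions for the example.
"""
from dataclasses import dataclass, field

ASPECTS = ("harm", "ease", "well_known", "recovery_cost", "customers_affected")


@dataclass
class Threat:
    name: str
    scores: dict                                  # aspect -> 1 (low) .. 5 (high)
    applied: list = field(default_factory=list)   # mitigations applied so far

    def rating(self) -> float:
        """Equal-weight average of the aspects: 1.0 (negligible) .. 5.0 (critical)."""
        return sum(self.scores[a] for a in ASPECTS) / len(ASPECTS)


@dataclass
class Mitigation:
    name: str
    cost: int      # relative cost units (assumption)
    effects: dict  # threat name -> {aspect: delta}; a mitigation may touch several threats


def apply_and_rerate(register: dict, m: Mitigation) -> dict:
    """Apply one mitigation, then re-rate every threat it touched.

    Returns {threat name: (rating before, rating after)}, so the effect on
    threats other than the target, beneficial or adverse, is visible.
    """
    changes = {}
    for tname, deltas in m.effects.items():
        t = register[tname]
        before = t.rating()
        for aspect, delta in deltas.items():
            t.scores[aspect] = max(1, min(5, t.scores[aspect] + delta))
        t.applied.append(m.name)
        changes[tname] = (before, t.rating())
    return changes


def value_per_cost(changes: dict, m: Mitigation, target: str) -> float:
    """Rating points removed from the target threat per cost unit: cost vs. how well it mitigates."""
    before, after = changes[target]
    return (before - after) / m.cost


def build_register() -> dict:
    # Constructed sample register for a small online shop (assumption).
    def threat(name, *scores):
        return Threat(name, dict(zip(ASPECTS, scores)))
    return {
        "stolen_card_data":   threat("stolen_card_data",   5, 3, 4, 4, 5),
        "customer_pii_theft": threat("customer_pii_theft", 4, 3, 4, 3, 4),
        "lost_order_history": threat("lost_order_history", 2, 2, 2, 4, 3),
    }


def run() -> dict:
    register = build_register()
    plan = [
        # Stop storing card numbers (as in sample situation #2): removes most of the
        # card-theft threat and, as a side benefit, leaves less to steal from an account.
        ("stolen_card_data", Mitigation("drop_stored_cards", cost=3, effects={
            "stolen_card_data":   {"harm": -3, "ease": -2, "customers_affected": -3},
            "customer_pii_theft": {"harm": -1},
        })),
        # Off-site backups make recovery cheap, but add one more copy of customer
        # data that must itself be secured: an adverse side effect on another threat.
        ("lost_order_history", Mitigation("offsite_backups", cost=1, effects={
            "lost_order_history": {"recovery_cost": -3, "harm": -1},
            "customer_pii_theft": {"ease": +1},
        })),
    ]
    report = {"changes": {}, "value": {}}
    for target, m in plan:
        changes = apply_and_rerate(register, m)
        report["changes"][m.name] = changes
        report["value"][m.name] = value_per_cost(changes, m, target)
    report["final"] = {name: t.rating() for name, t in register.items()}
    # Best rating drop per cost unit; here it is the cheap fix for the lowest-rated threat.
    report["best_value"] = max(report["value"], key=report["value"].get)
    return report


if __name__ == "__main__":
    for mname, changes in run()["changes"].items():
        for tname, (before, after) in changes.items():
            print(f"{mname:18} {tname:20} {before:.1f} -> {after:.1f}")
```

Running it shows the two points the slides make: the backup mitigation lowers the rating of the threat it was designed for but pushes the PII-theft rating back up because one more copy of the data now has to be secured, and the cheap mitigation of the lowest-rated threat gives the best rating drop per cost unit, which is why easily mitigated threats should not be left for later.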
Samples of Common Tradeoffs
• Convenience of multiple places to find the same data vs. having to secure every place that data is stored.
• Ease of referencing plain text data instead of encrypted data vs. the risk that if the data is stolen, it’s easy and ready to use.
• Ability for any employee to solve problems for customers vs. the risk of all employees having the ability to steal customer data or misuse it.
More Samples of Common Tradeoffs
• Cost of buying commercial security software for every workstation vs. the risk of even one incident of a virus shutting down the business’ intranet.
• Employee morale and freedom of being able to open and read any email at work plus the expense of setting up and enforcing email attachment policies vs. risk of virus attack revealing confidential business information.
Sample Situation #1
Situation: A medical supply company keeps customer information in their permanent database and indexes the information by social security number. The database is accessible from the internet so customers can look up their own information.
Mitigation: The risk of exposing the customers’ social security numbers along with their associated personal information on an internet-facing database is mitigated by the company switching to a random customer number and removing the social security number from their data storage.
Tradeoffs: The convenience of having the social security number as a built-in index is traded for a Customer ID that means the records have to be retrieved by number or email address and password. A mailing had to be done to customers to inform them of why the change was being made and how to now access their information.
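The change made in Sample Situation #1, as an added example in Python that is not code from the presentation or from the company it describes: records keyed by social security number are re-keyed by a random customer number, the SSN is dropped from storage rather than merely hidden, and a record is then retrieved either by that number or by e-mail address and password, the two paths the slide names. The record layout, the function names, the password scheme (salted PBKDF2 from the standard library) and the constructed sample customers are assumptions; leaks_ssn is the acceptance check a practitioner would run on the migrated store before the old one is retired.

```python
"""Re-key an SSN-indexed customer store by an opaque random customer ID.

Added example; not from the original presentation. The record layout, the
helper names, the PBKDF2 password scheme and the constructed sample customers
are assumptions. The customer ID comes from the secrets module, so it cannot
be guessed or derived from anything else the customer knows.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ID_DIGITS = 10
PBKDF2_ROUNDS = 200_000


def new_customer_id(existing: set) -> str:
    """Random numeric ID, regenerated on the (unlikely) collision."""
    while True:
        cid = str(secrets.randbelow(10 ** ID_DIGITS)).zfill(ID_DIGITS)
        if cid not in existing:
            return cid


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def migrate(ssn_indexed: dict, initial_passwords: dict) -> dict:
    """Build the new store keyed by customer ID; the SSN is dropped, not hidden.

    initial_passwords maps SSN -> the password the customer chose (assumed to
    come back through the mailing the slide describes). Returns {customer_id: record}.
    """
    new_store = {}
    for ssn, rec in ssn_indexed.items():
        cid = new_customer_id(set(new_store))
        salt, digest = hash_password(initial_passwords[ssn])
        new_store[cid] = {
            "customer_id": cid,
            "name": rec["name"],
            "email": rec["email"],
            "orders": list(rec["orders"]),
            "pw_salt": salt,
            "pw_hash": digest,
        }
    return new_store


def lookup_by_id(store: dict, cid: str) -> Optional[dict]:
    """First retrieval path from the slide: the customer number itself."""
    return store.get(cid)


def lookup_by_email(store: dict, email: str, password: str) -> Optional[dict]:
    """Second retrieval path from the slide: e-mail address plus password."""
    for rec in store.values():
        if rec["email"].lower() == email.lower():
            _, digest = hash_password(password, rec["pw_salt"])
            return rec if hmac.compare_digest(digest, rec["pw_hash"]) else None
    return None


def leaks_ssn(store: dict, ssns: set) -> bool:
    """Migration acceptance check: no stored string value may still be an SSN."""
    return any(isinstance(v, str) and v in ssns
               for rec in store.values() for v in rec.values())


# Constructed sample data with obviously fake SSNs (assumption).
LEGACY = {
    "987-65-4320": {"name": "A. Customer", "email": "a@example.test", "orders": [1001, 1007]},
    "987-65-4321": {"name": "B. Customer", "email": "b@example.test", "orders": []},
}
PASSWORDS = {"987-65-4320": "correct horse", "987-65-4321": "battery staple"}


if __name__ == "__main__":
    store = migrate(LEGACY, PASSWORDS)
    print(sorted(store))                       # two random 10-digit customer IDs
    print("SSN still present:", leaks_ssn(store, set(LEGACY)))
```

The tradeoff the slide names is visible in the code: the old store needed nothing but the SSN to find a record, while the new one needs either the customer number or an e-mail address plus a password hash, which is the cost of no longer holding a number that is valuable on its own.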
Sample Situation #2
Situation: An online shopping business was allowing their customers to store credit card information, including the three digit code, in order to provide the convenience of not having to enter their credit card information each time they placed an order.
Mitigation: The risk of exposing credit card information in this internet-facing shopping system, together with the risk of a third party charging items to the saved card, was judged too high, so the credit card information was removed from the customer database and users now enter their card details for each purchase.
Tradeoffs: The convenience of having the credit card information already entered and available was traded for the security of not having credit card information vulnerable to theft or misuse. Information on the reason for the change was posted to the shopping checkout page, and customer response was quite positive, especially in the wake of a highly publicized credit card information theft.
Sample Situation #3
Situation: A financial investment company which develops and utilizes in-house software for account maintenance has a test database for use by their contract testers but the test database is actually a copy of the live customer database and contains all the information that exists in the live database. In order to make it easier for the testers, the database administrator password has been set to <blank>.
Mitigation: The previously overlooked risk of having live data in an easy to access place was considered too high so an application was written to simulate live transactions and used to build a dummy database for test to use. Because the database now contained NO real data, the administrator password was left as <blank> .
Tradeoffs: The perfect replication of live customer data was traded for a very realistic set of dummy data without the risk of data theft. There was an additional benefit because the tool designed to create the test database was able to be used by other parts of the test effort.
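The test-database generator of Sample Situation #3, as an added example in Python that is neither the company's tool nor code from the presentation: it simulates account holders and transactions from a seed, so the contract testers get a realistic, reproducible fixture that never contained a live record, and it ends with the acceptance checks (no live identifier present, ledger consistent) that should gate handing the fixture over. The schema, the name pools, the TEST- account prefix and the constructed "live" identifiers are assumptions.

```python
"""Synthetic test database for an account-maintenance system.

Added example; not the tool from the presentation nor any code from it.
The schema (accounts, transactions), the name pools, the TEST- account prefix
and the sample 'live' identifiers used in the acceptance check are assumptions.
"""
import random
from dataclasses import dataclass, asdict

FIRST_NAMES = ["Ana", "Ben", "Chloe", "Dev", "Eli", "Fay", "Gus", "Hana"]
LAST_NAMES = ["Adler", "Baker", "Cruz", "Dunn", "Evans", "Fox", "Gill", "Hale"]


@dataclass
class Account:
    account_no: str
    holder: str
    email: str
    balance_cents: int


@dataclass
class Transaction:
    txn_id: int
    account_no: str
    amount_cents: int   # negative = debit
    memo: str


def make_accounts(rng: random.Random, n: int) -> list:
    """Dummy holders; the TEST- prefix keeps them from ever looking like live numbers."""
    accounts, seen = [], set()
    for i in range(n):
        acct = f"TEST-{rng.randrange(10 ** 8):08d}"
        while acct in seen:
            acct = f"TEST-{rng.randrange(10 ** 8):08d}"
        seen.add(acct)
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        accounts.append(Account(acct, f"{first} {last}",
                                f"{first}.{last}{i}@example.test".lower(),
                                rng.randrange(0, 5_000_000)))
    return accounts


def simulate_transactions(rng: random.Random, accounts: list, per_account: int) -> list:
    """Simulated live-like activity: deposits, withdrawals and transfers between test accounts."""
    txns, next_id = [], 1

    def post(acct: Account, amount: int, memo: str) -> None:
        nonlocal next_id
        txns.append(Transaction(next_id, acct.account_no, amount, memo))
        acct.balance_cents += amount
        next_id += 1

    for a in accounts:
        for _ in range(per_account):
            kind = rng.choice(["deposit", "withdrawal", "transfer"])
            amount = rng.randrange(100, 100_000)
            if kind == "deposit":
                post(a, amount, "deposit")
            elif kind == "withdrawal":
                post(a, -min(amount, a.balance_cents), "withdrawal")   # never overdraw the fixture
            else:
                b = rng.choice(accounts)
                amount = min(amount, a.balance_cents)
                post(a, -amount, f"transfer to {b.account_no}")
                post(b, amount, f"transfer from {a.account_no}")
    return txns


def build_test_db(seed: int, n_accounts: int = 5, per_account: int = 4) -> dict:
    """Seeded, so every tester regenerates exactly the same fixture."""
    rng = random.Random(seed)
    accounts = make_accounts(rng, n_accounts)
    txns = simulate_transactions(rng, accounts, per_account)
    return {"accounts": [asdict(a) for a in accounts],
            "transactions": [asdict(t) for t in txns]}


def contains_live_data(db: dict, live_account_nos: set, live_emails: set) -> bool:
    """Acceptance check: refuse the fixture if any live identifier appears in it."""
    return any(a["account_no"] in live_account_nos or a["email"] in live_emails
               for a in db["accounts"])


def ledger_consistent(db: dict) -> bool:
    """Transfers net to zero and no account ends negative: dummy data that still behaves like real data."""
    transfers = sum(t["amount_cents"] for t in db["transactions"] if t["memo"].startswith("transfer"))
    return transfers == 0 and all(a["balance_cents"] >= 0 for a in db["accounts"])


# Constructed 'live' identifiers standing in for the real customer database (assumption).
LIVE_ACCOUNT_NOS = {"10023948", "10023949"}
LIVE_EMAILS = {"real.person@corp.example"}

if __name__ == "__main__":
    db = build_test_db(seed=42)
    print(len(db["accounts"]), "accounts,", len(db["transactions"]), "transactions")
    print("live data present:", contains_live_data(db, LIVE_ACCOUNT_NOS, LIVE_EMAILS))
    print("ledger consistent:", ledger_consistent(db))
```

Because the generator is a function of a seed and a schema rather than a copy of production, it can be regenerated at any size and shared with any tester, which is the additional benefit the slide mentions; the acceptance checks are what make it safe to keep the fixture in a low-protection test environment.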
Poll Question #3
How is your Information Security currently being managed?
1 = One person is in charge of it as a main job function and may or may not have a team working under them.
2 = One person is in charge of it as a secondary or lesser task.
3 = A team of people are in charge of it but are not coordinated by a single individual.
4 = It’s outsourced to another company.
5 = It’s not being managed.
Role of the Security Champion
• Centrally responsible for security efforts.
• Single point of coordination for response plans and materials.
• Disseminates knowledge and information as changes are made in business practices and policies.
• Keeps up to date on software patches, vulnerabilities and versions.
• Presents threat analyses and mitigation plans and proposals to management.
• Conducts and enforces security review standards and schedules.
External Security Consultants
Pro:
• Considerable knowledge and training that is generally kept up to date.
• Can be less expensive to use in circumstances where risks are fairly low and are not overly prone to frequent or rapid changes.
• Can provide a second set of eyes for in-house plans or for vulnerability assessment.
Con:
• May not understand the customer’s business, so making an accurate determination of the tradeoff viabilities may be difficult.
• May be difficult to communicate the full impact of analyses and proposed changes.
• More difficult to use for ongoing changes or revisions.
Continuing Efforts are Key
• Businesses change over time.
• Threats and vulnerabilities change over time.
• Attack vectors and techniques change over time.
• Laws and legal precedents change over time.
To access presentation materials
Go to www.LearnShare.com, Best Practice Events, eWorkshops, “Information Security For Your Company: Its Risks, Tradeoffs, and Solutions – A Management Perspective”
Thanks!
Evaluation by email