Gilbert Verdian MBA, CISA, CISSP EMEA Security Architecture and Consulting Manager Security Compliance and Management - Issues Faced by Organisations Today. InfoSec 2007 - London

Agenda Security is Dynamic Threats Current Issues Addressing Issues

Security is Dynamic

Threats

Current Issues

Addressing Issues

Security is Very Dynamic The landscape is constantly changing: New Technology New Operating Systems Vista, Apple Leopard Ubiquitous Computing & Interconnectivity Threats Web Applications Malware/Spyware Botnets Motivation $, £, €

The landscape is constantly changing:

New Technology

New Operating Systems

Vista, Apple Leopard

Ubiquitous Computing & Interconnectivity

Threats

Web Applications

Malware/Spyware

Botnets

Motivation

$, £, €

Threats are Changing Hacking Then "Hacking was about learning how a computer operates. You always tried to push it to the edge. Kids these days, they just want to do any damage they can" - Val Koseroski Hacking was about bragging rights What skills you had How you came up with the idea that beat the system Fixing things Frustration from restrictions (hardware/software) Finding ways to push the limits Sharing Helping others to learn what you discovered Helping to fix the problems in place

Hacking Then

"Hacking was about learning how a computer operates. You always tried to push it to the edge. Kids these days, they just want to do any damage they can" - Val Koseroski

Hacking was about bragging rights

What skills you had

How you came up with the idea that beat the system

Fixing things

Frustration from restrictions (hardware/software)

Finding ways to push the limits

Sharing

Helping others to learn what you discovered

Helping to fix the problems in place

Threats are Changing Hacking Now Now there is profit to gain Black Market Trade Vulnerabilities - 0 day Trade accounts Paypal Credit Cards, Bank Account Details Trade Servers Trade Identities Malicious Intent Botnets Malware/Spyware DDoS Root Servers in March

Hacking Now

Now there is profit to gain

Black Market

Trade Vulnerabilities - 0 day

Trade accounts

Paypal

Credit Cards, Bank Account Details

Trade Servers

Trade Identities

Malicious Intent

Botnets

Malware/Spyware

DDoS

Root Servers in March

Threats are Changing

Threats are Changing

Threats are Changing

Threats are Changing

What Affects Organisations Statutory and regulatory compliance deadlines and stepped up enforcement and penalty actions E.g., statutory - HIPAA, Sarbanes-Oxley, Patriot Act, Privacy Act, Gramm-Leach-Bliley (GLB), EU Privacy Directives E.g., regulatory - SEC, OCC, FRB, Turnbull report, Basel II, ITAR/EAR and export control Virus attacks and threats are increasing at a faster rate A demand for ROI on security spend No longer just about compliance - executives require business value Public trust of brand and image is under attack Privacy concerns Continuity of operations fears New and complex business models add risk

Statutory and regulatory compliance deadlines and stepped up enforcement and penalty actions

E.g., statutory - HIPAA, Sarbanes-Oxley, Patriot Act, Privacy Act, Gramm-Leach-Bliley (GLB), EU Privacy Directives

E.g., regulatory - SEC, OCC, FRB, Turnbull report, Basel II, ITAR/EAR and export control

Virus attacks and threats are increasing at a faster rate

A demand for ROI on security spend

No longer just about compliance - executives require business value

Public trust of brand and image is under attack

Privacy concerns

Continuity of operations fears

New and complex business models add risk

Typical Security functions in Organisations Segregated Security Management Networks Firewalls IDS/IPS Desktops AV Personal FWs Malware/Spyware Patching Servers User Provisioning AV Patching Security Department IT Functions Security Function

Typical Security functions in Organisations

Networks

Firewalls

IDS/IPS

Desktops

AV

Personal FWs

Malware/Spyware

Patching

Servers

User Provisioning

AV

Patching

Large amounts of Segregated Security Data Do not share information with each other

Security Management Help is on the way Proper Risk Management IT Risk is part of Business Risk Risk goes to Board level Criminal prosecution Single view of Risk Level Automation using tools and Methodologies Bindview, Probity OCTAVE, MORDA Single view of IT Landscape (Dashboards) Log collection and correlation - SIMs

Help is on the way

Proper Risk Management

IT Risk is part of Business Risk

Risk goes to Board level

Criminal prosecution

Single view of Risk Level

Automation using tools and Methodologies

Bindview, Probity

OCTAVE, MORDA

Single view of IT Landscape (Dashboards)

Log collection and correlation - SIMs

http://www.gilbertverdian.com